Privacy Policy
Protection of your personal data
In accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act, we are committed to protecting your personal data.
GDPR Compliant Site
Your personal data is protected and processed in accordance with European data protection regulations (EU Regulation 2016/679).
Data collected
Minimum required
Retention
up to 3 years (excl. legal billing obligations)
Security
TLS + RLS
Hosting
EU / US (DPF)
Introduction
This privacy policy aims to inform users of the OneDpe site about how their personal data is collected, used and protected, in accordance with Regulation (EU) 2016/679 of April 27, 2016 (GDPR) and French Law No. 78-17 of January 6, 1978 as amended (Data Protection Act).
1. Data Controller
Controller
RIANN SAS
Address
200 rue de la Croix-Nivert, 75015 Paris — RCS Paris 101 434 009
Data Protection Officer (DPO)
dpo@onedpe.fr
2. Personal Data Collected
We only collect data necessary for the operation of the service. Here is the detail of data collected according to the features used:
Identification data
- Email address (required)
- First and last name (optional)
- Password (bcrypt hashed — irreversible)
DPE analysis data
- Consulted DPE number, property address / municipality
- Technical characteristics entered (floor area, energy, insulation)
- 3CL / renovation parameters and saved analyses
Navigation data
- IP address (anonymized)
- Browser type
- Pages visited
Consequences of refusing to provide data
Data marked as "optional" may be withheld. However:
- Without DPE analysis data: you will not be able to save your DPE analyses.
- Without name: communications will be generic.
- Without analytics cookies: we will not be able to improve the service based on your usage.
Access to the basic service and authentication is never compromised by refusing optional data.
3. Processing Purposes
Your data is processed for the following purposes:
Service provision
Creation and management of your account, execution of DPE analyses, saving your data.
Communication
Sending transactional emails, notifications related to your account, customer support.
Service improvement
Anonymous statistical analysis to improve user experience and features.
Legal obligations
Compliance with accounting and tax obligations, response to judicial requisitions.
4. Legal Basis for Processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Service provision | Contract execution |
| Marketing communication (newsletter, promotions) | Consent |
| Statistical analysis | Legitimate interest |
| Legal obligations | Legal obligation |
5. Data Retention Period
| Purpose | Retention |
|---|---|
| Account data | Subscription duration + 3 years |
| DPE analysis data | Deleted with account |
| Billing data | 10 years (Legal accounting obligations) |
| Newsletter data / regulatory alerts (separate consents) | Until unsubscription + 3 years (Separate consent for each purpose (unsubscription available at any time)) |
| Cookies | 13 months maximum (In accordance with CNIL recommendations) |
6. Data Recipients
Your data may be transmitted to the following categories of recipients, in strict compliance with the principle of data minimization:
🔒 Your data is never sold or transferred to third parties for commercial or advertising purposes.
When you delete your account, propagation to third-party services (analytics, hosting) may take up to 72 hours.
7. Transfers Outside the European Union
Some of our providers are located in the United States (Supabase, Vercel, Google, Upstash). These transfers are governed by:
8. Your Rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Obtain confirmation of processing and a copy of your data
- Correct your inaccurate or incomplete data
- Request the deletion of your data (right to be forgotten)
- Restrict processing in certain cases
- Receive your data in a structured format (JSON/CSV)
- Object to processing for legitimate reasons
How to exercise your rights?
By email: dpo@onedpe.fr with a copy of your ID.
From your account: Profile → Data export / Account deletion
CNIL complaint: www.cnil.fr
Consent withdrawal: you can withdraw your consent at any time (e.g., newsletter unsubscription, cookie preference changes). Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.
10. Automated Decisions
In accordance with Article 22 of the GDPR, we inform you of the existence of automated processing within our services:
11. Data Breach Notification
In the event of a personal data breach, we are committed to notifying the CNIL within 72 hours in accordance with Article 33 of the GDPR, and to informing affected data subjects if the breach is likely to result in a high risk to their rights and freedoms (Article 34 of the GDPR).
14. Minors
Our service is not intended for persons under the age of 15. We do not knowingly collect personal data from minors. If you are a parent or guardian and become aware that a minor has provided us with personal data without your consent, please contact our DPO: such data will be deleted as soon as possible.
12. Data Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure or destruction:
Transit encryption
HTTPS/TLS 1.3 on all communications
At-rest disk encryption
AES-256 disk encryption provided by Supabase (AWS/GCP) on the hosting infrastructure. Data remains readable in plaintext via the authenticated API — there is no client-side application-level encryption. Application-level protection relies on authentication, row-level access control (RLS) and TLS connection.
Passwords
Bcrypt hashing with unique salt
Restricted access
Least privilege principle, 2FA authentication
Backups
Daily automatic backups
Monitoring
24/7 monitoring, anomaly detection
13. Contact
For any questions regarding this policy or your personal data:
Data Protection Officer
dpo@onedpe.fr