Privacy

Apshan is a French company. This page is provided in English for convenience. The French version of this policy is the legally binding text.

Last reviewed: May 2, 2026

Who we are

Apshan publishes apshan.com and operates the Apshan service. Apshan is the data controller for any personal data collected through this website and the service. Company identification, registration, and hosting details are disclosed in the Legal notice.

For all data protection matters, write to privacy@apshan.com.

What data we collect

Apshan collects the categories of personal data set out below. Not every category applies to every user; what we collect depends on how you interact with the website and the service.

Account data
Email address, name, role, company, country. Provided by you when you create an account or join a waitlist.
Authentication data
Hashed credentials, multi-factor authentication secrets, session tokens, OAuth identifiers. Generated when you sign in.
Usage data
Queries you submit to the service, sources retrieved, features used, exports requested, API calls. Generated as you use the product.
Telemetry
Page views, latency metrics, error reports, device and browser information, truncated IP address. See the Telemetry section below.
Communications
Support tickets, email replies, in-product messages. Provided by you when you contact us or respond to our communications.
Billing data
Invoices, billing address, VAT identification, transaction metadata. Card numbers are handled directly by our payment processor and never touch Apshan servers.

Apshan does not knowingly collect personal data from minors under the age of 16. If you believe a minor has provided personal data to Apshan, contact privacy@apshan.com and we will delete the record.

Why we process it

Provide and improve the service
Contractual necessity (GDPR Article 6(1)(b)). Required to operate the product.
Authentication and security
Legitimate interests (Article 6(1)(f)). Preventing fraud, abuse, and unauthorized access.
Service communications
Contractual necessity (Article 6(1)(b)). Operational notices about your account.
Product updates and marketing
Consent (Article 6(1)(a)). Opt-in only; you can withdraw consent at any time.
Telemetry and analytics
Legitimate interests for strictly-necessary telemetry (Article 6(1)(f)); consent for optional analytics (Article 6(1)(a)).
Legal compliance and tax
Legal obligation (Article 6(1)(c)). Including French commercial code requirements.
Respond to your data subject requests
Legal obligation (Article 6(1)(c)). GDPR Articles 15-22.

Apshan does not sell personal data, does not use it for advertising profiling, and does not use customer data to train Apshan's models.

Cookies

Apshan uses cookies in four categories. You manage your preferences through the consent banner shown on first visit, and can change them at any time via the "Cookie settings" link in the footer. The banner is operated by Axeptio, our EU-resident consent management platform, listed on /subprocessors with full disclosure.

Strictly necessary
Session, CSRF, authentication, security. Required for the site to function. Set without consent under the ePrivacy strict-necessity exception.
Functional
Language, theme, and other interface preferences. Set with your consent or after a clear affirmative action.
Analytics
Anonymized usage analytics. Two providers: PostHog (EU data residency in Frankfurt, with Standard Contractual Clauses covering its US parent entity) and Google Analytics 4 (Google Ireland Limited, with onward transfers to the United States under the EU-US Data Privacy Framework). Set only with your prior consent and gated per-vendor in the cookie banner. On the waitlist and form-submission pages, Google Ads also receives an unsalted SHA-256 hash of your email for conversion attribution. Google uses that hash to match the submission against accounts it already holds for attribution. Apshan cannot reverse the hash. When you grant marketing consent, the same submission also sends an unsalted SHA-256 hash of your email, plus your IP address and user-agent string, to Meta Platforms Ireland Limited via its Conversions API and to LinkedIn Ireland Unlimited Company via its Conversions API. These server-to-server flows match each vendor's published Conversions API specification, run alongside the cookie-banner consent for each vendor, and are bounded to the conversion-attribution purpose. Without your marketing consent, no server-side data is transmitted to either platform.
Marketing and advertising
Conversion-tracking and review-invitation tags. The LinkedIn Insight Tag is set only with your prior consent and is excluded from pages handling sensitive data (application forms, privacy and compliance documents, and contact pages) per LinkedIn's terms of service. If you navigate into one of those pages after consenting elsewhere, the tag is opted out before any further events fire. Trustpilot's invite SDK is set only with your prior consent and is invoked only at our explicit trigger points.

Apshan does not set social-network "share" pixels, does not participate in real-time advertising auctions or work with data brokers, and does not sell, rent, or trade visitor data.

Telemetry

Telemetry covers the operational signals Apshan needs to keep the service reliable and improve it over time. We split telemetry into two layers:

Operational telemetry
Server logs, error reports, latency and performance metrics, security events. Required to operate the service safely. Processed under legitimate interests (Article 6(1)(f)). Personal identifiers are removed or truncated at ingestion where feasible. Retained for the period set out in "How long we keep it".
Product analytics
Aggregated, anonymized signals about which features are used and how the product performs. Optional and consent-based (Article 6(1)(a)). You can opt out at any time through the cookie banner or your account settings without affecting your access to the service.

Apshan does not use telemetry to profile individual users for advertising or to make automated decisions that affect you.

Third parties and subprocessors

Apshan relies on a small set of vetted subprocessors to operate the service. Each subprocessor receives only the data needed for its specific function and is bound by a data processing agreement with Standard Contractual Clauses where relevant. The categories are:

Hosting and infrastructure
EU-based providers running the application servers, databases, and object storage.
Marketing-website CDN
Static assets (HTML, CSS, JavaScript, images) for the public marketing website are served via a global CDN. Visitor IP addresses and user-agent strings transit the CDN edge but are not retained beyond standard access-log windows. No customer data flows through this CDN.
Email delivery
EU-based or SCC-protected providers handling transactional and operational emails.
Analytics and error tracking
Privacy-respecting, EU-preferred providers for product analytics and runtime error monitoring.
Payment processing
PCI-DSS-compliant processor handling card data. Card numbers never touch Apshan servers.
AI inference
Large language model providers (Mistral, Anthropic) used to generate responses. Apshan curates this list to providers whose data residency and compliance posture align with ours. See the Trust page for the named providers and current data-residency posture.
Authentication and identity
Optional single sign-on and multi-factor providers used by enterprise customers who choose to enable them.
Customer support
Helpdesk software used to handle support tickets and customer communications.
Customer feedback and reviews
Review and trust-rating platforms used to collect feedback after key events. Visitor tracking is consent-gated; no data is sent without your explicit consent.
Advertising and conversion tracking
Marketing pixels (e.g., LinkedIn Insight Tag) used to attribute campaigns and measure conversions. Loaded only after explicit consent and excluded entirely from pages handling sensitive data (application forms, privacy and compliance documents, and contact pages) per the providers' own terms of service.

The current and complete list of named subprocessors, including company name, country, role, and DPA reference, lives at /subprocessors. We provide thirty days' notice before adding, removing, or materially changing a subprocessor.

International transfers

Apshan's primary data residency is the European Union. Where a subprocessor processes personal data outside the EU/EEA, we rely on an adequacy decision from the European Commission, the European Commission's Standard Contractual Clauses (SCCs), or another lawful transfer mechanism. In practice, certain analytics, telemetry, and infrastructure subprocessors process data in the United States and Singapore under SCCs. The /subprocessors page lists the country of processing for each subprocessor.

How long we keep it

Account data
While your account is active and for twelve months after closure, unless a longer period is required by law.
Authentication data
Hashed credentials retained while the account is active; session tokens rotated on a regular schedule.
Usage data
Retained according to your plan and the Terms; queries and outputs may be retained for operational and compliance purposes for a defined period.
Operational telemetry
Retained for thirteen months in raw form, then anonymized or aggregated.
Product analytics
Anonymized at ingestion or within thirty days; aggregates retained indefinitely.
Communications
Retained for twenty-four months after the last interaction.
Billing data
Retained for ten years, as required by French commercial law.
Backups
Backups containing personal data may persist up to thirty days beyond the active retention period before automatic purge.

Security

Apshan applies industry-standard technical and organizational measures to protect personal data: encryption in transit (TLS 1.3), encryption at rest for sensitive data, principle of least privilege for internal access, separation of production and non-production environments, and routine review of access logs.

In the event of a personal data breach, Apshan will notify the CNIL within seventy-two hours of becoming aware of it, in accordance with GDPR Article 33, and will inform affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

Your rights

Under the GDPR, you have the right to:

  • Access — obtain a copy of the personal data we hold (Article 15);
  • Rectification — have inaccurate data corrected (Article 16);
  • Erasure — have your data deleted, subject to legal exceptions (Article 17);
  • Restriction — limit how we process your data (Article 18);
  • Portability — receive your data in a structured, commonly-used format (Article 20);
  • Objection — object to certain processing (Article 21);
  • Withdraw consent — at any time, where processing is based on consent.

To exercise these rights, write to privacy@apshan.com. We will respond without undue delay, and within one month at the latest, per GDPR Article 12.

You also have the right to lodge a complaint with the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr.

Data Protection Officer

Apshan has not designated a Data Protection Officer. The conditions of GDPR Article 37 (public authority, large-scale systematic monitoring, large-scale special-category processing) do not apply to Apshan at this stage.

For all data protection matters, contact privacy@apshan.com.

Automated decision-making

apshan.com does not perform automated decision-making, including profiling, that produces legal effects or similarly significantly affects you.

Changes to this policy

We may update this Privacy policy. The "Last reviewed" date at the top of the page reflects the most recent change. Material changes that affect how we process personal data will be announced by email and, where appropriate, surfaced in-product before they take effect.

Contact

privacy@apshan.com
Apshan, 6 Rue d'Armaillé, 75017 Paris, France.
