Privacy Policy
Last updated: March 27, 2026
1. Data Controller
The data controller for your personal data is:
12 Megavolt — Pierre Bazoge, Entrepreneur Individuel
4 rue Paul Claudel, 41100 Vendôme, France
SIRET: 507 888 568 00015
Email: hello@notifuse.com
Hosting providers: OVHcloud, 2 rue Kellermann, 59100 Roubaix, France. Google Cloud Belgium, Chaussée de La Hulpe 166, 1170 Brussels, Belgium.
2. Privacy Contact
You may contact our privacy team at hello@notifuse.com for any questions related to the processing of your personal data or to exercise your rights.
3. Data We Collect
3.1 Account data
When you create an account on Notifuse Cloud, we collect:
- Email address
- Full name
- Organization name
- Website URL
- Logo URL (optional)
- Chosen subdomain
3.2 Billing data
When you subscribe to a paid plan, our payment processor (Stripe) collects:
- Payment method details (processed and stored by Stripe)
- Billing address
- Invoice history
We do not store credit card numbers on our servers. All payment data is handled by Stripe, Inc. in accordance with PCI DSS standards.
3.3 Usage data
- Service usage metrics (emails sent, API calls)
- Login timestamps and IP addresses
- Browser type, operating system, and device information
- Pages visited on our website
3.4 Support data
- Communications when you contact our support team
- Any information you voluntarily provide in support requests
3.5 Data processed on behalf of customers
As part of the service, Notifuse processes data on behalf of our customers (who act as data controllers for their end users). This data may include email addresses, names, and other contact information of our customers' recipients. This processing is governed by our Data Processing Agreement (DPA) with each customer, not by this Privacy Policy.
4. Purposes and Legal Bases
We process your personal data for the following purposes, each with its corresponding legal basis under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contractual necessity (Art. 6(1)(b)) |
| Service delivery (sending emails and notifications) | Contractual necessity (Art. 6(1)(b)) |
| Billing and invoicing | Contractual necessity (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Customer support | Contractual necessity (Art. 6(1)(b)) |
| Product improvement and usage analytics | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications to existing customers | Legitimate interest (Art. 6(1)(f), LCEN soft opt-in) |
| Marketing communications to prospects | Consent (Art. 6(1)(a)) |
| Tax and accounting records | Legal obligation (Art. 6(1)(c)) |
| Cookies and website analytics | Consent (Art. 6(1)(a)), except strictly necessary cookies |
Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your rights and freedoms. You may request details of these assessments by contacting us.
5. Data Retention
We retain your personal data only as long as necessary for the purposes described above:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of the contract + 3 years |
| Billing and invoicing data | 10 years (French Commercial Code, Art. L123-22) |
| Email sending logs | 1 year |
| Support tickets | Duration of the contract + 2 years |
| Usage analytics | 25 months (CNIL guidance) |
| Cookie consent records | 13 months |
| Marketing consent records | Duration of consent + 3 years |
6. Recipients and Subprocessors
Your personal data may be shared with the following categories of recipients, strictly for the purposes described in this policy:
| Subprocessor | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| OVHcloud | France | Cloud hosting and data storage | N/A (EU) |
| Google Cloud | Belgium | Cloud hosting and data storage | N/A (EU) |
| Stripe, Inc. | United States | Payment processing | EU-US Data Privacy Framework |
| Postmark (ActiveCampaign, LLC) | United States | System emails (account verification, notifications) | EU-US Data Privacy Framework |
This list was last updated on March 27, 2026. We will notify you by email before adding or replacing any subprocessor.
We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.
7. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). When data is transferred outside the EEA, we ensure adequate protection through one of the following mechanisms:
- EU adequacy decisions — Transfers to countries recognized by the European Commission as providing adequate data protection (e.g., UK, under the renewed adequacy decision valid until December 2031).
- EU-US Data Privacy Framework — For US-based subprocessors certified under the DPF (validated by the EU General Court in September 2025).
- Standard Contractual Clauses (SCCs) — EU-approved contractual safeguards, maintained as a supplementary measure.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — Obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your data under certain circumstances.
- Right to restrict processing (Art. 18) — Limit how we use your data in certain conditions.
- Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests or for direct marketing (absolute right for direct marketing).
- Right not to be subject to automated decisions (Art. 22) — Not be subject to decisions based solely on automated processing, including profiling.
- Right to withdraw consent (Art. 7(3)) — Withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
How to exercise your rights
Send your request to hello@notifuse.com. We will respond within one month of receiving your request. This period may be extended by two additional months for complex or numerous requests, in which case we will inform you of the extension.
Right to lodge a complaint
If you believe your rights have not been respected, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):
CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Website: www.cnil.fr
9. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest
- Access controls and role-based authentication
- Regular security assessments and vulnerability monitoring
- Incident response procedures
In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you without undue delay.
10. Cookies
Our website uses cookies and similar technologies. We distinguish between:
Strictly necessary cookies (no consent required)
- Authentication and session cookies
- Security cookies
- User interface preference cookies (e.g., language)
- Load-balancing cookies
Analytics cookies (consent required)
We use analytics tools to understand how visitors interact with our website. These cookies are only set after you give your consent via our cookie banner.
You can manage your cookie preferences at any time by clicking the "Manage Cookies" link in the footer. You may also configure your browser to refuse cookies. Refusing non-essential cookies does not affect your ability to use our services.
We re-request your cookie consent every 13 months, in accordance with CNIL recommendations.
11. Is Providing Data Mandatory?
Providing your email address and name is necessary to create an account and use Notifuse Cloud (contractual requirement). Without this data, we cannot provide you with the service. Providing billing information is necessary to subscribe to a paid plan. All other data is optional.
12. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you. If this changes in the future, we will update this policy and provide you with meaningful information about the logic involved.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on our website at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact Us
For any questions about this Privacy Policy or your personal data, contact us at: