Privacy Policy
Updated on
Who we are
DEVEDANOS is a brand operated by S NOBOUR, a custom software development company registered in France.
- Legal entity: S NOBOUR, SASU (société par actions simplifiée unipersonnelle)
- SIREN: 910 383 116
- SIRET: 910 383 116 00027
- RCS: Nanterre
- Share capital: 5 000 €
- VAT: FR94910383116
- Registered address: 32 rue de Paris, 92100 Boulogne-Billancourt, France
- President: Sébastien Nobour
- Contact: sebastien@devedanos.com
- Website: https://devedanos.com
- Supervisory authority: CNIL (Commission Nationale de l’Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — cnil.fr
S NOBOUR, operating as DEVEDANOS, is the data controller for all personal data described in this policy. S NOBOUR has determined that a Data Protection Officer is not required under Art. 37 GDPR given the nature and scale of its processing activities. For all privacy matters, contact sebastien@devedanos.com.
What data we collect
We collect personal data through forms on our website. These forms collect:
| Field | Required | Example |
|---|---|---|
| Email address | Yes | you@company.com |
| First name | Yes | Jane |
| Last name | Yes | Smith |
| Phone number | No | +33 6 12 34 56 78 |
| Guide language | Yes | French or English |
| GDPR consent | Yes | Checkbox (true/false) |
We do not collect sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, etc.).
Why we process your data and on what legal basis
We process your data for three purposes, each with a specific legal basis under GDPR Article 6:
1. Guide delivery, lead management, and optional callback from a developer — Consent (Art. 6(1)(a))
When you submit the form and tick the consent checkbox, we use your data to:
- Send you the guide PDF by email.
- Store your contact information in our CRM for follow-up.
- If you provide your phone number (optional), a DEVEDANOS developer may call you to discuss what motivated your download. The phone field is optional; providing it after reading the invitation notice above the field constitutes your specific consent to this call under GDPR Article 7. The timestamp of your consent is recorded in our CRM’s inbound webhook history as an auditable record.
You can withdraw this consent at any time (see “Your rights” below). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
2. Operational monitoring — Legitimate interest (Art. 6(1)(f))
We log form submissions (including your name, email, and masked phone number) in our server logs for two operational reasons:
- Detecting and recovering from delivery failures (if the email does not reach you, we can identify the failed request and contact you)
- Diagnosing technical errors in the submission pipeline
Our legitimate interest is ensuring reliable service delivery. The impact on you is minimal: logs are automatically deleted after 3 days and access is restricted to our technical team. A documented assessment of our legitimate interests is available upon request.
3. Analytics and error monitoring — Legitimate interest (Art. 6(1)(f))
We track anonymous website usage and monitor client-side errors to improve our website. These tools receive no personally identifiable information:
- Analytics: We count page views, form conversions, and language preferences. The analytics data contains no email addresses, names, or other identifying information.
- Error monitoring: We capture JavaScript errors (stack traces, browser type, page URL) to fix bugs. Email addresses are automatically stripped from error reports before they leave your browser.
Who receives your data
We share your data with the following processors. Each processor has signed a Data Processing Agreement (DPA) with us, as required by GDPR Article 28.
Processors that receive personal data
| Processor | Legal entity | Purpose | Data received | Data location | Transfer safeguards |
|---|---|---|---|---|---|
| Resend | Plus Five Five, Inc. | Email delivery (guide PDF) | Email, first name | United States | EU Standard Contractual Clauses (SCCs) per Commission Decision 2021/914 |
| Mercaplug | S NOBOUR | CRM lead management | Email, first name, last name, phone (E.164, optional), language | United States | EU-U.S. Data Privacy Framework + SCCs |
| Better Stack | Better Stack, Inc. | Server-side operational logging | Email, first name, last name, phone (masked +X******NNNN, optional), language | European Union | No international transfer — data stays in the EU |
| Vercel | Vercel Inc. | Website hosting and serverless function execution | IP addresses, HTTP request metadata | United States | EU-U.S. Data Privacy Framework + SCCs |
Processors that receive no personal data
| Processor | Legal entity | Purpose | Data received | Data location |
|---|---|---|---|---|
| PostHog | PostHog Inc. | Website analytics | Language preference, page interactions, random request ID. No emails, no names. | European Union (Frankfurt, Germany) |
| Sentry | Functional Software, Inc. | Client-side error monitoring | Stack traces, browser type, page URL. No emails (stripped by a beforeSend filter), no IP addresses, no cookies. | European Union (Germany) |
Both PostHog and Sentry have signed DPAs with us. Even though they receive no personal data in our configuration, we maintain DPAs as a precaution.
International data transfers
Three processors transfer data outside the European Economic Area:
- Resend (United States): Protected by EU Standard Contractual Clauses included in their DPA.
- Mercaplug (United States): Protected by the EU-U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023) and EU Standard Contractual Clauses as a fallback mechanism.
- Vercel (United States): Protected by the EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses included in their DPA.
PostHog, Better Stack, and Sentry store all data within the EU. No international transfer occurs for these services.
How long we keep your data
| Processor | Retention period | Reason |
|---|---|---|
| Resend | 30 days | Email delivery metadata (delivery status, timestamps) retained for troubleshooting |
| Mercaplug | Until you request deletion or withdraw consent, and no longer than 2 years after your last interaction | CRM record for ongoing business relationship |
| Vercel | 30 days | Standard web server access logs |
| Better Stack | 3 days (automatic deletion) | Short-term operational logs for failure recovery |
| PostHog | 1 year (automatic deletion) | Anonymous analytics data, not linked to individuals |
| Sentry | 30 days (automatic deletion) | Error diagnostics, no personal data stored |
Your rights
Under GDPR Articles 15 through 22, you have the following rights regarding your personal data:
- Access (Art. 15): You can request a copy of all personal data we hold about you.
- Rectification (Art. 16): You can ask us to correct inaccurate data or complete incomplete data.
- Erasure (Art. 17): You can ask us to delete your personal data. We will delete it from all processors where technically feasible (see note below).
- Restriction (Art. 18): You can ask us to restrict processing of your data while we resolve a dispute or verify data accuracy.
- Portability (Art. 20): You can request your data in a structured, machine-readable format and have it transmitted to another controller.
- Objection (Art. 21): You can object to processing based on legitimate interest. We will stop processing unless we can demonstrate compelling legitimate grounds.
- Notification to recipients (Art. 19): When we rectify, erase, or restrict your data, we will notify each processor that received it, unless this proves impossible or involves disproportionate effort. We will tell you which processors were notified if you ask.
How to exercise your rights
Send an email to sebastien@devedanos.com with your request. We will respond within one month (Art. 12(3)). If we need more time due to the complexity of your request, we will let you know within the first month and explain why.
Withdrawal of consent
You can withdraw your consent at any time by emailing sebastien@devedanos.com. Upon withdrawal, we will:
- Delete your contact record from Mercaplug (CRM)
- Delete your email history from Resend (if still available)
- Better Stack logs auto-delete after 3 days; granular per-record deletion is not available, so if your data is within the 3-day retention window, it will be deleted automatically upon expiry
PostHog and Sentry hold no personal data about you, so no deletion is needed for those services.
Complaint to the supervisory authority
If you believe we have not handled your data correctly, you have the right to lodge a complaint with CNIL:
- Online: cnil.fr/plaintes
- Post: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Is providing your data mandatory?
No. Providing your personal data is voluntary. However, if you do not provide the required fields (email, first name, last name, and consent), we cannot send you the guide.
There is no statutory or contractual obligation to provide your data. You will not face any consequences for choosing not to submit the form, other than not receiving the guide.
Automated decision-making
We do not use automated decision-making or profiling based on your personal data (Art. 22 GDPR). No decisions with legal or similarly significant effects are made about you without human involvement.
Cookies and tracking technologies
PostHog may set a first-party cookie named ph_phc_* or use cookieless tracking (based on your browser settings) to count unique visitors. This cookie does not contain personal data and is used solely for aggregate analytics (page view counts, conversion rates). It expires after 1 year.
Sentry does not set cookies.
We do not use third-party advertising cookies or cross-site tracking.
For details on cookies, see our Cookie Policy.
Changes to this policy
We may update this policy to reflect changes in our processing activities or legal requirements. When we make significant changes, we will update the “Last updated” date at the top of this page.
Contact
For any questions about this privacy policy or how we handle your data:
S NOBOUR (DEVEDANOS) 32 rue de Paris, 92100 Boulogne-Billancourt, France sebastien@devedanos.com
This document describes our data processing practices. It does not constitute legal advice. For questions about your rights under the GDPR, consult a qualified data protection professional.