GDPR compliance
invico is a European company, and data protection is part of our DNA. This page summarises our commitment to the General Data Protection Regulation (GDPR).
1. Our commitment
We apply GDPR principles at every step of our activity:
- Lawfulness, fairness, transparency: we explain clearly what we do with data
- Purpose limitation: data is used only for the purposes described
- Data minimisation: we collect only what is strictly necessary
- Accuracy: you can correct your data at any time
- Storage limitation: data is not retained longer than necessary
- Integrity and confidentiality: encryption, controlled access, regular audits
- Accountability: we document all our decisions and maintain a record of processing activities
2. Your rights
You have the following rights over your personal data:
Right of access
Obtain confirmation that data concerning you is (or is not) being processed, and obtain a complete copy.
Right of rectification
Have any inaccurate or incomplete data corrected. Most fields are editable directly in your account.
Right to erasure ("right to be forgotten")
Request deletion of your data when it is no longer necessary, when you withdraw consent, or if processing is unlawful. Some data may be retained to comply with a legal obligation (e.g. invoices for 10 years).
Right to restriction
Request a temporary freeze on contested processing while accuracy is verified.
Right to data portability
Retrieve your data in a structured, commonly used, machine-readable format (CSV, JSON) to transfer it to another service.
Right to object
Object to processing based on legitimate interest, or to any direct marketing (objection to marketing is unconditional).
Automated decisions
invico uses AI to generate quotes, but these decisions have no legal effect on you: you remain in control of the final quote, which you can review, edit or reject before sending.
Post-mortem directives
You may tell us how you want your data handled after your death.
3. How to exercise your rights
Most actions are available directly from your account (export, deletion, modification). For other requests:
- Email: support@invico.pro (subject: "GDPR request")
- Mail: Yoann Collot (Invico) — 119 rue Dumont d'Urville, Apt A 1004, 59800 Lille, France
We respond within one month, extendable by two months for complex requests (you will be informed of the reason). An identity check may be required if we have a reasonable doubt.
This is free of charge, except for manifestly unfounded or excessive requests (notably repetitive ones).
4. Data controller contact
The appointment of a Data Protection Officer (DPO) is not mandatory for invico's activity (no large-scale processing of sensitive data, nor systematic monitoring).
Yoann Collot personally handles all data-related requests.
Email: support@invico.pro (subject: "Personal data")
5. Subprocessors and transfers
Our main subprocessors are:
- Google Cloud Platform / Google Cloud Storage — application hosting and storage of files and photos (data centres in the European Union)
- Vercel — landing and front-end hosting (United States)
- Groq — voice note transcription (United States, transfer outside the EU)
- Anthropic (Claude) — AI quote generation (United States, transfer outside the EU)
- OpenAI — embeddings computation for semantic search (United States, transfer outside the EU)
- Stripe — payment and billing (United States, transfer outside the EU)
- Resend — transactional emails (United States, transfer outside the EU)
- PostHog — audience measurement (United States, transfer outside the EU)
- Sentry — error monitoring (United States, transfer outside the EU)
A detailed, up-to-date list of subprocessors is in the privacy policy.
When a subprocessor is located outside the EU, we rely on Standard Contractual Clauses approved by the European Commission and on the Data Privacy Framework where applicable.
6. Complaint to the supervisory authority
If you believe your rights are not being respected, you may file a complaint with the French data protection authority (CNIL):
- Website: cnil.fr/en/home
- Address: 3 Place de Fontenoy, 75007 Paris, France
- Phone: +33 1 53 73 22 22
If you live in another EU country, you may also contact the supervisory authority of your country.
7. AI model transparency
invico uses artificial intelligence models (voice transcription, quote generation, semantic search). These models are provided by third-party vendors: Groq (voice note transcription), Anthropic (quote generation) and OpenAI (embeddings).
Data sent to the models is not used to train them — we systematically enable the "no training" / "zero data retention" options when available. Voice files and transcriptions are deleted on the vendor side after a short period (typically 30 days).
For any question regarding your data or to exercise your rights: support@invico.pro (subject: "GDPR request").