Privacy policy
How Vidimus collects and processes personal data on vidimus.eu and within the platform, drafted against Regulation (EU) 2016/679 (GDPR) and the French Loi Informatique et Libertés (LIL) as amended.
Controller and DPO
The data controller is VIDIMUS SASU, registered office at 11bis rue du 8 mai 1945, 92700 Colombes, France. Contact for any privacy-related question: dpo@vidimus.eu.
A Data Protection Officer (Délégué à la Protection des Données / DPO) has been designated under Article 37 GDPR and can be reached at the address above.
What we collect
Vidimus processes the following categories of personal data:
- Identification & account data: name, professional email address, organisation, role, hashed password, authentication tokens.
- Usage & technical data: IP address, browser user-agent, device type, language, session timestamps, error logs, audit-log entries (actor, action, entity, timestamp, reason).
- Contractual data: billing contact, invoicing information, communication history with our support and account teams.
- Content you submit: agent intake declarations, evidence documents, and any other content you upload to the platform. This may contain personal data depending on your use — you are the controller of that data; we act as your processor (see the Data Processing Addendum).
We do not knowingly collect special-category data (Article 9 GDPR) through the marketing website. On the platform, we will not process special-category data unless you upload it as part of your content.
Purposes and lawful bases
We process personal data for the following purposes, on the following bases:
- Provide the service (account creation, authentication, platform features) — performance of the contract, Article 6(1)(b).
- Bill and account (invoicing, accounting records) — legal obligation, Article 6(1)(c); French Code de commerce L.123-22 (10-year retention).
- Security & abuse prevention (audit logs, intrusion detection, rate limiting) — legitimate interest, Article 6(1)(f); also our security obligation under Article 32 GDPR.
- Customer support (responding to your requests) — performance of the contract, Article 6(1)(b), or legitimate interest, Article 6(1)(f), where you are not yet a customer.
- Pilot and demo requests (the "Request a pilot" form) — pre-contractual measures at your request, Article 6(1)(b).
- Legal compliance (responding to requests from authorities, exercising and defending rights) — legal obligation, Article 6(1)(c) / legitimate interest, Article 6(1)(f).
Recipients and sub-processors
Personal data is accessed by:
- Authorised Vidimus personnel bound by confidentiality, on a strict need-to-know basis.
- Sub-processors acting on documented instructions (Article 28 GDPR). The current list is maintained in the Data Processing Addendum. As of the date above, key sub-processors include Supabase (EU-region database, authentication, and storage), Vercel (frontend hosting), and Mistral AI (EU-based LLM provider).
- Public authorities where required by an enforceable legal request.
International transfers
Vidimus is designed to keep tenant data inside the European Economic Area. The production database, object storage, and authentication services reside in the EU (Supabase eu-central-1). Default LLM processing is performed by an EU-based provider (Mistral). Where a transfer outside the EEA is unavoidable for a strictly limited ancillary purpose (e.g., the Vercel global edge network for static assets), it is covered by the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) and any further safeguards required by Schrems II.
Retention
We retain personal data for no longer than necessary:
- Account data: for the duration of the customer relationship, plus up to 3 years for the purpose of demonstrating compliance and managing post-contractual matters.
- Accounting records: 10 years (French Code de commerce L.123-22).
- Audit logs: minimum 6 months in line with the EU AI Act record-keeping expectation; longer where sector-specific rules require it.
- Pilot-request data: 3 years from your last interaction with us (CNIL guidance on B2B prospect management).
- Tenant content (agent intake, evidence documents): for the duration of the contract and then deleted or returned per the DPA.
Your rights
Under GDPR Articles 15-22 you have the right to access, rectify, erase, restrict processing of, port, and object to the processing of your personal data, as well as the right not to be subject to a decision based solely on automated processing where it produces legal effects (Article 22). You may also withdraw consent at any time where processing is based on consent, without affecting prior processing.
To exercise these rights, write to dpo@vidimus.eu. We will respond within one month (Article 12(3) GDPR), extendable by two further months for complex requests.
You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
Security
Vidimus applies technical and organisational measures appropriate to the risk (Article 32 GDPR), including encryption in transit (TLS 1.2+) and at rest, Postgres row-level security for tenant isolation, hardened authentication, secret rotation, and an append-only audit trail. Personnel access is granted on a least-privilege basis and is logged.
Changes to this policy
We may update this policy to reflect changes in our processing, in the regulatory environment, or in our sub-processors. Material changes will be notified to account holders by email and surfaced on this page at least 30 days before they take effect.