privacy policy

The hosted swarmrise service is published and operated by Yorga, a French SASU (Societe par Actions Simplifiee Unipersonnelle) registered under SIREN 889 512 406. For the purposes of GDPR and other applicable data protection laws, Yorga acts as the data controller for personal data collected through the Service. This means Yorga determines the purposes and means of processing your personal data.

If you have questions about our data practices or wish to exercise your rights, please contact us through the channels listed in the Contact Information section below. You may also lodge a complaint with the CNIL (Commission nationale de l'informatique et des libertes), which is the French data protection supervisory authority.

We collect information that you provide directly to us, as well as information collected automatically when you use the Service.

2.1 Account Information

When you create an account, we collect:

• First name and surname
• Email address
• Profile picture (optional, if provided through authentication)

2.2 Organization Data

When you create or join organizations, we collect and process:

• Organization names and settings
• Team structures and hierarchies
• Role assignments (leader, secretary, referee)
• Membership information
• Invitation data (email addresses of invitees)

2.3 Optional Contact Information

You may choose to provide additional contact information, including:

• Mobile phone number
• Physical address
• Social media profiles (LinkedIn, Facebook, Instagram, WhatsApp)

This information is entirely optional and collected only with your explicit consent.

2.4 Usage Data

We automatically collect certain information when you use the Service:

• Browser type and version
• Device information
• IP address
• Pages visited and features used
• Date and time of access

2.5 Decision Audit Trail

To ensure transparency and accountability, we maintain audit trails of significant actions within organizations, including:

• Author email for changes made
• Timestamps of actions
• Before and after states of modified data

We use the information we collect for the following purposes, each with a specific legal basis under GDPR:

3.1 Service Provision (Contract - Article 6(1)(b))

• Create and manage your user account
• Provide access to organization management features
• Process organization memberships and invitations
• Enable team and role management functionality
• Authenticate your identity

3.2 Legitimate Interests (Article 6(1)(f))

• Maintain decision audit trails for accountability
• Improve and optimize the Service
• Prevent fraud and ensure security
• Respond to support requests

3.3 Consent (Article 6(1)(a))

• Store optional contact information you choose to provide
• Display your profile picture

You may withdraw consent at any time by updating your profile settings or contacting us.

We use the following third-party services to operate the Service. Each of these services processes your data on our behalf:

4.1 Clerk (Authentication)

• Purpose: User authentication and identity management
• Data processed: Email, name, profile picture, authentication credentials
• Location: United States
• Privacy policy: clerk.com/legal/privacy

4.2 Convex (Database and Backend)

• Purpose: Real-time database storage and serverless backend functions
• Data processed: All application data including user profiles, organization data, and audit trails
• Location: United States
• Privacy policy: convex.dev/legal/privacy

4.3 Google Fonts

• Purpose: Font delivery (Montserrat Alternates)
• Data processed: IP address (minimal)
• Privacy policy: policies.google.com/privacy

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: Retained for the lifetime of your account. When you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
• Organization data: Retained for the duration of your membership in an organization. When you leave an organization, your member record is removed, though audit records may be retained for accountability purposes.
• Invitation data: Retained until the invitation is accepted, rejected, or expires.
• Audit trails: Retained for the lifetime of the organization for accountability and compliance purposes.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:

6.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.

6.2 Right to Rectification (Article 16)

You have the right to correct inaccurate personal data and to have incomplete data completed. You can update most of your information directly through your account settings.

6.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data under certain circumstances, including when the data is no longer necessary for the purposes for which it was collected.

6.4 Right to Restriction (Article 18)

You have the right to request restriction of processing of your personal data under certain circumstances.

6.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

6.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests, including profiling.

6.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws. As Yorga is established in France, you may contact the CNIL (Commission nationale de l'informatique et des libertes) at cnil.fr.

To exercise any of these rights, please contact us using the information in the Contact section below. We will respond to your request within 30 days.

We use browser storage technologies to provide and improve the Service. Our use is limited to strictly necessary functionality:

7.1 Local Storage

7.2 Authentication Cookies

Clerk (our authentication provider) uses session cookies for authentication state management. These are strictly necessary for the Service to function and do not require consent under the ePrivacy Directive.

7.3 No Tracking Cookies

We do not use analytics, advertising, or tracking cookies. We do not engage in behavioral tracking or targeted advertising.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
• Secure authentication: We use Clerk, a specialized authentication provider, with industry-standard security practices.
• Multi-tenant isolation: Organization data is logically isolated to prevent unauthorized cross-organization access.
• Access controls: Role-based access controls ensure users can only access data they are authorized to view.
• Regular security reviews: We conduct regular security assessments of our codebase and infrastructure.

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States, where our third-party service providers (Clerk and Convex) are located.

For transfers of personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with our service providers
• Supplementary measures where necessary to address specific risks

You may request a copy of the safeguards we have in place by contacting us.

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify you by email or through a prominent notice on the Service
• For significant changes affecting your rights, we may request renewed consent

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about our data practices, please contact us:

• Publisher: Yorga (SASU, SIREN 889 512 406)
• GitHub: github.com/yves-christol/swarmrise
• Supervisory authority: CNIL (Commission nationale de l'informatique et des libertes) -- cnil.fr

We will respond to all legitimate requests within 30 days. In some cases, we may need to verify your identity before processing your request.