Privacy Policy
Last updated: April 28, 2026
FLUXA SAS is committed to protecting your personal data. This policy informs you how we collect, use and protect your data when you use the GEOanalyze service accessible at geoanalyze.com.
This policy is established in accordance with Regulation (EU) 2016/679 of 27 April 2016 (the "GDPR") and French Law No. 78-17 of 6 January 1978 as amended ("French Data Protection Act").
1. Data controller
FLUXA SAS
Legal form: Simplified Joint Stock Company (SAS)
Share capital: 1 000 €
Registered office: 7 Boulevard du 8 Mai 1945, 16000 Angoulême
RCS: Angoulême B 103 868 824 — SIREN: 103 868 824
VAT number: FR95 103868824
Email: [email protected]
2. Data Protection Officer (DPO)
We have not designated a Data Protection Officer, as designation is not mandatory in our case (Article 37 GDPR). For any questions regarding data processing, contact us at [email protected].
3. Data collected, purposes and legal bases
We process your personal data for the following purposes, each supported by a legal basis under Article 6 of the GDPR:
| Purpose | Data | Legal basis | Retention |
|---|---|---|---|
| Order fulfillment and report delivery | Email address, analyzed URL, Stripe payment identifiers | Contract performance (6.1.b) | 3 years from last interaction |
| Accounting and tax obligations | Billing data, email | Legal obligation (6.1.c — Art. L. 123-22 Code of Commerce) | 10 years |
| Security, fraud prevention and incident logging | IP address, connection logs, application events | Legitimate interest (6.1.f) | 12 months |
| Newsletter (service updates, GEO educational content) | Email address, subscription status, open/click events | Consent (6.1.a) — dedicated checkbox | Until consent is withdrawn (unsubscribe link in every email) |
| Audience analytics (Google Analytics) | Cookie identifiers, anonymized IP, navigation path | Consent (6.1.a) — cookie banner | 13 months |
| Cookie consent management | Consent preferences | Consent (6.1.a) | 6 months |
We do not collect special categories of data under Article 9 of the GDPR (health data, ethnic origin, political opinions, biometric data, etc.).
4. Use of third-party AI models
To produce the GEO audit, we query several AI models from third-party providers (Anthropic, OpenAI, Google). The data sent to these models consists of:
- the URL you submit and the public HTML content fetched at that URL;
- questions written by FLUXA SAS concerning the business sector, product or service identified from that URL.
No personal account data (email, billing details, etc.) is sent to these models. However, if the analyzed URL contains identifying information (trade name, name of a sole trader, etc.), this information will be processed by the queried models. The terms of use of the relevant providers apply in addition to this policy:
5. Sub-processors
In accordance with Article 28 of the GDPR, we use the following sub-processors, contractually committed to GDPR compliance and appropriate security measures:
| Sub-processor | Role | Location | Guarantees |
|---|---|---|---|
| Scaleway SAS | Infrastructure & hosting (Dedibox, Docker containers) | France | EU |
| Supabase Inc. | Managed database and authentication (PostgreSQL) | United States (headquarters) — data stored in an EU region | SCC |
| Stripe Payments Europe Ltd / Stripe, Inc. | Online payment processing | Ireland / United States | SCC + DPF |
| Anthropic, PBC | Semantic analysis and GEO visibility test (Claude API) | United States | SCC |
| OpenAI, L.L.C. | GEO visibility test (ChatGPT Search API) | United States | SCC |
| Google LLC / Google Ireland Ltd | GEO visibility test (Gemini API) and audience analytics (Google Analytics) | United States / Ireland | SCC + DPF |
| Sendinblue SAS (Brevo) | Transactional emails and newsletter delivery | France | EU |
SCC = Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914). DPF = Data Privacy Framework (US certification, see dataprivacyframework.gov). These mechanisms ensure an adequate level of protection for transfers to the United States.
6. Transfers outside the European Union
Some of our sub-processors (Anthropic, OpenAI, Stripe, Google, Supabase) are established in the United States or contract through their US entity. These transfers are governed by Standard Contractual Clauses adopted by the European Commission and, where applicable, by the Data Privacy Framework (DPF) when the sub-processor is certified. You may obtain a copy of these guarantees on request at [email protected].
7. Newsletter and unsubscription
If you have ticked the newsletter opt-in box at order time, your email is added to our mailing list managed via Brevo (Sendinblue SAS, France). You can unsubscribe at any time:
- by clicking the Unsubscribe link at the bottom of every email received;
- or by emailing [email protected] with subject "Newsletter unsubscribe".
Withdrawing your consent does not affect the lawfulness of previous mailings.
8. Your rights
Under Articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights:
- Right of access (art. 15): confirm whether your data is processed and receive a copy.
- Right of rectification (art. 16): have inaccurate or incomplete data corrected.
- Right to erasure (art. 17): request deletion of your data, subject to legal retention obligations (notably accounting).
- Right to restriction (art. 18): request temporary suspension of processing.
- Right to data portability (art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (art. 21): object to processing on grounds relating to your particular situation.
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise these rights, contact us at [email protected]. We respond within one (1) month of receiving your request, extendable by two (2) months for complex or numerous requests, in accordance with Article 12 of the GDPR.
9. Right to lodge a complaint
If you believe, after contacting us, that your rights are not respected, you may lodge a complaint with the CNIL:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
www.cnil.fr/plaintes
10. Data security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure or destruction, in accordance with Article 32 of the GDPR: encrypted communications (HTTPS/TLS), strong authentication (TOTP) on administrator accounts, environment isolation, Row-Level Security access controls in the database, incident logging.
In the event of a data breach likely to create a risk to your rights and freedoms, we will notify the CNIL within 72 hours and, if the risk is high, notify you as soon as possible (Articles 33 and 34 GDPR).
11. Cookies
For more information on cookies and trackers, see our Cookie Policy.
12. Policy updates
We reserve the right to update this policy to reflect regulatory or technical changes. In the event of a material change (new sub-processor, new purpose, etc.), we will notify you by email before the changes take effect.