Privacy policy
Transparency is part of our security promise. This policy explains what information we collect, how we use it, and how you can exercise your rights under GDPR.
Preamble
KANAP (hereinafter "KANAP"), a SARL registered with the RCS Saverne under number 939 098 190, whose registered office is located at 2, rue du Finhay, 67210 Obernai, France, attaches the highest importance to the protection of your personal data. This privacy policy (hereinafter the "Policy") aims to inform you in a clear and transparent manner about the processing of personal data implemented by KANAP in connection with the use of the online IT budget management platform "CIO Assistant" (hereinafter "the Platform").
KANAP undertakes to comply with the General Data Protection Regulation (GDPR) and French Law No. 78-17 of January 6, 1978 relating to data processing, files, and freedoms, as amended.
1. Data Controller
The data controller for personal data collected via the Platform is KANAP, a SARL registered with the RCS Saverne under number 939 098 190, whose registered office is located at 2, rue du Finhay, 67210 Obernai, France.
For data entered by customers into the Platform (budget data, financial information, user data within tenants), the customer organization acts as the data controller, and KANAP acts as the data processor.
2. Personal Data Collected
KANAP collects the following personal data from users of the Platform:
- Account information: First name, last name, email address, job title, organization name
- Authentication data: Login credentials (passwords are hashed and never stored in plain text)
- Usage data: Platform usage logs, session information, IP addresses
- Financial data: Budget items, CAPEX/OPEX data, allocation information, contract details entered by users
- Billing information: Company name, billing address, VAT number
 
Payment information (credit card details) is not known to KANAP. It is processed directly by the secure payment platform (Stripe).
3. Purposes of Processing
Personal data collected by KANAP is processed for the following purposes:
- Service provision: Data is necessary to provide access to the Platform, manage user accounts, and deliver the IT budget management service.
- Service improvement: Usage data is used to improve the quality and functionality of the service, identify technical issues, and optimize performance.
- Customer support: Data is used to respond to user inquiries, provide technical assistance, and resolve issues.
- Billing and invoicing: Data is necessary to process subscriptions, issue invoices, and manage payments.
- Security: Data is processed to ensure the security of the Platform, detect and prevent fraud, unauthorized access, and security incidents.
- Legal compliance: Data is processed to comply with legal and regulatory obligations.
 
4. Legal Basis for Processing
The processing of your personal data is based on the following legal grounds:
- Contract performance: Processing is necessary to provide the CIO Assistant service (account management, Platform access, etc.).
- Legitimate interest: Processing for service improvement, security, and fraud prevention is based on KANAP's legitimate interest in developing and providing a quality and secure service.
- Legal obligation: Processing may be necessary to comply with legal obligations (accounting, tax, anti-money laundering, etc.).
- Consent: For certain optional features or communications, processing may be based on the user's explicit consent.
 
5. Data Recipients
KANAP may share your personal data in the following cases:
- Service providers: KANAP may use service providers (hosting, infrastructure, payment processing, email services, etc.) who may have access to personal data in the course of their duties. These providers are bound by confidentiality and security obligations and act as data processors under KANAP's instructions.
- Legal obligations: KANAP may be required to disclose personal data to administrative or judicial authorities when required by law.
 
KANAP undertakes not to share users' personal data for commercial purposes other than those mentioned above. KANAP will never sell or rent your personal data to third parties.
6. Data Retention Period
KANAP retains users' personal data for the period necessary to fulfill the purposes for which it was collected, plus applicable legal limitation periods:
- Account data (name, email, etc.) is retained for the duration of the subscription and for 3 years after the end of the subscription, for administrative and litigation management purposes.
- Usage data is retained for 1 year for service improvement purposes.
- Financial data entered by customers (budget items, CAPEX/OPEX, contracts) is retained for the duration of the subscription and may be deleted at the customer's request or automatically 30 days after account cancellation.
- Billing and invoicing data is retained for 10 years in accordance with French accounting and tax regulations.
- Payment data is not retained by KANAP and is managed directly by the payment processor (Stripe).
 
7. Data Security
KANAP implements appropriate technical and organizational measures to ensure the security of personal data and protect it against destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures include:
- Encryption of data at rest and in transit (TLS/SSL)
- Role-based access control and authentication mechanisms
- Regular security audits and vulnerability assessments
- Secure hosting infrastructure within the European Union
- Password hashing using industry-standard algorithms (Argon2)
- Multi-tenant isolation using Row-Level Security (RLS) in the database
- Incident response procedures and breach notification protocols
 
8. User Rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access: You can request access to your personal data held by KANAP.
- Right to rectification: You can request correction or updating of your personal data.
- Right to erasure: You can request deletion of your personal data, subject to legal obligations.
- Right to restriction of processing: You can request that KANAP limit the processing of your data in certain situations.
- Right to object: You can object to the processing of your data for legitimate reasons.
- Right to data portability: You can request that KANAP provide your personal data in a structured, machine-readable format.
- Right to withdraw consent: You can withdraw your consent at any time for processing based on consent.
 
To exercise your rights, you can contact KANAP at the following email address: admin@cio-assistant.com.
You also have the right to lodge a complaint with the French Data Protection Authority (CNIL - Commission Nationale de l'Informatique et des Libertés).
9. International Data Transfers
KANAP hosts all data within the European Union. In the event that data needs to be transferred outside the EU (for example, to a service provider), KANAP will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
10. Cookies and Tracking Technologies
The CIO Assistant website and Platform may use cookies and similar tracking technologies for the following purposes:
- Essential cookies: Necessary for the operation of the Platform (authentication, session management).
- Analytics cookies: To understand how visitors use the site and improve user experience.
 
You can manage your cookie preferences through your browser settings. Note that disabling essential cookies may affect the functionality of the Platform.
11. Modifications to the Policy
KANAP reserves the right to modify this Policy at any time. Users will be notified of changes by any means, including a notification on the Platform or by email. Continued use of the Platform after modification of the Policy implies acceptance of these changes.
Last updated: October 12, 2025. For any questions regarding this privacy policy, please contact admin@cio-assistant.com.