Privacy Policy | HumanMap

1. Introduction and Data Controller

This Privacy Policy describes how HumanMap ("we", "us", or "our") collects, uses, stores, and protects your personal data when you use our website at humanmap.fr and our organizational chart platform (the "Service"). We are committed to protecting your privacy and handling your data in a transparent, lawful manner. For any questions regarding this policy, you may contact us at [email protected]. HumanMap is based in Paris, France, and acts as the data controller for the personal data described in this policy.

2. Information We Collect

2.1 Account Data

When you create an account, we collect:

• Full name and email address
• Company or organization name
• Country of residence
• Encrypted password (hashed using bcrypt — we never store your password in plain text)
• Subscription and billing history

2.2 Organizational Data

When you use the Service, you may upload or create:

• Employee names, job titles, departments, and contact information
• Team structures and reporting relationships
• Organizational charts and their configurations
• Uploaded files such as profile photos and company logos

2.3 Technical Data

We automatically collect certain technical information:

• IP address and approximate geolocation
• Browser type and version, operating system, and device type
• Pages visited, features used, and time spent on the Service
• Referral source and session identifiers
• Error logs and performance data

3. Legal Bases for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

• Contract performance: Processing necessary to provide the Service you signed up for, including account management, billing, and support.
• Legitimate interest: Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring platform security.
• Consent: Where you have given explicit consent, such as for marketing communications or analytics cookies. You may withdraw consent at any time.
• Legal obligation: Processing necessary to comply with applicable laws, such as tax and accounting requirements.

4. How We Use Your Information

We use your personal data for the following purposes:

• Providing, operating, and maintaining the Service
• Processing payments and managing your subscription
• Responding to your support requests and inquiries
• Sending transactional emails (account confirmations, billing alerts, security notices)
• Analyzing usage patterns to improve features and user experience
• Detecting, preventing, and addressing fraud, abuse, and security issues
• Complying with legal obligations and enforcing our Terms and Conditions

5. Third-Party Service Providers

We share data with the following third-party providers, strictly for the purposes described. Each provider is bound by data processing agreements and maintains appropriate security certifications:

• Supabase (Database and authentication) — Stores your account data and organizational data securely. Hosted exclusively in the EU (Ireland). SOC 2 Type II certified.
• Stripe (Payment processing) — Processes subscription payments and stores payment method information. PCI-DSS Level 1 certified. We never store your full card details on our servers.
• Cloudflare R2 (File storage) — Stores uploaded files such as profile photos and company logos.
• Brevo (Transactional email) — Sends account-related emails including welcome messages, billing alerts, and support notifications.
• PostHog (Product analytics) — Tracks feature usage and platform performance to help us improve the Service. Data is processed on EU servers (eu.i.posthog.com).
• Google Ads (Conversion tracking) — Measures the effectiveness of our advertising campaigns. Tracks signup and purchase conversion events.
• Meta Pixel (Conversion tracking) — Measures the effectiveness of our advertising on Meta platforms. Tracks signup and purchase conversion events.

We do not use a third-party hosting provider. Our application infrastructure is self-hosted and managed directly by HumanMap.

6. Cookies and Tracking Technologies

We use cookies and similar technologies on our Service. These fall into the following categories:

6.1 Essential Cookies

Required for the Service to function. These cannot be disabled.

• Authentication session cookies (to keep you logged in)
• CSRF protection tokens (to prevent cross-site request forgery)

6.2 Analytics Cookies

Help us understand how the Service is used so we can improve it.

• PostHog — Product analytics, processed on EU servers

6.3 Marketing Cookies

Used to measure the effectiveness of our advertising campaigns.

• Google Ads (gtag) — Conversion tracking for ad campaigns
• Meta Pixel (fbq) — Conversion tracking for Meta ad campaigns

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core Service functionality.

7. Data Sharing and Disclosure

7.1 We Never Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes.

7.2 Limited Sharing

We may share your data only in these circumstances:

• Service providers: With the third-party providers listed in Section 5, solely to operate and improve the Service.
• Legal requirements: When required by law, regulation, legal process, or enforceable governmental request.
• Business transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.
• With your consent: When you explicitly authorize us to share your data with a specific third party.
• Safety and security: To protect the rights, property, or safety of HumanMap, our users, or the public.

8. International Data Transfers

Our primary database is hosted by Supabase exclusively in the EU (Ireland), and PostHog analytics data is also processed on EU servers. However, some of our other service providers (such as Stripe, Cloudflare, Google, and Meta) may process data in countries outside the European Economic Area (EEA), including the United States. When data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) to ensure your data receives an adequate level of protection.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• TLS encryption for all data transmitted between your browser and our servers
• Encryption at rest for stored data
• Password hashing using bcrypt — we never store or have access to your plain-text password
• Row Level Security (RLS) in our database to ensure strict data isolation between organizations
• CSRF token protection on all state-changing operations
• Regular security reviews and monitoring
• Strict access controls limiting internal access to personal data on a need-to-know basis

While we take every reasonable precaution, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected].

10. Data Retention

We retain your data for the following periods:

• Account and organizational data: Retained while your account is active, then deleted within 30 days of account closure.
• Billing and transaction records: Retained for 5 years after the transaction date, as required by French tax and accounting law.
• Technical and usage logs: Retained for up to 12 months, then automatically purged.
• Support correspondence: Retained for 2 years after the last interaction for quality and reference purposes.

You may request earlier deletion of your data at any time, subject to legal retention obligations.

11. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data ("right to be forgotten").
• Right to data portability: Request your data in a structured, machine-readable format (JSON export available through the Service).
• Right to restrict processing: Request that we limit the processing of your personal data in certain circumstances.
• Right to object: Object to processing based on legitimate interest or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the French data protection authority (CNIL) or your local supervisory authority.

12. Children's Privacy

The Service is intended for users aged 18 and older. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a minor, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify you at least 30 days in advance via email or a prominent notice within the Service. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

• Email: [email protected]
• Address: HumanMap, Paris, France