Back to Home

Privacy and data protection

Privacy Policy | HumanMap

A plain-language overview of what HumanMap collects, why we process it, who helps us run the service, and how you can exercise your rights.

Effective date

Last updated: 2026-06-18

Data roles

HumanMap is controller for account, billing, website, and support data, and processor for organizational data uploaded by customers.

Privacy contact

[email protected]

Key points

  • Your organizational data remains yours and is used to provide, secure, support, and improve the Service.
  • Core account and organizational data is stored through EU-hosted Supabase infrastructure.
  • Payment, email, storage, analytics, advertising, and security providers process only the data needed for their role.
  • Non-essential analytics and marketing trackers require consent where applicable; you can contact us to withdraw or adjust consent.
  • GDPR rights requests can be sent to [email protected] and are handled within one month.
Table of Contents
  1. 1. Introduction and Data Controller
  2. 2. Information We Collect
  3. 3. Legal Bases for Processing
  4. 4. How We Use Your Information
  5. 5. Third-Party Service Providers
  6. 6. Cookies and Tracking Technologies
  7. 7. Data Sharing and Disclosure
  8. 8. International Data Transfers
  9. 9. Data Security
  10. 10. Data Retention
  11. 11. Your Rights
  12. 12. Children's Privacy
  13. 13. Changes to This Policy
  14. 14. Contact Us

This page is intended to explain our data practices clearly. It is not a substitute for a signed data processing agreement or legal advice for your organization.

1. Introduction and Data Controller

This Privacy Policy describes how HumanMap ("we", "us", or "our") collects, uses, stores, and protects personal data when you use our website at humanmap.fr and our organizational chart platform (the "Service"). HumanMap is based in Paris, France. We act as data controller for account, billing, website, support, and service-administration data. For organizational data that customers upload about their employees, teams, and charts, the customer is generally the data controller and HumanMap acts as a data processor under the customer's instructions.

2. Information We Collect

2.1 Account Data

When you create an account, we collect:

  • Full name and email address
  • Company or organization name
  • Country of residence
  • Authentication data such as password hashes, magic-link/verification activity, and session metadata
  • Subscription and billing history

2.2 Organizational Data

When you use the Service, you may upload or create:

  • Employee names, job titles, departments, and contact information
  • Team structures and reporting relationships
  • Organizational charts and their configurations
  • Uploaded files such as profile photos and company logos

2.3 Technical Data

We automatically collect certain technical information:

  • IP address and approximate geolocation
  • Browser type and version, operating system, and device type
  • Pages visited, features used, and time spent on the Service
  • Referral source and session identifiers
  • Error logs, security logs, and performance data
  • Consent and communication preferences

4. How We Use Your Information

We use your personal data for the following purposes:

  • Providing, operating, and maintaining the Service
  • Processing payments and managing your subscription
  • Responding to your support requests and inquiries
  • Sending transactional emails (account confirmations, billing alerts, security notices)
  • Analyzing usage patterns to improve features and user experience
  • Detecting, preventing, and addressing fraud, abuse, and security issues
  • Complying with legal obligations and enforcing our Terms and Conditions

5. Third-Party Service Providers

We share data with the following third-party providers, strictly for the purposes described. Each provider is bound by data processing agreements and maintains appropriate security certifications:

  • Hetzner (Application hosting) — Hosts the HumanMap application infrastructure in Germany. Processes application traffic, request metadata, security logs, and service data needed to provide, secure, and maintain the Service.
  • Supabase (Database and authentication) — Stores your account data and organizational data securely. Hosted exclusively in the EU (Ireland). SOC 2 Type II certified.
  • Stripe (Payment processing) — Processes subscription payments and stores payment method information. PCI-DSS Level 1 certified. We never store your full card details on our servers.
  • Cloudflare R2 (File storage) — Stores uploaded files such as profile photos and company logos.
  • Brevo (Transactional email) — Sends account-related emails including welcome messages, billing alerts, and support notifications.
  • PostHog (Product analytics) — Tracks feature usage and platform performance to help us improve the Service. Data is processed on EU servers (eu.i.posthog.com).
  • Google Ads (Conversion tracking) — Measures the effectiveness of our advertising campaigns. Tracks signup and purchase conversion events.
  • Meta Pixel (Conversion tracking) — Measures the effectiveness of our advertising on Meta platforms. Tracks signup and purchase conversion events.
  • Cloudflare Turnstile (Bot protection) — Helps protect registration, authentication, and forms from automated abuse.

We may update this provider list when our infrastructure changes. We require providers to process data only for the services they provide to us and to apply appropriate safeguards.

6. Cookies and Tracking Technologies

We use cookies and similar technologies on our Service. These fall into the following categories:

6.1 Essential Cookies

Required for the Service to function. These cannot be disabled.

  • Authentication session cookies (to keep you logged in)
  • CSRF protection tokens (to prevent cross-site request forgery)

6.2 Analytics Cookies

Help us understand how the Service is used so we can improve it. Where required, these trackers are used only with consent unless they meet a strict legal exemption.

  • PostHog — Product analytics, processed on EU servers

6.3 Marketing Cookies

Used to measure the effectiveness of our advertising campaigns and generally require consent before use.

  • Google Ads (gtag) — Conversion tracking for ad campaigns
  • Meta Pixel (fbq) — Conversion tracking for Meta ad campaigns

You can update non-essential tracker consent from Cookie settings in the product footer, or block/delete cookies through your browser settings. You may also contact us at [email protected] to withdraw or update consent. Disabling non-essential trackers will not affect core Service functionality.

7. Data Sharing and Disclosure

7.1 We Never Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes.

7.2 Limited Sharing

We may share your data only in these circumstances:

  • Service providers: With the third-party providers listed in Section 5, solely to operate, secure, support, analyze, and improve the Service.
  • Legal requirements: When required by law, regulation, legal process, or enforceable governmental request.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.
  • With your consent: When you explicitly authorize us to share your data with a specific third party.
  • Safety and security: To protect the rights, property, or safety of HumanMap, our users, or the public.

8. International Data Transfers

Our application infrastructure is hosted by Hetzner in Germany, our primary database is hosted by Supabase in the EU (Ireland), and PostHog analytics data is configured for EU processing. Some service providers, including Stripe, Cloudflare, Google, Meta, and email or support providers, may process data outside the European Economic Area (EEA), including the United States. When data is transferred outside the EEA, we rely on appropriate safeguards such as adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, or the European Commission's Standard Contractual Clauses (SCCs).

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • TLS encryption for all data transmitted between your browser and our servers
  • Encryption at rest for stored data
  • Password hashing using bcrypt — we never store or have access to your plain-text password
  • Row Level Security (RLS) in our database to ensure strict data isolation between organizations
  • CSRF token protection on all state-changing operations
  • Bot protection for sensitive public forms
  • Regular security reviews and monitoring
  • Strict access controls limiting internal access to personal data on a need-to-know basis

While we take every reasonable precaution, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected].

10. Data Retention

We retain your data for the following periods:

  • Account and organizational data: Retained while your account is active, then deleted or anonymized within 30 days of account closure unless we must retain it for legal, security, backup, or dispute-resolution reasons.
  • Billing and transaction records: Retained for 5 years after the transaction date, as required by French tax and accounting law.
  • Technical and usage logs: Retained for up to 12 months, then deleted or anonymized unless needed to investigate security, fraud, or service reliability issues.
  • Support correspondence: Retained for 2 years after the last interaction for quality and reference purposes.

You may request earlier deletion of your data at any time, subject to legal retention obligations.

11. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to data portability: Request your data in a structured, machine-readable format (JSON export available through the Service).
  • Right to restrict processing: Request that we limit the processing of your personal data in certain circumstances.
  • Right to object: Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Automated decision-making: We do not use your personal data for decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, contact us at [email protected]. We will respond within one month and may ask for information needed to verify your identity. If you are unsatisfied with our response, you have the right to lodge a complaint with the French data protection authority (CNIL) or your local supervisory authority.

12. Children's Privacy

The Service is intended for users aged 18 and older. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a minor, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes, we will provide reasonable advance notice by email, in-product notice, or another appropriate method before the change takes effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:


    Privacy Policy | HumanMap