trasimene.app
Privacy Policy
Last updated: April 3, 2026
— 01 —
Data Controller
TRASIMENE SAS, 61 Rue de Lyon, 75012 Paris — contact@trasimene.com. In accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection law, you have rights over your personal data. The Data Protection Officer (DPO) can be reached at the same email address.
— 02 —
Data Collected
User account: email address, first and last name, hashed password (bcrypt, not readable by Trasimène), registration date, unique identifier.
Service usage: access logs (IP, user-agent, timestamp — 30 days), anonymised scan events (pseudonymised device ID, aggregated results), push notification tokens (Firebase token — revocable).
Digital vault: data is encrypted with AES-256-GCM client-side before transmission; Trasimène does not hold the decryption key and cannot access your vault content.
Payment: no card data is stored by Trasimène. All transactions are handled exclusively by our PCI-DSS certified payment provider.
— 03 —
Legal Bases for Processing
Contract performance (Art. 6.1.b GDPR): user account management, provision of the security service, subscription management.
Consent (Art. 6.1.a GDPR): newsletter delivery, analytics and marketing cookies.
Legitimate interests (Art. 6.1.f GDPR): platform security, fraud prevention, technical monitoring (Sentry).
Legal obligation (Art. 6.1.c GDPR): retention of connection logs (French legal requirement — 1 year).
— 04 —
Retention Periods
Active account: data retained for the duration of the subscription, plus 12 additional months after cancellation (appeal period).
Access logs: 30 rolling days.
Newsletter: until unsubscription, then deleted within 30 days.
Vault: data deleted within 7 days of account closure.
— 05 —
Sub-processors
TRASIMENE SAS uses the following sub-processors, all bound by a GDPR-compliant data processing agreement:
Google Cloud (Google LLC) — data hosting, region europe-west1 (EU) — https://cloud.google.com/security/compliance/gdpr
PostHog Inc. — product analytics, EU servers — https://posthog.com/privacy
Sentry (Functional Software Inc.) — error monitoring — https://sentry.io/privacy
Have I Been Pwned (Troy Hunt) — dark web monitoring API — no personal data transmitted (partial SHA-1 hash only)
— 06 —
Cookies
Essential cookies (no consent required): authentication session (NextAuth.js), language preferences.
Analytics cookies (consent required): PostHog — anonymised audience measurement, service improvement.
Marketing cookies (consent required): Google Analytics, Meta Pixel — targeted advertising and campaign measurement.
You can manage your cookie preferences at any time via the Manage cookies button at the bottom of the page.
— 07 —
Your GDPR Rights
Under Articles 15 to 22 of the GDPR, you have the following rights:
Right of access (Art. 15) · Right to rectification (Art. 16) · Right to erasure (Art. 17) · Right to data portability (Art. 20) · Right to object (Art. 21) · Right to restriction of processing (Art. 18) · Right to withdraw consent at any time.
To exercise your rights: contact@trasimene.com — response within 30 days. Proof of identity may be requested.
— 08 —
Complaints to a Supervisory Authority
If you believe that processing of your personal data does not comply with applicable regulations, you have the right to lodge a complaint with the relevant supervisory authority. In France: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07 — https://www.cnil.fr.
— 09 —
International Transfers
Some sub-processors (Sentry, Have I Been Pwned) may process data outside the European Union. Such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or by equivalent safeguards.