trasimene.com

Privacy Policy

Last updated: April 3, 2026


— 01 —

Data Controller

TRASIMENE SAS, 61 Rue de Lyon, 75012 Paris — contact@trasimene.com. In accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act (loi Informatique et Libertés), you have rights over your personal data. The data protection contact can be reached at the same email address.

— 02 —

Data Collected

User account: email address, first and last name, hashed password (bcrypt, not readable by Trasimène), registration date, unique identifier.

Service usage: access logs (IP, user-agent, timestamp — 30 days), anonymised scan events (pseudonymised device ID, aggregated results), push notification tokens (Firebase token — revocable).

Digital vault: data is encrypted with AES-256-GCM client-side before transmission; Trasimène does not hold the decryption key and cannot access your vault content.

Payment: no card data is stored by Trasimène. All transactions are handled exclusively by our PCI-DSS certified payment provider.

— 03 —

Legal Bases for Processing

Contract performance (Art. 6.1.b GDPR): user account management, provision of security service, subscription management.

Consent (Art. 6.1.a GDPR): newsletter delivery, analytics and marketing cookies.

Legitimate interests (Art. 6.1.f GDPR): platform security, fraud prevention, technical monitoring (Sentry).

Legal obligation (Art. 6.1.c GDPR): retention of connection logs (French legal requirement — 1 year).

— 04 —

Retention Periods

Active account: data retained for the duration of the subscription, plus 12 additional months after cancellation (appeal period).

Access logs: 30 rolling days.

Newsletter: until unsubscription, then deleted within 30 days.

Vault: data deleted within 7 days of account closure.

— 05 —

Sub-processors

TRASIMENE SAS uses the following sub-processors, all bound by a GDPR-compliant data processing agreement:

Google Cloud (Google LLC) — data hosting, region europe-west1 (EU) — https://cloud.google.com/security/compliance/gdpr

PostHog Inc. — product analytics, EU servers — https://posthog.com/privacy

Sentry (Functional Software Inc.) — error monitoring — https://sentry.io/privacy

Have I Been Pwned (Troy Hunt) — dark web monitoring API — no personal data transmitted (partial SHA-1 hash only)

RevenueCat Inc. — in-app subscription management — https://www.revenuecat.com/privacy

VirusTotal (Google LLC) — APK and URL antivirus analysis — https://support.virustotal.com/hc/en-us/articles/115002168385-Privacy-Policy

Google Safe Browsing (Google LLC) — malicious URL verification — https://safebrowsing.google.com/

Resend Inc. — transactional email delivery — https://resend.com/legal/privacy-policy

— 06 —

Cookies

Essential cookies (no consent required): authentication session (NextAuth.js), language preferences.

Analytics cookies (consent required): PostHog, Google Analytics — anonymised audience measurement, service improvement.

Marketing cookies (consent required): Meta Pixel, TikTok, LinkedIn, X — targeted advertising and campaign measurement.

You can manage your cookie preferences at any time via the Manage cookies button at the bottom of the page.

— 07 —

Your GDPR Rights

Under Articles 15 to 22 of the GDPR, you have the following rights:

Right of access (Art. 15) · Right to rectification (Art. 16) · Right to erasure (Art. 17) · Right to data portability (Art. 20) · Right to object (Art. 21) · Right to restriction of processing (Art. 18) · Right to withdraw consent at any time.

To exercise your rights: contact@trasimene.com — response within 30 days. Proof of identity may be requested.

— 08 —

Complaints to a Supervisory Authority

If you believe that processing of your personal data does not comply with applicable regulations, you have the right to lodge a complaint with the relevant supervisory authority. In France: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07 — https://www.cnil.fr.

— 09 —

International Transfers

Some sub-processors (Sentry, Have I Been Pwned) may process data outside the European Union. Such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or by equivalent safeguards.

— 10 —

Minors

Access to the service is restricted to adults; minors must obtain the express consent of the holder of parental authority (see ToS). In accordance with Article 45 of the French Data Protection Act (loi Informatique et Libertés), a minor under 15 years of age cannot consent alone to the processing of their personal data: the joint consent of the minor and the holder of parental authority is required. The holder of parental authority may exercise GDPR rights on behalf of the minor by writing to contact@trasimene.com.

— 11 —

Post-mortem Directives

In accordance with Article 85 of the French Data Protection Act (loi Informatique et Libertés), you may set directives regarding the retention, erasure and disclosure of your personal data after your death, and modify them at any time by writing to contact@trasimene.com. In the absence of directives, your heirs may exercise certain rights under the conditions provided by law.