GDPR and personal data

Privacy

Ultimo aggiornamento: March 20, 2026

This policy explains what data is collected, why it is collected, which legal basis applies, how long it is kept and how you can exercise your rights.

This complete legal page is currently available in French and English. Other site languages temporarily fall back to this version to avoid approximate contractual translations.

Data controller Orynela, operating under the Orynela™ brand, acts as the data controller for the processing described below.
Your rights Access, rectification, objection, erasure, restriction, portability and withdrawal of consent when consent is the applicable legal basis.
Security measures Secret encryption (AES-256), password hashing (Argon2id), logging, HTTPS/TLS, access segregation and continuous technical review.
GDPR contact point rgpd@orynela.ai
Data Protection Officer No DPO has been appointed at this stage given the size and nature of the activity. The GDPR contact point (rgpd@orynela.ai) fulfils this operational role.

Data categories

  • Account data: name, email, language, account status, creation date and login timestamps.
  • Supplementary identification data: phone number, postal address, city, postal code and country when provided during registration.
  • Technical data: IP address, user agent, security logs, session traces and anti-fraud metadata.
  • Usage data: visited pages, interface preferences, dashboard actions and event history.
  • Billing data: Stripe customer identifier, subscription, payment status, invoices and transactions handled by the payment provider. Full credit card details are never stored by Orynela.
  • Broker-related data: encrypted API keys (public key, secret key), strategy settings, execution logs, instruction history and related technical statuses. API keys are encrypted at rest (AES-256) and in transit (TLS). Access is strictly limited to automated processes required for service delivery.
  • Marketing data: email address and opt-in preference when the user consents to receive promotional communications.

Purposes and legal bases

  • Contract performance (GDPR art. 6(1)(b)): account creation, service delivery, authentication, support, billing, transmission of operation instructions via the broker API and incident prevention.
  • Legitimate interest (GDPR art. 6(1)(f)): security, logging, fraud prevention, product improvement, internal analytics and defense of our rights.
  • Legal obligation (GDPR art. 6(1)(c)): retention of accounting records (10 years), retention of connection logs (12 months, LCEN obligation), abuse prevention and responses to competent authorities.
  • Consent (GDPR art. 6(1)(a)): optional cookies, non-essential analytics or marketing communication if enabled.

Recipients and processors

  • Internal team members or technical providers strictly authorized on a need-to-access basis.
  • Stripe (payment processor) for transaction and billing management — broker API keys are never shared with Stripe.
  • Hosting provider (Hostinger International Ltd.) and infrastructure providers for availability, backup and platform security.
  • OAuth providers (Google, GitHub) when the user chooses those login methods.
  • User's broker: API keys are used exclusively to transmit operation instructions configured by the user on their own broker account.

Transfers outside the EU

  • Some providers (notably Stripe, Google, GitHub) may process data from countries located outside the European Union.
  • When that happens, transfers are framed by appropriate safeguards such as standard contractual clauses (SCCs), European Commission adequacy decisions or equivalent technical measures.

Retention periods

  • Identification data (name, email, account): for the duration of the contractual relationship, then deleted or anonymized within 3 years of the last activity, unless a longer period is required by law.
  • Broker API keys: for the duration of the active subscription, then deleted within 30 days of account termination.
  • Operation data (instruction history, execution logs): for the subscription duration, then archived for 5 years for accounting and tax obligations.
  • Payment data: for the transaction duration, then 13 months (CNIL recommendation). Full card details are never stored.
  • Security logs and connection traces (IP, user-agent): rolling 12 months (LCEN obligation).
  • Accounting records and invoices: 10 years in accordance with article L123-22 of the French Commercial Code.
  • GDPR requests and support exchanges: 3 years from closure of the request.
  • Cookie consent: duration of the cookie (180 days maximum), renewed with each new choice.

Automated decision-making and profiling

  • The service uses algorithms to generate signals and, when the user has expressly configured it, to automatically transmit operation instructions to the third-party broker.
  • These operations execute the technical instructions configured by the user. The user retains full control at all times: they may activate, modify, suspend or deactivate any strategy.
  • In accordance with GDPR article 22, the user has the right to obtain human intervention, to express their point of view and to contest any automated decision by writing to rgpd@orynela.ai.

Exercising your rights

  • You may contact rgpd@orynela.ai to exercise your rights of access, rectification, objection, erasure, restriction, portability or withdrawal of consent.
  • Reasonable proof of identity may be requested where necessary to protect your data.
  • Orynela undertakes to respond to any request within one month, in accordance with the GDPR.

Complaint to the supervisory authority

  • If you believe the processing of your personal data infringes applicable regulation, you have the right to lodge a complaint with the French data protection authority (CNIL).
  • CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr

Cookies and trackers

  • The use of cookies and similar technologies is detailed in our cookie policy, accessible from the site footer or at /legal/cookies.