This Privacy Policy explains how VenuXboost collects, uses and protects your personal data, in compliance with the General Data Protection Regulation (GDPR), the French “Informatique et Libertés” law, and equivalent laws in the jurisdictions where we operate.
1. Data controller
The data controller is Miller Kiefer, doing business as VenuXboost, principal establishment at 630 avenue Querbes, Montréal, QC, H2V 3W7 (Canada).
For any data-related question, contact our Data Protection Officer: support@venuxboost.app.
2. Data we collect
- Account data: email, hashed password (bcrypt), signup date, language preference, locale.
- Campaign data: public URL of the targeted content, platform, ordered volume, order history.
- Payment data: we never store card data. Stripe and Moneroo process this data under their own policies (PCI DSS Level 1).
- Technical data: IP address, user-agent, session identifiers, login logs (Supabase Auth).
- Anti-fraud data: reCAPTCHA Enterprise score, basic browser fingerprint, aggregated behavioural signals.
3. Purposes and legal bases
- Contract performance: account creation and management, campaign processing, billing, support.
- Legal obligations: invoice retention (10 years), response to legal requests.
- Legitimate interest: platform security (anti-fraud, abuse prevention), product improvement, aggregated statistics.
- Consent: marketing emails (explicit opt-in, one-click unsubscribe), non-essential measurement cookies.
4. Sub-processors and third parties
We work with GDPR-compliant sub-processors under a data processing agreement (DPA). Data is processed in the EU when possible:
- Supabase (EU) — database, authentication, file storage.
- Stripe (Ireland, USA — DPF certified) — card payments.
- Moneroo (Benin, PCI DSS compliant) — Mobile Money payments.
- Resend (USA — DPF certified) — transactional email delivery.
- Google reCAPTCHA Enterprise (USA — DPF certified) — bot protection.
- Vercel (USA — DPF certified) — hosting and CDN.
- Sentry (USA — DPF certified) — server error monitoring.
6. Retention periods
- Active account data: for the lifetime of the account.
- Data after account closure: deleted within 30 days, except where legal obligations require retention.
- Invoices: 10 years (accounting obligation).
- Technical logs: 13 months maximum.
7. Your rights
Under the GDPR, you have the following rights:
- Right of access to your data
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to portability (structured JSON export available on request)
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time
- Right to lodge a complaint with your supervisory authority (e.g. CNIL in France, www.cnil.fr)
To exercise these rights: support@venuxboost.app. We reply within 30 days maximum.
8. International transfers
Some sub-processors (Stripe, Vercel, Sentry, Resend, Google) process data in the USA under the EU-US Data Privacy Framework (DPF), complemented by Standard Contractual Clauses (SCCs) where required.
9. Security
We use TLS in transit, encryption at rest (Supabase), hashed passwords (bcrypt), optional two-factor authentication, and rate limiting and reCAPTCHA Enterprise on sensitive endpoints. In case of a data breach affecting your rights, we notify the supervisory authority within 72 hours per GDPR Article 33.
10. Contact
Data Protection Officer: support@venuxboost.app