Privacy policy

Last updated: June 23, 2026

1. Introduction

This Privacy Policy explains how ACSEO (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use the Appizy service available at www.appizy.com and converter.appizy.com (the “Service”).

Data controller

ACSEO

SAS au capital de 104 254,00 €

SIREN: 511 727 257

RCS Aix-en-Provence

TVA intracommunautaire: FR31511727257

Siège social: Latitude Arbois Bat B, 1060 Rue René Descartes, 13290 Aix-en-Provence, FRANCE

Email: contact@appizy.com

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

We process your personal data based on the following legal bases under GDPR Article 6:

  • Contractual necessity (Article 6(1)(b)): To provide the Service, manage your account, process conversions, and fulfill our obligations under our Terms of Use
  • Legitimate interest (Article 6(1)(f)): For service improvement, security monitoring, analytics, and customer support
  • Consent (Article 6(1)(a)): For newsletter subscriptions and optional communications
  • Legal obligation (Article 6(1)(c)): To comply with tax, accounting, and anti-fraud requirements

3. Personal data we collect

3.1 Account data

When you create an account, we collect:

  • Email address
  • Name and surname (from OAuth providers or user-provided)
  • User ID (UUID automatically generated)
  • Registration date (timestamp of account creation)
  • Terms consent status (boolean flag and date of acceptance)
  • Newsletter consent (boolean flag for marketing communications)
  • IP address (temporarily logged for security purposes)

3.2 Subscription data

When you subscribe to a paid plan:

  • Subscription status (active, inactive, cancelled)
  • Plan type (Free, Pro, Business)
  • Billing cycle (monthly or yearly)
  • Next charge date
  • FastSpring subscription ID (link to payment processor)
  • FastSpring user ID

Important: Payment card information is handled exclusively by FastSpring, our payment processor. We do not store or have access to your credit card details.

3.3 Session and calculator data

When you use the conversion service:

  • Session ID (format: YYYY-MM-DD-uuid)
  • Original file name (.xlsx or .ods files)
  • File extension
  • Conversion configuration (layout, theme, toolbar settings - stored as JSON)
  • Conversion status (new, in progress, completed, deleted)
  • Publishing status (hosted or not)
  • Conversion reports (errors and warnings from the conversion process)
  • Creation and update timestamps

3.4 Files uploaded

  • Spreadsheet files (.xlsx, .ods formats)
  • File metadata (size, upload date)
  • Generated web applications (HTML, CSS, JavaScript files)

We do not read or analyze the content of your spreadsheets. Files are processed only for the technical conversion to web applications. We do not use your files for machine learning, AI training, or any other purpose beyond the conversion service.

All files are stored in encrypted AWS S3 buckets.

3.5 Analytics data

We use Fathom Analytics, a privacy-first analytics service that collects:

  • Page views (URLs visited)
  • Referrer (source of traffic)
  • Device type (desktop, mobile, tablet)
  • Browser type
  • Country (derived from IP address, then immediately anonymized)
  • Session duration

Fathom Analytics does not:

  • Store IP addresses
  • Use cookies or trackers
  • Create user fingerprints
  • Track users across websites
  • Collect personally identifiable information

This anonymous, aggregated data helps us understand how our website is used and improve user experience.

3.6 Technical data

  • Browser and device information
  • Access timestamps
  • API request logs
  • Error logs (for debugging purposes)

4. How we use your data

4.1 Service provision

We use your personal data to:

  • Authenticate your account
  • Process conversions of spreadsheets to web applications
  • Store and host your generated calculators
  • Provide preview functionality
  • Manage sessions and track conversion status
  • Apply your subscription tier features and limitations

4.2 Communication

We send emails for:

Transactional emails (via Mailgun EU region):

  • Trial end warning (sent 14-17 days after registration)
  • Churn warning (sent when your subscription ends, with 7-day grace period notice)
  • Access revocation notice (sent after the 7-day grace period expires)
  • Support responses to your inquiries
  • Password reset and account verification

Newsletter (only if you have consented):

  • Product updates and new features
  • Service announcements

You can unsubscribe from the newsletter at any time.

4.3 Service improvement

We use anonymized analytics data from Fathom to:

  • Understand website usage patterns
  • Identify popular features
  • Optimize user experience
  • Make informed product decisions

We process data to:

  • Monitor for fraudulent activity
  • Enforce our Terms of Use
  • Comply with legal obligations
  • Respond to legal requests from authorities
  • Protect our rights and the security of our users

5. Data sharing and third-party processors

We share your data only with trusted third-party processors who help us provide the Service. All processors are carefully selected and bound by data protection agreements.

5.1 Payment processing

FastSpring (United States - Merchant of Record)

  • Purpose: Payment processing and subscription management
  • Data processed: Payment information, billing address, order history
  • Safeguards: PCI DSS compliant, Standard Contractual Clauses
  • Role: FastSpring acts as the official reseller of Appizy subscriptions
  • User control: Manage subscriptions via FastSpring dashboard (link provided in checkout email)
  • Privacy policy: https://fastspring.com/privacy/

Important: FastSpring is responsible for payment data. We only receive subscription status updates via secure webhooks.

5.2 Email delivery

Mailgun (EU region)

  • Purpose: Transactional email delivery
  • Data processed: Email addresses, message content, delivery logs
  • Safeguards: GDPR compliant, servers located in EU
  • Privacy policy: https://www.mailgun.com/privacy-policy/

5.3 Analytics

Fathom Analytics

  • Purpose: Privacy-first website analytics
  • Data processed: Anonymous page views, referrer, device type (no personal data)
  • Safeguards: GDPR compliant by design, ISO 27001 certified
  • Cookie-free: No cookies, no consent required
  • Privacy policy: https://usefathom.com/privacy

5.4 Infrastructure

Amazon Web Services (AWS)

  • Services used: S3 (file storage), Lambda (conversion processing), CloudFront (CDN), SQS (message queuing), SNS (notifications), CloudWatch (logging)
  • Purpose: Service infrastructure and hosting
  • Data processed: Uploaded files, generated applications, session metadata, logs
  • Safeguards: AWS Data Processing Addendum, ISO 27001, SOC 2, encryption at rest and in transit
  • Privacy policy: https://aws.amazon.com/privacy/

5.5 Content delivery networks

Google Fonts - Web typography (https://policies.google.com/privacy)

Cloudflare CDN - JavaScript libraries (https://www.cloudflare.com/privacypolicy/)

6. Data retention

6.1 User account data

  • Retained while your account is active
  • Deleted upon request (contact contact@appizy.com, processing within 30 days)
  • Exception: FastSpring retains purchase history for tax and legal compliance (7-10 years)

6.2 Session and calculator data

Demo sessions (trial users without paid subscription):

  • Automatically deleted 7 days after creation
  • Daily automated cleanup job removes files from S3

User sessions (paid subscribers):

  • Retained until you manually delete them
  • Access to hosted calculators revoked 7 days after subscription ends (grace period)
  • Files remain in S3 until session is deleted

Deleted sessions:

  • Marked as deleted in database
  • Files removed from S3 by daily cleanup job
  • Metadata retained for record-keeping

6.3 Support communications

  • Email exchanges: Up to 3 years (to help us understand product issues and prioritize features)
  • Spreadsheet files sent for debugging: Deleted after issue resolution

6.4 Payment records

  • Handled by FastSpring
  • Retained for 7-10 years per tax and anti-fraud legal obligations
  • Cannot be deleted even if account is closed

6.5 Logs and analytics

  • API and access logs: Typically 30-90 days (CloudWatch retention policy)
  • Authentication logs: Retained according to system configuration
  • Fathom analytics: Aggregated data, not attributable to individuals

7. Your rights under GDPR

As a data subject under GDPR, you have the following rights:

7.1 Right of access (Article 15)

You can request a copy of all personal data we hold about you.

How to exercise: Email contact@appizy.com with your request

Response time: Within 30 days

7.2 Right to rectification (Article 16)

You can correct inaccurate personal data.

How to exercise: Update your account settings or email contact@appizy.com

7.3 Right to erasure / “Right to be Forgotten” (Article 17)

You can request deletion of your personal data.

How to exercise: Email contact@appizy.com

Current process: Manual deletion by our team (we are working on self-service deletion)

Timeline: Within 30 days of request

Exception: FastSpring retains purchase history for legal compliance

7.4 Right to restriction of processing (Article 18)

You can request that we limit how we process your data.

How to exercise: Email contact@appizy.com

7.5 Right to data portability (Article 20)

You can receive your personal data in a machine-readable format (JSON).

How to exercise: Email contact@appizy.com

Current process: Manual export by our team (we are working on self-service export)

What’s included: Account data, session metadata, uploaded files, conversion configurations

Format: JSON file + original spreadsheet files

Timeline: Within 30 days of request

7.6 Right to object (Article 21)

You can object to processing based on legitimate interest.

How to exercise: Email contact@appizy.com

Newsletter: Unsubscribe link provided in all marketing emails

You can withdraw consent at any time for newsletter subscriptions.

Note: You cannot withdraw consent for processing necessary to provide the Service (contractual basis).

7.8 Right to lodge a complaint

If you believe we have not handled your personal data appropriately, you can file a complaint with:

CNIL (Commission Nationale de l’Informatique et des Libertés)

Address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France

Website: https://www.cnil.fr/

Phone: +33 1 53 73 22 22

8. Data security measures

We implement industry-standard security measures to protect your data:

8.1 Encryption

  • At rest: All files stored in AWS S3 use S3-managed encryption (AES-256)
  • In transit: All data transfers use HTTPS/TLS encryption
  • Passwords: Stored with industry-standard hashing (bcrypt)

8.2 Access control

  • Authentication: Required for all access to user data
  • Ownership verification: API calls verify that you own the session before allowing access
  • Lambda@Edge access control: Published calculators use metadata-based access control
  • IAM policies: Strict AWS permissions limiting access to data

8.3 Monitoring

  • AWS CloudWatch: Continuous monitoring for unauthorized access attempts
  • Security alerts: Automated notifications for suspicious activity
  • Regular updates: Security patches applied promptly

8.4 Vendor security

  • AWS: Extensive compliance certifications (ISO 27001, SOC 2, etc.)
  • FastSpring: PCI DSS compliant for payment processing

9. International data transfers

Data controller: ACSEO is based in France (European Union).

International transfers: Some of our processors are located outside the European Union:

  • FastSpring (United States)

Safeguards: We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Processor certifications (SOC 2, ISO 27001, PCI DSS)

EU-based processors:

  • Mailgun (EU region servers)
  • AWS (region to be confirmed - likely EU)

10. Children’s Privacy

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@appizy.com. We will delete the data promptly.

11. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

All decisions regarding account termination or subscription management are made by humans.

12. Cookies and tracking technologies

We prioritize your privacy by minimizing the use of cookies and trackers.

We do NOT use:

  • Third-party tracking cookies
  • Advertising cookies
  • Cross-site tracking
  • Fingerprinting techniques

12.2 Essential cookies

We use only essential cookies necessary for the Service to function:

Session cookies:

  • directus_session_token (session authentication, expires after 1 day)
  • directus_refresh_token (session refresh, expires after 7 days)
  • SameSite: “lax”
  • Purpose: Keep you logged in

12.3 Analytics without cookies

Fathom Analytics: We use Fathom, a privacy-first analytics service that:

  • Does NOT use cookies
  • Does NOT store IP addresses
  • Does NOT fingerprint users
  • Does NOT track users across websites
  • Collects only anonymous, aggregated data

GDPR compliance: Because Fathom is cookie-free and fully anonymous, no cookie consent banner is required under GDPR.

12.4 Third-party cookies

FastSpring: Our payment processor may use cookies during the checkout process. These are managed by FastSpring and governed by their privacy policy.

13. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

Notification: We will notify you of material changes by email and update the “Last Updated” date at the top of this page.

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Email: contact@appizy.com

Mail: ACSEO, Latitude Arbois Bat B, 1060 Rue René Descartes, 13290 Aix-en-Provence, FRANCE

We will respond to your inquiry within 30 days.

15. Specific provisions for EEA users

If you are located in the European Economic Area (EEA):

  • This Privacy Policy complies with GDPR requirements
  • You have all the rights listed in Section 7
  • You can lodge complaints with your national data protection authority or with CNIL (France)
  • International data transfers are protected by Standard Contractual Clauses
  • We are committed to transparency and accountability in all data processing activities