1. Data controller
The data controller is Jean-Benoît Kauffmann, entrepreneur individuel (JBK Agency), SIRET 315 218 131 00060, 593 rue du Bas Moulin, 77190 Dammarie-lès-Lys, France. Contact: [email protected].
2. Data collected
We collect the following categories of personal data:
- Account data: email address, hashed password, preferred language, plan, subscription status.
- Audit data: URL of audited sites, audit scores, report content (JSON), AI-generated summaries.
- Prospecting data: prospect name, email, phone, company, position, notes, pipeline status, email correspondence.
- Billing data: Stripe customer ID, subscription details. Credit card numbers are processed and stored exclusively by Stripe; we do not have access to them.
- Technical data: IP address, browser user-agent, session cookies, security logs (login attempts, rate limiting).
- Analytics: anonymous page views (page, date, count). No third-party tracking scripts are used.
Important: Orilyt performs read-only checks via HTTP on publicly accessible URLs. It does not access private areas, does not require credentials, and does not modify the audited websites.
3. Purposes of processing
- Providing the Service: account management, audit execution, report generation, monitoring alerts, quote generation.
- Billing: processing payments, managing subscriptions and credits.
- Prospecting: sending audit reports, email outreach and follow-ups on behalf of the User.
- Security: fraud prevention, rate limiting, login protection, security event logging.
- Service improvement: anonymous usage statistics, error monitoring.
- Communication: transactional emails (verification, password reset, alerts, monthly reports).
4. Legal basis
- Contract performance (Article 6(1)(b) GDPR): providing the Service as described in the Terms.
- Legitimate interests (Article 6(1)(f) GDPR): security, fraud prevention, service improvement.
- Legal obligation (Article 6(1)(c) GDPR): billing records, tax compliance.
- Consent (Article 6(1)(a) GDPR): optional analytics cookies, if applicable.
5. Sub-processors and data sharing
We do not sell personal data. Data is shared only with the following service providers, which are necessary to operate the Service:
- Hetzner Online GmbH (Germany) — hosting, servers and databases.
- Stripe, Inc. (USA) — payment processing. Stripe is certified under the EU-US Data Privacy Framework.
- Anthropic (USA) — AI-generated report summaries and prospecting emails. Only audit scores and public site data are transmitted; no personal data.
- OpenAI (USA) — AI-generated SEO suggestions. Same scope as above.
- Google (USA) — PageSpeed Insights API and Safe Browsing API. Only the audited URL is transmitted.
- Resend (USA) — transactional email delivery (SMTP).
For US-based processors, data transfers are covered by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable.
6. Data retention
- Account data: retained while the account is active. Deleted 90 days after account termination.
- Audit reports: retained while the account is active or for 12 months for anonymous audits.
- Billing records: retained for 10 years (French tax law obligation).
- Security logs (IP, login attempts): retained for 12 months.
- Prospecting data: retained while the account is active. The User may delete individual prospects at any time.
7. Your rights
In accordance with the GDPR and the French Data Protection Act ("Loi Informatique et Libertés"), you have the following rights:
- Right of access: obtain a copy of your personal data.
- Right to rectification: correct inaccurate data.
- Right to erasure ("right to be forgotten"): request deletion of your data.
- Right to restriction: restrict processing in certain circumstances.
- Right to portability: receive your data in a structured, machine-readable format (available via the GDPR export feature in account settings).
- Right to object: object to processing based on legitimate interests.
To exercise your rights, contact: [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the French supervisory authority: CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr.
8. Security measures
We implement appropriate technical and organizational security measures, including: HTTPS encryption in transit, password hashing (bcrypt), prepared SQL statements, CSRF protection, rate limiting, security headers (HSTS, CSP, X-Frame-Options), and access controls.
Despite these measures, no system is completely secure. In the event of a data breach affecting your rights, we will notify you and the CNIL within 72 hours as required by Article 33 of the GDPR.
9. International data transfers
Your data is primarily stored in Germany (Hetzner). Some sub-processors are based in the United States. Transfers to the US are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission or by the EU-US Data Privacy Framework certification of the processor.
10. Minors
The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us for deletion.
11. Changes to this policy
We may update this Privacy Policy from time to time. Significant changes will be notified by email or in-app notification. The "Last updated" date at the top of this page indicates the most recent revision.