Privacy policy
Last updated: 2026-05-04
This policy is provided in accordance with articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the French « Loi Informatique et Libertés » (Law n°78-17).
Data controller
The data controller for processing carried out through kazeni.eu is the site publisher. Any privacy-related request should be addressed to contact@kazeni.eu. We have not appointed a Data Protection Officer (DPO) — our processing does not currently meet the GDPR Art. 37 thresholds — but the contact above is the single point of contact for data subjects.
What we collect and why
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Account & waitlist data: name, work email, company, role, source/destination preferences, approximate data size. | Evaluate fit, contact you about early access, operate the account. | Performance of pre-contractual measures (Art. 6(1)(b)) and your consent (Art. 6(1)(a)) for the waitlist. | Until product GA, account deletion, or your erasure request — whichever comes first. |
| Authentication data: hashed password (Argon2id), session identifiers, OAuth provider IDs, magic-link tokens. | Sign you in, keep the session, prevent abuse. | Performance of contract (Art. 6(1)(b)) and our legitimate interest in account security (Art. 6(1)(f)). | Sessions: rolling 30 days, revoked on logout. Tokens: single use, expire within minutes. |
| Analytics: page views, CTA clicks, anonymised funnel events, coarse country (from IP, then discarded). | Understand aggregate traffic and improve the site. | Legitimate interest (Art. 6(1)(f)) — cookieless and identifier-free, so no consent banner is required under ePrivacy / CNIL guidance. | Aggregated for up to 12 months. |
| Server & security logs: IP address, user-agent, timestamp, request path, response code. | Operate the service, detect abuse, comply with legal record-keeping obligations. | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)). | Up to 12 months, then deleted or anonymised. |
| Transactional email metadata: address, send time, delivery status. | Send waitlist updates, magic links, security notifications. | Performance of contract (Art. 6(1)(b)). | As long as the account exists, plus 13 months for deliverability diagnostics. |
We do not collect special-category data (Art. 9) and we do not knowingly collect data from children under 16. We do not carry out any automated decision-making that produces legal effects (GDPR Art. 22).
Cookies and similar technologies
Marketing pages on kazeni.eu are cookieless: no advertising cookies, no third-party tracking, no localStorage-based identifiers. We only use the following strictly necessary cookies, which are exempt from prior consent under article 82 of the French Data Protection Act and ePrivacy Directive 2002/58/EC:
- kazeni_session — first-party HTTP-only session cookie set after sign-in. Lifetime: rolling 30 days. Purpose: keep you authenticated.
- oauth_state — first-party HTTP-only cookie set during OAuth sign-in. Lifetime: a few minutes. Purpose: CSRF protection of the OAuth callback.
You can clear these cookies at any time through your browser; signing out also revokes the session.
Sharing and sub-processors
We never sell your personal data, never share it for advertising, and never use it to train AI models. We rely on the following processors, each bound by a GDPR Art. 28 data processing agreement:
- Scaleway SAS (FR) — application hosting and managed Postgres, EU region.
- Mailkick (EU) — email template rendering and delivery.
- PostHog (EU cloud, eu.i.posthog.com) — cookieless product analytics.
All sub-processors store and process personal data within the European Economic Area. We do not carry out transfers of personal data outside the EEA. If that ever changes, this policy will be updated and we will rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) plus any required supplementary measures.
Your rights
Subject to GDPR conditions, you have the right to:
- access the personal data we hold about you (Art. 15);
- obtain rectification of inaccurate data (Art. 16);
- request erasure (Art. 17) — exercisable from your account settings or by email;
- restrict or object to processing (Art. 18 and 21);
- data portability for data you provided to us (Art. 20);
- withdraw any consent at any time, without affecting prior lawful processing (Art. 7(3));
- define directives concerning the use of your data after death, under article 85 of the French Data Protection Act.
To exercise these rights, email contact@kazeni.eu. We respond within one month (extendable by two months for complex requests, with prior notice). We may ask for proof of identity if there is reasonable doubt about the requester's identity. You can also lodge a complaint with the French CNIL or with the supervisory authority of your EU country of residence.
Security
Personal data is encrypted in transit (TLS 1.2+) and at rest. Passwords are hashed with Argon2id and never stored in cleartext. Access to production data is restricted to the publisher and is logged. We will notify affected users and the CNIL within 72 hours of becoming aware of a personal data breach likely to result in a risk to your rights and freedoms (GDPR Art. 33–34).
Changes to this policy
We update this page and the "last updated" date when anything material changes. For substantive changes to processing, registered users and waitlist subscribers are notified by email.