Privacy Policy

Last updated: 6 June 2026 · Version 1.5

1. Data controller

2. Data Protection Officer (DPO)

As Nael is not legally required to appoint a DPO (fewer than 250 employees, no large-scale processing of sensitive data within the meaning of Article 9 GDPR), equivalent responsibilities are handled directly by Geoffrey Gotfryd, President of Nael SASU.

DPO contact: hello@nael.so — Geoffrey responds personally within 24 business hours (the formal GDPR response deadline remains one month maximum).

3. Data collected and purposes

3.1 At registration

• First name, email, business name, city, phone number, trade/sector — required to identify the User and configure their workspace (legal basis: contract performance);
• GDPR and Terms consent — timestamped, retained as proof (legal basis: consent);
• Benchmark consent — only if voluntarily enabled by the User (opt-in, legal basis: consent).

3.2 Processing of accounting ledger data and purpose

Accounting ledger data — the Fichier des Écritures Comptables (FEC) or an equivalent general ledger export (CSV) imported by the appointed Consultant — is processed solely to extract the financial indicators needed to:

• populate the User's dashboard (score, KPIs, alerts, trajectory);
• produce the exportable diagnostic report (4-page PDF);
• compare the establishment's ratios against industry benchmarks (median, P25, P75) from the data.benchmarks_sectoriels table, associated with the NAF code provided at registration.

Legal basis: contract performance (Article 6(1)(b) GDPR). Accounting ledger data is never used for other purposes (advertising, resale, third-party model training) without separate explicit consent.

3.3 Sector preview during processing

During the waiting period for ledger data processing (between import by the Consultant and dashboard availability), the application may call the GET /api/benchmarks/:naf_code route to temporarily display the sector average margins corresponding to the User's NAF code.

This call transmits no personal accounting data: only the NAF code is used. Returned values come exclusively from the aggregated data.benchmarks_sectoriels table. No identifying User data is retained beyond what is strictly necessary for the Service to function.

3.4 During use of the Service

• Accounting ledger data — imported into Nael by the Consultant appointed by the User, from their accounting software. It contains the Client's structured accounting entries: labels, accounts, amounts, dates, journals. The Client does not upload any documents to Nael themselves.
• Calculated Management Data — score, indicators (revenue, food cost, payroll, cash position, EBITDA, VAT), ratios, alerts, and diagnostic report produced by Nael from the ledger data. Stored in a secured PostgreSQL database, isolated by client identifier.
• Usage data — login dates, features accessed (legal basis: legitimate interest for service improvement).

3.5 PDF report generation and export

Accounting ledger data enables generation, at the User's exclusive request, of an exportable diagnostic report in PDF format (4 pages). This document includes the Nael Score, a summary of sector variances, historical trajectory, and a simplified income statement.

The report is generated only upon explicit action by the User. Data it contains remains strictly confidential and is not transmitted to any third party without prior consent.

4. Subprocessors and international transfers

Nael uses the following subprocessors to provide the Service:

Subprocessor	Role	Location	Legal basis
OVH SAS	API hosting, PostgreSQL database	Strasbourg, France	Art. 6(1)(b) GDPR
Vercel Inc.	nael.so frontend hosting	USA (Paris CDG1 edge)	SCC + DPF
Mistral AI SAS	AI analysis — inferences (indicator calculation, alerts, monthly summary)	Paris, France (EU)	Art. 6(1)(b) GDPR
Conversational memory	Local PostgreSQL, OVH France VPS — self-hosted storage; no third-party subprocessor (Letta or otherwise); no memory data leaves the VPS	Strasbourg, France	Art. 6(1)(b) GDPR
Brevo SAS	Transactional email	France (EU)	Art. 6(1)(b) GDPR
Cloudflare Inc.	DNS, DDoS protection	USA (transit)	SCC + DPF
Stripe Inc.	Card payment — activated only if a paid subscription is taken out; no Stripe data is exchanged during the free trial	USA	SCC + DPF
Namecheap Inc.	Domain name registration	USA	SCC + DPF

4.1 Transfers outside the European Union — Art. 44 GDPR

Subprocessors located in the United States (Vercel, Cloudflare, Stripe, Namecheap) are governed by:

• the Standard Contractual Clauses (SCCs) of the European Commission (Decision 2021/914), which require a level of protection equivalent to the GDPR;
• certification under the EU-US Data Privacy Framework (DPF), recognised by the European Commission adequacy decision of 10 July 2023, for eligible subprocessors.

The Client does not upload any documents to Nael themselves. Accounting ledger data imported by the appointed Consultant is processed. Mistral AI receives only the minimised accounting data necessary for analysis; Stripe receives data only if an active paid subscription is in place.

4.2 Note on conversational memory

Conversations with the Nael advisor are stored exclusively in the PostgreSQL database hosted on the OVH VPS (France). Nael does not use Letta or any other third-party service to store client exchange history.

4.3 Note on Mistral AI

AI financial analyses are processed by Mistral AI SAS (Paris, France). Only the content of your message and the financial indicators necessary to the response are transmitted. Mistral does not store API call data for model training (see Mistral Privacy Policy). Legal basis: contract performance (Art. 6(1)(b) GDPR). Mistral DPA available on request at hello@nael.so.

4.4 Minimisation during AI processing

When data is processed by our AI provider, Nael never transmits a full bank identifier (truncated IBAN), account number, or third-party name where this can be avoided. Only data strictly necessary for extraction and analysis is transmitted.

5. Hosting and security

The guarantees below are identical to those displayed on the free diagnostic page:

• API and database hosted with OVH SAS — Strasbourg datacenter, France;
• nael.so frontend served by Vercel Inc. via its Paris (CDG1) edge node;
• Financial data hosted in France, isolated per client, GDPR-compliant;
• Strict isolation — each establishment has a separate data space;
• Deletion on request — complete deletion of all your data on simple request to hello@nael.so;
• PostgreSQL 16 database with strict per-client isolation (controlled multi-tenant queries);
• TLS 1.3 encryption for all communications (HTTPS required on nael.so and api.nael.so);
• Passwords stored as bcrypt hashes, never in plain text;
• External API keys stored in environment variables, never in source code;
• Automated daily database backups with 30-day retention;
• Audit trail logged in the database for all sensitive operations.

6. Retention periods

• Imported accounting ledger data: stored in isolated, encrypted form for the duration of the account, then 10 years after closure (legal obligation to retain accounting documents under Article L.123-22 of the French Commercial Code);
• Calculated indicators, score, and summaries: retained for the duration of the subscription, then 10 years after termination, aligned with the same legal obligation;
• Identification data (first name, email): retained for the duration of the subscription, then deleted within 3 years of termination;
• Technical and audit logs: 10 years (reliable audit trail obligation).

6.3 Anonymised data and performance reference

With your consent, Nael may use your financial data in strictly anonymised and aggregated form for the following purposes:

• Service improvement — detection of algorithmic issues, calibration of alert thresholds and reference ratios;
• Performance reference — production of performance indices allowing each User to benchmark against comparable businesses.

Legal basis: consent (Article 6(1)(a) GDPR), freely revocable at any time from account settings or by email to hello@nael.so.

→ Read the full information page on anonymised data

7. Your GDPR rights

Under Articles 15 to 22 of the GDPR, you have the following rights:

• Right of access — obtain a copy of the data we hold about you;
• Right to rectification — correct inaccurate or incomplete data;
• Right to erasure — request deletion of your data (subject to legal accounting retention obligations);
• Right to restriction of processing — limit use of your data in certain cases;
• Right to data portability — receive your data in a structured, machine-readable format;
• Right to object — object to certain processing based on legitimate interest;
• Withdrawal of consent — for processing based on consent (benchmarks, marketing emails) at any time.

To exercise these rights, contact us at hello@nael.so. A response is guaranteed within 30 days (extendable by 2 months in complex cases).

8. Cookies and trackers

The nael.so website and Nael application use no advertising cookies or third-party trackers. No marketing analytics tools (Google Analytics, Meta Pixel, etc.) are installed.

Only cookies and local storage strictly necessary for the Service to function are used. Authentication relies on an HttpOnly cookie (nael_auth) set by the server: the session token is never accessible to JavaScript or stored in localStorage. The browser retains only non-sensitive metadata (first name, plan, display preferences). These items are exempt from prior consent (Article 82 of the French Data Protection Act).

9. Complaints to the supervisory authority

If you believe, after contacting us, that your rights are not being respected, you may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

• Online: cnil.fr/plaintes
• By post: CNIL — 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07, France