Privacy Policy

Last updated: March 1, 2026

1. Introduction

Pilotd is committed to protecting the privacy of its users. This policy describes how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679).

2. Data Controller

Mylan Atlani
Email: contact@pilotd.fr

3. Data We Collect

We collect the following categories of data:

• Account data: email address, full name, password (hashed with bcrypt, never stored in plain text)
• Profile data: daily rate, preferred theme, language, visual style
• Business data: clients, missions, time entries, invoices, quotes, attendance records
• Technical data: IP address, browser information, access logs
• Payment data: processed exclusively by Stripe. Pilotd does not store any credit card numbers.

4. Purpose of Processing

• Service delivery — legal basis: performance of a contract
• Account management — legal basis: performance of a contract
• Email notifications — legal basis: legitimate interest
• Security and fraud prevention — legal basis: legitimate interest
• Service improvement — legal basis: legitimate interest

5. Legal Basis

Data processing is based on the following legal grounds, as applicable: performance of a contract (Article 6.1.b GDPR), legitimate interest (Article 6.1.f), and consent (Article 6.1.a).

6. Data Retention

• Active account: data is retained as long as the account is active
• After account deletion: 30-day recovery period, followed by permanent deletion
• Invoices and accounting documents: 10 years (as required by French commercial law, Article L123-22 of the Code de commerce)
• Technical logs: 12 months

7. Sub-processors

Your data may be processed by the following sub-processors in order to deliver the service:

• OVH SAS (hosting) — France. Servers located in France.
• Stripe Inc. (payments) — USA. Covered by the EU-US Data Privacy Framework.
• Cloudflare R2 (file storage) — European Union.
• Resend (transactional emails) — USA.

8. International Transfers

Stripe and Resend are based in the United States. These transfers are governed by adequacy decisions (EU-US Data Privacy Framework) and standard contractual clauses approved by the European Commission, in accordance with Articles 45 and 46 of the GDPR.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to data portability (Article 20)
• Right to restriction of processing (Article 18)
• Right to object (Article 21)

To exercise your rights, contact us at contact@pilotd.fr. We will respond within 30 days.

You also have the right to lodge a complaint with the CNIL (French Data Protection Authority): www.cnil.fr.

10. Cookies

Pilotd uses only strictly necessary cookies for the operation of the service (authentication, session preferences). These cookies do not require consent under Article 82 of the French Data Protection Act. No advertising or tracking cookies are used. See our consent banner for more details.

11. Security

We implement the following technical and organizational measures to protect your data:

• Encrypted connections (TLS/HTTPS)
• Passwords hashed with bcrypt
• Signed URLs for file access (1-hour expiry)
• JWT token rotation
• Data isolation per tenant (multi-tenant architecture)

12. Changes to This Policy

This privacy policy may be updated to reflect changes to the service or applicable regulations. The date of last modification is indicated at the top of this page. In the event of a material change, we will notify you by email.

13. DPO Contact

For any questions regarding the protection of your personal data, you can contact us at contact@pilotd.fr.

Reference: Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr.