Privacy policy
1. Who we are
The data controller is Oriskami SAS, a French simplified joint-stock company (SAS) registered with the Tribunal de commerce de Rennes under SIREN 892 745 969, with its registered office at Parc EDONIA – Bâtiment M, rue des Îles Kerguelen, 35760 Saint-Grégoire, France.
For any privacy-related question, write to legal@oriskami.com. Our lead supervisory authority is the Commission nationale de l'informatique et des libertés (CNIL), France.
We do not maintain a Data Protection Officer at this scale. The contact above is the single point of contact for data subjects.
2. Data we collect
We collect data in three ways.
2.1 Data you provide
When you create an account, contact us, or sign up for the service: your name, professional email, company, role, and any free-text content you send us (forms, support requests).
When you engage commercially with the service: billing identifiers (legal entity, VAT, billing address) and a payment instrument handled by our payment service provider (see section 5).
2.2 Data we collect automatically
When you use the service or visit a public page: IP address, coarse browser fingerprint (user-agent, Accept-Language), pages visited, timestamps, referrers, and request-level diagnostics needed to operate the service securely.
We log API calls and authentication events (logins, password resets, server-key usage) for security, audit, and abuse detection.
2.3 Data from third parties
If you sign up via GitHub OAuth, GitHub returns your verified email address and the public profile fields you have authorised. We do not receive your GitHub password.
We do not buy personal data from data brokers.
3. Why we use it (purposes and legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Performing the contract (account, access, billing, support) | Contract — Art. 6(1)(b) |
| Securing the service (logging, abuse detection, fraud prevention) | Legitimate interest — Art. 6(1)(f) |
| Complying with legal obligations (invoices, tax, response to lawful requests) | Legal obligation — Art. 6(1)(c) |
| Sending operational service messages | Contract — Art. 6(1)(b) |
| Occasional commercial messages to existing clients about closely related services | Legitimate interest — Art. 6(1)(f), with opt-out |
| Producing aggregated, anonymised usage statistics | Legitimate interest — Art. 6(1)(f) |
We do not engage in solely-automated decision-making with legal or similarly significant effects within the meaning of GDPR Art. 22. The service is a decision-support tool; a human operator interprets and acts on its outputs.
4. Cookies and similar technologies
We use strictly necessary cookies to operate authentication and session continuity. These are essential to the service and require no consent.
We do not use advertising, profiling, or cross-site tracking cookies. We do not embed third-party analytics on the public pages of www.samroute.com beyond what is required to operate the site.
You can disable cookies at the browser level; doing so will break authentication.
5. Who we share data with
We share personal data with a small number of named subprocessors, each governed by a written agreement (GDPR Art. 28) and limited to the strict purpose described.
| Subprocessor | Purpose | Location |
|---|---|---|
| OVHcloud | Production hosting, storage | France (EU) |
| Stripe | Payment processing for non-ENTERPRISE clients | EU + United States (under SCCs and Stripe's adequacy framework) |
| Mapbox | One-off static map tile fetched at build time for the public footer thumbnail | United States (single fetch, no live visitor data) |
| GitHub | OAuth authentication for users who choose "Sign in with GitHub" | United States (only when the user opts in) |
| Google Fonts | Serving IBM Plex Mono on certain server-rendered SVGs | United States (subresource fetch, no Client Data) |
Beyond these subprocessors, we share personal data only when a competent authority lawfully requires it, or if disclosure becomes necessary to protect the rights, property, or safety of Oriskami SAS, our clients, or the public.
We do not sell personal data and we do not share it for advertising.
6. International transfers
Client Data is hosted exclusively in the European Union (production at OVHcloud in France).
Some subprocessors are established in the United States. Where transfers occur to a country without an adequacy decision, they are framed by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and any additional safeguards required after Schrems II.
7. Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your data where the conditions of Art. 17 apply (see /en/data-deletion for the step-by-step procedure)
- Restrict processing in the cases set out in Art. 18
- Port your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw any consent you have given, at any time, without affecting processing already carried out (Art. 7(3))
- Lodge a complaint with the CNIL or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement (Art. 77)
To exercise any of these rights, write to legal@oriskami.com. We respond within one month, extendable by two months for complex requests, and do not charge a fee unless the request is manifestly unfounded or excessive.
8. How long we keep data
We retain account and contract data for the duration of the contract plus the legal limitation period (typically five years under French law; ten years for accounting records).
Technical logs are retained for up to twelve months for security and audit purposes, then either deleted or aggregated into non-personal statistics.
Marketing data is retained for three years from the last contact unless you opt out earlier.
9. Children
The service is for professional use only. We do not knowingly collect personal data from individuals under sixteen.
10. Changes
We may update this policy as the service or applicable law evolves. We notify clients by email and post the updated text on this page with a new effective date. Your continued use of the service after a change constitutes acknowledgement of the updated policy.
11. Contact
Privacy and data-protection questions: legal@oriskami.com.
Postal: Oriskami SAS, Parc EDONIA – Bâtiment M, rue des Îles Kerguelen, 35760 Saint-Grégoire, France.
This privacy policy is a good-faith draft. It will be reviewed by counsel as the service grows. Last reviewed by counsel: pending.
