Privacy Policy
Last updated: February 23, 2026
1. Introduction & Data Controller
This Privacy Policy explains how SB TECH CONSULTING ("we", "us", "our") collects, uses, and protects your personal data when you use the AuthProxy service.
Data Controller:
- SB TECH CONSULTING, SASU
- RCS Paris 933 105 538
- SIRET: 933 105 538 00013
- 58 rue de Monceau, 75008 Paris, France
- Privacy contact: [email protected]
2. Data We Collect
Account Data (Dashboard Users)
| Data | Legal Basis | Retention |
|---|---|---|
| Email address | Contract performance | Until account deletion |
| Display name | Contract performance | Until account deletion |
| OAuth provider ID | Contract performance | Until account deletion |
| Organization membership | Contract performance | Until account deletion |
| Site configurations | Contract performance | Until account deletion |
Analytics Data (PostHog)
| Mode | Data | Legal Basis | Retention |
|---|---|---|---|
| Anonymous (default) | Aggregated pageviews, events, device type, browser, referrer, scroll depth | CNIL audience measurement exemption | 25 months max |
| Full (after consent) | Person profiles, session recordings, user journeys linked to email | Consent (Art. 6(1)(a) GDPR) | 25 months max |
Error Monitoring (Sentry)
| Mode | Data | Legal Basis | Retention |
|---|---|---|---|
| Default (always on) | Stack traces, browser/OS, error messages, anonymized request URLs | Legitimate interest (service reliability) | 90 days |
| Enriched (after consent) | + User email, user ID | Consent | 90 days |
End-User Data (Proxy — AuthProxy as Processor)
| Data | Legal Basis | Retention |
|---|---|---|
| Email address | Contract performance (DPA) | Until site owner deletes |
| Access logs (IP, geolocation, headers, timestamps, URLs) | Contract performance (DPA) | 90 days |
| Encrypted session metadata | Contract performance (DPA) | Session duration (configurable) |
Billing Data (LemonSqueezy as Merchant of Record)
| Data | Legal Basis | Retention |
|---|---|---|
| Name, email, payment information | Contract performance | Per LemonSqueezy policy; invoices: 10 years (French tax law) |
3. Sub-Processors
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, D1 database, KV cache, Analytics Engine, WAF, TLS | Global (330+ PoPs), D1 primary in EU | DPF EU-US, SCCs, AES-256-GCM encryption |
| LemonSqueezy, LLC | Billing, payments, tax collection (Merchant of Record) | USA | SCCs, PCI-DSS compliant |
| PostHog, Inc. | Product analytics (dashboard + website) | EU (PostHog Cloud) | EU hosting, GDPR DPA |
| Sentry (Functional Software, Inc.) | Error monitoring | USA | DPF EU-US, SCCs, PII scrubbing by default |
| Resend, Inc. | Transactional emails (invitations, alerts) | USA | SCCs |
We provide 30 days' notice before adding or changing sub-processors.
4. How We Use Your Data
- Service delivery: Account management, authentication proxy, access logging
- Service improvement: Anonymous analytics to understand feature usage and improve UX (CNIL-exempt)
- Security: Error monitoring, abuse prevention, rate limiting
- Communication: Transactional emails (invitations, alerts, account notifications)
- Billing: Subscription management via LemonSqueezy
- Legal compliance: Responding to lawful requests, enforcing Terms of Service
We do NOT use your data for: advertising, selling to third parties, profiling for automated decision-making, or any purpose beyond what is described in this policy.
5. GDPR Rights (EU Residents)
Under the General Data Protection Regulation, EU residents have the following rights:
| Right | How to Exercise |
|---|---|
| Access (Art. 15) | Account settings shows all personal data. Email [email protected] for a complete export. |
| Rectification (Art. 16) | Edit display name in account settings. Email [email protected] for other corrections. |
| Erasure (Art. 17) | Delete account in account settings. All personal data removed within 30 days. |
| Portability (Art. 20) | CSV export of access logs from dashboard. Email [email protected] for full data export. |
| Restriction (Art. 18) | Email [email protected]. |
| Object (Art. 21) | Email [email protected]. For analytics: use Cookie Preferences to withdraw consent. |
| Withdraw consent (Art. 7(3)) | Cookie Preferences link (footer on website, bottom-left on dashboard). |
Supervisory authority: CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. www.cnil.fr
Response time: 30 days from receipt of request (extendable by 60 days for complex requests with notification).
6. CCPA Rights (California Residents)
Under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA):
- We do NOT sell your personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.
- We do NOT share your personal information for cross-context behavioral advertising.
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected.
- Right to delete: You may request deletion of your personal information (see account deletion in dashboard).
- Right to opt-out of sale: Not applicable — we do not sell personal information. The "Do Not Sell or Share My Personal Information" link is provided for transparency.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
Contact: [email protected]
7. Cookies
This section serves as the complete cookie policy for authproxy.app and dash.authproxy.app.
What is a cookie: A small file stored on your device by your web browser to remember information between visits.
Cookies We Use
| Cookie / Storage | Type | Purpose | Duration | Consent |
|---|---|---|---|---|
_authproxy_session_* | Strictly necessary | Authentication session (AES-256-GCM encrypted) | Configurable per site | Not needed |
__cf_bm | Strictly necessary | Cloudflare bot management | 30 minutes | Not needed |
cf_clearance | Strictly necessary | Cloudflare WAF challenge | Configurable | Not needed |
| LemonSqueezy cookies | Strictly necessary | Payment processing | Per LemonSqueezy | Not needed |
| PostHog (anonymous) | CNIL-exempt analytics | Aggregated pageviews, events, device info | Memory only (no persistent cookie) | Not needed (informed via this policy) |
| PostHog (full) | Analytics | Person profiles, session recordings | 13 months max | Required (EU/UK) |
cookie_consent | Strictly necessary | Stores consent preference | 13 months | Not needed |
Consent Management
- EU/UK: Opt-in banner with equal-prominence Accept/Refuse buttons
- US: Notice with opt-out link
- Other: Simple notice or no banner
- Cookie Preferences always accessible: footer link (website), bottom-left icon (dashboard)
- No cookie wall — refusing cookies does not block access to the service
- Consent expires after 13 months (CNIL requirement)
8. Children
AuthProxy is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child under 16 has provided us with personal information, contact [email protected].
9. Changes to This Policy
- Material changes will be communicated via email to registered users at least 30 days in advance.
- Non-material changes are effective upon posting with an updated "last updated" date.
- Continued use of the Service after changes constitutes acceptance.
- Previous versions are available upon request.
10. Contact Information
- Data Controller: SB TECH CONSULTING SASU
- Address: 58 rue de Monceau, 75008 Paris, France
- Privacy inquiries: [email protected]
- General inquiries: [email protected]
- Response time: 30 days