Privacy policy

1. Data controller

HEELONYS is responsible for processing performed through the heelonys.fr showcase website and for commercial or demo requests submitted via the contact form.

2. Personal data collected

We collect only data strictly necessary to qualify incoming requests, prepare business exchanges, and protect the form against automated submissions.

2.1. Contact form

• Full name to identify your contact at HEELONYS
• Professional email to reply and organize discussions
• Organization or team to understand your environment and decision context
• Contact source to identify request origin
• Project description to qualify intended use, constraints, and expected support level

Transmission and storage: this is a static showcase website. Submitted data is not stored in a business application database on the website server. It is transmitted to Formspree, then handled manually by HEELONYS in professional email and internal sales follow-up tools.

2.2. Technical and anti-spam data

• honeypot field website;
• form start timestamp form_started_at;
• session anti-bot marker anti_bot_token stored in sessionStorage;
• Turnstile token issued by Cloudflare for anti-spam verification;
• GED/admin technical authentication cookies (ged_premfa, ged_session, wm_ged_session, wm_ged_flash) used for session security.

2.3. Connection and log data

For website security and fraud prevention, the hosting provider and some technical providers may process technical data such as IP address, date/time, browser type, operating system, and related HTTP responses.

2.4. Audience measurement

We measure website traffic with Plausible Analytics. This tool is configured without cookies. Data used for audience measurement is aggregated, hosted in the European Union and, under the selected configuration, is not intended to directly identify a user.

3. Purposes and legal bases

Purpose	Legal basis	Retention period
Receive, qualify, and answer incoming requests	Pre-contractual measures and legitimate B2B interest	3 years after last contact if no contract is signed
Prepare scoping, demo, or quote	Pre-contractual measures requested by you	Case processing duration, then archive according to prospect/customer status
Secure the form and fight spam	Legitimate interest	Technical duration needed for filtering and abuse analysis
Log access and maintain website security	Legitimate interest and, where applicable, legal obligation	Up to 1 year for connection logs unless legal requirement differs
Anonymous audience measurement	Legitimate interest	Aggregated data retained without time limit (full anonymity)

4. Data recipients

Your data is limited to authorized personnel at HEELONYS and, where necessary, technical processors involved in contact form routing or security.

4.1. Internal recipients

• HEELONYS management and sales contacts handling business relationships;
• technical or product team where functional or security qualification is needed;
• support or operations when a support offer is being prepared.

4.2. External recipients

• Hosting provider: OVH-Cloud
• Formspree for contact form routing
• Cloudflare Turnstile for anti-spam verification
• Proton Calendar (proton.me) when you click a 30-minute booking link; any data you submit there is processed under Proton's own privacy policy
• Plausible Analytics for strictly anonymous audience measurement (aggregated data, no direct identification)
• Competent authorities only where legally required

4.3. Third-party resources loaded by the website

• Google Fonts for typography
• CDNJS / Cloudflare for some front-end libraries
• LinkedIn when following external links from the website

5. Data retention period

Data type	Retention period
Incoming requests and sales qualification	3 years after last contact if no contract is signed
Customers under contract	Contract duration then legal/accounting archiving
Connection logs	Up to 1 year unless specific legal requirements apply
Session anti-bot markers	User session or technical verification duration
GED/admin session cookies	Limited technical duration (1 minute to 8 hours depending on cookie), then automatic removal or logout cleanup

6. Your rights

Under GDPR and French Data Protection law, you have rights of access, rectification, erasure, restriction, portability, and objection.

We respond within one month from request receipt, extendable by two months in complex cases.

Complaint to CNIL

7. Security and confidentiality

HEELONYS implements proportionate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or unwanted disclosure.

Technical measures

• SSL/TLS encryption for data in transit;
• anti-spam and human verification on forms;
• reasonable security updates and software hygiene;
• access restrictions to authorized personnel only.

The website is hosted by OVH-Cloud. For any security vulnerability report related to HeelonVault or a HEELONYS service, use security@heelonys.fr.

8. Minors

Our website and services are not intended for minors under 16 years old. We do not knowingly collect personal data from minors.

9. Privacy policy changes

HEELONYS reserves the right to modify this privacy policy at any time to reflect changes in practices, applicable law, or operational reasons.

10. Data protection contact

For any security issue on HeelonVault or a HEELONYS service, contact security@heelonys.fr.

11. Links to other websites

This website may contain links to third-party websites. HEELONYS is not responsible for the privacy practices of those websites.