This policy describes how the ComploDex mobile app processes your personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act.
1. Data controller
- Name: Sébastien Soulier (sole proprietor — French micro-entrepreneur status)
- SIRET: 10483848700015
- Address: 12 Rue Georges Brassens, 32600 Lias, France
- GDPR contact: contact@lespetitscomplotistes.com
2. Data we process
| Data | Legal basis | Retention |
|---|---|---|
| Email (magic link) + auth UUID + account creation date | Performance of contract | Account lifetime + 30 days after deletion |
| Username, persona, language, avatar | Performance of contract | Same |
| Cards collected, Plausible/Parano votes, investigation walls, streak, settings | Performance of contract | Same |
| Subscription status (monthly/annual Premium, Founder Edition) and in-app purchase history | Performance of contract | Same |
| Device UUID, OS / app version | Legitimate interest (security, support) | 13 months |
| PostHog product analytics events | Consent (opt-in) | 13 months |
| Sentry crash reports | Consent (opt-in) | 90 days |
| FCM token (push) | Consent (opt-in) | While opt-in is active |
| Occasional geolocation (v1.3+) | Consent | Not stored |
| consent_log history | Legal obligation (GDPR art. 7) | 5 years after account deletion (anonymized) |
| Payments (cards, IBAN, etc.) | N/A — handled by Apple / Google | N/A — never collected by the publisher |
3. Purposes
- Provide the ComploDex service (account, collection, votes, subscriptions)
- Improve the app via analytics and crash reports (opt-in only)
- Product communication via push notifications (opt-in only)
- Security (fraud detection, Postgres RLS, audit trail)
Conversely, ComploDex serves no advertising, integrates no third-party advertising SDK and never resells any data. No geolocation is collected in version 1 (a feature considered from v1.3 onwards, subject to explicit consent).
4. Detailed legal bases (GDPR art. 6)
- Performance of contract (art. 6.1.b) — account creation, app functionality, Premium subscription
- Consent (art. 6.1.a) — analytics, crash reports, push, geolocation
- Legal obligation (art. 6.1.c) — consent_log retention
- Legitimate interest (art. 6.1.f) — security, fraud prevention, support
5. Processors and recipients
| Processor | Role | Location | Outside EU | Safeguards |
|---|---|---|---|---|
| Supabase Inc. | Backend, database, Auth, Storage, Edge Functions | EU (Paris, eu-west-3) | No | Signed DPA |
| Brevo (formerly Sendinblue) | Transactional emails (GDPR export, deletion) | EU | No | Signed DPA |
| Sentry | Crash reporting (opt-in) | EU | No | Signed DPA |
| PostHog Cloud EU | Product analytics (opt-in) | EU | No | Signed DPA |
| Firebase Cloud Messaging | Push notifications (opt-in) | USA (Google) | Yes | Standard Contractual Clauses (SCC) |
| Apple Inc. | App Store, in-app purchases | USA | Yes | SCC + Apple Terms |
| Google LLC | Play Store, Play Billing | USA | Yes | SCC + Google Terms |
| DeepL | Admin pre-translation (never runtime) | EU (Germany) | No | Signed DPA |
6. Transfers outside the European Union
Some processors (Firebase Cloud Messaging, Apple, Google) process data in the United States. Such transfers are framed by the European Commission's Standard Contractual Clauses (SCC) and, where applicable, by the EU-US Data Privacy Framework certifications.
7. Your GDPR rights
| Right | How to exercise it in the app |
|---|---|
| Access / Portability | Settings > GDPR > Export my data → Brevo email within 24 h (JSON) |
| Rectification | Edit profile in the app (username, persona, avatar, language) |
| Erasure | Settings > GDPR > Delete my account → 30-day grace workflow — see the dedicated account-deletion page |
| Objection / Restriction | Email contact@lespetitscomplotistes.com |
| Withdraw consent | Settings > Notifications (push, analytics, crash reports — individual toggles) |
Response time: 1 month maximum from the request (GDPR art. 12.3).
You may file a complaint with the CNIL (the French data protection authority): www.cnil.fr.
8. Minors
The app is intended for users 13 years of age and older. If you are under 13, do not use this app. No chat, no public profile, no user-generated uploads, anonymous by default.
9. Security
- Email magic-link authentication only — no password to store or to compromise
- Postgres Row Level Security (RLS) enabled by default on all sensitive tables
- HTTPS / TLS on all exchanges (encryption in transit)
- Secrets stored in Supabase Vault (never hard-coded in the client)
- The service_role key is never used on the client
- Audit trail for admin sign-ins
10. Changes to this policy
Any major change (new processor, new purpose, new data category) triggers a re-consent flow in the app, tracked in the consent_log table.
11. Complodex beta-tester programme (website)
The website lespetitscomplotistes.com offers a form to join the beta-tester community of the Complodex application. This processing is distinct from the data collected by the app itself (sections 1 to 10) and obeys the following conditions:
- Purpose: to send beta invitations (TestFlight for iOS, Play Console Internal Testing for Android), as well as at most 1 or 2 product update emails around launch and, if applicable, an email when the Founder Edition opens if the corresponding box was ticked. No other communication.
- Legal basis: explicit consent (GDPR art. 6.1.a), collected via the form and confirmed by double opt-in (clicking a link sent by email).
- Data processed: email, chosen platform (iOS or Android), Founder Edition opt-in, pseudonymised IP fingerprint (HMAC hash with server salt), user-agent, language, version of the consent text, timestamps.
- Retention: unconfirmed requests are automatically deleted after 7 days. Confirmed signups are kept for at most 24 months after the last communication sent. Any data is deleted immediately upon user request (link in every email).
- Processors: none. Data is stored in a local SQLite database on the web server and emails are sent via the publisher's SMTP server.
- Rights: access, rectification, erasure, objection, portability — exercisable via the links present in every email (one-click unsubscribe, one-click GDPR deletion) or by directly contacting contact@lespetitscomplotistes.com.
- Proof of consent: confirmation timestamp and version of the consent text are kept to meet the proof obligation (GDPR art. 7).
12. Contact
For any question regarding the processing of your data: contact@lespetitscomplotistes.com.
Version v1.0 — Last updated: 11 May 2026
