This notice explains how PolicyForge collects, uses, and protects your personal data when you use our service. It is written to comply with the EU General Data Protection Regulation (GDPR) and equivalent privacy laws.
1. Data controller
The data controller is NAGASHIELD SECURITY, a French SAS with €1 share capital, registered with the Paris Trade and Companies Register under number 989 235 999, whose registered office is at 60 rue François 1er, 75008 Paris, France, publisher of the PolicyForge service. For any question about your personal data, contact: contact@nagashieldsecurity.com.
2. Data we collect
We collect only what is strictly necessary:
- Account data: email address, full name, company name, role, language preference.
- Generated data: policies you create, drafts, exports, branding settings (logo, colours).
- Technical data: audit logs (who did what and when) and the IP address recorded at the time of sensitive actions (such as sign-in, password change, or export).
- Billing data: managed by our processor Stripe (we never store card numbers).
3. Lawful bases
- Contract performance (Art. 6(1)(b) GDPR) — to provide the service.
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, audit trails.
- Legal obligation (Art. 6(1)(c)) — accounting and tax retention.
4. Purposes
Your data is used to:
- Provide and improve the PolicyForge service.
- Authenticate your account and secure access to your policies.
- Process your subscription billing (via Stripe).
- Notify you about incidents or major updates.
- Respond to your support requests.
5. Retention
- Active account: as long as you use the service.
- After account deletion: personal data is deleted immediately, with two exceptions: accounting records, which are retained for 10 years (French legal obligation), and security logs, which follow the retention period below.
- Security logs: 12 months.
6. Your rights
You have the right to:
- Access your data (JSON download from "My account").
- Rectify your information (from "My account").
- Delete your account (from "My account").
- Restrict or object to processing (email contact@nagashieldsecurity.com).
- Data portability: receive your data in a structured format (JSON export).
- Lodge a complaint with your supervisory authority (e.g. CNIL in France).
7. Subprocessors
We rely on a small set of subprocessors bound by GDPR-compliant DPAs. The complete, current list is published on the Subprocessors page.
8. International transfers
Some subprocessors process data outside the EU (notably Stripe and Vercel in the US). Such transfers rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, with supplementary technical measures (encryption, access controls).
9. Security
Your data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access is strictly role-controlled and limited to need-to-know. We maintain an audit trail of all sensitive actions. Our internal security policies are available on request.
10. Data breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR). When the breach is likely to result in a high risk to you, we also inform you directly without undue delay (Art. 34 GDPR).
11. Cookies
We use only strictly necessary cookies (authentication session, language preference). No marketing cookies, no third-party analytics. No prior consent is required for these essential cookies.
12. Changes
This notice is reviewed annually and after any material change. The "Last updated" date at the top reflects the latest revision. Material changes are communicated by email.
13. Contact
For any question: contact@nagashieldsecurity.com.