StratenOcon

Privacy Policy

How StratenOcon collects, uses, and protects personal data, and the rights you have under the EU General Data Protection Regulation (GDPR).

Last updated: [DATE]

This policy is provided in English. A French-language version is available on request at privacy@stratenocon.com.
Contents
1. Who we are 2. Data we collect 3. Purposes & legal bases 4. AI processing 5. Retention 6. Recipients & subprocessors 7. International transfers 8. Your rights 9. Complaints (CNIL) 10. Cookies 11. Contact

1. Who we are (data controller)

StratenOcon SAS is the data controller responsible for the personal data described in this policy.

StratenOcon provides an AI-powered enterprise search and workplace assistant that indexes data from tools you connect (the "connectors") and lets your team ask questions across that data with cited answers. When we process personal data contained in your workspace on your instructions, we generally act as a data processor on your organisation's behalf; for account, billing, security, and marketing data we act as a data controller. This policy focuses on our controller activities and explains our processor role where relevant.

2. Categories of personal data we collect

Account data

Name, work email address, hashed password (we never store passwords in clear text), organisation/workspace membership, role, language preference, and authentication metadata (e.g. MFA status, SSO identifiers).

Workspace content ingested from connectors

When your organisation authorises a connector, we ingest and index content from the connected system so it can be searched. Depending on the source this can include emails, chat messages, documents and files, meeting transcripts and summaries, calendar events, tickets, and CRM notes. This content may contain personal data about you, your colleagues, and third parties. We process it on your organisation's instructions to provide the service.

Usage and log data

IP address, device and browser information, timestamps, pages and features used, search queries, and diagnostic/error information used to operate, secure, and improve the service.

Billing data

Billing contact details and subscription/payment metadata. Card payments are processed by Stripe; we do not store full card numbers.

3. Purposes and legal bases (GDPR Art. 6)

PurposeLegal basis
Providing and operating the service (account, indexing, search, connectors)Performance of a contract (Art. 6(1)(b))
AI-powered search, answers, and assistant features over your dataPerformance of a contract; our legitimate interest in delivering the core product (Art. 6(1)(b) / (f))
Security, abuse prevention, fraud detection, and audit loggingLegitimate interest in protecting our users and systems (Art. 6(1)(f)); legal obligation where applicable
Billing and subscription managementPerformance of a contract; legal obligation (accounting) (Art. 6(1)(b) / (c))
Marketing and product emailsConsent, or legitimate interest for existing customers with an opt-out (Art. 6(1)(a) / (f))
Complying with legal obligations and responding to lawful requestsLegal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You can object at any time (see section 8).

4. AI processing disclosure

To generate answers, summaries, and agent actions, your queries and relevant excerpts of your workspace content are sent to third-party large language model (LLM) providers — principally Anthropic (Claude) and OpenAI — acting as our subprocessors. We also use these providers for embeddings, image understanding, and audio transcription where those features are used.

5. Data retention

6. Recipients and subprocessors

We share personal data only with service providers who process it on our behalf under GDPR Art. 28 data processing agreements. Key subprocessors include Amazon Web Services (hosting, storage, email), Anthropic and OpenAI (AI processing), Stripe (payments), Sentry (error monitoring), and Resend (transactional email).

A full, current list — including purpose, data processed, location, and transfer safeguards — is published on our Subprocessors page. We notify customers of material changes to that list.

We do not sell personal data. We may disclose data where required by law or to protect our rights, and to a successor entity in the event of a merger or acquisition, subject to this policy.

7. International transfers

Our primary hosting is in the EU (AWS Europe, Paris — eu-west-3). Some subprocessors (notably AI providers and certain SaaS tools) process data in the United States. For such EU-to-US and other transfers outside the EEA, we rely on appropriate safeguards under GDPR Chapter V — principally the European Commission's Standard Contractual Clauses (SCCs), and the EU-US Data Privacy Framework (DPF) where the recipient is certified — together with supplementary measures such as encryption in transit. See the Subprocessors page for the safeguard applicable to each provider.

8. Your rights (GDPR Art. 15–21)

Subject to the conditions in the GDPR, you have the right to:

How to exercise them: use the in-app Account & Privacy settings to export or delete your data and to manage marketing preferences, or email privacy@stratenocon.com. If the data concerned belongs to a workspace controlled by your organisation, we may direct your request to that organisation (the controller) or act on their instructions. We respond within the statutory time limits (normally one month).

9. Right to lodge a complaint

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with your supervisory authority. In France this is the CNIL (Commission Nationale de l'Informatique et des Libertés), www.cnil.fr. We would appreciate the chance to address your concerns first — please contact us at privacy@stratenocon.com.

10. Cookies

We use strictly necessary cookies to run the service, and — only with your consent — analytics or preference cookies. You can review and change your choices at any time via the cookie consent banner and the Cookie preferences link in our website footer.

11. Contact & changes

Questions about this policy or your data? Email privacy@stratenocon.com or our DPO at dpo@stratenocon.com.

We may update this policy from time to time. Material changes will be notified through the service or by email. The "Last updated" date at the top reflects the current version.

← Back to home