This Privacy Policy explains how Pepite Data SARL (“we”, “us”, “our”) collects, uses, and protects personal data when you use pepitedata.com (the “Website”) or engage our services. We comply with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act (“Loi Informatique et Libertés”).
1. Data controller
- Controller: Pepite Data SARL
- Registered office: 99 Avenue Achille Peretti, 92200 Neuilly-sur-Seine, France
- SIRET: 949 608 939 00029
- RCS: Nanterre B 949 608 939
- VAT number: FR73 949 608 939
- Privacy contact: contact@pepitedata.com
2. Personal data we collect and why
A. Booking and consultation requests (Cal.com / Stripe)
When you book a paid Expert Call or a free 30-minute scoping call via Cal.com, we receive:
- Name, email address, optional phone number
- Time zone and selected time slot
- Information you provide in the intake form (company, role, topic, scoping context)
- For paid bookings: payment confirmation from Stripe (card details are never received by us; Stripe holds them as a PCI-DSS-compliant payment processor)
Legal basis: performance of a contract (GDPR Art. 6(1)(b)) for paid bookings; pre-contractual measures at your request (Art. 6(1)(b)) for free scoping calls.
Retention: 5 years from the end of the engagement for accounting purposes (Code de commerce Art. L.123-22); shorter for declined or unconverted prospects (12 months).
B. Engagement delivery (audits, advisory)
During an engagement, we may receive operational data you choose to share (architecture diagrams, configuration excerpts, anonymized metrics, names of team members involved). We do not request production access and do not collect end-user data of your systems.
Legal basis: performance of the consulting contract (Art. 6(1)(b)).
Retention: 5 years from the end of the engagement for accounting and contractual liability; engagement-specific data is deleted on request unless required for legal or contractual purposes.
C. Contact form messages
When you contact us via the contact form, we collect: name, email address, message subject (optional), message content. Spam protection (Honeypot) processes form submission timing.
Legal basis: our legitimate interest in responding to inbound enquiries (Art. 6(1)(f)).
Retention: 12 months from last contact, unless the exchange leads to a commercial relationship (in which case retention follows section A above).
D. Blog comments
When you leave a comment on a blog post, we collect: name, email address, optional website URL, comment content, IP address, and browser user-agent (used for spam prevention via Limit Login Attempts and Honeypot).
Legal basis: consent (Art. 6(1)(a)) — submitting the comment with your details constitutes consent.
Retention: for the lifetime of the post, unless you request deletion.
E. Server logs and security
Our web server (nginx) records standard access logs containing IP address, timestamp, requested URL, HTTP status, user-agent, and referrer. The CrowdSec security plugin processes the same data to detect malicious behaviour (brute force, scanning, exploitation attempts).
Legal basis: our legitimate interest in protecting the Website against attacks (Art. 6(1)(f)).
Retention: 30 days for nginx access logs; CrowdSec decision data per CrowdSec’s documented retention.
F. Audience measurement (WP Statistics, Google Site Kit)
We use WP Statistics for internal traffic measurement (anonymized by default — IP addresses are anonymized before storage) and Google Site Kit / Google Analytics for cross-channel analytics. Google Analytics may set cookies and process IP addresses; we have configured anonymization where available.
Legal basis: consent (Art. 6(1)(a)) for Google Analytics cookies; legitimate interest (Art. 6(1)(f)) for WP Statistics anonymized internal measurement, in line with the CNIL’s exemption for proportionate audience measurement.
Retention: WP Statistics: 13 months. Google Analytics: 13 months (configured maximum under GDPR).
3. Recipients of your data
We share data only with the following categories of recipients, all bound by appropriate contracts and security obligations:
- Cal.com (booking platform) — receives booking and intake data.
- Stripe (payment processor) — receives card payment data directly from your browser; we receive only confirmation metadata.
- Google (Site Kit / Analytics) — receives audience measurement data, subject to your cookie consent.
- Our hosting provider (see Mentions légales) — operates the server infrastructure.
- Tax and accounting authorities — when legally required (invoicing records).
We do not sell or rent personal data.
4. International transfers
Some of our processors (notably Cal.com, Stripe, Google) may transfer data outside the European Economic Area, in particular to the United States. Such transfers are governed by:
- The EU-US Data Privacy Framework, where the recipient is certified;
- Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by appropriate technical and organizational measures, where applicable.
5. Your rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain a copy of the data we hold about you.
- Right of rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”, Art. 17) — request deletion, subject to legal retention requirements.
- Right to restriction (Art. 18) — limit processing in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest, including direct marketing.
- Right to withdraw consent at any time, where processing is based on consent.
- Right not to be subject to automated decision-making (Art. 22) — we do not perform such processing.
To exercise any of these rights, contact us at contact@pepitedata.com. We will respond within one month, extendable by two further months for complex requests.
If you believe your rights are not respected, you may lodge a complaint with the French data protection authority (CNIL): www.cnil.fr or by post to 3 Place de Fontenoy, 75007 Paris.
6. Security
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These include:
- HTTPS encryption for all data in transit;
- IP whitelisting and CrowdSec WAF for administrative access;
- Regular security updates of WordPress, plugins, and the underlying server;
- Encrypted off-site backups;
- Strict access control to engagement data.
7. Cookies
For details on the cookies used on this Website and how to manage your preferences, see our Cookies page.
8. Updates to this policy
We may update this Privacy Policy from time to time to reflect changes in our processing or in applicable law. The most recent version is always available at this URL.