Privacy Policy

1. Introduction

This Privacy Policy describes the practices for the collection, use, retention, and protection of personal data implemented by NUAGIC (hereinafter "the Publisher", "we") in the operation of the TerraPerf service (hereinafter "the Service").

1.1 Data Controller

Nuagic operates the TerraPerf Service under license from Sofrasorb, the intellectual property owner of the platform. For the purposes of data protection law, Nuagic acts as the data controller, determining the purposes and means of processing your personal data in the operation of the Service.

1.2 Data Protection Officer (DPO)

• Email: contact@nuagic.com
• Postal address: NUAGIC — Data Protection, 144 Avenue Charles de Gaulle, 92200 Neuilly-sur-Seine, France

2. Personal Data We Collect

2.1 Data You Provide

• Identification: Name, surname, email address, profile picture (from OAuth provider: Google, GitHub, GitLab, Microsoft)
• Professional information: Company name, team name (optional)
• Infrastructure Code: Terraform / OpenTofu files submitted for Analysis
• Feedback: Comments, ratings on Analysis results

2.2 Data Collected Automatically

• Authentication data: OAuth provider identifier, provider used, last login date (lifetime of Account)
• Session data: Session and authentication cookies (httpOnly) (session / 30 days)
• Technical data: IP address, browser type and version (90 days)
• Transaction data: Credit purchase history, consumption history, balance (7 years, legal obligation)
• Analysis data: Analysis identifier, status, score, estimated size, creation date (12 months)

2.3 Behavioral Analytics (With Consent Only)

If you accept analytics cookies, data is collected via Google Analytics 4 (pages visited, usage events, aggregated session data). IP addresses are anonymized before processing. Analytics collection is disabled by default.

3. Purposes and Legal Bases

• Account creation and management — Performance of contract (Art. 6(1)(b))
• Performing Analyses — Performance of contract (Art. 6(1)(b))
• Credit management and payments — Performance of contract (Art. 6(1)(b))
• Authentication and security — Legitimate interest (Art. 6(1)(f))
• Behavioral analytics — Consent (Art. 6(1)(a))
• Fraud and abuse prevention — Legitimate interest (Art. 6(1)(f))
• Legal and accounting obligations — Legal obligation (Art. 6(1)(c))

4. Recipients and Processors

4.1 Technical Processors

• Sofrasorb — Platform development and maintenance. Technical data and error logs (limited diagnostic access). Located in France (EU). Governed by a Data Processing Agreement (DPA) with restricted access.
• Anthropic — AI analysis of Infrastructure Code. Located in the United States. Standard Contractual Clauses (SCCs).
• Amazon Web Services (AWS) — Hosting of the entire Service. eu-west-1 (Ireland, EU). SOC 2, ISO 27001 certified, GDPR compliant.
• Stripe — Payment processing. United States / EU. PCI-DSS Level 1 certified, SCCs.
• Google Analytics — Audience analytics (with consent). Anonymized navigation data. Google Consent Mode v2.

4.2 OAuth Authentication Providers

Google, GitHub, GitLab, and Microsoft provide name, email, and profile picture for authentication only. No data is transmitted back to providers outside the authentication flow.

5. International Data Transfers

All Service data is hosted within the EU (AWS eu-west-1, Ireland). Transfers to the United States (Anthropic, Stripe, Google) are protected by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.

For Anthropic transfers: data is transmitted via TLS 1.2+, processed temporarily, and deleted within 24 hours. The API is used in "zero data retention" mode where available.

6. Data Retention

• Account data: Lifetime of Account + 30 days after closure
• Infrastructure Code: Automatically deleted within 24 hours
• Analysis Reports: 12 months (unless deleted earlier by User)
• Transaction data: 7 years (legal obligation)
• Technical logs: 90 days
• Session cookies: Session duration or 30 days
• Analytics data: 14 months
• Admin audit logs: 3 years

7. Cookies

Essential cookies (no consent required): session management, CSRF protection, authentication tokens (httpOnly).

Analytics cookies (with consent): Google Analytics (_ga, _ga_*, _gid).

Payment cookies: Stripe fraud prevention (__stripe_mid, __stripe_sid).

You can manage cookie preferences via the consent banner or your browser settings. Refusing analytics cookies does not affect the Service.

8. Your Rights

Under the GDPR (EU Regulation 2016/679), you have the right to:

• Access (Art. 15): Obtain a copy of your personal data
• Rectification (Art. 16): Correct inaccurate data
• Erasure (Art. 17): Request deletion of your data
• Restriction (Art. 18): Limit processing in certain cases
• Portability (Art. 20): Receive your data in JSON, Markdown, or CSV format
• Object (Art. 21): Object to processing based on legitimate interest
• Withdraw consent (Art. 7(3)): Withdraw analytics consent at any time

To exercise your rights, contact us at:

• Email: contact@nuagic.com
• Post: NUAGIC — Data Protection, 144 Avenue Charles de Gaulle, 92200 Neuilly-sur-Seine, France

We will respond within one (1) month, extendable by two (2) months for complex requests.

9. Data Security

• Encryption in transit (TLS 1.2+)
• Authentication tokens in httpOnly cookies (XSS-resistant)
• No password storage (OAuth delegation)
• CSRF protection
• No banking data stored (Stripe handles payments)
• Strict environment separation (dev, staging, production)
• Audit logging of all administrator access

In the event of a data breach, we will notify the CNIL within 72 hours (Art. 33 GDPR) and inform affected users without undue delay if there is a high risk (Art. 34 GDPR).

10. AI Analysis

The Service uses AI (Anthropic Claude) to analyze Infrastructure Code. This produces a quality score, findings, and recommendations. This is not automated decision-making under Article 22 GDPR — results are purely informational and advisory, with no legal effects on users.

11. Protection of Minors

The Service is for professional use and not designed for persons under 18. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this policy at any time. Substantial changes will be notified by email and an in-app banner, with 30 days' notice before taking effect.

13. Contact & Supervisory Authority

If you believe your data protection rights have been violated, you may lodge a complaint with: