
Privacy policy

Last updated: 3 May 2026.

This policy describes how wheremyflow (published by Frédéric GAVEAU EI, 6 rue du Château, 12190 Estaing, France) processes personal data at two distinct levels:

  1. Visitors of sites tracked by our customers (measured end-users).
  2. Users of the wheremyflow service (customers who subscribe).

1. Visitors of tracked sites

1.1 No personal data stored

The w.js tracker is designed never to collect or store any direct identifier. The technical data captured (IP address, User-Agent) is anonymised in memory before insertion into the database:

  • The IP address is used solely for geolocation at country/region/city level (via the sovereign DB-IP database from Eris Networks, hosted in France), then hashed with HMAC-SHA256 using a monthly-rotating salt. Because the current date is concatenated into the HMAC input, the final visitor ID rotates daily. The raw IP never reaches the database.
  • The User-Agent is minimised to the browser family (Chrome, Firefox, Safari, Edge, Opera, Other) without version number, and to the OS family.
  • The screen resolution is bucketed into 5 categories.
  • The language is limited to the 2-character ISO code.
  • The referrer is limited to the hostname.

1.2 No cookies set

No cookie is set in the visitor's browser. The identifier used to deduplicate unique visits is a server-side HMAC-SHA256 hash computed at each event, changing every day and different for each site (implicit rotation + isolation per site_id).
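The identifier scheme described in sections 1.1 and 1.2, as an added example (not wheremyflow's own code): a daily, per-site HMAC-SHA256 visitor ID keyed with a salt that is overwritten at each monthly rotation. The field order, the separator, the inclusion of the browser family in the HMAC input, and the names `MonthlySalt`, `browser_family` and `visitor_id` are assumptions; the sample IP and User-Agent are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample inputs (documentation IP range, generic desktop UA).
SAMPLE_IP = "203.0.113.7"
SAMPLE_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")


class MonthlySalt:
    """Holds only the current month's salt; the retired one is overwritten."""

    def __init__(self):
        self._month = None
        self._salt = b""

    def for_day(self, day: date) -> bytes:
        month = (day.year, day.month)
        if month != self._month:
            # Rotation: the old salt is replaced in place, never archived,
            # so IDs from a previous month can no longer be recomputed.
            self._month, self._salt = month, secrets.token_bytes(32)
        return self._salt


def browser_family(user_agent: str) -> str:
    """Reduce a User-Agent to a family name with no version number."""
    # Order matters: Edge and Opera UAs also contain "Chrome/",
    # and Chrome UAs also contain "Safari/".
    for token, family in (("Edg/", "Edge"), ("OPR/", "Opera"),
                          ("Firefox/", "Firefox"), ("Chrome/", "Chrome"),
                          ("Safari/", "Safari")):
        if token in user_agent:
            return family
    return "Other"


def visitor_id(salts: MonthlySalt, site_id: str, ip: str,
               user_agent: str, day: date) -> str:
    """Daily, per-site pseudonymous ID; the raw IP never leaves this call."""
    fields = (day.isoformat(), site_id, ip, browser_family(user_agent))
    # A unit separator keeps ("a", "bc") and ("ab", "c") from colliding.
    message = "\x1f".join(fields).encode("utf-8")
    return hmac.new(salts.for_day(day), message, hashlib.sha256).hexdigest()
```

Only the hex digest would be written to storage; the same visitor yields unrelated IDs on another day or another site, and a browser version bump does not change the ID.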

1.3 Legal basis

The legal basis is the publisher's legitimate interest in measuring their site audience (GDPR article 6.1.f), combined with the consent exemption under article 82 of the French Data Protection Act, as detailed in the CNIL July 2025 reference framework.

1.4 Visitor rights

Visitors have the right to object, exercised through three modalities:

  • by enabling Do Not Track in their browser settings,
  • by enabling Global Privacy Control (Sec-GPC),
  • by using the opt-out button/snippet provided by the site publisher (if integrated).

1.5 Retention period

| Data                        | Period                                                              |
| --------------------------- | ------------------------------------------------------------------- |
| Raw events (events)         | 90 days                                                             |
| Daily aggregated statistics | 25 months                                                           |
| Active anonymisation salt   | 1 month (auto-rotation)                                             |
| Retired salt                | 0 days — atomically deleted at rotation (Plausible/Fathom doctrine) |
| Active live sessions        | 5 minutes                                                           |

2. Users of the wheremyflow service (subscribed customers)

2.1 Data processed

When you subscribe and use the service, we process:

| Data                                             | Purpose                         | Legal basis                                             | Retention                                        |
| ------------------------------------------------ | ------------------------------- | ------------------------------------------------------- | ------------------------------------------------ |
| Email, password (Argon2id hashed)                | Authentication                  | Contract performance                                    | Account lifetime + 12 months                     |
| Name, company, address, VAT ID                   | Billing, accounting obligations | Legal obligation (art. L.123-22 French Commercial Code) | 10 years (accounting)                            |
| Payment data                                     | Collection                      | Contract performance                                    | Processed by Mollie B.V. (NL) — not stored by us |
| Technical logs (hashed IP, truncated user-agent) | Security, anti-abuse            | Legitimate interest                                     | 30 days                                          |
| Support messages                                 | Reply to requests               | Legitimate interest                                     | 24 months                                        |

2.2 Sub-processors

| Sub-processor         | Role                                           | Location                                                                |
| --------------------- | ---------------------------------------------- | ----------------------------------------------------------------------- |
| Clever Cloud SAS      | Infrastructure hosting                         | HQ: Nantes, France — datacenters FR (Paris/Roubaix), ISO/IEC 27001:2022 |
| Eris Networks (DB-IP) | IP geolocation database                        | Perros-Guirec, France                                                   |
| Brevo SAS             | Transactional email delivery                   | Paris, France                                                           |
| Mollie B.V.           | Online payment                                 | Amsterdam, Netherlands                                                  |
| Mistral AI            | Insight generation (anonymous aggregates only) | Paris, France                                                           |

No sub-processor outside the EU. No transfer to the United States, United Kingdom or any third country.

2.3 Your rights

Under articles 15 to 22 of the GDPR, you have the following rights:

  • Access — download your data via the Compliance tab, "Download all data (CSV ZIP)" button. See Export and erasure.
  • Rectification — edit your details in the billing portal.
  • Erasure — delete your site (and all its data) via "Erase site". For full account deletion, contact the DPO.
  • Portability — the ZIP export provides your data as CSV files (one per dashboard view, English column headers).
  • Objection / Restriction — contact the DPO.
  • Complaint — to your country's data protection authority (🇫🇷 CNIL · 🇩🇪 DSK · 🇮🇹 Garante · 🇪🇸 AEPD · 🇳🇱 AP — see DPO contact for the full list of all 27+3 EU/EEA authorities).

Response time: maximum 1 month (GDPR article 12), extendable by 2 months for complex requests.

2.4 DPO contact

  • Email: dpo@wheremyflow.com
  • Address: Wheremyflow — Frédéric GAVEAU - DPO, 6 rue du Château, 12190 Estaing, France.

3. Security

  • TLS 1.2+ encryption in transit (HSTS enabled).
  • TLS encryption on the database connection.
  • Argon2id-hashed passwords (OWASP 2024 parameters).
  • Short sessions (7 days) with httpOnly, secure, sameSite=strict cookies.
  • Password policy: 10 characters minimum.
  • Application-level separation of ingest / dashboard (distinct code roles, fail-closed regex guards, audit logs).
  • Automatic monthly rotation of cryptographic salts.

4. Breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent data protection authority (CNIL for France, BfDI/DSK for Germany, Garante for Italy, AEPD for Spain, AP for the Netherlands, and any other applicable lead supervisory authority) within 72 hours and, where applicable, inform you without undue delay (GDPR articles 33-34).

5. Amendments

Any material amendment to this policy will be notified to you by email at least 30 days before entry into force.