Last updated : 2026-05-20
Privacy policy
1. Data controller
The controller of the data collected via the SEOrestoApp Service is:
SEOrestoApp, sole proprietorship (micro-entreprise), whose registered office is at 64-66 rue des Archives, 75003 Paris, France.
Contact: info@seoresto.fr.
Data Protection Officer (DPO): no DPO is appointed, as designation is not mandatory here. For any data-related question, write to info@seoresto.fr.
2. Two distinct roles
SEOrestoApp processes data in two different capacities:
- Data controller for the data of its own professional customers (account, billing, use of the Service).
- Processor (Art. 28 GDPR) for the personal data of the establishments' customers (review content, feedback collected via QR code, etc.), processed on behalf of and on the instructions of the professional customer, who is then the controller. These processing activities are governed by a Data Processing Agreement (DPA).
This policy mainly describes the processing for which SEOrestoApp acts as controller.
3. Data collected
| Category | Examples | Source |
|---|---|---|
| Account data | name, e-mail, password (hashed), account type | User |
| Establishment data | name, address, hours, photos, attributes | User / Google |
| Google connection | OAuth tokens (encrypted), account ID, Google e-mail | Google (via your consent) |
| Review data | review text, ratings, author as provided by the platform | Google Business Profile |
| QR feedback | rating, free comment left by the establishment's customer | End customer |
| Billing data | plan, payment history (bank details are handled by Stripe) | User / Stripe |
| Technical and usage data | connection logs, IP address, in-app actions | Automatic |
| Cookies and trackers | see the Cookie policy | Automatic |
4. Purposes and legal bases
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Account creation and management, provision of the Service | Performance of the contract |
| Connection and synchronization with Google Business Profile | Performance of the contract / consent to connection |
| AI-assisted content generation | Performance of the contract |
| Billing and payment management | Performance of the contract / legal obligation |
| Security, fraud prevention, logging | Legitimate interest |
| Service improvement and statistics | Legitimate interest |
| Communications and notifications | Performance of the contract / consent (marketing) |
| Compliance with accounting and legal obligations | Legal obligation |
5. Recipients and sub-processors
Data is accessible to the Publisher's authorized staff and to the sub-processors below, to the extent necessary for their tasks:
| Sub-processor | Role | Location |
|---|---|---|
| Google (Google Business Profile API) | source of reviews and publication | EU / outside EU |
| Anthropic | AI content generation | outside EU (United States) |
| Stripe | payment and billing | outside EU (United States) |
| Resend | transactional e-mail delivery | outside EU (United States) |
| HOSTKEY B.V. | hosting of the application, databases and file storage | EU (Netherlands) |
6. Transfers outside the European Union
Some sub-processors are located outside the European Union, notably in the United States. These transfers are framed by appropriate safeguards within the meaning of Articles 44 et seq. GDPR: the European Commission's Standard Contractual Clauses and/or adherence to the Data Privacy Framework where applicable. A copy of the safeguards can be requested at info@seoresto.fr.
7. Retention periods
| Data | Period |
|---|---|
| Account data | duration of the relationship + 3 years after last contact / end of inactivity |
| Review and presence data | duration of the subscription, then deletion / anonymization |
| Google OAuth tokens | until the account is disconnected or the subscription ends |
| Billing data | 10 years (legal accounting obligation) |
| Technical logs | 12 months |
| QR-code data | per the instructions of the professional customer (controller) |
| Cookies | see the Cookie policy (consent: max 13 months) |
8. Security
The Publisher implements appropriate technical and organizational measures: encryption of access tokens, encryption of communications (HTTPS), access control, logging, secure hosting, backups. As no measure guarantees absolute security, the Publisher undertakes to notify any data breach under the conditions provided by the GDPR.
9. Your rights
In accordance with the GDPR, you have the rights of access, rectification, erasure, restriction, objection, portability, and the right to set directives on the fate of your data after your death.
To exercise these rights, contact info@seoresto.fr. Proof of identity may be requested. You also have the right to lodge a complaint with the CNIL (www.cnil.fr) or your local supervisory authority.
Where SEOrestoApp acts as a processor (the establishment's customers' data), requests to exercise rights must be addressed to the professional customer acting as controller; SEOrestoApp assists in accordance with the DPA.
10. Cookies
The use of cookies and trackers is described in the Cookie policy.
11. Changes to this policy
This policy may be updated. The date of last update appears below; material changes are notified.
Last updated: 20 May 2026.