Privacy policy.

The controller of personal data is:

Visitors to kalisecu.com

No personal data is collected when simply visiting the site. No third-party tracking, audience-measurement or advertising cookies are stored.

Audit or subscription requests

• Identity: first name, last name, business email
• Company: name, address, phone (where applicable)
• Website concerned: URL, technologies, test credentials (provided by the Client)
• Electronically signed authorisation document
• Payment data (processed solely by our payment provider)

Purposes: execution of the subscribed service (audit, monitoring, report), invoicing, contractual communication, support, service improvement.

Legal bases: performance of the contract (art. 6.1.b GDPR) for data necessary for the service; legal obligation (art. 6.1.c) for invoicing and accounting retention; legitimate interest (art. 6.1.f) for platform security and fraud prevention.

Technical data produced by the service

While performing the service, Kalisecu produces and stores technical data about the Client's site (observed configuration, detected vulnerabilities, recommendations, screenshots). This data is strictly confidential and accessible only to the Kalisecu team and the holding Client.

• Prospect data (request without follow-up): 3 years from the last contact.
• Active client data: throughout the contractual relationship.
• Audit reports and technical data: kept on the personal dashboard for 12 months after the end of the subscription (Surveillance/Pilot), then deleted or archived on explicit Client request.
• Accounting data (invoices): 10 years, in accordance with article L.123-22 of the French Commercial Code.
• Platform technical logs: 12 months maximum, security purpose.

All operational data (reports, dashboard, service database) is hosted in mainland France, with no transit through servers outside the EU.

All sub-processors have signed a data-processing agreement (DPA) compliant with articles 28 and 32 GDPR. No data transfer occurs to jurisdictions without an adequacy decision from the European Commission.

Personal and technical data is protected by the following measures:

• Encryption in transit (TLS 1.2 minimum) and at rest on storage
• Multi-factor authentication on administrator accounts
• Strict per-Client logical isolation (multi-tenant)
• Access logging and quarterly review
• Encrypted backups, restoration tested
• Documented breach notification procedure (CNIL within 72h)

In accordance with articles 15 to 22 of the GDPR, you have the following rights over your personal data:

• Right of access, obtain confirmation and a copy of your data
• Right to rectification, correct inaccurate data
• Right to erasure, request deletion (subject to legal obligations)
• Right to restriction of processing
• Right to portability, receive your data in a structured format
• Right to object to processing based on legitimate interest

To exercise a right, write to hello@kalisecu.com. We respond within one month maximum.

You also have the right to lodge a complaint with the French data protection authority (CNIL, 3 place de Fontenoy, 75007 Paris).

This policy may be updated to reflect a legal or organisational change. The date of last update is shown below. Clients are notified by email of any substantial change.