Octopussian - Privacy Policy

Version of April 23, 2026


Table of Contents

  1. Preamble and purpose
  2. Data controller and contact
  3. Definitions
  4. Purposes and legal bases for processing
  5. Categories of personal data processed
  6. Recipients and Subprocessors
  7. Transfers outside the European Union
  8. Retention periods
  9. Technical logging
  10. Rights of data subjects
  11. Cookies, trackers, and advertising pixels
  12. Artificial intelligence and absence of profiling
  13. Security and breach notification
  14. Policy changes

1 - Preamble and purpose

1.1 Who we are

Octopussian, a simplified joint-stock company (SAS) with share capital of €10,000, headquartered at 78, avenue des Champs-Élysées, 75008 Paris - France, registered with the Paris Trade and Companies Registry under number 981 982 358 and with EU VAT number FR50 981 982 358 (hereinafter "Octopussian", "We", "our", "us"), publishes the application accessible as a SaaS at app.octopussian.com and its subdomains (hereinafter the "Application"), as well as the website octopussian.com (hereinafter the "Website").

1.2 Purpose

This Privacy Policy (hereinafter the "Policy") describes how Octopussian processes personal data collected when you browse the Website or use the Application, within the meaning of Regulation (EU) 2016/679 of April 27, 2016 (the "GDPR") and French Law No. 78-17 of January 6, 1978, as amended (the "Data Protection Act").

It applies to any natural person whose personal data is processed by us in this context: Website visitors, Application users, Account holders, prospects, individuals who contact us via the contact form, and any other data subject within the meaning of the GDPR.

1.3 Relationship with the Terms and Conditions and the DPA

The agreement between Octopussian and its Customers is governed by the Terms and Conditions (hereinafter the "T&Cs") and their annexes, chief among which is Annex A - Data Processing Agreement (hereinafter the "DPA"), established pursuant to Article 28 of the GDPR.

When a Customer and its Users store data in the Application in connection with their own business activities (including: contact records, files stored in the drive, shared passwords, chat and video conferencing content, knowledge base content, calendar events, to-do list tasks, and signed documents), Octopussian acts as a Processor within the meaning of Article 4(8) of the GDPR, under the responsibility of the Customer, who remains the Data Controller for such processing operations. The applicable framework is then the DPA, not this Policy.

This Policy, by contrast, covers the processing operations for which Octopussian itself acts as Data Controller within the meaning of Article 4(7) of the GDPR, including, by way of illustration and without limitation: the creation and management of Accounts and Users, billing and collections, technical support, application security and abuse prevention, commercial communications, Website operation and cookie management, and the handling of data subject rights requests. A detailed list of purposes and their legal bases is set out in Article 4 of this Policy.

In the event of any conflict between this Policy and the DPA with respect to a given processing operation, the provisions of the DPA shall prevail for that operation.

1.4 Scope and acknowledgment

Browsing the Website and using the Application implies acknowledgment of this Policy. The Policy is not a contract: it does not, in and of itself, constitute a legal basis for processing within the meaning of Article 6 of the GDPR. It informs data subjects of the processing operations carried out by Octopussian as Data Controller, in accordance with Articles 13 and 14 of the GDPR.

This Policy is subject to change. The terms governing notification of changes are set out in Article 14.


2 - Data controller and contact

2.1 Data controller

The Data Controller for the personal data covered by this Policy is:

Octopussian, SAS with share capital of €10,000
Registered office: 78, avenue des Champs-Élysées, 75008 Paris - France
Paris Trade and Companies Registry No. 981 982 358
EU VAT number: FR50 981 982 358
Represented by its President, Mr. Simon-Émile Guetta

2.2 Contact

For any questions regarding this Policy, the processing operations we carry out, or to exercise your rights under the GDPR, you may contact us:

  • by email at
  • via the contact form at https://octopussian.com/contact, by selecting, depending on the nature of your request, the subject "Question about the Privacy Policy" or "Exercise my personal data rights";
  • by postal mail to the registered office address above.

We are committed to acknowledging receipt of your request as promptly as possible. Detailed information on how to exercise your rights is provided in Article 10 of this Policy.


3 - Definitions

The following terms, capitalized throughout this Policy, have the meanings set out below.

  • Personal data: any information relating to an identified or identifiable natural person, within the meaning of Article 4(1) of the GDPR.
  • Processing: any operation or set of operations, whether automated or not, performed on personal data — such as collection, recording, organization, structuring, storage, adaptation, consultation, use, disclosure, dissemination, erasure, or destruction — within the meaning of Article 4(2) of the GDPR.
  • Data Controller: the natural or legal person who, alone or jointly with others, determines the purposes and means of processing, within the meaning of Article 4(7) of the GDPR.
  • Processor: the natural or legal person who processes personal data on behalf of a Data Controller, within the meaning of Article 4(8) of the GDPR.
  • Data subject: the identified or identifiable natural person whose personal data is the subject of processing.
  • Recipient: the natural or legal person, public authority, agency, or other body to which personal data is disclosed, whether or not a third party, within the meaning of Article 4(9) of the GDPR.
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, within the meaning of Article 4(12) of the GDPR.
  • CNIL: Commission nationale de l'informatique et des libertés, the French supervisory authority within the meaning of Article 51 of the GDPR.
  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • DPA: Annex A to the T&Cs, formalizing Octopussian's obligations as a Processor within the meaning of Article 28 of the GDPR.

The terms T&Cs, Application, Website, Services, Customer, User, Administrator, Account Holder, Account, Data, and Credentials have the meanings assigned to them in Article 1 of the T&Cs. Their definitions are not reproduced here in order to avoid any inconsistency between the contractual documents. In the event of any drafting discrepancy, the definition in the T&Cs shall prevail.


4 - Purposes and legal bases for processing

4.1 Processing operations for which Octopussian is the Data Controller

Octopussian processes personal data for the purposes listed below. For each purpose, the applicable legal basis within the meaning of Article 6(1) of the GDPR is specified.

Where multiple legal bases are listed, each one applies to the portion of processing it covers — for example, issuing and sending an invoice falls under contract performance, while retaining it for ten years falls under a legal obligation.

4.1.1 Creation and management of Accounts and Users
  Brief description: Registration, authentication, rights management and linkage to one or more Accounts, keeping the service operational, pseudonymization when a User is removed from all Accounts they were linked to.
  Legal basis (Art. 6(1) GDPR): (b) Performance of the contract and pre-contractual measures taken at the data subject's request.

4.1.2 Billing, payment collection, and accounting
  Brief description: Issuing invoices, tracking payments and balances, accounting reconciliation, bookkeeping, collection of outstanding amounts.
  Legal basis (Art. 6(1) GDPR): (b) Performance of the contract; (c) Legal obligation under the accounting and tax obligations applicable to Octopussian.

4.1.3 Technical support
  Brief description: Receiving, triaging, and handling support requests submitted via the contact form and, where applicable, via the self-service support chatbot.
  Legal basis (Art. 6(1) GDPR): (b) Performance of the contract.

4.1.4 Transactional onboarding
  Brief description: Sending, via our subprocessor Brevo (see Art. 6), activation, welcome, and onboarding emails for the Application, with technical deliverability monitoring for these messages.
  Legal basis (Art. 6(1) GDPR): (b) Performance of the contract.

4.1.5 Service communications
  Brief description: Informing Customers and Users of significant changes to the Application, security or availability incidents, revisions to the T&Cs or this Policy, billing deadlines, and contractual events (suspension, termination, renewal).
  Legal basis (Art. 6(1) GDPR): (b) Performance of the contract; (c) Legal obligation for notification of a breach affecting the Customer (Art. 33(1) GDPR via the DPA) or of a change required by law.

4.1.6 Application security and abuse prevention
  Brief description: Intrusion detection and anomaly monitoring, fraud prevention, enforcement of the Acceptable Use Policy (Annex C to the T&Cs), precautionary suspension or termination of an Account in the event of abuse.
  Legal basis (Art. 6(1) GDPR): (f) Legitimate interest of Octopussian in preserving the integrity and availability of its Services, protecting other Users, and preventing unlawful use.

4.1.7 Technical logging
  Brief description: Retention of records relating to operations performed on the shared password vault (identity of the author, type of operation, timestamp, list of access rights). Details are set out in Article 9.
  Legal basis (Art. 6(1) GDPR): (f) Legitimate interest of Octopussian in ensuring vault integrity and protecting Users against unauthorized operations.

4.1.8 Handling requests submitted via the contact form or by mail
  Brief description: Processing requests according to the subject selected: commercial information, technical information, questions about this Policy, exercise of GDPR rights, reporting a security incident or abuse, other requests.
  Legal basis (Art. 6(1) GDPR): (b) Pre-contractual measures for commercial information requests; (c) Legal obligation for GDPR rights requests and questions about this Policy; (f) Legitimate interest of Octopussian in responding to other requests from its correspondents.

4.1.9 Handling data subject rights requests
  Brief description: Receiving, verifying identity where applicable, processing, and providing reasoned responses to requests for access, rectification, erasure, portability, objection, restriction, withdrawal of consent, and post-mortem directives.
  Legal basis (Art. 6(1) GDPR): (c) Legal obligation under Articles 12 to 22 of the GDPR and Law No. 78-17 of January 6, 1978, as amended.

4.1.10 Cookies, trackers, and advertising pixels on the Website
  Brief description: Audience measurement, traffic analysis, targeted advertising on partner ad networks (Meta, Google, LinkedIn), server-side conversion tracking. Details, the list of trackers, and opt-out options are set out in Article 11.
  Legal basis (Art. 6(1) GDPR): (a) Prior consent for trackers that are not strictly necessary for the requested service.

4.1.11 Compliance with legal obligations and defense of our rights
  Brief description: Retention of accounting, contractual, and evidentiary documents in accordance with statutory retention periods; responding to lawful requests from judicial, administrative, or supervisory authorities; compiling and managing evidence in the event of litigation.
  Legal basis (Art. 6(1) GDPR): (c) Legal obligation; (f) Legitimate interest in compiling evidence and conducting legal defense.

4.2 Processing operations for which Octopussian is a Processor

The processing operations that the Customer and its Users carry out through the Application, involving data they enter in connection with their own business activities — including to-do lists, contacts, files stored in the drive, passwords shared in the vault, chat and video conferencing content, knowledge base content, calendar events, transferred files, and electronically signed documents — fall outside the scope of this Policy.

For these processing operations, the Customer remains the Data Controller and independently determines the applicable purposes and legal bases. Octopussian carries them out as a Processor, under the terms of the DPA (Annex A to the T&Cs), pursuant to Article 28 of the GDPR.

5 - Categories of personal data processed

This article lists, by type, the categories of personal data processed by Octopussian in connection with the purposes described in Article 4.1. Not all data is collected for all purposes: only the data strictly necessary for each purpose is processed, in accordance with the data minimization principle set out in Article 5(1)(c) of the GDPR.

5.1 Identification and contact data

First name, last name, salutation (if provided), professional email address, phone number (if provided), job title or position (if provided), professional postal address (when required for billing purposes).

5.2 Account and authentication data

User's unique internal identifier (non-meaningful UUID), identifier(s) of the linked Account(s), functional profile (Account Holder, Administrator, User), password (stored exclusively as a salted cryptographic hash — it is not readable by Octopussian), encrypted TOTP shared secret for two-factor authentication when enabled, dates and timestamps of the most recent logins, time zone declared by the User for sending notifications at their preferred times.

5.3 Connection and technical data

Source IP addresses of connections, technical session identifiers, browser user agent, and operating system identification. This data is processed in real time for authentication and connection anomaly detection purposes, but is not stored persistently beyond the duration of the active session. The only durable records are described in Article 9.

5.4 Billing and payment data

Company name, legal form, registration number (SIREN or equivalent), EU VAT number, billing address, name and email address of the person responsible for billing where applicable, history of invoices issued, payments received, and account balance.

The credit card number is never shared with Octopussian or stored on our systems. Payment is processed entirely by our subprocessor Stripe Payments Europe Ltd (see Art. 6 and Art. 7). We retain only the technical elements returned by Stripe for accounting reconciliation and service continuity purposes: opaque Stripe customer identifier, transaction token, card brand, last four digits of the card number, expiration date, and payment status.

5.5 Data relating to requests addressed to Octopussian

Content of messages submitted via the contact form, at , or by postal mail, any attached documents, timestamps, and the subject selected in the form. These exchanges may contain personal data that the data subject has chosen to share with us; they are encouraged to provide only the information strictly necessary for processing their request.

5.6 B2B declaratory data and contractual acceptance records

When creating an Account, the Account Holder checks a declaratory box confirming their legal majority, that they are registering in a professional capacity, and that they have authority to bind the legal entity they represent. This declaration is retained along with the timestamp of acceptance, the User's identifier, their IP address, and the version of the text accepted.

Also retained for evidentiary purposes are the timestamp, User identifier, and version of the text accepted for each acceptance of the T&Cs, the DPA, and this Policy, as well as for any subsequent revisions brought to the Account Holder's attention.

5.7 Cookie and tracker consent history

For trackers placed on the Website that require prior consent, a history of the visitor's choices (acceptance, refusal, withdrawal of consent) is retained, with timestamps, in order to provide proof of consent as required by Article 7(1) of the GDPR. Details are set out in Article 11.

5.8 Your data in the Application belongs to you

The information you enter in the Application — your contacts, files in your drive, passwords shared in the vault, chat messages, video conferences, knowledge bases, calendar, tasks, transferred files, and electronically signed documents — belongs to you.

We host it to make it accessible only to the people you have authorized. We do not use it for any purpose of our own: no resale, no advertising, no profiling, no AI training. We do not share it with any third party, except at your request, to comply with a lawful judicial order, or to fulfill a legal obligation that applies to us.

The precise legal framework, our security commitments, and our obligations toward your organization are set out in the DPA (Annex A to the T&Cs).

6 - Recipients and Subprocessors

6.1 Principle — need to know

Personal data processed by Octopussian is disclosed only to those who need access to it by reason of their role or assignment, and only to the extent strictly necessary for the purposes described in Article 4.

6.2 Recipients internal to Octopussian

Octopussian personnel authorized to process personal data — product, development, operations, support, administration, and billing teams — access only the data strictly necessary for their respective duties, within the framework of an internal access control policy. Each is bound by a professional-level confidentiality obligation.

6.3 Strategic Subprocessors

We engage the following Subprocessors to provide the Application and the Website. Each is bound by a data processing agreement compliant with Article 28 of the GDPR.

OVH
  Entity and registered office: OVH SAS - 2 rue Kellermann, 59100 Roubaix, France (Lille Métropole Trade Registry 424 761 419)
  Purpose for Octopussian: Hosting of the Application and Website, storage of files uploaded to the drive and of backups, all data centers located within the European Union
  Public DPA reference: DPA contracted under the current version published by OVH

Stripe
  Entity and registered office: Stripe Payments Europe Ltd - Dublin, Ireland
  Purpose for Octopussian: Payment processing and payment receipt management
  Public DPA reference: https://stripe.com/legal/ssa and Data Transfers Addendum https://stripe.com/legal/dta

Brevo
  Entity and registered office: Sendinblue SAS - 106 boulevard Haussmann, 75008 Paris, France (Paris Trade Registry 498 019 298)
  Purpose for Octopussian: Sending transactional onboarding emails (activation, welcome, and user onboarding)
  Public DPA reference: DPA integrated into Brevo's general terms published at https://www.brevo.com/legal/termsofuse/

Mistral AI
  Entity and registered office: Mistral AI SAS - 15 rue des Halles, 75001 Paris, France (Paris Trade Registry 952 418 325)
  Purpose for Octopussian: Providing the language model powering the artificial intelligence features; model training opt-out contractually activated by Octopussian
  Public DPA reference: https://legal.mistral.ai/terms/data-processing-addendum

6.4 Other technical service providers

We also engage other technical service providers for the operation of the Application and Website whose role is more limited or peripheral:

  • Delivery of educational videos published on the Website, via a Content Delivery Network whose points of presence are configured to remain within the European Union;
  • Geolocation of IP addresses (geographic enrichment derived from the address itself), for the purpose of connection anomaly detection, using a specialized service established in the European Union;
  • Syntactic and deliverability verification of email addresses entered during registration, using a specialized service established in the European Union.

Each of these providers is bound by a data processing agreement compliant with Article 28 of the GDPR.

6.5 Up-to-date list of Subprocessors

The complete, up-to-date list of our Subprocessors is set out in Annex D to the T&Cs. In accordance with the DPA, any material change to this list is communicated to Customers in advance with thirty (30) days' notice, allowing for a reasoned right of objection under the conditions set out in the DPA.

Using this contractual reference — rather than naming each provider in this Policy — keeps the list of technical providers current without requiring repeated editorial revisions to the Policy itself. This approach is expressly permitted by Article 13(1)(e) of the GDPR, which allows recipients to be identified by category.

6.6 Recipients acting as independent Data Controllers

Some of our Subprocessors carry out, alongside the processing they perform on our behalf, processing operations they conduct for their own purposes, in respect of which they act as independent Data Controllers. These processing operations are outside our control and are governed by their own policies, which they communicate to their end users.

In the interest of transparency, we identify the known cases below:

  • Stripe: fraud prevention, compliance with anti-money laundering and know-your-customer (AML/KYC) obligations, management of relationships with its financial partners, product development and improvement.
  • Brevo: security and integrity of its sending platform, statistical aggregation and service improvement.
  • ipregistry: improvement of its own geographic databases, fraud prevention on its own services.
  • Mistral AI: automated moderation and abuse detection in connection with the use of its models, aggregated usage statistics. The use of data to train Mistral AI models is excluded by the opt-out that Octopussian has contractually activated.

6.7 Other third-party recipients

Personal data may be disclosed, where necessary and only to the extent strictly required by the circumstances, to:

  • legal service providers engaged for specific assignments (attorneys, enforcement officers), who are bound by professional secrecy;
  • judicial, administrative, or supervisory authorities duly requesting information on a legal basis (subpoena, supervisory authority request, enforceable court order);
  • a transferee or acquirer in the event of an asset transfer, merger, or acquisition involving all or part of Octopussian's business, under the conditions set out in the T&Cs and subject to equivalent data protection.

7 - Transfers outside the European Union

7.1 Principle — processing within the European Union

Octopussian hosts and processes personal data within the territory of the European Union. The strategic Subprocessors identified in Article 6.3 are established in the European Union and operate infrastructure located within the European Union.

Only one situation gives rise to a direct and structural transfer to a third country: payment processing by Stripe, described in Article 7.2. For other Subprocessors, transfers may, in certain cases, occur within their own organizations in connection with the performance of their services or their own purposes; these cases are specified in Article 7.3.

7.2 Direct transfer to Stripe in the United States

Payment processing by Stripe involves the communication of data to Stripe Payments Europe Ltd (Ireland), and then, within its internal organization and for its own purposes, to Stripe, Inc. (United States) and other entities within the Stripe group.

These transfers are governed cumulatively by:

  • the adherence of the relevant Stripe entities to the EU-U.S. Data Privacy Framework, subject to the European Commission's adequacy decision (EU) 2023/1795 of July 10, 2023;
  • the Standard Contractual Clauses adopted by the European Commission on June 4, 2021 (implementing decision (EU) 2021/914), Modules 1 and 2, incorporated into the Stripe agreement through the Data Transfers Addendum published at https://stripe.com/legal/dta.

7.3 Transfers that may occur within our EU-established Subprocessors

Some of the Subprocessors identified in Articles 6.3 and 6.4 may, for the internal performance of their services or for their own purposes, engage subsequent subprocessors or carry out processing outside the European Union. These operations are governed by each Subprocessor's own DPA, as contracted with Octopussian. The transfer safeguards provided by these DPAs are as follows:

  • Sendinblue SAS (Brevo) — use of the Data Privacy Framework and Standard Contractual Clauses for any transfers outside the European Union occurring within its organization;
  • Elaunira SARL (ipregistry) — use of Standard Contractual Clauses (Modules 2 and 3) and the UK International Data Transfer Addendum for any transfers outside the European Economic Area occurring within its organization;
  • Mistral AI SAS — default processing within the European Union; in the event that subsequent subprocessors located outside the European Union are involved, use of Standard Contractual Clauses or applicable adequacy decisions;
  • CyberPanda s.r.o. (operating the EmailListVerify service, Slovakia) — use of Standard Contractual Clauses (Modules 2 and 3) for any transfers outside the European Economic Area occurring within its organization.

For the content delivery network used to stream the Website's educational videos, points of presence have been configured to remain within the European Union. Data generated by viewing these videos — in particular the visitor's IP address — is therefore processed within the European Union.

The list and identity of the Subprocessors mentioned above are set out in Annex D to the T&Cs, which is updated in accordance with the procedures described in Article 6.5. In the event of any material change to the transfer safeguards implemented by these Subprocessors, this Policy will be updated in accordance with the procedures set out in Article 14.

8 - Retention periods

Octopussian retains personal data only for as long as necessary for the purposes for which it was collected, in accordance with the storage limitation and data minimization principles set out in Article 5 of the GDPR.

Account and authentication data (§5.1 and §5.2)
  Active retention period: Duration of the Account
  Outcome at expiry: Pseudonymization: first and last name replaced by initials; email replaced by a server-salted SHA-256 hash; phone numbers, postal address, notes, and avatar deleted

Contractual acceptance records and B2B declarations (§5.6)
  Active retention period: Duration of the Account
  Outcome at expiry: Retained for 5 years after Account closure (five-year limitation period, Art. 2224 of the French Civil Code)

Technical connection data associated with an active session
  Active retention period: Duration of the session
  Outcome at expiry: Deleted upon session expiry

Billing data and accounting records (§5.4)
  Active retention period: Duration of the contract
  Outcome at expiry: Retained for 10 years from the close of the relevant fiscal year (Art. L.123-22 of the French Commercial Code)

Requests submitted via the contact form (§5.5)
  Active retention period: Duration of request processing
  Outcome at expiry: Retained for 1 year from the closure of the case

GDPR rights requests (§5.5)
  Active retention period: Duration of request processing
  Outcome at expiry: Retained for 5 years from the closure of the case

Cookie and tracker consent history (§5.7)
  Active retention period: 13 months from each choice made

Shared password vault metadata
  Active retention period: Duration of the Account
  Outcome at expiry: Deleted upon Account closure (see §9.2)

Database backups
  Active retention period: Maximum 72 hours (several rolling backup sets)

8.1 Pseudonymization upon Account closure

When a User is no longer linked to any active Account, their record is pseudonymized within the meaning of Article 4(5) of the GDPR. The following operations are carried out automatically:

  • First and last name → replaced by the User's initials.
  • Email address → replaced by a server-salted SHA-256 hash, which is non-reversible at rest. This hash allows Octopussian only to verify the identity of a person who presents their own email address when exercising their rights.
  • Optional identifying data (landline and mobile phone numbers, postal address, notes, avatar) → deleted.
  • Interface language → retained (non-identifying data).

This operation preserves the referential integrity of Application records without maintaining any directly accessible identifier.

In the event of a subsequent rights request, the data subject may provide their email address, which allows Octopussian to locate their record by verifying the hash. If identification cannot be established with reasonable certainty, Octopussian is entitled not to act on the request, in accordance with Article 11 of the GDPR, and will inform the data subject accordingly.
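The pseudonymization steps above and the later hash-based lookup, as an added illustration that is not Octopussian's code: field names, email normalization (trimmed and lowercased before hashing), and the handling of the server salt are assumptions, and the records and salt are constructed sample values.

```python
import hashlib
import hmac
import unicodedata

# Optional identifying fields that the Policy says are deleted at pseudonymization.
OPTIONAL_IDENTIFYING_FIELDS = ("landline", "mobile", "postal_address", "notes", "avatar")


def normalize_email(email: str) -> str:
    """Canonical form hashed on both sides (assumption: case and surrounding
    whitespace are not significant, so 'Alice@Example.COM ' matches 'alice@example.com')."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def email_hash(email: str, server_salt: bytes) -> str:
    """Server-salted SHA-256 of the normalized email, hex-encoded.
    The salt is a server-side secret kept outside the database (assumption)."""
    digest = hashlib.sha256()
    digest.update(server_salt)
    digest.update(normalize_email(email).encode("utf-8"))
    return digest.hexdigest()


def initial(name: str) -> str:
    """First letter of a name, upper-cased; empty if the name is blank."""
    name = name.strip()
    return name[:1].upper() if name else ""


def pseudonymize(user: dict, server_salt: bytes) -> dict:
    """Return the pseudonymized record for a User no longer linked to any Account.

    Keeps the internal identifier (referential integrity) and the interface
    language, replaces names by initials and the email by its salted hash, and
    drops every optional identifying field.
    """
    record = {
        "id": user["id"],                       # non-meaningful UUID, retained
        "first_name": initial(user.get("first_name", "")),
        "last_name": initial(user.get("last_name", "")),
        "email": None,                          # clear-text email no longer stored
        "email_hash": email_hash(user["email"], server_salt),
        "language": user.get("language"),       # non-identifying, retained
        "pseudonymized": True,
    }
    # Deliberately not carried over: OPTIONAL_IDENTIFYING_FIELDS.
    assert not any(f in record for f in OPTIONAL_IDENTIFYING_FIELDS)
    return record


def locate_by_email(records, presented_email: str, server_salt: bytes):
    """Recompute the hash of an email presented by a data subject and return the
    matching pseudonymized record, or None when no match exists (the Art. 11 GDPR
    case in which the request need not be acted on). Uses a constant-time compare."""
    candidate = email_hash(presented_email, server_salt)
    for record in records:
        stored = record.get("email_hash")
        if stored is not None and hmac.compare_digest(stored, candidate):
            return record
    return None


if __name__ == "__main__":
    salt = b"constructed-server-salt-for-illustration"
    user = {"id": "8f3c0a4e-0000-4000-8000-000000000001", "first_name": "Simon",
            "last_name": "Guetta", "email": "S.Guetta@example.test", "language": "fr",
            "mobile": "+33 6 00 00 00 00", "notes": "constructed sample"}
    store = [pseudonymize(user, salt)]
    print(store[0])
    print(locate_by_email(store, " s.guetta@example.test", salt) is store[0])
```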

8.2 Backups

Databases are backed up on object storage infrastructure hosted in France. Several rolling backup sets are retained, with a maximum retention period of 72 hours, after which backups are automatically purged. Backups are used solely for service continuity and incident recovery purposes.


9 - Technical logging

9.1 Scope

This article describes the only technical records maintained by Octopussian that contain personal data. Infrastructure monitoring logs (availability, load, performance) do not contain personal data and are outside the scope of this Policy.

9.2 Audit trail for shared password vault operations

Operations performed on the shared password vault are logged in order to protect Users against unauthorized modifications or deletions.

The following are recorded in the database: the identity of the User who performed the operation, the type of operation (creation, modification, deletion), the timestamp, and the list of Users who have or previously had access rights to each entry.

The content of passwords is never accessible to Octopussian. Passwords are end-to-end encrypted using an asymmetric mechanism: only Users with the corresponding access rights can decrypt them, client-side.

These records are retained for the duration of the Account and deleted upon its closure.

Legal basis: legitimate interest of Octopussian in ensuring vault integrity and protecting Users against unauthorized operations (Art. 6(1)(f) GDPR).

9.3 Authentication

Authentication failures are not subject to persistent logging. A temporary counter records the number of consecutive failures for a given Account; after a limited number of consecutive unsuccessful attempts, a twenty-minute delay is enforced before any new attempt. This counter is reset upon successful login and does not constitute a durable record of personal data.
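The per-Account failure counter just described, as an added example rather than Octopussian's implementation: the attempt limit (five) and the behaviour after the delay expires (the counter starts over) are assumptions, the twenty-minute delay and the reset on success come from the text, and the clock is injectable so the delay can be simulated.

```python
import time

LOCKOUT_SECONDS = 20 * 60        # twenty-minute delay stated in §9.3
MAX_CONSECUTIVE_FAILURES = 5     # "limited number": the Policy gives no figure; 5 is an assumption


class FailureThrottle:
    """Temporary, in-memory counter of consecutive authentication failures per Account.

    Only the Account identifier, a count and a deadline are held; no IP address,
    user agent or timestamp history is kept, and nothing is written to disk.
    """

    def __init__(self, clock=time.monotonic, limit=MAX_CONSECUTIVE_FAILURES,
                 lockout=LOCKOUT_SECONDS):
        self._clock = clock
        self._limit = limit
        self._lockout = lockout
        self._state = {}  # account_id -> [consecutive_failures, locked_until]

    def seconds_until_allowed(self, account_id) -> float:
        """0.0 when an attempt may be made now, otherwise the remaining delay."""
        entry = self._state.get(account_id)
        if entry is None:
            return 0.0
        return max(0.0, entry[1] - self._clock())

    def attempt_allowed(self, account_id) -> bool:
        return self.seconds_until_allowed(account_id) == 0.0

    def record_failure(self, account_id) -> None:
        """Count one more failure; on reaching the limit, start the delay."""
        now = self._clock()
        entry = self._state.setdefault(account_id, [0, 0.0])
        if entry[1] and now >= entry[1]:
            entry[0] = 0          # assumption: an expired delay clears the count
            entry[1] = 0.0
        entry[0] += 1
        if entry[0] >= self._limit:
            entry[1] = now + self._lockout

    def record_success(self, account_id) -> None:
        """Successful login: the counter is discarded, leaving no record."""
        self._state.pop(account_id, None)

    def tracked_accounts(self) -> int:
        """Number of Accounts currently holding a counter (for monitoring only)."""
        return len(self._state)
```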

9.4 Absence of persistent access logs

Octopussian does not retain HTTP access logs, application logs, or security logs containing personal data. Connection data (IP addresses, user agents, timestamps) is processed in real time for authentication and anomaly detection purposes, then discarded without persistent storage. Infrastructure monitoring metrics (CPU load, memory, disk space) do not contain personal data and are outside the scope of this Policy, in accordance with Article 9.1.

10 - Rights of data subjects

10.1 Applicable rights

As a data subject, the GDPR grants you the following rights with respect to the personal data we process as Data Controller.

Access (Art. 15 GDPR)
  Subject matter: Obtain confirmation that data about you is being processed and receive a copy
  Conditions and limitations: Free of charge; in the case of manifestly excessive or repetitive requests, we may charge a reasonable fee or decline to act

Rectification (Art. 16 GDPR)
  Subject matter: Have inaccurate or incomplete data corrected
  Conditions and limitations: You may directly edit your own User profile in the Application; for other data, please submit a request to us

Erasure (Art. 17 GDPR)
  Subject matter: Request the deletion of your data
  Conditions and limitations: Not applicable to data we are required to retain under a legal obligation (accounting records, contractual evidence) or for the establishment, exercise, or defense of legal claims

Portability (Art. 20 GDPR)
  Subject matter: Receive your data in a structured, machine-readable format
  Conditions and limitations: Limited to data you have provided and to processing based on your consent or contract performance; for the Application, the Account Holder may request a full export of their Account

Objection (Art. 21 GDPR)
  Subject matter: Object to processing based on legitimate interests
  Conditions and limitations: We may continue processing if we demonstrate compelling legitimate grounds, particularly for application security and password vault audit logging

Restriction (Art. 18 GDPR)
  Subject matter: Temporarily suspend processing while you contest its lawfulness or accuracy
  Conditions and limitations: Applicable in the cases provided for in Article 18 of the GDPR

Withdrawal of consent (Art. 7(3) GDPR)
  Subject matter: Withdraw consent previously given at any time
  Conditions and limitations: Applies to processing based on consent (non-essential cookies, activation of AI features); withdrawal does not affect the lawfulness of processing carried out before the withdrawal

Post-mortem directives
  Subject matter: Define what happens to your data after your death
  Conditions and limitations: Provided for under applicable French law; submit your directives by postal mail or to .com

10.2 How to exercise your rights

To exercise any of the rights listed in Article 10.1, please submit your request via the contact form at https://octopussian.com/contact (subject "Exercise my personal data rights"), or by email at .

Please include your name, the email address associated with your Application account — or, if your Account has been closed, any information that may help identify you (company name, approximate period of use) — and a precise description of your request. We may, where the situation warrants it, ask you to provide additional verification before acting on your request.

10.3 Response times

We will respond within one month of receiving your request. This period may be extended by an additional two months for complex requests; in that case, we will notify you within the first month and explain the reason for the extension.

If your record has been pseudonymized following Account closure and identification cannot be established with reasonable certainty, we will notify you and are not required to act on your request — see §8.1.

10.4 Right to lodge a complaint with the CNIL

If, after contacting us, you believe your rights are not being respected, you may lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL) at https://www.cnil.fr/fr/plaintes.

10.5 Post-mortem directives and requests from heirs

In accordance with Article 85 of Law No. 78-17 of January 6, 1978, as amended, a User may submit directives to or by postal mail regarding what should happen to their data after their death. These directives apply only to their personal identification and Account record (§5.1 and §5.2); data entered in the Application in connection with the Customer's professional activities is excluded and falls under the Customer's responsibility as Data Controller. Directives must be clear, concise, in a language understood by Octopussian, and executable without legal interpretation; failing this, they will be treated as non-existent.

In the absence of executable directives, or where the Customer is a natural person operating professionally without a distinct legal entity, heirs may contact Octopussian through a notary or equivalent ministerial officer under applicable law, or directly with a certificate of heirship and a death certificate, legalized or apostilled in accordance with applicable conventions. Octopussian is not in a position to resolve disputes among heirs or to assess the applicability of professional secrecy to the deceased's activities; requests that raise such issues will be referred to the competent notary or professional regulatory authority, and requests whose authenticity cannot be reasonably established will not be acted upon (Article 11 of the GDPR).

Where the deceased User is no longer linked to any Account, their record has already been pseudonymized (§8.1); in the absence of a request within the period set out in Article A.11 of the DPA, the data will be deleted in accordance with the end-of-contract schedule.

11 - Cookies, trackers, and advertising pixels

11.1 Application site (app.octopussian.com)

The Application places a technical session cookie upon authentication. This cookie is strictly necessary for the service to function: it maintains the logged-in User's session and cannot be refused without rendering the Application inoperable. It is not subject to a consent requirement.

11.2 Commercial website (octopussian.com) — general principle

No trackers are placed, and no data is transmitted to analytics or advertising partners, without your prior consent.

On your first visit to the Website, a consent dialog is displayed. It allows you to accept or refuse all trackers described in Article 11.3. If you do not accept, no trackers are activated. Your choice is stored in your browser's local storage (localStorage) for a period of 13 months; after this period, the dialog will be presented to you again. You may change your choice at any time by clicking the "Learn more" link in the dialog.

11.3 Trackers subject to consent

If you accept, the following services are activated:

Service: Google Analytics 4
  Publisher: Google Ireland Ltd (Ireland)
  Purpose: Audience measurement and visitor behavior analysis; management of advertising campaigns (Google Ads, YouTube Ads) via Google Consent Mode v2
  Transfer outside the EU: To Google LLC (United States) — EU-U.S. Data Privacy Framework + Standard Contractual Clauses

Service: LinkedIn Insight Tag
  Publisher: LinkedIn Ireland Unlimited Company (Ireland)
  Purpose: Conversion measurement and advertising targeting on LinkedIn
  Transfer outside the EU: To LinkedIn Corporation (United States) — Standard Contractual Clauses

Service: Meta Pixel / Conversions API
  Publisher: Meta Platforms Ireland Ltd (Ireland)
  Purpose: Conversion measurement and advertising targeting on Meta networks (Facebook, Instagram)
  Transfer outside the EU: To Meta Platforms, Inc. (United States) — EU-U.S. Data Privacy Framework + Standard Contractual Clauses

These services may, for their own purposes, process personal data as independent Data Controllers (advertising profiling, product improvement). Such processing is governed by their own privacy policies.

LinkedIn and Meta campaigns are not permanently active. Octopussian's legal documents cover their potential activation, provided your consent has been obtained under this article.

11.4 Server-side collection infrastructure

Data is transmitted to the platforms identified in Article 11.3 via a server-side tagging mechanism operated by our subprocessor Stape Europe OÜ (Sepapaja tn 6, Tallinn, Estonia), established in the European Union. No data is collected through this mechanism if you refuse trackers.

12 - Artificial intelligence and absence of profiling

12.1 Artificial intelligence features

Our intelligent assistant feature relies on an AI model provided by Mistral AI SAS (France). This feature is only activated if the Account Holder has explicitly enabled it for their Account. By default, data sent to this model is processed within the European Union. In the event that Mistral AI subprocessors located outside the European Union are involved in the processing chain, Mistral AI guarantees that such transfers are governed by GDPR-compliant mechanisms (standard contractual clauses or adequacy decision). Data processed in this context is not used to train Mistral AI models: the training opt-out has been contractually activated by Octopussian.

12.2 Absence of profiling and automated decision-making

Octopussian does not carry out any profiling of Users and does not engage in any automated decision-making that produces legal effects or similarly significantly affects data subjects, within the meaning of Article 22 of the GDPR.

13 - Security and breach notification

13.1 Security measures

Octopussian implements appropriate technical and organizational measures to ensure the security of personal data, in accordance with Article 32 of the GDPR.

13.2 Automated abuse prevention mechanisms

The Services incorporate automated mechanisms designed to prevent misuse of the Application, including upfront analysis of content before transmission to a third-party subprocessor and the non-execution of operations that violate the Acceptable Use Policy. These mechanisms operate without any human review of Customer data.

When a clear violation of the Acceptable Use Policy is detected, the relevant operation is not executed and a warning is automatically sent to the User. Repeated such events may result in a suspension or termination decided by an authorized staff member, based on a limited, one-off review of the corresponding metadata (author, timestamp, type of operation), without access to content, under the conditions set out in Article 13.4 of the T&Cs.

13.3 Breach notification

In the event of a personal data breach, Octopussian will notify the CNIL within 72 hours of becoming aware of the incident, where such notification is required by Article 33 of the GDPR. Notification obligations toward the Customer as Data Controller are governed by the DPA (Annex A to the T&Cs).
14 - Policy changes

This Policy may be amended at any time. The date of the most recent update appears at the bottom of the page. In the event of a material change, Account Holders will be notified in accordance with the procedures set out in Article 20 of the T&Cs. The version in force is the one published on the Website.