Privacy policy
How Brifay collects, uses and protects your personal data.
Last updated: 10 April 2026
Contents
1. Data controller
The controller for personal data collected through the Brifay application and website is:
| Company name | Brifay |
|---|---|
| Legal form | Société par actions simplifiée unipersonnelle (SASU — French single-shareholder simplified joint-stock company) |
| Share capital | €5,000 |
| Registered office | 15 place Michelet, 37000 Tours, France |
| Trade register (RCS / SIREN) | RCS Tours 105 817 209 |
| SIRET | 105 817 209 00015 |
| EU VAT number | FR30105817209 |
| APE / NAF code | 58.29C |
| Legal representative | Brifay, represented by its legal representative |
| [email protected] |
The data protection contact is reachable at: [email protected].
2. Personal data collected
Brifay collects only the data strictly necessary to operate the CMMS service. We do not collect any sensitive data within the meaning of Article 9 GDPR.
| Category | Data | Nature |
|---|---|---|
| User account | Email, last name, first name, phone, profile picture | Email and name mandatory; phone and picture optional |
| Authentication | Email, password (hashed) | Mandatory |
| Location | GPS coordinates of sites and buildings (entered manually) | Optional |
| Media | Photos and files attached to maintenance requests | Optional |
| Messaging | Messages exchanged in the request chat | Linked to use |
| Equipment | Asset tracking data and maintenance history | Linked to use |
| Notifications | Push notification tokens, preferences | Linked to use |
| Payment | Processed exclusively by Stripe — Brifay does not store any payment card data | Mandatory for subscriptions |
| Technical data | IP address, device type, OS and application version | Automatic |
| Customer support | Screenshots, bug reports via Gleap | Optional |
3. Purposes of processing and legal bases
Each data processing activity relies on a legal basis provided for by the GDPR (Article 6):
| Purpose | Legal basis |
|---|---|
| Creation and management of the user account | Performance of the contract (Art. 6(1)(b)) |
| Provision of the CMMS service (requests, equipment, maintenance) | Performance of the contract (Art. 6(1)(b)) |
| Internal messaging (request chat) | Performance of the contract (Art. 6(1)(b)) |
| Storage of attachments | Performance of the contract (Art. 6(1)(b)) |
| Map display (Google Maps) | Performance of the contract (Art. 6(1)(b)) |
| Push notifications (Firebase) | Legitimate interest (Art. 6(1)(f)) — informing in real time about maintenance events. Can be disabled in settings. |
| Billing and subscriptions (Stripe) | Legal obligation (Art. 6(1)(c)) and performance of the contract (Art. 6(1)(b)) |
| Customer support (Gleap) | Legitimate interest (Art. 6(1)(f)) — improving the service and resolving issues |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Statistics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
Brifay does not carry out any profiling or automated decision-making producing legal effects on users.
4. Recipients and subprocessors
Your data is never sold to third parties. It is shared only with the following subprocessors, which are contractually bound to process it solely on Brifay's instructions:
« Product » subprocessors (Brifay application)
| Subprocessor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication, file storage, Edge Functions | European Union | DPA, AES-256 encryption |
| Firebase / FCM (Google) | Mobile push notifications | USA / global | EU-US Data Privacy Framework, ISO 27001 |
| Stripe | Payments and subscriptions | EU / USA | PCI-DSS level 1, DPA |
| Pennylane | VAT invoicing (Stripe synchronisation) | France (EU) | DPA, French accounting compliance |
| EmailIt | Product transactional emails (from brifay.com) | EU | DPA |
| Gleap | Customer support, bug reports | Austria (EU) | GDPR-native, designated DPO |
| Sentry | Edge Functions error observability | USA | SCC, pseudonymisation |
| Google Maps | Map display | USA / global | EU-US Data Privacy Framework |
« Website and acquisition » subprocessors (marketing site + warm marketing emails)
| Subprocessor | Role | Location | Safeguards |
|---|---|---|---|
| Cloudflare (DNS, Turnstile, Stream, Web Analytics) | DNS for the brifay.com and usebrifay.com domains, invisible anti-bot on forms, hosting and signing of the demo video, anonymous website audience statistics | Global (EU edge by default) | SCC, DPA, EU edge hosting by default |
| Acumbamail | Warm marketing emails only (after explicit consent) from usebrifay.com | Spain (EU) | DPA, 1-click opt-out, SPF/DKIM/DMARC |
| PostHog | Product and website analytics (funnels, identification post-capture), first-party cookie only, no third-party cookie | EU (EU instance) | DPA, IP hashing, anonymisation by default |
| RADAAR | Scheduled publishing of brand content on LinkedIn / YouTube / X / Google Business Profile | USA | SCC; processes public content only |
| Google Workspace | Shared mailbox [email protected] (receiving email replies), French meeting-booking calendar | EU / USA | EU-US Data Privacy Framework, DPA |
« Cold prospecting » subprocessors (only if enabled)
The following subprocessors are used only for outbound B2B prospecting (cold email), on the legal basis of legitimate interest (documented LIA — legitimate interest assessment), with a systematic 1-click opt-out (List-Unsubscribe). No customer « product » data passes through these tools.
| Subprocessor | Role | Location | Safeguards |
|---|---|---|---|
| Apify / Outscraper | Company sourcing (public sources only, never LinkedIn) | EU / global | SCC, public sources |
| Dropcontact (or Pharow) | GDPR-compliant professional named enrichment (B2B only) | France (EU) | DPA, GDPR by design |
| Smartlead | Sending cold emails from usebrifay.com (dedicated mailboxes, isolated from warm sending) | USA | SCC, 1-click opt-out |
Within Brifay, only authorised individuals (technical support, management) access the data within the limits of their duties.
Multi-tenant isolation
Each organisation using Brifay has an isolated workspace. A user can only access data belonging to the organisation to which they belong.
5. Transfers outside the European Union
Some of our subprocessors (Firebase/Google, Stripe, Cloudflare, Sentry, RADAAR, Google Workspace, and — if cold prospecting is enabled — Smartlead) may process data in the United States. These transfers are framed by:
- The EU-US Data Privacy Framework (European Commission adequacy decision)
- The Standard Contractual Clauses (SCC) issued by the European Commission
- Additional technical measures (end-to-end encryption, pseudonymisation)
Your main database (Supabase) is hosted within the European Union. You can obtain a copy of the transfer safeguards by contacting [email protected].
6. Retention periods
Your data is retained in accordance with the recommendations of the CNIL (France's data protection authority), following the three-phase cycle: active base, intermediate archiving, deletion:
| Data | Active retention | Archiving |
|---|---|---|
| User account | Duration of the contractual relationship | 3 years after last activity |
| Maintenance data | Duration of the contract | 5 years after end of contract |
| Internal messages | Duration of the contract | 1 year after closure of the request |
| Attachments | Duration of the contract | Deleted with the account |
| Billing data | Duration of the contract | 10 years (legal obligation) |
| Technical logs | 1 year | — |
| Cookies | 13 months maximum | — |
At the expiry of these periods, data is irreversibly deleted or anonymised. You may request early deletion, subject to any contrary legal obligations.
7. Your rights
In accordance with the GDPR and the French Data Protection Act, you have the following rights:
| Right | Description |
|---|---|
| Access (Article 15 GDPR) | Obtain confirmation that your data is being processed and receive a copy of it |
| Rectification (Article 16 GDPR) | Correct or complete inaccurate or incomplete data |
| Erasure (Article 17 GDPR) | Request the deletion of your data (« right to be forgotten ») |
| Restriction (Article 18 GDPR) | Temporarily suspend the processing of your data |
| Portability (Article 20 GDPR) | Receive your data in a structured, machine-readable format (CSV, JSON) |
| Objection (Article 21 GDPR) | Object to processing based on legitimate interest |
| Withdrawal of consent (Article 7 GDPR) | Withdraw your consent at any time, without affecting prior processing |
| Post-mortem directives | Set out instructions regarding what happens to your data after your death (French law) |
How to exercise your rights
- By email: [email protected]
- Via the page: Delete my account
We reply within one month (extendable by two months for complex requests). Identity verification may be requested.
Complaint to the CNIL
If you consider that the processing of your data does not comply with the regulations, you can lodge a complaint with the CNIL (France's data protection authority):
Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
www.cnil.fr
If you are based in another EU Member State, you may also lodge a complaint with the supervisory authority of your country of residence.
8. Cookies and trackers
Strictly necessary cookies
These cookies are essential for the service to operate and do not require your consent:
- Supabase Auth — authentication session, security tokens
- Stripe — transaction security and fraud prevention
Cookies subject to consent
- Firebase Analytics — audience measurement and service improvement (duration: 13 months max.)
- Google Maps — display of interactive maps
- Gleap — technical support and user feedback
Manage your preferences
You can change your cookie preferences at any time via your browser settings. Refusing non-essential cookies does not block access to the service.
9. Data security
Brifay implements technical and organisational measures to protect your data in accordance with Article 32 GDPR:
Technical measures
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest (AES-256)
- Password hashing (bcrypt)
- Authentication via JWT tokens
- Regular automatic backups
- Access logging (audit logs)
- Hosting in SOC 2 and ISO 27001 certified data centres
Organisational measures
- Access limited to strictly necessary personnel (least privilege principle)
- Strong password policy
- Security incident management procedures
In the event of a breach
In the event of a personal data breach, Brifay notifies the CNIL within 72 hours (Article 33 GDPR) and informs the data subjects if the risk is high (Article 34 GDPR).
10. Protection of minors
Brifay is a professional service intended for companies and public sector organisations (B2B). The service is not intended for individuals under 16 years of age. No data of minors is intentionally collected.
11. Changes to this policy
Brifay may update this privacy policy. In case of substantial change, we will inform you by email or by notification within the application. The date of the last update is indicated at the top of this page.
This policy is governed by French law. In case of dispute, the French courts shall have jurisdiction.
12. Contact
For any question relating to the protection of your data:
- Email: [email protected]
- Form: Contact page