Privacy Policy
Arxa Intelligence places the highest importance on the protection of your personal data. This policy describes, in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act, the processing operations we carry out when you visit our website, create an account, use our treasury management services or interact with our sales and support teams.
1. Data controller
The controller for personal data collected through use of the Arxa Intelligence platform is Arxa Intelligence SAS, a French simplified joint-stock company headquartered in France.
Arxa Intelligence has appointed a Data Protection Officer (DPO) responsible for ensuring compliance with the applicable regulatory framework and responding to any request relating to your data.
- Company: Arxa Intelligence SAS
- Registered office: 12 rue de la Paix, 75002 Paris, France
- Registration: Paris Trade Register 932 451 678
- Data Protection Officer: dpo@arxaintelligence.com
- General contact: contact@arxaintelligence.com
2. Data we collect
We strictly limit the data we process to what is necessary to deliver the service. Three main categories are collected:
Account and identification data
Provided when creating an account and during ordinary use of the platform.
- First name, last name, role and professional email address of the user
- Company name, business registration number, sector of activity and headcount
- Login credentials (email + bcrypt hash of the password — never the plaintext password)
- Language, time zone and display preferences
Financial and banking data
Aggregated from your banks through our PSD2 aggregation provider Bridge by Bankin', strictly upon your instruction.
- Balances and transaction history of the bank accounts you choose to connect
- Transaction labels, counterparties, amounts and value dates
- Loan schedules, credit lines and banking commitments you record
- Financial documents you import (invoices, balances, ledgers, schedules)
Technical and usage data
Automatically collected to ensure security and improve the service.
- IP address, browser type, operating system, pages visited, session duration
- Authentication logs and audit trail of sensitive actions (creation/deletion of payments, permission changes)
- Technical session identifiers, CSRF tokens, correlation IDs
We never collect so-called "sensitive" data (racial origin, political opinions, health data, etc.). No children's data is processed, the service being intended exclusively for professional use.
3. Legal bases
Each processing operation relies on a legal basis identified among those provided for in Article 6 GDPR:
- Performance of the contract — Account creation and management, delivery of the subscribed features, billing, user support, security of payments and data. Without these processing operations, the service cannot be delivered.
- Consent — Connection of a bank account via PSD2, deposit of cookies that are not strictly necessary (analytics), sending commercial prospecting emails to potential customers. Consent can be withdrawn at any time.
- Legitimate interest — Platform security (intrusion detection, logging), fraud prevention, product improvement based on aggregated and anonymised data, prospecting existing customers for similar products.
- Legal obligation — Retention of invoices and accounting documents in accordance with the French Commercial Code, response to judicial requisitions, anti-money-laundering obligations where applicable.
You can exercise your rights or withdraw your consent at any time, without affecting the lawfulness of processing carried out beforehand.
4. Recipients and sub-processors
Your data is accessible only to authorised Arxa Intelligence staff, strictly within the scope of what their role requires. We rely on a limited number of technical sub-processors, selected for their security level and bound by a Data Processing Agreement compliant with Article 28 GDPR.
| Sub-processor | Location | Purpose |
|---|---|---|
| Supabase | European Union (Frankfurt, DE) | Application database hosting, authentication, storage of user files. |
| Vercel | European Union (EU regions) | Frontend hosting and delivery, serverless function execution, technical logging. |
| Stripe Payments Europe | Ireland (EU) | Card and SEPA payment processing, recurring billing, customer billing portal. |
| Bridge by Bankin' | France | Bank account aggregation under PSD2, as an account information service provider authorised by the French ACPR. |
| Resend | European Union | Sending transactional emails (account validation, alerts, invoices, product notifications). |
An up-to-date list of our sub-processors can be obtained on request from the DPO. Any substantial change is notified in advance, giving you a window to raise a legitimate objection.
5. International transfers
All personal data we process is by default hosted and processed within the European Union. No transfer to a third country occurs in the normal course of the service.
Where, exceptionally, a sub-processor operates from a country outside the European Economic Area (for instance for technical support provided by certain North American vendors), the transfer is governed by the Standard Contractual Clauses adopted by the European Commission on 4 June 2021, supplemented where appropriate by additional technical measures (encryption, pseudonymisation, reinforced access controls).
Before any transfer, we systematically carry out a Transfer Impact Assessment to ensure a level of protection essentially equivalent to that offered by the GDPR. A copy of that assessment can be provided on substantiated request.
6. Retention periods
Your data is retained for the period strictly necessary for the purpose of the processing, then archived or deleted in accordance with the table below:
| Data category | Duration | Basis |
|---|---|---|
| Account data and user profile | Term of contract + 3 years after closure | Civil prescription (art. 2224 French Civil Code) and management of the contractual relationship. |
| Aggregated financial and banking data | 10 years after the relevant accounting year | Article L.123-22 of the French Commercial Code on retention of accounting records. |
| Technical logs, IP, session identifiers | 12 months maximum | Article L.34-1 of the French Postal and Electronic Communications Code. |
| Commercial prospecting data | 3 years after the last active contact | CNIL recommendation on commercial prospecting. |
| Analytics cookies (with consent) | 13 months maximum | CNIL guidelines of 17 September 2020. |
Once retention periods expire, data is irreversibly anonymised or definitively deleted from our production and backup systems within a maximum of 90 days.
7. Your rights
In accordance with Articles 15 to 22 GDPR, you have the following rights regarding your personal data:
- Right of access — Obtain confirmation that your data is being processed and receive a readable copy of it.
- Right to rectification — Have any inaccurate or incomplete data concerning you corrected without undue delay.
- Right to erasure — Have your data deleted where the legal conditions are met (consent withdrawal, end of purpose, well-founded objection).
- Right to restriction — Request the temporary suspension of processing, for instance while a rectification request is being verified.
- Right to portability — Receive the data you provided in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object — Object to processing based on legitimate interest or to use of your data for commercial prospecting.
- Post-mortem directives — Set directives regarding the fate of your data after your death, in accordance with Article 85 of the French Data Protection Act.
To exercise these rights, contact our DPO at dpo@arxaintelligence.com, stating the subject of your request and attaching, in case of reasonable doubt about your identity, a supporting document. We undertake to respond within one month, extendable by two months in case of complexity.
If, after contacting us, you consider that your rights are not being respected, you have the right to lodge a complaint with the French Data Protection Authority (CNIL — 3 place de Fontenoy, 75007 Paris, www.cnil.fr).
8. Cookies and trackers
Our website and application use cookies that are strictly necessary for the operation of the service (session management, security, language preference) as well as, subject to your prior consent, analytics cookies intended to measure audience in an aggregated and anonymised manner.
Details of the cookies used, their purpose, lifetime and how to manage your preferences are set out in our dedicated cookie policy.