Privacy Policy

Last updated: Sept 25, 2023

Summary

CarboneIO is a French company 🇫🇷. All data is held on servers hosted in Graveline, Paris and Strasbourg. Servers are hosted by OVH. We are compliant with French data protection law, as well as General Data Protection Regulation EU 🇪🇺 (GDPR) 2016/679.

Your privacy is very important to us. This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us by email at privacy@carbone.io

CarboneIO SAS is a French company with a capital of 10000 Euros, registered under N°899 106 785 in the Register of companies of La Roche-sur-Yon (85) and whose head office is located at : 130 La Sauvagère - 85170 BELLEVIGNY (hereinafter referred to as « Carbone », “us”, “we”, or “our”).

CarboneIO operates https://carbone.io website (the “Service”).

Security

All employees of CarboneIO SAS take the security of our software, products, infrastructure and services seriously.

Whenever we develop a new system, security, performance and reliability are the main focus of our architecture. Our team is dedicated to strict security practices as described below:

  • Before publishing new features or updating our services, code reviews are performed by the Data Protection Officers to detect security breaches and bad practices.
  • Employees that can access customer data, and we ensure they only have access to relevant data (ie: no access to reports and templates).
  • Computers are not storing any customer data.
  • All computers are encrypted.
  • By default, two-factor authentication (2FA) are used on third-party services (OVHCloud, Crisp, Stripe, Brevo).
  • All employees, agents, and providers are trained in data security practices.
  • We do not sell and will never sell any data and our policy is to respect your data privacy. Our business model is based on paid subscriptions.
  • Security policies are reviewed yearly for all employees and relevant subcontractors.
  • Data sent to Carbone Cloud API or Carbone Cloud Studio are not printed, saved nor logged.
  • Security vulnerabilities are actively tracked in any libraries employed within our operational backends, promptly applying patches upon the release of updates.

Security vulnerability

To report a security vulnerability, please review our security policy for more details: https://github.com/carboneio/carbone/security/policy

Data Security & GDPR (General Data Protection Regulation)

Carbone is GDPR-compliant, and strictly enforces the regulation as to protect the user data we store. According to GDPR, you, as the data subject, have the right to access, modify and delete your personal data, as well as the right to ask for the portability of your data and the right to object to the processing of your personal data.

Types of Data Collected

In order to provide the Services, Carbone is collecting the below data from their users. This section is also listing the security measures used to protect the data as well as the purpose of the collection.

  • Email address:
    • Used only for authentication
    • If you subscribe to the Carbone newsletter, the email will be stored and managed by Brevo (Sendinblue). The email is deleted from Brevo when you unsubscribe to the newsletter, or you delete your Carbone account.
  • Password: Encrypted and used only for authentication
  • Usage Data: Carbone API credit and template usage
  • IP address: for metrics purpose, it is deleted automatically after 7 days
  • Payment details and invoicing information: Name, Address, ZIP/Postal code, City, Country and Payment methods are stored and managed exclusively by Stripe. Carbone does not store any bank details.

Use of Your Personal Data

  • To identify users and provide support
  • To provide our Service
  • To notify users about new product or service updates (if subscribed to the Carbone newsletter)
  • To provide analysis to improve the service
  • To monitor, prevent and detect technical issues

Individuals rights

  • The right to be informed: we informe our customers of what we do with their data
  • The right of data access: from Carbone Account our customers can access to their data
  • The right to rectification: from Carbone Account our customers can update their data
  • The right to erasure: from Carbone Account our customers can delete their account and data
  • The right to restrict processing: we don't process the data of our customers.
  • The right of data portability: our customers can contact us (privacy@carbone.io) anytime they wish to get an export of their data
  • The right to object: our customers can contact us (privacy@carbone.io) and we will handle their request.
  • The right not to be subject to automated decision-making and profiling: We don't do that.

Carbone replies to all request under 1 week (3 weeks maximum).

Cookies

Read our Cookies Policy for more details.

Children's Privacy

Our Service does not address anyone under the age of 18, due to the nature of the service provided (business-to-business). We do not knowingly collect personally identifiable information from anyone under the age of 18.

Data Processing Agreement

If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Carbone) are also GDPR compliant. The list of our providers (ie. Data Processors) is available, and kept up to date, in our Data Processing Agreement (DPA). Contact us (privacy@carbone.io) to get the DPA.

Data protection Officers

David Grelaud
Mail: privacy@carbone.io
Address: 130 la Sauvagère, 85170, Bellevigny, France