Privacy Policy
Welcome to Entract.me! Your privacy matters to us. This policy explains how we collect, use, and protect your data when you use our productivity platform. We follow GDPR and French data protection laws to keep your information safe.
Last updated: August 25, 2025
Data Controller
Entract.me is a productivity platform based in France.
Contact for privacy matters: help@entract.me
Personal Data We Collect
Account & Service Data (Legal Basis: Contract Performance)
- Account: Email, username, encrypted password
- Usage: Todos, focus sessions, website blocking lists, progress data
- Subscription: Status and billing history (payment details handled by Polar)
Security & Technical Data (Legal Basis: Legitimate Interest)
- IP addresses: Retained 24 hours for spam/abuse prevention (essential for service security)
- Device fingerprints: Retained 90 days for fraud detection and account security (necessary to prevent unauthorized access and payment fraud, balanced against user privacy)
- Session data: Authentication and security tokens (essential for service functionality)
Analytics Data (Legal Basis: Consent - EU users only)
- Usage analytics: Feature usage via Datafast (opt-in for EU users)
- Performance: Error tracking and service improvements
How We Use Your Data
Data Minimization Principle: We collect and process only the minimum data necessary for each specific purpose.
- Service delivery: Sync focus sessions, track progress, manage account (only data necessary for functionality)
- Security: Prevent fraud, spam, and abuse (limited to security-essential data)
- Communication: Essential service updates via Resend (no marketing without consent)
- Support: Authorized personnel may access account data for debugging and technical support (logged access, minimal data exposure)
- Improvement: Product development using aggregated, anonymized data (with explicit consent where required)
Data Processors & Sharing
All processors are EU-based with appropriate safeguards:
- Supabase: Database & authentication (EU servers)
- Upstash Redis: Rate limiting (EU servers)
- Polar: Payment processing
- Resend: Service emails (EU servers)
- Sherpa: Infrastructure hosting (EU servers)
- Datafast: Analytics (consent-based, EU servers)
We never sell personal data or use it for advertising.
Data Sharing
We don't share personally identifying information with third parties, except when required by law.
Data Retention
Data Type | Retention Period | Purpose |
---|---|---|
IP addresses | 24 hours | Abuse prevention |
Device fingerprints | 90 days | Fraud detection |
Account data | Account lifetime + 1 year | Legal obligations |
Focus session data | User-controlled deletion | Service provision |
Analytics data | 26 months maximum | Product improvement |
Trial user data | 7 days after trial expiration (if no subscription) | Data minimization |
What this means: We only keep your data as long as we need it. Most data is deleted quickly (like IP addresses after 24 hours), while your account data stays until you delete your account. If you don't subscribe after your free trial, we'll delete your data within a week.
Your GDPR Rights
Access: Request a copy of your personal data
Rectification: Correct inaccurate information
Erasure: Delete your data ("right to be forgotten")
Portability: Export data in machine-readable format
Restriction: Limit processing in certain circumstances
Objection: Opt-out of legitimate interest processing
Withdraw consent: Revoke analytics consent anytime
Exercise rights: Email help@entract.me with your request.
What this means: You have control over your personal data. You can ask us to show you what data we have about you, correct wrong information, delete your data, or export it. Just email us and we'll help you out.
Cookies & Tracking
Essential (No consent required)
- Authentication and security
- User preferences and settings
Analytics (Consent required for EU users)
- Datafast analytics for product improvement
- Consent obtained via cookie banner on first visit
- Consent can be withdrawn anytime by managing cookie preferences
- No analytics cookies set without explicit consent for EU users
Data Protection Measures
- Encryption: Data encrypted in transit and at rest
- Access control: Strict authentication and authorization
- EU residency: All data remains within European Union
- Security monitoring: Regular assessments and updates
- Incident response: CNIL notification within 72 hours if required
- Transmission Security: We take reasonable steps to protect your personal and non-personal data from unauthorized access, disclosure, or misuse. However, no method of transmission over the internet or electronic storage is 100% secure.
Minors
We don't knowingly collect data from children under 16 without parental consent. Users 13-16 require parental permission.
International Transfers
Web Application: No international data transfers - all processing occurs within the EU using EU-based processors.
Browser Extension: Extension data (blocked websites, focus session status) is processed locally on your device and synchronized with our EU-based servers. No data leaves the EU jurisdiction.
Data Breach Response
- Immediate investigation and containment
- CNIL notification within 72 hours (if high risk)
- User notification without unreasonable delay
- Clear communication about the incident and response measures
Policy Updates
Changes communicated via email or platform notification. Continued use indicates acceptance of updated terms.
Contact & Complaints
Data protection requests: help@entract.me
Supervisory authority: File complaints with CNIL (Commission Nationale de l'Informatique et des Libertés) at cnil.fr
Our Role Under GDPR
We act as both data controller and processor for personal data processed through Entract.me in accordance with GDPR and applicable data protection laws.