ZeriFlow places great importance on the protection of your personal data. This policy describes how we collect, use, and protect your data.
Last updated: 2026-02-15
DATA CONTROLLER
Antoine Duno
Email: contact@zeriflow.com
Address: [ADRESSE_A_COMPLETER]
DATA COLLECTED
Account data
- Email, name (upon registration)
- Authentication data (managed by Supabase Auth)
Legal basis: contractual performance (art. 6.1.b GDPR)
Scan data (URL)
- URLs submitted for analysis
- Scan results (score, findings)
- Retained as long as the account exists
Legal basis: contractual performance
Scan data (Source code)
- Source code uploaded or connected via GitHub
- Analyzed in memory and immediately deleted after scan
- No code is stored on our servers (zero retention)
- Only analysis results are retained
Legal basis: contractual performance
Payment data
- Processed exclusively by Stripe
- ZeriFlow never stores your banking data
Legal basis: contractual performance
Navigation data
- Essential cookies (session, authentication)
- Analytics cookies (only with your consent)
- See our Cookie Policy for more details
Legal basis: legitimate interest (essential) / consent (analytics)
PROCESSING PURPOSES
- Provide the security scanning service
- Manage your user account
- Process your payments
- Improve the service (anonymized analytics, with consent)
- Contact you when needed (support, service notifications)
DATA RECIPIENTS
Your data may be transmitted to the following processors:
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication | USA (AWS eu-central) | Standard Contractual Clauses (SCC) |
| Render | Backend hosting | USA | SCC |
| Vercel | Frontend hosting | USA (edge EU) | SCC |
| Stripe | Payments | USA | SCC + PCI DSS certified |
| Anthropic | AI analysis | USA | SCC, data not used for training |
Non-EU transfers: US processors are governed by Standard Contractual Clauses (SCC) per article 46.2.c of the GDPR.
Anthropic (AI): Data sent to the Anthropic API for AI validation consists of scan metadata (HTTP headers, file names, 5-line code snippets). No complete source code is sent. Anthropic does not retain API call data and does not use it to train its models.
DATA RETENTION
| Data | Duration |
|---|---|
| User account | Until account deletion |
| Scan results | Until account deletion |
| Uploaded source code | Immediately deleted after analysis |
| Payment data | 10 years (accounting obligation) |
| Server logs | 12 months |
| Analytics cookies | 13 months maximum |
YOUR RIGHTS (GDPR art. 15-22)
You have the following rights:
- Right of access — obtain a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your data
- Right to portability — receive your data in a structured format
- Right to object — object to the processing of your data
- Right to restriction — request restriction of processing
- Right to withdraw consent — at any time (for analytics cookies)
To exercise your rights: contact@zeriflow.com
Response time: 30 days maximum.
In case of disagreement, you may file a complaint with the CNIL:
Commission Nationale de l'Informatique et des Libertés — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr
SECURITY
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256 via Supabase)
- Secure authentication (bcrypt hashing)
- Restricted data access (least privilege principle)
- Zero retention of analyzed source code
CHANGES
This policy may be updated. The last update date is indicated at the top of the page. In case of a substantial change, we will inform you by email.
CONTACT
For any questions: contact@zeriflow.com