Privacy Policy
This Privacy Policy describes how CODALUX SARL-S collects, uses, retains and protects the personal data of users of the website monavisfacile.com and the Mon Avis Facile mobile application.
It complies with the General Data Protection Regulation (GDPR), Luxembourg data protection law, and the requirements of the App Store and Google Play.
1. Data Controller
Personal data processing is carried out by:
CODALUX SARL-S
Share capital: €12,000
Registered office:
51 rue Pierre Schuetz
L-4946 Bascharage
Luxembourg
Luxembourg Trade and Companies Register: B297712
Registration number: 20252437933
Intra-community VAT: LU36711175
Publication director: Matthieu POULIN
Contact: Contact form
2. Data Collected
2.1. Data Provided Directly by the User
When logging in or using the service, the following data may be collected:
- First and last name
- Company name
- Postal address
- Email address
- Landline and/or mobile phone number
Login is passwordless.
The user authenticates solely via a one-time code (OTP) sent by email, securely managed by Supabase Auth.
No password is created, stored or processed by CODALUX.
2.2. Data Related to NFC Plates / QR Codes
When an NFC plate or QR Code is scanned, the following data may be recorded:
- scan date,
- scan time,
- device type used (e.g., Android, iOS),
- browser type used (e.g., Safari, Chrome, Firefox, etc.).
This data is completely anonymous and cannot in any way identify an end user. No personal identifier is collected during a scan.
2.3. Technical and Usage Data
- IP address
- Device type and operating system
- Connection logs
- Actions performed on the website or in the application (e.g., modification of review links)
2.4. Location Data
No geolocation data is collected.
The application does not access the user's GPS location.
2.5. Data Collected via the Mobile Application
- Push notifications: yes
- Camera access: yes (solely for scanning QR Codes)
- Storage access: no
- NFC access: no
- Advertising tracking (ATT): no
3. Purposes of Data Collection
The data collected is used to:
- enable the creation and management of the account,
- configure and administer NFC plates / QR Codes,
- ensure the operation, security and improvement of the service,
- analyze usage of the service,
- provide assistance and communication with the user.
Data is never used for targeted advertising.
4. Legal Basis for Processing
Data is processed in accordance with the following legal bases:
- performance of a contract (use of the service),
- consent (push notifications),
- legitimate interest (service security, abuse prevention),
- legal obligations (invoicing, security).
5. Subcontractors and Service Providers
The following service providers may process certain data on behalf of CODALUX:
OVH (France)
- Server hosting including database, authentication and application backend
Data is stored in France, on OVH servers compliant with the GDPR.
Stripe
- Payment processing
No banking data is processed by CODALUX.
Google (United States - certified under the EU-U.S. Data Privacy Framework)
- Google Analytics: website audience measurement
- Google Ads: online advertising
- Google Tag Manager: tag management
Data is anonymized as much as possible.
Firebase
- Push notifications
- Technical features of the application
LogRocket
- User session recording
- Navigation analysis and bug detection
Collected data includes clicks, scrolling, navigation and UI interactions. No password or payment data is recorded (sensitive fields are automatically masked). Data is hosted in the United States (LogRocket is certified under the EU-U.S. Data Privacy Framework).
Brevo (France)
- Transactional email delivery (order confirmations, OTP codes, notifications)
Processed data includes the user's email address and first name. Data is hosted in the European Union.
Ahrefs (Singapore)
- SEO analysis and website ranking tracking
Collected data includes pages visited and browsing data. Ahrefs has a GDPR-compliant Data Processing Addendum.
Sentry
- Technical error tracking
Cloudflare
- Protection against attacks
- CDN and performance optimization
No other third party receives the data.
6. Data Sharing
Personal data is neither sold nor rented.
It is only shared with:
- the subcontractors listed above,
- competent authorities when required by law.
7. Data Retention
- Account data (name, email, phone): duration of the contractual relationship (basis: performance of contract)
- Inactive accounts: 3 years after last activity, then deletion or anonymization
- Invoicing and transaction data: 10 years (basis: legal obligation)
- Connection logs: 1 year (basis: legal obligation)
- Analytics and advertising cookies: 13 months maximum
- NFC/QR scan data (anonymous): duration of the contractual relationship (basis: legitimate interest)
The user may request the permanent deletion of their data at any time via the contact form. Deletion is carried out within 30 days, except for data subject to a legal retention obligation.
8. User Rights
In accordance with the GDPR, the user has the following rights:
- right of access,
- right of rectification,
- right of objection,
- right to erasure,
- right to restriction of processing,
- right to data portability.
To exercise these rights, the user may use the contact form.
9. Security
CODALUX implements technical and organizational measures to ensure data security:
- encrypted communications (HTTPS),
- secure hosting on OVH servers in France,
- Cloudflare protection,
- error tracking via Sentry,
- secure generation and management of temporary OTP codes by the self-hosted authentication system.
The user does not have a password associated with their account.
However, they must ensure the security of their email inbox, as it is used to receive the OTP code for login.
10. Transfers Outside the European Union
Core data (database, authentication, backend) is hosted in France by OVH.
Some service providers (Google, Firebase, LogRocket, Sentry, Stripe) may process data in the United States.
These providers are certified under the EU-U.S. Data Privacy Framework (DPF), an adequacy framework recognized by the European Commission (decision of July 10, 2023, upheld by the EU General Court on September 3, 2025).
Ahrefs, based in Singapore, processes data under GDPR-compliant Standard Contractual Clauses (SCCs).
11. Children
The service is exclusively intended for adult professionals.
No data concerning minors is intentionally collected.
12. Changes to the Privacy Policy
CODALUX may modify this policy at any time.
The applicable version is the one published on the website or in the application.
13. Contact
For any questions regarding privacy or personal data: Contact form
Last updated: 06/03/2026