LEGAL

Privacy policy.

How Noticia collects, uses, and protects the data flowing through our platform. Written to be read — not to drown you.

Last updated · April 26, 2026 · Version 2.0

1. Who we are

Noticia SAS, a French simplified joint-stock company with a share capital of €10,000, registered with the Marseille Trade and Companies Register under number 881 378 830, with its registered office in Marseille (France). For the purposes of Regulation (EU) 2016/679 (the "GDPR"), Noticia acts as controller for the data of its customers and prospects, and as processor for the customer data that you, the retailer, entrust to us through the platform.

Privacy contact: [email protected].

2. Data we process

To run our AI copilot, we process three broad families of data.

2.1 Customer account data (controller: Noticia)

  • Professional identity: first/last name, role, brand
  • Contact: business email, phone
  • Encrypted authentication data
  • Technical logs: IP, user-agent, timestamps

2.2 Retailer operational data (processor: Noticia)

  • Anonymized or pseudonymized receipts
  • Product catalogs (SKU, categories, prices, margins)
  • Stock and inter-store transfer data
  • Aggregated HR and scheduling metadata
  • SMS opt-in lists from loyalty programs you entrust to us

For loyalty data, the retailer remains the controller. Noticia acts strictly on documented instructions via the Data Processing Agreement (DPA) signed at onboarding.

2.3 Browsing data (controller: Noticia)

  • Technical cookies and anonymized analytics
  • Pages visited on noticia.ai

Details in our cookie policy.

3. Purposes

We only process your data for explicit purposes:

  • Deliver the service: run the contracted features (receipt analysis, recommendations, segmentation, SMS sends).
  • Improve the platform: produce aggregated and anonymized statistical and AI models. No Noticia AI model is trained on your nominative data without explicit written consent.
  • Security and compliance: prevent fraud and abuse, meet legal obligations.
  • Customer communication: support, billing, service-related communications.
  • B2B prospecting: only on a legitimate-interest basis, with an opt-out on every message.

4. Legal basis

Processing                                  | Legal basis
Customer contract performance               | Contract (Art. 6.1.b GDPR)
Security and logging                        | Legitimate interest (Art. 6.1.f)
Newsletter and product communications       | B2B legitimate interest
Non-strictly-necessary measurement cookies  | Consent (Art. 6.1.a)
Accounting and tax obligations              | Legal obligation (Art. 6.1.c)

5. Sharing & sub-processors

Noticia does not sell or rent your data. We work with a limited number of carefully selected sub-processors:

  • Hosting — OVHcloud (Roubaix & Strasbourg, France) and Scaleway (Paris) — EU infrastructure.
  • AI models — Mistral AI (Paris) by default; Anthropic optional opt-in for clients without sensitive-data constraints.
  • SMS routing — Twilio Ireland Ltd. or OVH Telecom by country.
  • CRM & support — HubSpot Ireland (encrypted at rest, restricted access).
  • Product analytics — PostHog (self-hosted in France).
  • Payment — Stripe France SAS.

The up-to-date sub-processor list is available on request at [email protected].

6. Retention

Category                         | Duration
Active customer account data     | For the duration of the contract
Customer data after termination  | 30 days (final deletion or export on request)
Accounting records               | 10 years (legal requirement)
Security logs                    | 12 months
Inactive prospects               | 3 years
Measurement cookies              | 13 months max

7. Your rights

Under Articles 15–22 GDPR, you have the following rights:

  • Access — obtain a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion under Article 17 conditions.
  • Restriction — temporarily freeze processing.
  • Portability — receive your data in a structured format.
  • Objection — object to processing, including direct marketing.
  • Automated decisions — request human intervention on any purely automated decision.

To exercise these rights: [email protected]. We respond within one month. You may also lodge a complaint with the CNIL.

8. Security

  • TLS 1.3 in transit and AES-256 at rest.
  • SSO/SAML available on Scale and Enterprise plans.
  • Least-privilege staff access, logged and audited.
  • Annual penetration tests by a French-government-qualified provider (PASSI).
  • Continuity plan with RPO ≤ 1 h and RTO ≤ 4 h.
  • ISO 27001 in progress (target Q3 2026).

9. International transfers

All retailer operational data is hosted and processed in the European Union (France). When a peripheral sub-processor (CRM, support) involves a transfer outside the EU, it relies on the Standard Contractual Clauses adopted by the European Commission in 2021, plus the supplementary measures recommended by the EDPB.

10. Contact us

For any question about this policy: