Privacy Policy
Last updated: January 19, 2026
1. Introduction
Welcome to Kreomnis ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our family organization platform.
This policy is designed to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. If you have any questions about this policy or our data practices, please contact us at contact@kreomnis.com.
2. Data Controller
Kreomnis is the data controller responsible for your personal data. Our Data Protection Officer (DPO) can be contacted at:
Email: contact@kreomnis.com
Subject: "Data Protection Inquiry"
3. Data We Collect
3.1 Information You Provide
- Account Information: Name, email address, password (securely hashed with bcrypt)
- Profile Data: Profile picture (optional), display name, preferences
- Household Data: Household name, member names, roles, invitations
- Content Data: Tasks, calendar events, meals, shopping lists, budgets, expense tracking, kids information (names, homework, activities, routines), inventory items
- Payment Information: Billing details processed securely through Stripe (we do not store full credit card numbers)
- Communications: Messages sent through our support system, feedback, feature requests
3.2 Information Collected Automatically
- Usage Data: Pages visited, features used, time spent, interactions, click patterns
- Device Information: Browser type and version, operating system, device type, screen resolution, IP address
- Cookies and Tracking: Session cookies, preference cookies, analytics cookies (see our Cookie Policy)
- Security Logs: Login attempts, security events, suspicious activities (for fraud prevention and platform integrity)
3.3 Information from Third Parties
- Google OAuth: Email address, name, profile picture (if you sign up with Google)
- Stripe: Payment confirmation, subscription status, billing history (no full card numbers)
- Google Calendar: Calendar events (PRO tier only, with explicit consent)
4. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
Contract Performance (Article 6(1)(b))
Processing necessary to provide our services: account creation, household management, feature access, subscription management, customer support
Consent (Article 6(1)(a))
Marketing communications, optional analytics, non-essential cookies, Google Calendar integration. You can withdraw consent at any time via Settings or by contacting us.
Legitimate Interest (Article 6(1)(f))
Fraud prevention, security monitoring, service improvement, business analytics, debugging, preventing abuse. We conduct legitimate interest assessments to ensure our interests don't override your rights.
Legal Obligation (Article 6(1)(c))
Tax compliance, financial record keeping, responding to legal requests from authorities, anti-money laundering requirements
5. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: Provide and maintain Kreomnis features, sync data across devices, enable collaboration within households, deliver notifications
- Account Management: Create and manage your account, authenticate users, manage household memberships and invitations
- Payment Processing: Process payments through Stripe, manage subscriptions, handle billing inquiries, send invoices
- Communications: Send service updates, security alerts, billing notifications, respond to support requests
- Product Improvement: Analyze usage patterns (in aggregate), develop new features, improve user experience, fix bugs
- Security: Detect and prevent fraud, abuse, and security incidents; monitor for suspicious activity; enforce our Terms of Service; implement automatic banning for malicious actors
- Legal Compliance: Comply with legal obligations, respond to lawful legal requests, enforce our agreements
- Marketing (with consent): Send promotional emails about new features and updates (you can opt out at any time via the unsubscribe link or Settings)
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:
Retention Periods:
- Active accounts: Data retained while your account is active
- After account deletion: Up to 30 days for recovery, then permanent deletion (except data required for legal compliance)
- Backup retention: Encrypted backups retained up to 90 days for disaster recovery
- Payment records: 7 years (tax and accounting compliance)
- Security logs: 6 months (fraud prevention, security investigations)
- Marketing consent records: Until consent withdrawn + 30 days for processing
- Support tickets: 2 years after resolution
After the retention period, we securely delete or irreversibly anonymize your data. You can request immediate deletion by contacting us (subject to legal obligations that may require continued retention).
7. Data Sharing and Third Parties
We share your data only with trusted partners necessary to provide our services. All partners are bound by data processing agreements (DPAs) that ensure GDPR compliance.
💳 Stripe (Payment Processing)
Purpose: Process payments, manage subscriptions, handle refunds
Data shared: Name, email, billing address, payment method details
Location: USA (EU-US Data Privacy Framework certified)
Privacy Policy: stripe.com/privacy
🗄️ Neon (Database Hosting)
Purpose: Secure PostgreSQL database hosting
Data shared: All application data (encrypted at rest)
Location: USA (Standard Contractual Clauses in place)
Privacy Policy: neon.tech/privacy
☁️ Vercel (Hosting & CDN)
Purpose: Application hosting, content delivery, edge computing
Data shared: IP addresses, request logs, performance metrics
Location: Global CDN (GDPR compliant with DPA)
Privacy Policy: vercel.com/legal/privacy-policy
🔍 Google (OAuth & Calendar)
Purpose: Authentication (OAuth), calendar synchronization (PRO tier)
Data shared: Email, profile info; calendar events (with explicit consent)
Location: USA (EU-US Data Privacy Framework certified)
Privacy Policy: policies.google.com/privacy
⚠️ We do NOT sell your data
We will never sell, rent, or trade your personal information to third parties for their marketing purposes. We do not participate in data broker marketplaces.
8. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. We ensure adequate protection for your data through:
- EU-US Data Privacy Framework: For certified US companies (Stripe, Google)
- Standard Contractual Clauses (SCCs): EU-approved contracts with all data processors ensuring equivalent protection
- Supplementary Measures: Additional technical and organizational measures as recommended by the EDPB
- Transfer Impact Assessments: We conduct assessments to ensure data protection in destination countries
You may request copies of our SCCs by contacting contact@kreomnis.com.
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
🔍 Right to Access (Art. 15)
Request a copy of all personal data we hold about you
Settings → Privacy → Export Data
✏️ Right to Rectification (Art. 16)
Correct inaccurate data or complete incomplete data
Settings → Profile → Edit
🗑️ Right to Erasure (Art. 17)
"Right to be forgotten" - request deletion of your data
Settings → Account → Delete Account
🚫 Right to Restrict Processing (Art. 18)
Limit how we use your data while disputes are resolved
Contact contact@kreomnis.com
📦 Right to Data Portability (Art. 20)
Receive your data in machine-readable format (JSON/CSV)
Settings → Privacy → Export Data
⛔ Right to Object (Art. 21)
Object to processing based on legitimate interest or for marketing
Contact contact@kreomnis.com
🤖 Rights Related to Automated Decision-Making (Art. 22)
We do not make decisions based solely on automated processing that significantly affect you. Our security system may automatically block suspicious activity, but you can always appeal by contacting support.
📧 To exercise your rights:
Email us at contact@kreomnis.com with subject line "GDPR Request - [Your Right]"
Response time: We will respond within 30 days as required by law. Complex requests may take up to 60 days (we will notify you of any extension).
Identity verification: We may ask you to verify your identity to protect your data from unauthorized access.
Free of charge: Exercising your rights is free, except for manifestly unfounded or excessive requests.
10. Cookies and Tracking
We use cookies and similar technologies to improve your experience, analyze usage, and provide personalized content. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
You can manage cookie preferences via our cookie consent banner, through your browser settings, or in Settings → Privacy → Cookie Preferences.
11. Data Security
We implement comprehensive security measures to protect your data:
- Encryption: TLS 1.3 for data in transit, AES-256 encryption at rest
- Password Security: Passwords hashed with bcrypt (work factor 12+)
- Access Control: Role-based access control (RBAC), principle of least privilege
- Admin Security: Multi-factor authentication (MFA) required for all admin accounts
- Security Monitoring: 24/7 intrusion detection, automated threat blocking, real-time alerting
- Vulnerability Management: Regular security assessments, penetration testing, bug bounty program
- Incident Response: Documented incident response procedures, breach notification within 72 hours as required by GDPR
- Employee Training: Regular security awareness training for all team members
While we implement industry-leading security measures, no system is 100% secure. We encourage you to use a strong, unique password and protect your account credentials.
12. Children's Privacy
⚠️ Age Restriction
Kreomnis accounts are intended for users 18 years and older. Children under 18 may use our service only with the direct involvement and consent of a parent or legal guardian.
We do not knowingly collect personal data directly from children under 13 (or 16 in some EU jurisdictions). If we become aware of such collection without proper parental consent, we will delete the data immediately.
Note: The "Kids" module in Kreomnis is designed for parents to track their children's activities (homework, routines, etc.), not for direct use by children. This data is managed by the parent/guardian account holder.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last updated" date at the top of this page
- For material changes, we will notify you via email (if you have an account) at least 30 days before the changes take effect
- We may display a prominent notice in the application for significant changes
- For changes requiring consent, we will request your renewed consent before continuing to process your data
We encourage you to review this policy periodically. Your continued use of Kreomnis after changes constitutes acceptance of the updated policy.
14. Right to Lodge a Complaint
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority:
EU Data Protection Authorities
Find your local supervisory authority at: EDPB Member List
For French residents: CNIL (Commission Nationale de l'Informatique et des Libertés)
We encourage you to contact us first at contact@kreomnis.com so we can address your concerns directly. We take all complaints seriously and will work to resolve issues promptly.
15. Contact Us
For questions about this Privacy Policy, your data rights, or our data practices:
Single point of contact: contact@kreomnis.com
For any question (support, GDPR, personal data, billing). We respond within 48 business hours.
By using Kreomnis, you acknowledge that you have read and understood this Privacy Policy. This policy does not create any contractual or legal rights beyond those provided by applicable law.
Version 1.0 | Effective: January 19, 2026