Atelier · GDPR Art. 28

Data Processing
Agreement.

The contract you (Controller) sign with us (Processor). EU-only sub-processors, no extra-EU transfers, full audit rights. Updated 17 May 2026.

In one paragraph

By signing up for Linkette, you appoint us as a data processor under GDPR Art. 28. We only process personal data on your documented instructions. All sub-processors live in the EU. We never transfer data outside the bloc. You can audit, end the contract, or get your data back at any time.

Parties

Controller: you, the Linkette account holder, who decides what personal data to put on your page.
Processor: Parallactic AI (operator of Linkette), an entreprise individuelle registered in France. Contact: privacy@linkette.eu.

Parallactic AI

Entreprise individuelle · Jesiel Rombley

60 rue François 1^er, 75008 Paris, France

SIRET 94266255200010

Subject matter, duration, nature, purpose

Subject matter: hosting your link-in-bio page, storing your links + bio + avatar, counting visitor activity, and generating an optional weekly editorial brief.
Duration: as long as your Linkette account exists. Terminates immediately when you delete the account in Settings.
Nature of processing: storage, retrieval, statistical analysis (cookie-free), occasional generative-AI inference (opt-out toggle).
Purpose: providing the Linkette service to you.

Types of personal data + data subjects

Account data (you): email, language preference, billing details when applicable.
Page content (you + anyone you mention): slug, bio, avatar, links, social handles, notes.
Visitor logs (your audience): daily-salted IP hash, edge-derived country/region/city, device class, referrer hostname. No raw IP stored, no cookies set on visitors.
Data subjects: you, and anyone who visits your public page at /linkette.eu/your-slug.

Sub-processors

We use these sub-processors. All are located inside the EU. By accepting this DPA you authorize them as a single batch. We’ll email you at least 30 days before any new sub-processor is added — you can object and terminate without penalty.

OVHcloud SAS
Roubaix, France 🇫🇷
Web hosting (Next.js app, Coolify)
Their DPA →
Supabase Inc. (EU region)
Paris, France 🇫🇷
Database, auth, storage
Their DPA →
Bunny.net d.o.o.
EU edges 🇪🇺
CDN, image storage, video streaming
Their DPA →
Sendinblue SAS (Brevo)
Paris, France 🇫🇷
Transactional + digest email
Their DPA →
Mistral AI SAS
Paris, France 🇫🇷
Editorial AI (weekly brief, onboarding draft, link enrichment)
Their DPA →
Mollie B.V.
Amsterdam, Netherlands 🇳🇱
Payment processing
Their DPA →

Security measures (Art. 32)

Postgres encryption at rest (Supabase Paris, AES-256).
TLS 1.3 in transit everywhere; HSTS preload-eligible.
Row-Level Security policies scope every row to its owner — even our service-role lookups are explicit.
Magic-link auth (PKCE), no passwords stored.
IP addresses hashed with a daily-rotating salt before storage.
Access to production restricted to two engineers, audited via Supabase activity logs.
Pen-test scheduled annually starting v1.0.

Data subject rights

We process subject requests forwarded to us within 30 days as required by GDPR Art. 12. Most rights are self-service in Settings: download (Art. 15), portability (Art. 20), rectification (Art. 16), restriction (Art. 18), erasure (Art. 17), and opt-out (Art. 21).

International transfers

None.Every sub-processor listed above operates within the European Economic Area. No Standard Contractual Clauses, Data Privacy Framework, or other transfer mechanism is invoked because no transfer happens. If a sub-processor ever changes its hosting region, we’ll re-issue this DPA with 30 days’ notice and you can terminate without penalty.

Breach notification (Art. 33)

If we become aware of a personal data breach, we will notify you within 72 hours, with all the information required by GDPR Art. 33(3) to enable you to notify your supervisory authority and affected data subjects.

Audit rights

You may request, once per year and with 30 days’ notice, evidence of our compliance with this DPA (organisational measures, sub-processor list, security overview). For paying business customers (Atelier, Founding Member with VAT invoice), we will respond within 14 days. Audit beyond document review is available on agreed terms at the requester’s cost.

Return + deletion

On termination (account deletion or contract end), all personal data is deleted within 7 days. You can also export everything as JSON via Settings before deletion. We retain the minimum metadata required for legal/accounting purposes (invoices: 10 years per French commercial law).

Liability + governing law

Linkette’s liability under this DPA is limited to the amount you paid us in the 12 months preceding the incident. EU consumer law and statutory rights in your country are unaffected. French law applies; jurisdiction is French courts with EU consumer-protection venues remaining available to you.

How to sign

Creating an account = electronic acceptance of this DPA, sufficient under eIDAS for ordinary commercial use. If your legal team needs a counter-signed paper version (e.g. for procurement records), write to privacy@linkette.eu and we’ll send a PDF you can sign and return.