1. Introduction
This privacy policy describes how Doaken Technology collects, uses, stores and protects the personal data of users of its website doaken.com and its SaaS tender response platform.
Doaken Technology is committed to complying with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and the French Data Protection Act of 6 January 1978 as amended.
2. Data controller
The personal data controller is:
- Trading name: Doaken Technology
- Legal form: Sole proprietorship (Entrepreneur individuel)
- Director: Rodolphe Chane-Wai
- SIRET number: 891 588 980 00021
- Address: Rue Camille Honore, 94120 Fontenay-sous-Bois, France
- DPO email: contact@doaken.fr
3. Data collected
a) Via the doaken.com website (demo request form)
- Work email address
- Company name
- Number of tenders processed per year
- Bid team / commercial team size
- Main challenge encountered
b) Via the Doaken platform (SaaS application)
- User first and last name
- Email address
- Company information (legal name, sector)
- Uploaded documents (tender documents, technical proposals, administrative files)
- Billing information
c) Technical data collected automatically
- IP address
- Browser type and version
- Pages visited and browsing journey
- Cookies (see section 10)
4. Processing purposes
Personal data collected is used for the following purposes:
- Responding to demo requests: processing and follow-up of platform demo requests
- Providing the SaaS service: creating and managing user accounts, processing documents, generating technical proposals
- Improving the service: analysing usage to improve user experience and features
- Commercial communication: sending information about service updates (only with prior consent)
- Legal obligations: compliance with accounting, tax and regulatory obligations
5. Legal basis for processing
In accordance with Article 6 of the GDPR, each processing operation is based on an appropriate legal basis:
- Consent (Art. 6.1.a): contact forms, demo requests, analytics cookies, commercial communications
- Contractual performance (Art. 6.1.b): providing the SaaS service, managing user accounts, processing documents
- Legitimate interest (Art. 6.1.f): service improvement, platform security, fraud prevention
- Legal obligation (Art. 6.1.c): billing, accounting, tax obligations
6. Retention period
Personal data is retained for the following periods:
- Prospect data (demo form): 3 years after last contact
- Customer data (user account): contract duration + 5 years (legal accounting and tax obligations)
- Uploaded documents (tender documents, technical proposals): contract duration + 30 days after account deletion
- Technical logs (IP addresses, access logs): 12 months
- Cookies: 13 months maximum
After these periods, data is irreversibly deleted or anonymised.
7. Sub-processors
Doaken Technology uses the following sub-processors for personal data processing:
| Sub-processor | Usage | Location | DPA |
|---|
| Supabase | Database (PostgreSQL) | Europe (Frankfurt) | Yes |
| Cloudflare R2 | Document storage | Europe | Yes |
| Clerk | Authentication | USA (DPA + SCC) | Yes |
| Anthropic | Document analysis | USA (DPA, no training) | Yes |
| Brevo | Transactional emails | France | Yes |
| Vercel | Website hosting | USA (DPA + SCC) | Yes |
Sub-processors located outside the European Union are covered by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) approved by the European Commission.
8. Data transfers outside the European Union
Some of our sub-processors are located in the United States. The following safeguards are in place for each transfer:
- Anthropic (USA): DPA signed. Data sent for document analysis is not stored permanently and is never used to train models (Anthropic API policy).
- Vercel (USA): static hosting of the marketing website only. No sensitive personal data processed.
- Clerk (USA): DPA and Standard Contractual Clauses (SCCs) in place for authentication management.
All these transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Article 46.2.c of the GDPR.
9. Your rights (GDPR - Articles 15 to 22)
In accordance with the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation that your data is being processed and receive a copy
- Right to rectification (Art. 16): have inaccurate or incomplete data corrected
- Right to erasure (Art. 17): request deletion of your personal data
- Right to restriction (Art. 18): request restriction of the processing of your data
- Right to portability (Art. 20): receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21): object to the processing of your data on legitimate grounds
- Right to withdraw consent: withdraw your consent at any time for processing based on consent
To exercise these rights, contact us at: contact@doaken.fr
Response time: 30 days maximum from receipt of your request. This period may be extended by two months for complex requests, in which case you will be informed.
If our response is unsatisfactory, you can lodge a complaint with the French data protection authority (CNIL): www.cnil.fr
10. Cookies
The doaken.com website and the Doaken platform use the following categories of cookies:
Essential cookies (no consent required)
- Session and authentication cookies
- Security cookies (CSRF, rate limiting)
- User preferences (language, theme)
Analytics cookies (with consent)
- Google Analytics: audience measurement and browsing behaviour analysis
Advertising cookies
Doaken uses no advertising cookies and does not engage in any advertising targeting.
You can manage your cookie preferences at any time via your browser settings.
11. Data security
Doaken Technology implements appropriate technical and organisational measures to ensure the security and confidentiality of personal data:
- Communications encrypted with TLS 1.3
- Data at rest encrypted with AES-256
- Per-client data isolation via Row Level Security (RLS) on PostgreSQL
- Strong authentication and brute-force protection
- Access logging and monitoring
- Time-limited signed URLs for document access
12. Changes to this policy
Doaken Technology reserves the right to modify this privacy policy at any time. In the event of substantial changes, platform users will be notified by email or through an in-app notification.
The current version is always available at: doaken.com/privacy