Privacy Policy

1. Introduction

This Privacy Policy describes how Doaken Technology collects, uses, stores and protects the personal data of users of its website doaken.fr (and its English version doaken.com) and of its SaaS platform for responding to tenders.

Doaken Technology is committed to complying with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act of 6 January 1978 as amended.

2. Data Controller

The data controller for personal data is:

Legal name: Mr. Rodolphe Chane-Wai
Trade name: Doaken Technology
Legal form: Sole proprietorship (Entrepreneur individuel, French law)
Owner: Rodolphe Chane-Wai
SIREN number: 891 588 980
SIRET number (head office): 891 588 980 00021
Address: Paris, France
Email: contact@doaken.fr
Phone: +33 9 39 24 59 16

Data Protection Officer (DPO): no DPO has been appointed. Pursuant to Article 37 of the GDPR, appointing a DPO is not mandatory for Doaken Technology at this stage (the activity does not involve large-scale processing of sensitive data or systematic monitoring). The GDPR contact is Rodolphe Chane-Wai, reachable at contact@doaken.fr.

3. Data Collected

a) Via the Doaken website (demo request form)

Business email address
Company name
Number of tenders handled per year
Size of the bid / sales team
Main challenge encountered

b) Via the Doaken platform (SaaS application)

User's first and last name
Email address
Company information (legal name, business sector)
Uploaded documents (tender files, technical proposals, administrative documents)
Billing data

c) Technical data collected automatically

IP address
Browser type and version
Pages visited and navigation path
Cookies (see section 10)

4. Purposes of Processing

Personal data is collected and used for the following purposes:

Responding to demo requests: handling and following up on requests for a platform demonstration
Providing the SaaS service: creating and managing user accounts, processing documents, generating technical proposals
Improving the service: usage analytics to improve the user experience and features
Commercial communication: sending information about service updates (only with prior consent)
Legal obligations: compliance with accounting, tax and regulatory obligations

5. Legal Basis for Processing

Pursuant to Article 6 of the GDPR, each processing activity relies on an appropriate legal basis:

Consent (Art. 6.1.a): contact forms, demo requests, analytics cookies, commercial communications
Contractual performance (Art. 6.1.b): provision of the SaaS service, user account management, document processing
Legitimate interest (Art. 6.1.f): service improvement, platform security, fraud prevention
Legal obligation (Art. 6.1.c): invoicing, accounting, tax obligations

6. Retention Periods

Personal data is retained for the following periods:

Prospect data (demo form): 3 years after the last contact
Customer data (user account): duration of the contract + 5 years (accounting and tax legal obligations)
Uploaded documents (tender files, technical proposals): duration of the contract + 30 days after account deletion
Technical logs (IP addresses, access logs): 12 months
Cookies: 13 months maximum

Beyond these periods, data is deleted or anonymised irreversibly.

7. Data Processors

Doaken Technology uses the following data processors to process personal data:

Processor	Purpose	Location	DPA
Supabase	Database (PostgreSQL)	Europe (Frankfurt)	Yes
Cloudflare R2	Document storage	Europe	Yes
Anthropic	Document analysis	USA (DPA, no training)	Yes
Brevo	Transactional emails	France	Yes
Vercel	Website and application hosting	USA (Paris servers · DPA + SCC)	Yes
Google LLC (Analytics 4)	Website audience measurement (with consent)	USA (DPA + SCC)	Yes
Google LLC (Fonts)	Inter and Space Grotesk web fonts (CDN loading)	USA (SCC)	Yes

Data processors located outside the European Union are covered by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Transfers of Data Outside the European Union

Some of our data processors are located in the United States. The following safeguards are in place for each transfer, in accordance with Articles 44 to 49 of the GDPR:

Anthropic PBC (USA): signed DPA and Standard Contractual Clauses (SCC 2021). Data transmitted for document analysis is not stored on a permanent basis and is never used to train models (Anthropic commercial API policy).
Vercel Inc. (USA): execution servers located in France (Paris region cdg1). DPA and SCC 2021 in place. Vercel only retains technical logs (IP, URLs, User-Agent) for security purposes.
Supabase Inc. (USA): data stored on Supabase servers located in Frankfurt (EU). DPA and SCC 2021 in place for the managed service.
Cloudflare Inc. (USA): R2 storage configured on the European region. DPA and SCC 2021 in place.
Google LLC (USA) — Analytics & Fonts: DPA and SCC 2021 in place. The use of Google Analytics is subject to the user's prior consent via our cookie consent banner.

All of these transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission through decision 2021/914, in accordance with Article 46.2.c of the GDPR.

9. Your Rights (GDPR — Articles 15 to 22)

Under the General Data Protection Regulation, you have the following rights over your personal data:

Right of access (Art. 15): obtain confirmation that your data is being processed and receive a copy
Right to rectification (Art. 16): have inaccurate or incomplete data corrected
Right to erasure (Art. 17): request the deletion of your personal data
Right to restriction (Art. 18): request the restriction of processing of your data
Right to portability (Art. 20): receive your data in a structured, commonly used and machine-readable format
Right to object (Art. 21): object to the processing of your data on legitimate grounds
Right to withdraw consent: withdraw your consent at any time for processing based on it

To exercise these rights, please contact us at: contact@doaken.fr

Response time: 30 days maximum from receipt of your request. This period may be extended by two months for complex requests, in which case you will be informed.

If you are not satisfied with our response, you may lodge a complaint with the French Data Protection Authority (CNIL):

Website: cnil.fr/en/plaintes
Postal address: CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Phone: +33 1 53 73 22 22

No profiling or automated decision-making: pursuant to Article 22 of the GDPR, Doaken Technology does not carry out any automated decision-making or profiling producing legal effects concerning you or significantly affecting you.

10. Cookies

The Doaken website and platform use the following categories of cookies:

Essential cookies (no consent required)

Session and authentication cookies
Security cookies (CSRF, rate limiting)
User preferences (language, theme)

Analytics cookies (with consent)

Google Analytics 4 (_ga, _ga_*) — anonymised audience measurement, retention period: 13 months. Set only after explicit consent via the cookie banner.

Advertising cookies

Doaken does not use any advertising cookies and does not carry out any advertising targeting.

You can withdraw your consent or manage your preferences at any time:

Via the website consent banner ("Manage cookies" link at the bottom of the page)
Via your browser settings (clearing cookies)

11. Data Security

Doaken Technology implements appropriate technical and organisational measures to ensure the security and confidentiality of personal data:

Communications encryption in TLS 1.3
Encryption of data at rest in AES-256
Per-customer data isolation via Row Level Security (RLS) on PostgreSQL
Strong authentication and brute-force protection
Access logging and monitoring
Signed URLs with expiry for document access

For more information about our security measures, please see our Security & Compliance page.

12. Procedure in the Event of a Data Breach

Pursuant to Articles 33 and 34 of the GDPR, in the event of a personal data breach likely to result in a risk to your rights and freedoms, Doaken Technology undertakes to:

Notify the French Data Protection Authority (CNIL) within 72 hours of becoming aware of the breach
Inform the persons concerned as soon as possible if the risk is high
Document all breaches (nature, categories of data concerned, measures taken) in an internal register

13. Changes to This Policy

Doaken Technology reserves the right to modify this Privacy Policy at any time. In the event of a material change, platform users will be notified by email or by an in-app notification.

The version in force is always available at: doaken.com/en/privacy