Privacy Policy
This policy explains how Asphorem collects and processes your personal data when you use our website (asphorem.com) and application (app.asphorem.com). It is written in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable French law.
1. Data Controller
The data controller is:
Antoine Bielawski (Asphorem)
66 Avenue des Champs-Élysées, 75008 Paris, France
Email: [email protected]
2. Data We Collect
Account data
When you create an account, we collect your first name, last name, and email address. This is the only personal information required to use Asphorem.
Usage data
We use Umami Analytics (cloud.umami.is) to measure traffic on our marketing website. Umami does not use cookies and does not collect any personally identifiable information — only anonymised, aggregate page view data. This does not constitute personal data processing under the GDPR.
Payment data
When you subscribe to the Pro plan, payment is processed by Lemon Squeezy (lemonsqueezy.com), which acts as the Merchant of Record for all Asphorem subscriptions. We do not receive or store your card details. Lemon Squeezy processes your payment information under its own privacy policy and applicable PCI DSS standards.
File data
Your CSV files are never uploaded to our servers. File processing happens locally in your browser and your file rows are never transmitted anywhere. However, when you use the AI matching feature, the unique values from the picklist columns you choose to map are sent to OpenAI for analysis — this allows the AI to suggest canonical matches. No full rows, no personally identifiable data from your file, and no file contents beyond these unique column values are ever shared.
3. How We Use Your Data
We process your personal data for the following purposes:
- Account management — to create and maintain your account. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Service delivery — to provide you access to Asphorem tools and save your mapping configurations. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Billing and payment — to manage your subscription and comply with accounting obligations. Legal basis: performance of a contract and legal obligation (Art. 6(1)(b) and 6(1)(c) GDPR).
- Service communications — to send you important notices about your account or the service (e.g. changes to terms, security notices). Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
4. Data Recipients and Processors
Your data may be shared with the following service providers acting as data processors on our behalf. We have Data Processing Agreements (DPAs) in place with each processor:
- Vercel Inc. (USA) — application hosting. Data transfers to the USA are covered by Standard Contractual Clauses (SCCs).
- Supabase Inc. (USA) — database hosting. Data transfers to the USA are covered by Standard Contractual Clauses (SCCs).
- Lemon Squeezy LLC (USA) — payment processing and merchant of record. Data transfers to the USA are covered by Standard Contractual Clauses (SCCs).
- OpenAI OpCo LLC (USA) — AI value matching. When you use the AI matching feature, unique picklist values from the columns you map are sent to OpenAI for processing. No file rows or personally identifiable file contents are transmitted. Data transfers to the USA are covered by Standard Contractual Clauses (SCCs).
- Umami Software Inc. (USA) — anonymised analytics. No personal data is transferred.
We do not sell your personal data. We do not share it with any third party for marketing purposes.
5. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), specifically in the United States. Where such transfers occur, we ensure that appropriate safeguards are in place — in particular, Standard Contractual Clauses (SCCs) approved by the European Commission — to ensure your data receives a level of protection equivalent to that within the EEA.
6. Data Retention
- Account data: retained for the duration of your account, then deleted within 90 days of account closure, except where retention is required by law.
- Billing records: retained for 10 years in accordance with French accounting law (Code de commerce, Art. L. 123-22).
- Mapping configurations: retained for the duration of your account and deleted upon account closure.
7. Cookies
We do not use cookies for tracking or advertising. Our analytics tool (Umami) is cookieless by design. We may use strictly necessary session cookies to keep you logged in to the application; these are essential to the service and do not require your consent.
8. Data Breach Notification
In the event of a personal data breach, we will notify the CNIL without undue delay and, where feasible, no later than 72 hours after becoming aware of it, in accordance with Art. 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Art. 34 GDPR.
9. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — to obtain a copy of the data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure — to request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction — to request that we limit how we process your data in certain circumstances.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to object to processing based on our legitimate interests.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the French data protection authority:
CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
www.cnil.fr
10. Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top and, where changes are material, notify you by email. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact
For any questions about this privacy policy or how we handle your data, contact us at [email protected].