AgraMarket SARL ("AgraMarket", "we") operates the GrainBoard platform. This policy explains what personal data we collect, why, and how we handle it.
Data Controller:
AgraMarket SARL
124 rue Maurice Arnoux, 92120 Montrouge, France
contact@agramarket.fr
1. Data We Collect
1.1 Account Data
When you register, we collect:
- Email address (also serves as your username)
- First name
- Last name
- Password (stored as a cryptographic hash — never in plain text)
We also record your registration date and last login date.
1.2 Subscription and Billing Data
When you subscribe to a paid plan, payment is processed by Stripe, Inc. AgraMarket does not collect or store your payment card details. We receive from Stripe: subscription status, plan type, billing dates, and payment confirmation.
Stripe's privacy policy: https://stripe.com/privacy
1.3 Technical Data
- Session cookies: PHP session cookie (
PHPSESSID) and Django session/CSRF cookies, strictly necessary for the platform to function. - Server logs: standard web server logs may contain IP addresses and user-agent strings. These logs are used for security monitoring and debugging only.
- Analytics: we use PostHog for product analytics (page views, feature usage, conversion funnels). PostHog may set cookies for session identification. Analytics events are pseudonymized (for example, account-level identifier and plan only) and exclude direct identifiers such as name or email. We also use Fathom Analytics for website analytics. Fathom is privacy-focused, does not use cookies, and does not collect personally identifiable information.
1.4 Data We Do Not Collect
We do not collect: phone number, postal address, company name, country of residence, date of birth, or any financial data beyond what Stripe provides.
2. Why We Process Your Data
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email, name | Account creation, authentication, communication | Contract performance (Art. 6(1)(b)) |
| Password hash | Authentication | Contract performance |
| Subscription data | Service delivery, billing | Contract performance |
| Session cookies | Platform functionality | Contract performance |
| Server logs | Security, debugging | Legitimate interest (Art. 6(1)(f)) |
| Analytics (PostHog) | Product improvement | Legitimate interest (Art. 6(1)(f), with right to object) |
3. Data Sharing
We share personal data only with:
- Stripe, Inc. — payment processing (US-based; EU-US Data Privacy Framework certified)
- OVH SAS — hosting (Roubaix, France)
- PostHog — product analytics
- Fathom Analytics — privacy-focused website analytics (EU-based processing)
We do not sell personal data. We do not share data with advertisers.
We may disclose data if required by law or court order.
4. Data Storage and Security
Your data is stored on servers hosted by OVH in France. Passwords are stored using Django's default hashing (PBKDF2 with SHA-256).
We implement standard security measures: HTTPS encryption, CSRF protection, hashed credentials, and access controls. Server logs containing personal data are retained for a limited period for security purposes and are not used for profiling.
5. Data Retention
| Data | Retention |
|---|---|
| Active account data | Duration of the account |
| Account data after deletion request | Deleted within 30 days, except where legal obligations require longer retention (e.g., billing records: 10 years under French commercial law) |
| Server logs | 12 months maximum |
| PostHog analytics | Pseudonymized event data; retained per PostHog's data retention settings |
6. Cookies
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
PHPSESSID | PHP session management | Strictly necessary | Session |
| Django session cookie | Django session management | Strictly necessary | Session |
| Django CSRF cookie | Cross-site request forgery protection | Strictly necessary | Session |
| PostHog cookies | Product analytics | Analytics | See PostHog documentation |
The platform does not use advertising cookies or third-party tracking cookies.
PostHog analytics cookies are used under our legitimate interest to improve product performance and usability. You can object to this processing at any time by contacting contact@agramarket.fr.
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Object to processing based on legitimate interest
- Withdraw consent where processing is consent-based
- Lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés, www.cnil.fr)
To exercise any of these rights, contact: contact@agramarket.fr
We will respond within 30 days.
8. International Transfers
Your data is primarily stored and processed in France (OVH). Some data is processed by US-based services:
- Stripe: certified under the EU-US Data Privacy Framework
- PostHog: configured to minimize personal data transfer; pseudonymized analytics event data
9. Changes to This Policy
We may update this policy. Material changes will be communicated to registered users by email. The "last updated" date at the top reflects the latest version.
10. Contact
For any questions about this policy or your personal data:
AgraMarket SARL
contact@agramarket.fr
124 rue Maurice Arnoux, 92120 Montrouge, France