Privacy Policy

Last updated: February 27, 2026

1. Data Controller

Keonwoo Kim
Address: 20 Rue Albert, Paris
Contact: bonjouradmin.com/contact

2. Data Collected

• Identification: email, encrypted password.
• Profile (optional): visa type, residence duration, language preferences.
• Usage: conversation history, community posts, uploaded documents.
• Navigation: anonymized IP, browser type, pages visited (with consent).
• Payment: processed exclusively by Paddle.com Market Ltd (Merchant of Record).

3. Purposes and Legal Bases

• Account management and service delivery: contract execution (Art. 6.1.b GDPR).
• Payment processing: contract execution (Art. 6.1.b GDPR).
• Service improvement (usage analysis): legitimate interest (Art. 6.1.f GDPR).
• Statistics and analytics (PostHog): consent (Art. 6.1.a GDPR).
• Email communications: consent (Art. 6.1.a GDPR).
• Community sharing: consent (Art. 6.1.a GDPR).
• Anonymized RAG data: legitimate interest after anonymization (Art. 6.1.f GDPR).

4. Data Recipients

• Supabase (AWS) — database hosting, United States, EU-US Data Privacy Framework.
• Vercel Inc. — web hosting, United States, EU-US Data Privacy Framework.
• OpenAI / Anthropic — AI processing, United States, Standard Contractual Clauses (SCC).
• Paddle.com Market Ltd — payment processing (Merchant of Record), United Kingdom, SCC / UK GDPR adequacy.
• PostHog — web analytics, United States / EU.

Conversation data is transmitted to AI providers (OpenAI/Anthropic) to generate responses. These providers process data in accordance with their respective API privacy policies.

5. International Transfers

Some data is transferred to the United States and the United Kingdom. These transfers are protected by:
• The EU-US Data Privacy Framework adequacy decision (July 10, 2023), where applicable.
• The UK adequacy decision (June 28, 2021), where applicable.
• Standard Contractual Clauses (SCC) approved by the European Commission.

6. Retention Periods

• Account data: duration of registration + 30 days after account deletion.
• Conversation history: 12 months, then automatically deleted.
• Community posts: duration of publication + anonymization upon account deletion.
• Uploaded documents: automatically deleted after processing (maximum 24 hours).
• Payment data: retained by Paddle per its legal obligations.
• Analytics cookies: 13 months maximum (CNIL recommendation).
• Billing data: 10 years (French accounting law).

7. Your Rights

Under the GDPR (Regulation EU 2016/679), you have the following rights:
• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17) — "right to be forgotten"
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent at any time

To exercise these rights, please use our contact form at bonjouradmin.com/contact. We will respond within one (1) month of receiving your request.

8. CNIL Complaint

If you believe that the processing of your data constitutes a violation of the GDPR, you have the right to file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

CNIL
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
https://www.cnil.fr

9. Cookies

• Essential cookies (no consent required): authentication cookies (user session), language preference cookies.
• Analytics cookies (consent required): PostHog — audience measurement and navigation behavior analysis. These cookies are only placed after obtaining your explicit consent via the cookie management banner.

You may modify your cookie preferences at any time via the "Manage cookies" link in the footer. In accordance with CNIL recommendations, the maximum lifespan of analytics cookies is 13 months.

10. Artificial Intelligence and Data

10.1 Conversation processing — Messages sent to the AI chatbot are transmitted to third-party AI providers (OpenAI and/or Anthropic) to generate responses.

10.2 Community experience system (RAG) — Shared user experiences may be used, in anonymized form, to enrich AI responses. Personally identifiable data (names, emails, phone numbers) is removed before integration.

10.3 Uploaded documents — Documents submitted for interpretation are processed in real time and automatically deleted within a maximum of 24 hours.

11. Security

We implement appropriate technical and organizational measures to protect your data, including:
• Data encryption in transit (TLS/HTTPS)
• Password encryption (bcrypt)
• Data access control (Row Level Security)
• Regular backups
• Monitoring for unauthorized access

12. Policy Changes

We reserve the right to modify this Privacy Policy. Any substantial changes will be communicated to registered users by email at least 30 days before taking effect.