Last updated: 16 April 2026

Privacy policy

Data controller

Nellahouse Signature, sole proprietor — 6 place du petit paradis, 91070 Bondoufle, France. SIRET 91856848600016, RCS Paris. For any GDPR request: contact@suppdevsync.com.

Data collected

When creating an account: email address and name if provided. When placing an order: shipping address, phone if given, cart contents. Payment: no card data is stored — payment is handled directly by Stripe. Navigation: if you accept via the consent banner, aggregated page views and behaviour via Google Analytics 4 (IP anonymised), orchestrated by Google Tag Manager with Consent Mode v2. Without consent, no navigation data is stored.

Purposes and legal bases

Performance of the sales contract: order processing, delivery, customer service. Legal obligation: retention of invoices for accounting and tax purposes. Legitimate interest: site security, fraud prevention, aggregated audience. Consent: no marketing processing is performed at the MVP stage.

Retention periods

User account: until voluntary deletion. Orders and invoices: 10 years from the close of the fiscal year (French Commercial Code art. L123-22). Technical logs: 12 months. Google Analytics 4 data (if consented): 13 months maximum, in line with CNIL guidance. Technical cookies: session duration.

Recipients and sub-processors

Amazon Cognito (authentication) and Amazon Aurora PostgreSQL (application database) — AWS, us-east-1 region. Resend (transactional email) — European Union. Amazon S3 and CloudFront (asset hosting and CDN delivery) — AWS global. Stripe Payments Europe Limited (payment processing) — EU and US. Google LLC (Google Tag Manager and Google Analytics 4, aggregated audience with Consent Mode v2, subject to your consent) — United States, transfers governed by the European Commission's Standard Contractual Clauses (SCC).

Transfers outside the European Union

The AWS services used run in us-east-1 (United States). Transfers are governed by the Standard Contractual Clauses (SCC) approved by the European Commission and by the AWS Data Processing Addendum. Stripe also applies SCC and holds international certifications.

Cookies and trackers

Strictly necessary cookies (set without consent): authentication session cookies (Amazon Cognito), a functional cart cookie, a CSRF security token, and a consent preference cookie. Optional analytics cookies (set only after you accept via the banner): Google Analytics 4 (_ga, _ga_*) with a maximum duration of 13 months for audience measurement, with IP anonymised. No advertising cookies, no behavioural trackers. You may change your choice at any time from the "Cookie preferences" link in the footer.

Your rights

Under the GDPR, you have rights of access, rectification, erasure, objection, portability and restriction of processing. You may exercise these rights by writing to contact@suppdevsync.com. We commit to responding within one month. You may also delete your account at any time from the My Account page: deletion is immediate and your personal data is anonymised. Invoices from your previous orders remain retained for 10 years in accordance with the legal obligation, with no link to an active account.

Complaint

If you believe your rights are not respected, you may contact the French data protection authority (CNIL) — www.cnil.fr.