This policy describes how Freelance OS processes your personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national laws.
Data controller
MEIZ (EURL) (RCS Paris 854 034 683), publisher of Freelance OS, represented by Jean Saunie. GDPR contact: contact@freelance-os.fr.
No Data Protection Officer (DPO) is currently designated. The GDPR contact is the official channel for any data-related question.
Scope
This policy covers:
- The public site freelance-os.fr and its sub-pages
- The Kernel SaaS (kernel.freelance-os.fr) and the member app (app.freelance-os.fr and workspace subdomains *.freelance-os.fr)
When you use a workspace administered by a third party (e.g. solodevagency.fr), Freelance OS acts as a processor under GDPR for the data entered in that workspace. The third party remains the controller for its own end users. See /en/dpa.
Data collected
Identity and account data
- Email, first name, last name (optional)
- Hashed password (never stored in cleartext, via Supabase Auth)
- Internal UUID
- Role and workspace membership
Billing data
- Billing email, postal address, business name, VAT number
- Stripe customer ID
- Payment method identifiers (never the full card number, which stays at Stripe)
- Invoice and subscription history
User content
- Drafts and content created in Studio (drafts, ideas, scripts)
- Voice configs, briefs, AI prompts
- Counsel documents (quotes, contracts, invoices)
- Presentations, published web pages, knowledge base items
- Bookings and external invitee data (name, email, timezone)
- Support threads and multi-channel conversations (DM, email)
Third-party integration tokens
- OAuth tokens (AES-256-GCM encrypted, isolated per workspace) for Google, Google Ads, YouTube, TikTok, TikTok Marketing API, Instagram, LinkedIn, LinkedIn Advertising API, Meta, Meta Ads, WhatsApp Business, Stripe Connect
- Connection metadata (account/advertiser id, granted scopes, expiration)
- Tokens are deleted immediately when you disconnect an integration from the UI
Data retrieved via advertising APIs
When you connect an ads account (Meta Ads, Google Ads, TikTok Marketing API, LinkedIn Advertising API), Freelance OS periodically queries those APIs to sync:
- Ad accounts you authorize (id, name, currency, timezone)
- Campaigns, ad groups, ads you create or view from Kernel (objective, budget, status, targeting, creatives)
- Aggregated performance metrics (impressions, clicks, conversions, spend, CPM, CPC, CPA, ROAS) per campaign, ad group, ad, day, demographic
- Custom audiences you configure (estimated size, source, status). PII hashes optionally uploaded (SHA-256 hashed emails) are transmitted to platforms but never stored in cleartext on Freelance OS
- Product catalogs and DPA feeds (for dynamic ads)
- Pixel events and server-side conversions (CAPI) you send to platforms; Freelance OS acts as a gateway
- Leads collected via Lead Ads (form fields, timestamp) returned to you in Kernel
This data is stored in the EU region (Supabase Frankfurt) and associated exclusively with your workspace. It is deleted 30 days after integration disconnection or account closure.
Technical and telemetry data
- IP address (for security and auth logs)
- User agent, browser, OS
- Pages visited, analytics events (if consented)
- Audit logs (super_admin actions, sensitive operations)
Public form submissions
- Waitlist and webinar signups: email, first name, phone (optional), country
- UTM, referer, locale, user agent at submission time
Purposes and legal basis
| Purpose | GDPR legal basis |
|---|---|
| Account creation and management | Contract performance (art. 6.1.b) |
| Billing, payment, accounting | Contract + legal obligation (art. 6.1.b and c) |
| Provision of SaaS features (Studio, Counsel, etc.) | Contract performance |
| Cross-platform ad campaign management (Meta Ads, Google Ads, TikTok Marketing API, LinkedIn Advertising API) | Contract performance |
| AI content generation (Anthropic, Gemini, OpenAI) | Contract performance |
| Transactional emails (Resend) | Contract performance |
| Security, fraud prevention, audit logs | Legitimate interest (art. 6.1.f) |
| Audience measurement (Google Analytics 4) | Consent (art. 6.1.a) |
| Waitlist, webinar, newsletter signups | Consent |
| Responding to GDPR requests and support | Legal obligation + legitimate interest |
Recipients and sub-processors
Your data is accessible to authorized Freelance OS staff and contractors, and to the technical sub-processors listed at /en/subprocessors (hosting, payment, email, AI, OAuth, analytics).
Your data is never sold or transferred for advertising purposes.
Transfers outside the European Union
Some sub-processors are located in the United States or operate US infrastructure. Transfers are made under Standard Contractual Clauses approved by the European Commission (decision 2021/914), complemented by technical measures (TLS 1.3 in transit, AES-256 at rest, tenant isolation).
Sub-processors involved in non-EU transfers:
- Stripe (payments, US)
- Anthropic, Google Gemini, OpenAI (generative AI, US)
- Apify (LinkedIn scraping, US)
- Fathom (meeting transcripts, US)
- Vercel (hosting, US)
- Meta, Meta Ads (Pixel, Conversions API, Marketing API, US)
- Google Ads (Marketing API, US)
- TikTok Marketing API (US/SG)
- LinkedIn Advertising API (US)
- Resend (transactional email, US/EU)
See /en/subprocessors for the exhaustive list and associated safeguards.
Retention
| Data | Duration |
|---|---|
| Active account | Duration of the account |
| Closed account | Deletion within 30 days of closure |
| Counsel documents (quotes, contracts, invoices) | 10 years from issuance (Art. L123-22 French Commercial Code) |
| Audit and security logs | 12 months |
| Authentication IPs | 12 months (French LCEN) |
| Waitlist email without follow-up | 24 months max |
| Analytics cookies (GA4) | 13 months max |
| Commercial prospecting data | 3 years from last contact (CNIL) |
Your rights
Under GDPR articles 15 to 22, you have the following rights:
- Access to a copy of your data
- Rectification of inaccurate information
- Erasure ("right to be forgotten")
- Restriction of processing
- Objection to processing based on legitimate interest
- Portability of your data in a structured, machine-readable format
- Not to be subject to automated decision-making with legal effects
- Withdrawal of consent at any time (without retroactive effect)
- Post-mortem directives about your data
To exercise these rights: contact@freelance-os.fr or via /en/data-deletion. Response within 30 days maximum.
Cookies
See our cookie policy.
Security
See our security page for technical and organizational measures.
Complaint
You can file a complaint with the French data protection authority (CNIL): https://www.cnil.fr/en/plaintes, or with your local supervisory authority.
Modification
This policy may evolve. Material changes will be notified by email to active accounts with a 30-day notice period.