Legal document

Privacy Policy

Updated June 2, 2026

Preamble

This privacy policy applies to the veya.studio website and to all services offered by VEYA. It complies with the General Data Protection Regulation (GDPR — EU 2016/679) and the amended French Data Protection Act.

Data controller

VEYA — Alaa Mourad, SIREN 832 503 395
Email: [email protected]

VEYA acts as data controller for data collected on the veya.studio website (visitors, prospects), and as data processor for data handled within Clients' Brains.

Data collected

1. Data collected via the veya.studio website:

  • Name, first name, email (contact forms, assessment requests)
  • Browsing data (IP, browser, pages visited) — anonymised analytics use
  • Technical cookies (see cookie policy)

2. Data processed within Clients' Brains (as processor):

  • Corpus provided by the Client (text, documents, voice)
  • Data of the Client's prospects/customers (managed via the integrated CRM)
  • Interaction logs

Purposes of processing

  • Respond to prospect requests (contact, assessment)
  • Manage the contractual relationship (quotes, invoicing, follow-up)
  • Improve the service (aggregated analytics)
  • Comply with legal obligations (accounting, tax)

VEYA does not sell or transfer data to third parties.

Legal basis

  • Consent (contact forms)
  • Performance of a contract (Client relationship)
  • Legal obligation (accounting)
  • Legitimate interest (security, anonymised audience measurement)

Retention period

  • Prospects (not converted): 3 years from last contact
  • Clients: term of the contract + 10 years (accounting and tax obligation)
  • Cookies: 13 months maximum

Subprocessors

VEYA relies on the following subprocessors:

  • Vercel Inc. (United States — website hosting) — DPA in place, non-EU transfers governed by Standard Contractual Clauses
  • Supabase Inc. (United States — data storage) — EU region (Dublin, Ireland), DPA in place
  • Hostinger International Ltd. (Cyprus — application infrastructure) — datacenter in Paris (FR)
  • Cloudflare Inc. (United States — CDN and security) — DPA in place
  • Anthropic (Claude), OpenAI (GPT), Google (Gemini) and Perplexity (language-model providers) — occasional technical use, DPA in place

All subprocessors are contractually bound by security and confidentiality obligations compliant with the GDPR.

Transfers outside the EU

Some subprocessors (Vercel, Supabase, Cloudflare) are located in the United States. Transfers are governed by the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, by the additional measures recommended by the EDPB.

Your rights

In accordance with the GDPR, you have the following rights:

  • Right of access, rectification and erasure
  • Right to data portability
  • Right to object and to restriction
  • Right to withdraw your consent at any time
  • Right to set post-mortem directives

To exercise these rights: [email protected]

In the event of an unresolved dispute, you may lodge a complaint with the French data protection authority, the CNIL (cnil.fr).

Security

VEYA implements appropriate technical and organisational measures: encryption at rest and in transit, multi-factor authentication on administrator accounts, regular backups, access logging, and security training.