Privacy Policy
TL;DR
This summary is for convenience only. The full policy below is the actual document.
- ✅ We collect only what we need to run Stormz: account details, workshop content, participant data, and service logs.
- ✅ We do not sell personal data.
- ✅ We use essential cookies for authentication and event participation.
- ✅ We plan to use Plausible Analytics, a privacy-friendly analytics service without advertising cookies.
- ✅ AI features are optional and require explicit user action.
- 🇪🇺 Stormz is operated by a French company and follows GDPR requirements.
1. Introduction
This Privacy Policy explains how Stormz collects, uses, shares, and protects your personal data when you use the Stormz platform, including public pages, account access, events, workshops, AI features, and related communications.
Stormz is operated by Stormz SAS, a French company. Company details are available on the Legal Information page.
We comply with the French Data Protection Act (Loi Informatique et Libertés) and the General Data Protection Regulation (GDPR).
2. Data We Collect
2.1 Account and profile information
When you create or use an account, we may collect:
- Email address
- Name, avatar, and optional profile information such as bio
- Authentication provider information, such as Google, LinkedIn, or magic-link identity proof
- Tenant, organization, role, and membership information
2.2 Event, workshop, and participant information
When you join or facilitate workshops, we may collect:
- Event and workshop participation records
- Guest participant names and avatars when provided
- Cards, images, documents, votes, classifications, comments, and other workshop content you create
- Presence and realtime collaboration events needed to run live workshops
- Event-scoped session tokens stored in HTTP-only cookies
2.3 Contact and communication information
When you request access, join an invitation flow, or subscribe to updates, we may collect:
- Email address
- Name, company, LinkedIn URL, and other optional context you provide
- Subscription preferences and unsubscribe status
- Attribution data such as UTM parameters or referral context
2.4 Information collected automatically
When you use Stormz, we may collect:
- IP address, browser, device, operating system, and access times
- Server logs, error logs, and security events
- Approximate location when needed for location-based workshop features
- Usage data needed to improve reliability and understand product adoption
3. How We Use Your Data
| Purpose | Legal basis |
|---|---|
| Provide and operate the Stormz platform | Contract performance |
| Manage accounts, authentication, and access control | Contract performance / legitimate interest |
| Run events, workshops, realtime collaboration, and guest participation | Contract performance |
| Send transactional emails, magic links, and service notifications | Contract performance |
| Send newsletters or product updates when you subscribe | Consent |
| Improve the product, fix bugs, and maintain security | Legitimate interest |
| Prevent abuse, spam, fraud, and unauthorized access | Legitimate interest |
| Comply with legal obligations | Legal obligation |
4. AI Features and Meeting Bots
Stormz offers optional AI-assisted features for workshop facilitation, such as chat assistance, card extraction, image generation, activity blueprint generation, classification suggestions, and meeting-bot transcript processing.
When you use AI features, relevant prompts, workshop context, images, or transcript excerpts may be sent to AI infrastructure or model providers through services such as Vercel AI Gateway. Meeting-bot features may use Recall.ai to join meetings and provide transcripts.
AI features require explicit facilitator or user action. We use this data to deliver the requested feature, not to sell your information.
5. Cookies and Tracking
Essential cookies
We use required cookies for authentication, user sessions, and event-scoped participant sessions. These cookies are necessary for Stormz to function and are not used for advertising.
Analytics
We plan to use Plausible Analytics to understand aggregate usage patterns. Plausible does not use cookies and is designed to avoid tracking individuals across websites.
What we do not use
- Advertising cookies
- Social media tracking pixels
- Third-party marketing trackers for behavioral advertising
6. Data Sharing and Service Providers
We share data only with providers needed to operate Stormz, deliver requested features, secure the service, or communicate with you.
| Provider | Purpose | Data involved |
|---|---|---|
| Render | Application and realtime hosting | Server logs, IP addresses, application traffic |
| Postgres / Neon / NuxtHub | Database infrastructure | Account, tenant, event, workshop, and contact data |
| Cloudflare R2 | Blob and image storage | Uploaded images and files |
| Amazon SES | Transactional email | Email addresses and email content |
| Mailcoach | Newsletter and contact list management | Email, name, preferences, subscription status |
| Cloudflare Turnstile | Abuse and spam protection | Challenge verification data |
| Recall.ai | Meeting-bot and transcript features | Meeting metadata, participant names, transcript data |
| OpenCage | Location/geocoding features | Location search queries |
| Vercel AI Gateway and model providers | AI-assisted features | Prompts, images, transcript excerpts, and workshop context needed for the requested feature |
| Plausible | Planned privacy-friendly analytics | Aggregate usage metrics |
We do not sell your personal data to third parties.
7. International Data Transfers
Some service providers may process data outside the European Union. When this happens, we rely on appropriate safeguards such as Standard Contractual Clauses, data processing agreements, provider certifications, and equivalent legal mechanisms where applicable.
8. Data Retention
- Account data: retained while your account is active, then for up to three years for legal and administrative purposes unless a longer legal period applies.
- Workshop content: retained while the relevant tenant, event, workshop, or account remains active, unless deleted by authorized users or upon validated request.
- Event participant sessions: retained only as long as needed to support event and workshop participation, security, and operational troubleshooting.
- Newsletter data: retained while you are subscribed. If you unsubscribe, your email may remain on a suppression list to prevent future mailings.
- Logs: retained for a limited time for reliability, security, and debugging.
9. Data Security
We implement technical and organizational measures to protect personal data, including:
- Encrypted connections using HTTPS/TLS
- HTTP-only session cookies where appropriate
- Server-side authorization checks for protected resources
- Access controls for administrative functions
- Use of reputable infrastructure providers
- Security reviews during product development
No system is 100% secure. If you believe you have found a security issue, please contact us using the details on the Legal Information page.
10. Your Rights Under GDPR
You have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion of your data |
| Restriction | Request limited processing of your data |
| Portability | Receive your data in a machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Withdraw consent for optional processing such as newsletters |
To exercise your rights, contact us using the details on the Legal Information page. We will respond within one month, unless the request is complex and GDPR allows an extension.
11. Data Breach Notification
If we discover a personal data breach that poses a high risk to your rights and freedoms, we will notify the relevant supervisory authority and affected users as required by GDPR.
12. Children’s Privacy
Stormz is not intended for users under 16 years old. We do not knowingly collect personal data from children under 16. If we discover such data, we will delete it promptly.
13. Supervisory Authority
If you believe your data protection rights have been violated, you may lodge a complaint with a supervisory authority. In France, this is the Commission Nationale de l’Informatique et des Libertés (CNIL).
- Website: www.cnil.fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
14. Changes to This Policy
We may update this Privacy Policy from time to time. When changes are made, the “Last updated” date will be revised. For significant changes, we may notify users by email or platform notice when appropriate.
15. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us using the details on the Legal Information page.