Privacy Policy
Last updated: February 26, 2026
OSFeed ("we", "us", "our") is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable French data protection law. This Privacy Policy explains what data we collect, how we use it, and your rights as a data subject.
1. Data Controller
The data controller is OSFeed, operating as an individual entrepreneur registered in France. For privacy inquiries, contact us at privacy@osfeed.com or via our contact page.
2. Data We Collect
2.1 Account data
- Email address — required for account creation, authentication, and communications
- Password hash — bcrypt-hashed, never stored in plain text
- Display language preference — the language you chose during onboarding
- Selected topics — the geopolitical topics you monitor
- GDPR consent timestamp — the date and time you gave explicit consent
- Account creation date
2.2 Beta access requests
When you submit a beta access request via our "Join the Beta" form, we collect your email address and, optionally, your name and use case description.
2.3 Contact form submissions
When you use our contact form, we collect your name, email address, and message content.
2.4 Usage data (technical logs)
We collect standard server logs including IP addresses, browser type, pages visited, and timestamps for security, debugging, and service improvement. Logs are retained for a maximum of 30 days.
3. Legal Basis for Processing
| Data | Legal Basis |
|---|---|
| Account data (email, password hash) | Contract performance (Art. 6(1)(b) GDPR) |
| Language & topic preferences | Contract performance (Art. 6(1)(b) GDPR) |
| GDPR consent record | Legal obligation (Art. 6(1)(c) GDPR) |
| Beta access requests | Legitimate interest / pre-contractual steps (Art. 6(1)(f) GDPR) |
| Contact form messages | Legitimate interest (Art. 6(1)(f) GDPR) |
| Technical logs | Legitimate interest — security (Art. 6(1)(f) GDPR) |
4. Data Retention
- Account data: retained for the duration of your account plus 30 days after deletion
- Beta access requests: retained for 12 months, then deleted
- Contact form messages: retained for 24 months, then deleted
- Technical logs: retained for 30 days
5. Data Sharing — Sub-processors
We share your data with the following sub-processors, solely for the purpose of operating the Service:
| Sub-processor | Role | Location | Data shared |
|---|---|---|---|
| OVH | Cloud hosting & infrastructure (servers, database) | France (EU) | All data stored on our servers |
| OpenRouter | LLM API routing for message translation | USA | Message content (no personal data) |
| OpenAI | Text embedding generation | USA | Translated message content (no personal data) |
| Resend | Transactional email (password reset, account verification) | USA | Email address, email content |
Transfers to the USA are covered by the EU-US Data Privacy Framework (where applicable) or Standard Contractual Clauses (SCCs).
We do not sell your data to any third party. We do not share your data with advertising networks.
6. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18): restrict processing in certain circumstances
- Right to data portability (Art. 20): receive your data in a machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent: where processing is based on consent, withdraw it at any time
To exercise your rights, contact us at privacy@osfeed.com or via the account settings page. You may also delete your account directly from account settings, which will trigger erasure of all personal data within 30 days.
You have the right to lodge a complaint with the French data protection authority, the CNIL: cnil.fr.
7. Cookies
OSFeed uses the following cookies:
- Authentication session cookie (httpOnly, Secure, SameSite=Strict): stores your session token. Required for login. Expires after 7 days.
We do not use analytics cookies, tracking cookies, or advertising cookies. No third-party cookies are set by the OSFeed platform.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- All data in transit is encrypted using TLS 1.3
- Passwords are hashed using bcrypt with a work factor of 12
- Database access is restricted to application servers via a private network
- Authentication tokens are stored in httpOnly cookies inaccessible to JavaScript
- Infrastructure is hosted in OVH EU data centers under ISO 27001 certification
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email of material changes at least 30 days in advance. Continued use of the Service after the effective date constitutes acceptance.
10. Contact
For privacy-related requests or questions, contact us at privacy@osfeed.com or via our contact page.