Privacy and Data Protection Policy

Introduction

At GlassPredict, the commercial name of Mariela Cadenas Matheus I.E. (“the Data Controller”), we are committed to safeguarding the personal data we collect and process. This Privacy and Data Protection Policy outlines how we collect, use, share, and protect the personal information of our customers, employees, suppliers, and other stakeholders, in compliance with the General Data Protection Regulation (GDPR) and French Law No. 78-17 of 6 January 1978, relating to data processing, files, and freedoms (Loi Informatique et Libertés).

Data Controller

GlassPredict, the commercial name of Mariela Cadenas Matheus I.E., is the Data Controller responsible for ensuring that personal data is processed in compliance with applicable laws and regulations. As the Data Controller, we determine the purposes and means of the processing of personal data.

For any inquiries related to data protection or to exercise your data subject rights, you may contact us using the following channels:

• Email:
• Phone:
• Postal Address: 432 rue des Valets, 01120 Montluel, France

Definitions

• Personal data: Any information relating to an identified or identifiable natural person, such as name, address, phone number, email address, etc.
• Data processing: Any operation performed on personal data, such as collection, storage, use, modification, disclosure, or deletion.
• Data controller: The individual or entity that determines how and why personal data is processed.

Purposes of Data Processing

• Providing requested services and products to our customers.
• Managing relationships with suppliers and employees.
• Complying with legal and contractual obligations.
• Sending commercial communications and marketing materials, where consent has been obtained.
• Improving the quality of our services and products through statistical analysis.
• Managing user accounts, authentication, and access control to our services.

Principles of Data Processing

• Lawfulness, fairness, and transparency: Data will be processed lawfully, fairly, and transparently for data subjects.
• Purpose limitation: Data will be collected for specified, legitimate purposes and not processed further in ways incompatible with those purposes.
• Data minimization: Only the data necessary for the intended purposes will be collected.
• Accuracy: Data will be accurate and kept up to date.
• Storage limitation: Data will be retained only for as long as necessary for the purposes of the processing.
• Integrity and confidentiality: Data will be processed securely to prevent unauthorized access, loss, or damage.

Data Subject Rights

• Right of access: Individuals can request access to their personal data.
• Right to rectification: Individuals can request the correction of inaccurate or incomplete data.
• Right to erasure (right to be forgotten): Individuals can request the deletion of their data in certain circumstances.
• Right to restriction of processing: Individuals can request that the processing of their data be restricted under certain conditions.
• Right to data portability: Individuals can request to receive their data in a structured format and transfer it to another data controller.
• Right to object: Individuals can object to the processing of their data based on legitimate interests or for direct marketing purposes.

To exercise these rights, data subjects may contact us via contact@glasspredict.com or by post at 432 rue des Valets, 01120 Montluel, France.

Transfer of Data to Third Parties

We will not share personal data with third parties unless:

• It is necessary for providing our services (e.g., with service providers).
• It is required by law.
• We have obtained the consent of the data subject.

When transferring data to third parties, we ensure that appropriate safeguards are in place to protect the data.

Data Processors

OVH SAS

• Role: Mail hosting, SMTP relay, webmail access
• Location: France (EEA) – OVHcloud data centres (e.g. “eu-west-gra”)
• Data processed:
  • Contact form submissions (name, e-mail, message)
  • E-mail metadata (timestamps, IP addresses)
• Purpose: Delivery, storage and transmission of transactional e-mails
• Legal basis: Performance of contract (Art. 6 § 1 b GDPR)
• Retention: Contact-form emails are retained by GlassPredict for up to 24 months. OVHcloud retains deleted items (from the Trash/Deleted Items folder) for 14 days, after which they are permanently purged.
• DPA: Annexe “DPA” version 9 August 2023 – OVH Data Protection Agreement
• Security: TLS in transit; data at rest encrypted; ISO 27001 certified

Hetzner Online GmbH

• Role: Web-app hosting (Django), database storage
• Location: Germany (EEA) – Hetzner data centres
• Data processed:
  • Web server logs (IP addresses, timestamps, user agent)
  • Contact form data in transit
  • Authentication-related data (username, hashed password, login timestamps, session tokens)
• Purpose: Hosting and operation of our website and back-end
• Legal basis:
  • Performance of contract (Art. 6 § 1 b GDPR)
  • Legitimate interest (Art. 6 § 1 f GDPR)
• Retention: Until account deletion or as required by law
• DPA: Hetzner Data Processing Agreement (GlassPredict)
• Security: TLS for all traffic; ISO 27001 certified

International Transfers

Both OVH (France) and Hetzner (Germany) operate within the European Economic Area (EEA), so no additional safeguards are required under Chapter V of the GDPR.

Sub-processor Transparency

OVH and Hetzner may engage additional subprocessors (e.g. CDN providers, network carriers). Their current lists can be found here:

• OVH sub-processors (via Data Processing Agreement appendix): Data Processing Agreement (DPA)
• Hetzner sub-processors (GDPR/Data Privacy FAQ): Hetzner Data Privacy FAQ

We rely on their published lists to ensure compliance and transparency regarding the subprocessors they use.

Security Measures

• Encryption of sensitive data.
• Access control to our premises and IT systems.
• Information security policies.
• Regular training for staff on data protection.

Data Retention

• Contact-form submissions (names, email addresses, messages) are retained for up to 24 months to allow us to handle your request and provide follow-up service.
• Email exchanges with customers (support or commercial correspondence) are archived for 5 years in order to meet legal prescription requirements and to have records in the event of a dispute.
• Accounting and invoicing records are kept for 10 years in accordance with commercial law.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies to ensure its proper functioning and enhance the user experience.

• Strictly necessary cookies: These are essential for the website to function (e.g., session management, CSRF protection) and cannot be switched off.
• Analytical cookies: Not used at this time.
• Marketing/third-party cookies: We use Google reCAPTCHA to protect our forms against spam and abuse. This may place cookies from Google on your device. Google reCAPTCHA is only loaded after you have accepted third-party cookies.

When you first visit our site, you are asked whether you accept or reject third-party cookies. You may change your preferences at any time using the “Manage Cookies” link in the footer.

For more information about Google reCAPTCHA, see Google’s privacy policy: policies.google.com/privacy

Modifications to the Privacy and Data Protection Policy

We reserve the right to modify this Policy at any time. Any changes will be published on our website and communicated to data subjects by appropriate means.