Privacy Policy
Last updated: 2026-05-06
This Privacy Policy describes how Veziro SASU ("Veziro," "we," "us") collects, uses, stores, and shares personal data in connection with the Veziro Software-as-a-Service application available at app.veziro.com (the "Service"). It is drafted to comply with the EU General Data Protection Regulation 2016/679 ("GDPR"), the French Data Protection Act of January 6, 1978 as amended ("Loi Informatique et Libertés"), and applicable platform requirements (Meta, Google, LinkedIn, TikTok, X, Pinterest).
1. Data Controller
Veziro SASU acts as the data controller for personal data collected through the Service.
For business clients of the Service, Veziro additionally acts as a data processor with respect to the personal data of the client's own end users / leads (as defined in any applicable Data Processing Agreement).
2. Categories of Personal Data Processed
2.1 Account and identity data
- Full name, email address, login credentials (password stored hashed, never in plaintext).
- Profile picture, agency branding details (logo, contact details, brand description) where provided by the user.
- Role within Veziro (user / admin).
2.2 Real-estate data ingested via Apimo
- Property listings, photos, addresses, prices, descriptions, energy performance, and any other field returned by the Apimo CRM API.
- Apimo provider credentials (encrypted at rest using AES via PostgreSQL pgcrypto).
2.3 Generated content
- AI-rewritten property descriptions, AI-generated social media post text, voiceover audio, virtually staged images, generated PDFs and videos.
2.4 Connected social media accounts (when Social Publishing is enabled)
- Platform identifiers (Facebook Page ID, Instagram Business ID, LinkedIn Organization URN, etc.).
- OAuth access tokens and refresh tokens (encrypted at rest using AES via pgcrypto).
- Account display name, avatar URL, granted scopes.
- Schedules and history of posts published through Veziro.
2.5 Billing data
- Payment is processed by Polar.sh, our merchant of record. Veziro does NOT store credit-card numbers. We store: subscription status, plan, invoice references, customer ID at Polar.
2.6 Technical data
- IP address (used for rate limiting and abuse prevention; stored truncated where possible).
- HTTP request logs (path, status, latency, user agent).
- AI request logs (model used, token counts, duration, success).
- Notification history.
2.7 Cookies
We use strictly necessary cookies for authentication (session) and locale preference. We do not use advertising or analytics cookies that require consent under the ePrivacy Directive.
3. Purposes and Legal Bases (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Provide the Service (account, sync, generation, publishing) | Performance of contract (Art. 6(1)(b)) |
| Send transactional notifications and emails | Performance of contract (Art. 6(1)(b)) |
| Process payments via Polar.sh | Performance of contract (Art. 6(1)(b)) |
| Rate limiting, kill switches, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (accounting, tax, fraud) | Legal obligation (Art. 6(1)(c)) |
| Marketing communications about the Service | Consent or legitimate interest (Art. 6(1)(a) / (f)); always with a clear opt-out |
| AI request logging for service improvement | Legitimate interest (Art. 6(1)(f)) |
4. How Long We Keep Your Data
| Data | Retention |
|---|---|
| Account & profile data | While the account is active + 3 years after closure (commercial prescription) |
| Apimo credentials | While the integration is active; deleted on disconnect |
| Generated content | Indefinitely while the account is active; deleted on user request |
| Social account OAuth tokens | While the connection is active; deleted within 30 days of disconnect |
| AI request logs | 12 months |
| HTTP / rate-limit logs | 90 days |
| Billing data and invoices | 10 years (statutory accounting requirement) |
| Notifications | 12 months |
5. Recipients and Sub-processors
We rely on the following sub-processors. Each is contractually bound by GDPR-compliant data-processing terms.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase (PostgreSQL, Auth, Storage) | Primary database & file storage | EU |
| Coolify self-hosted on third-party cloud | Application hosting | EU |
| OpenRouter.ai | LLM gateway for AI text/image generation | US (model providers vary) |
| Replicate.com | AI video clip generation (Kling) | US |
| ElevenLabs | Voice synthesis | US |
| MarkupGo | PDF rendering | EU/US |
| Polar.sh | Payment processing | EU/US |
| Apimo (RICA SAS) | Source of property data | France |
| Connected social platforms (Meta, LinkedIn, Google, TikTok, X, Pinterest) | Publishing user-initiated content | Varies |
| SMTP email provider | Transactional email delivery | EU |
| Redis (self-hosted) | Rate limiting, ephemeral state | EU |
6. International Transfers
When sub-processors are located outside the European Economic Area, we rely on:
- Standard Contractual Clauses approved by the European Commission (Decision 2021/914), and / or
- Adequacy decisions where applicable.
Where social media posts are published to platforms hosted outside the EU/EEA (e.g., Meta in the US), the user explicitly initiates each transfer by configuring the publishing connection.
7. Your Rights Under GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to legal retention obligations.
- Restrict processing.
- Object to processing based on legitimate interest, including marketing.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time when processing is based on consent.
- Lodge a complaint with the French data-protection authority, the CNIL, or with the supervisory authority of your Member State.
To exercise any of these rights, contact support@veziro.com. We will respond within one month, extendable by two months for complex requests.
For instructions specific to deleting your data (including via Facebook's data-deletion callback), see Data Deletion Instructions.
8. Security
We protect your data using:
- TLS 1.2+ for all network traffic.
- AES symmetric encryption (PostgreSQL pgcrypto) for sensitive credentials at rest, including Apimo tokens and OAuth access / refresh tokens.
- Row-Level Security on the database, enforcing per-user isolation.
- Per-operation RLS policies; column-level UPDATE/INSERT restrictions on sensitive tables.
- Two-factor authentication on infrastructure admin accounts.
- Rate limiting, kill switches, and IP-based blocking against abuse.
- Regular dependency updates and code review.
No security measure is perfect. Promptly notify us at support@veziro.com if you suspect a security incident.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, contact support@veziro.com and we will delete the data.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated in-app or by email at least 30 days before they take effect.
11. Contact
- Email: support@veziro.com
- Postal mail: Veziro SASU — 15 Chemin du Tanit, Résidence Mas de Tanit, Bâtiment TYR 402, 06160 Antibes, France
Disclaimer. This document is a starter template. It does not constitute legal advice. Veziro SASU must ensure this policy reflects actual data processing operations and complies with current French and European law before relying on it. We strongly recommend a review by a French avocat specialized in privacy / GDPR before publication.

