Privacy Policy
Last updated: February 2026
1. Introduction & Data Controller
This Privacy Policy describes how CryptoGuard SRL (hereinafter “the Company,” “we,” “our”) collects, uses, stores, and protects your personal data in connection with the use of the ResiPlan platform (hereinafter “the Service”).
In accordance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679) and applicable national laws, we are committed to protecting your privacy and personal data.
Data Controller:
- Company: CryptoGuard SRL
- Email: privacy@continuity-resilience.com
- Website: https://continuity-resilience.com
2. Data We Collect
We collect different categories of data in connection with providing the Service:
2.1 Account Data
- First name, last name, professional email address.
- Organization name and role within it.
- Login credentials (encrypted password).
- Language and notification preferences.
2.2 Usage Data
- IP address, browser type, operating system.
- Pages visited, features used, login times.
- Performance metrics and error logs (via Sentry).
- Web Vitals indicators (browser performance).
2.3 Business Continuity Data
- Business Impact Analyses (BIA), continuity plans (BCP, DRP, IRP, ERP), risk assessments.
- IT asset information (CMDB): applications, servers, contracts.
- Organizational charts, business processes, critical dependencies.
- Incident and crisis management data.
- AI assistant conversations and generated recommendations.
3. How We Use Your Data
We use your data for the following purposes:
3.1 Service Delivery
- Creating and managing your user account.
- Hosting and processing your business continuity data.
- Real-time data synchronization between users within your organization.
- Generating reports and dashboards.
3.2 AI Features
- Transmitting contextual data to the Anthropic Claude API to generate continuity plans, risk analyses, and recommendations.
- Data sent to the AI is not retained by Anthropic for model training (in accordance with Anthropic's commercial API policy).
- AI assistant conversations are stored in your data space for future reference.
3.3 Improvement & Analytics
- Analyzing aggregated usage metrics to improve the Service.
- Monitoring errors and technical performance (Sentry, Web Vitals).
- Analytical data is anonymized and aggregated; it does not allow individual user identification.
3.4 Communications
- Sending transactional emails (registration confirmation, password reset, invitations).
- Notifications regarding account security and Service updates.
- Alerts and reports configured by the user.
4. Legal Basis for Processing (GDPR Article 6)
We process your personal data on the following legal bases:
- Performance of a contract (Art. 6.1.b): processing is necessary for the performance of the subscription agreement to which you are a party (account creation, Service delivery, billing management).
- Legitimate interest (Art. 6.1.f): Service improvement, fraud prevention, system security, aggregated usage analysis.
- Consent (Art. 6.1.a): for marketing communications (if applicable) and non-essential cookies.
- Legal obligation (Art. 6.1.c): retention of billing data in compliance with accounting and tax obligations.
5. Data Sharing & Third Parties
We never sell your personal data. We share your data only with the following sub-processors, necessary for providing the Service:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Convex | Real-time database and serverless functions | All business and account data | United States (AWS) |
| Anthropic | AI processing (Claude) for plan generation and analysis | Contextual data for AI queries | United States |
| Resend | Transactional email delivery | Email addresses, email content | United States |
| Sentry | Error monitoring and performance | Technical data (errors, metrics, anonymized IP) | United States / EU |
All our sub-processors are bound by Data Processing Agreements (DPA) compliant with the GDPR. We may also disclose data in response to a valid legal request from a competent authority.
6. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA), particularly in the United States. For these transfers, we implement the following safeguards:
- Standard Contractual Clauses (SCCs): we use the SCCs approved by the European Commission (Implementing Decision 2021/914) with each sub-processor located outside the EEA.
- EU-US Data Privacy Framework (DPF): where applicable, our US sub-processors are certified under the Data Privacy Framework.
- Additional measures: data encryption in transit (TLS 1.3) and at rest, transfer impact assessment, and technical measures to prevent unauthorized access.
7. Data Retention
We retain your data according to the following periods:
- Account data: for the duration of your subscription, then 30 days after termination to allow data export.
- Business data: for the duration of your subscription, then deleted 30 days after termination.
- Billing data: 10 years in compliance with French accounting and tax obligations.
- Access and security logs: 12 months in compliance with legal obligations.
- Backups: daily backups are retained for 30 days, then automatically deleted.
- Free trial data: 30 days after the trial period expires, unless a subscription is activated.
At the end of retention periods, data is securely deleted from our systems and backups.
8. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access (Art. 15): obtain confirmation that your data is being processed and receive a copy of it.
- Right to rectification (Art. 16): correct inaccurate or incomplete data concerning you.
- Right to erasure (Art. 17): request the deletion of your data under the conditions provided by law.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, and machine-readable format (JSON). The Service provides built-in export tools.
- Right to object (Art. 21): object to the processing of your data based on legitimate interest.
- Right to restriction of processing (Art. 18): request restriction of processing in certain cases.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint: with the CNIL (Commission Nationale de l'Informatique et des Libertes) or any other competent supervisory authority.
To exercise your rights, contact us at privacy@continuity-resilience.com. We will respond to your request within 30 days.
9. Cookies & Tracking
The Service uses the following cookies and technologies:
Strictly Necessary Cookies
- Authentication session: manages your login session (secure, HttpOnly cookie).
- Language preferences: stores your language choice (fr/en).
- Theme preferences: stores your light/dark mode selection.
These cookies are necessary for the operation of the Service and do not require consent.
Performance Cookies
- Sentry: error collection and performance metrics to improve the quality of the Service.
- Web Vitals: measurement of browser performance indicators.
The Service does not use advertising cookies or third-party marketing tracking. We do not use Google Analytics or any other advertising tracking tool.
10. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption: all data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Authentication: passwords are hashed with secure algorithms; two-factor authentication (2FA) is available.
- Data isolation: multi-tenant architecture with strict data isolation between organizations.
- Access control: two-level role system (platform and organization) with the principle of least privilege.
- Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy.
- API protection: rate limiting, input validation (Zod), webhook signature verification (HMAC SHA-256).
- Backups: automated daily backups with 30-day retention.
- Monitoring: continuous error and anomaly monitoring via Sentry.
11. Children's Privacy
The Service is intended for professional use and is not designed for individuals under 16 years of age. We do not knowingly collect personal data from minors. If we discover that a minor's data has been collected, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal developments. In case of substantial changes:
- We will notify you by email and in-app notification at least 30 days before the changes take effect.
- The “last updated” date at the top of this page will be changed accordingly.
- Your continued use of the Service after the effective date constitutes acceptance of the modified policy.
13. Contact & DPO Information
For any questions regarding this Privacy Policy or to exercise your rights, contact us:
- Data Protection Officer: CryptoGuard SRL - DPO Service
- Email: privacy@continuity-resilience.com
- General email: contact@continuity-resilience.com
- Website: https://continuity-resilience.com
You may also file a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertes): www.cnil.fr