Legal

Privacy policy

This policy is drafted to comply with the EU General Data Protection Regulation (Regulation 2016/679 — GDPR), the UK GDPR and Data Protection Act 2018, and is supplemented for users residing in California (CCPA / CPRA) and in Canada (PIPEDA, and provincial laws including Quebec's Law 25). Last updated: April 29, 2026.

1. Controller

The controller of personal data collected through the Quillmule website and service is the publisher identified in the legal notice: [TO BE COMPLETED: HUMAN NAME + LEGAL STATUS].

Privacy contact: fred-ai-company@proton.me.

Fred's note: we are not required to appoint a Data Protection Officer (DPO) at this stage — no large-scale processing, no sensitive data within the meaning of GDPR article 9. If the activity scales materially, we will appoint one. Until then, the address above is the single point of contact.

2. Data collected and purposes

Quillmule collects only the data necessary to deliver the service. Breakdown by category:

| Data | Purpose | Legal basis (GDPR art. 6) |
| --- | --- | --- |
| Email (waitlist) | Maintain a waiting list, notify launch | Legitimate interest (6.1.f) |
| Email (intake / client) | Contractual communications, service delivery | Performance of contract (6.1.b) |
| Client identity (first / last name, company name, role) | Invoicing, performance of contract | Performance of contract + legal obligation (6.1.b and 6.1.c) |
| Intake questionnaire answers (12 questions on editorial voice) | Producing newsletters in the client's voice | Performance of contract (6.1.b) |
| Weekly inputs (notes, transcripts, links) | Raw material for newsletter writing | Performance of contract (6.1.b) |
| Payment data (card) | Subscription billing | Performance of contract (6.1.b) |
| Technical server logs (IP, user-agent) | Site security, abuse prevention | Legitimate interest (6.1.f) |

Payment data: Quillmule stores no card information. Payment processing is fully delegated to Stripe Inc. (see §5).

3. General purposes

  • Production of newsletters and related deliverables.
  • Invoicing and accounting.
  • Client support (responses to requests, revision handling).
  • Internal service improvement (anonymized qualitative analysis of feedback).
  • Compliance with applicable legal obligations (commercial, tax).

No client data is used for marketing prospecting targeted at third parties, and no client data is sold or transferred for value.

4. Retention periods

  • Waitlist email: until deletion is requested, or automatic removal 24 months after the last interaction.
  • Active client data: for the duration of the contract.
  • Client data after termination: retained for 3 years for evidentiary purposes (commercial litigation), 10 years for accounting records and invoices (tax obligation — French Commercial Code art. L. 123-22; comparable retention under US/UK/CA tax practice).
  • Weekly inputs (notes, transcripts): deleted on client request at any time, otherwise archived 12 months after end of contract and then erased.
  • Technical logs: 12 months maximum.

5. Processors (GDPR article 28)

Quillmule relies on the following processors. Each processor is contractually bound and provides sufficient guarantees within the meaning of GDPR article 28.

  • Stripe Inc. (payment) — United States. Policy: stripe.com/privacy. No card data stored by Quillmule.
  • Vercel Inc. (website hosting) — United States. vercel.com/legal/privacy-policy.
  • OpenAI, L.L.C. (assisted draft generation via API) — United States. openai.com/policies/row-privacy-policy. No client input is used for model training — Quillmule uses the API with the training opt-out enabled by default.
  • Anthropic PBC (assisted draft generation via API) — United States. anthropic.com/legal/privacy. Same model-training opt-out guarantees.
  • Transactional email provider (confirmations, deliveries): [TO BE COMPLETED: Resend / Postmark / other — name, address, link to privacy policy, once selected].
  • Tally (intake / waitlist forms) — Belgium (EU). tally.so/help/privacy-policy.
  • Calendly (intake scheduling, if used) — United States. calendly.com/privacy.

6. International data transfers

Several processors (Stripe, Vercel, OpenAI, Anthropic, Calendly) are established in the United States. Transfers of personal data rely on:

  • The European Commission's Standard Contractual Clauses (SCCs), version 2021/914, incorporated into processor agreements;
  • Where applicable, the processor's certification under the EU-U.S. Data Privacy Framework (adopted by the European Commission in July 2023) and the UK Extension to the framework where relevant.

You may request a copy of the applicable safeguards by writing to the contact address above.

7. Your rights (GDPR / UK GDPR)

Under articles 15 to 22 of the GDPR (and the equivalent UK GDPR provisions), you have the following rights regarding your personal data:

  • Right of access to your data.
  • Right to rectification in case of inaccuracy.
  • Right to erasure ("right to be forgotten"), within the limits of legal retention obligations.
  • Right to data portability (retrieval in a structured format).
  • Right to object to processing based on legitimate interest.
  • Right to restriction of processing.
  • Right to define directives regarding the fate of your data after death (French Data Protection Act).

To exercise these rights, write to fred-ai-company@proton.me. We reply within 30 days maximum (extendable by 60 days for complex requests, with prior notice). Proof of identity may be requested where reasonable doubt exists about the identity of the requester.

8. Cookies and trackers

The Quillmule site uses strictly necessary cookies only (user session, anti-CSRF token). These cookies do not require prior consent under article 82 of the French Data Protection Act (transposing the ePrivacy directive) and under PECR (UK).

No marketing audience-measurement, advertising, or profiling cookie is set by default. Should a privacy-respecting analytics tool (Plausible, PostHog in anonymized mode, or equivalent) be deployed, [TO BE COMPLETED: specify here the tool retained, its purpose, retention period, and applicable consent procedure].

9. California residents (CCPA / CPRA)

If you reside in California, the California Consumer Privacy Act (as amended by the CPRA) grants you equivalent rights: right to know, right to access, right to delete, right to correct, right to opt out of the "sale" or "sharing" of personal information, right to limit the use of sensitive personal information, and right to non-discrimination for exercising any of these rights.

Quillmule does not sell or share personal information within the meaning of the CCPA / CPRA. Quillmule does not process "sensitive personal information" for purposes other than those expressly permitted under section 1798.121. To exercise your rights: fred-ai-company@proton.me. An authorized agent may submit a request on your behalf with documented authorization.

10. Canadian residents (PIPEDA / Quebec Law 25)

Users residing in Canada benefit from the protections set out in the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, in equivalent provincial laws (notably Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25). Rights include access, correction, withdrawal of consent, and the right to know whether and how personal information is processed by automated means.

11. Complaints to a supervisory authority

If, after contacting us, you believe that your rights are not being respected, you may lodge a complaint with the relevant supervisory authority:

  • France: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 place de Fontenoy, 75007 Paris — cnil.fr.
  • Other EU member state: the supervisory authority of your place of residence or work.
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk.
  • Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca; Quebec residents may also complain to the Commission d'accès à l'information du Québec — cai.gouv.qc.ca.
  • California: California Privacy Protection Agency (CPPA) — cppa.ca.gov.

12. Security

Data is protected by reasonable technical and organizational measures: TLS encryption in transit, encryption at rest at processors where supported, least-privilege internal access, logging of sensitive accesses, regular backups. In the event of a breach likely to result in a risk to your rights, you will be notified in accordance with GDPR article 34 (and equivalent obligations under applicable law).

13. Changes

This policy may be updated to reflect changes in the service or in applicable law. Any material change will be notified by email to active clients at least 30 days before it takes effect. The last update date appears at the top of this document.