Legal information

Privacy policy

leggit is committed to protecting your privacy in accordance with the GDPR and the French Data Protection Act.

1. Data collected

In the course of providing our service, we collect:

  • Identification data: last name, first name, email address, phone number (optional);
  • Technical data: IP address, browser, connection date and time;
  • Billing data: billing address, payment history (the card itself is processed by Stripe);
  • Vault data: vault titles, recipient identifiers, file metadata (size, type, date);
  • Communication data: messages sent to support.

Important: thanks to zero-knowledge encryption, vault content (texts, files, passwords) is never accessible to leggit in cleartext. We cannot read it.

2. Purposes

Your data is used to:

  • Provide the digital vault service (creation, management, transmission);
  • Manage the contractual relationship (billing, support);
  • Ensure service security (fraud detection, audit);
  • Comply with our legal and regulatory obligations.

3. Legal basis

We process your data on the following legal bases:

  • Contract performance: provision of the subscribed service;
  • Legitimate interest: service security and fraud prevention;
  • Legal obligation: retention of billing data, anti-money-laundering;
  • Consent: for newsletter or non-essential audience-measurement cookies.

4. Retention period

Your data is retained for the following periods:

  • Account data: while the account is active, then 90 days after termination;
  • Billing data: 10 years (accounting obligation, art. L123-22 of the Commercial Code);
  • Technical data (logs): 12 months;
  • Vault data: according to transmission wishes defined by the user, or until account closure.

5. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access — obtain a copy of your data;
  • Right of rectification — correct inaccurate data;
  • Right to erasure — request deletion of your data ("right to be forgotten");
  • Right to portability — receive your data in a structured, machine-readable format;
  • Right to object — object to processing on legitimate grounds;
  • Right to restriction — request a temporary freeze on processing.

To exercise these rights, write to support@leggit.org.

In case of difficulty, you may file a complaint with the CNIL (www.cnil.fr).

6. Data Protection Officer (DPO)

leggit has appointed a Data Protection Officer in accordance with article 37 of the GDPR. You may contact them for any question regarding the processing of your data.

DPO: [TO BE COMPLETED]
Email: support@leggit.org

7. Cookies

The leggit.org site uses a minimal number of cookies:

  • Essential technical cookies (session, language, CSRF): exempt from consent;
  • Audience-measurement cookies: no third-party cookies; anonymized internal measurement only.

No advertising or marketing-profiling cookie is set.

8. Processors and transfers

To deliver our service, we rely on the following processors, bound by GDPR-compliant data processing agreements (DPA):

  • Stripe — payment processing (United States — transfers governed by the EU/USA Data Privacy Framework)
  • SMSFactor — sending notification SMS (2FA, alerts) (France)
  • DocuSeal — electronic document signature (European Union)
  • Cloudinary — image and video storage and delivery (United States — transfers governed by the EU/USA Data Privacy Framework)
  • OVHcloud / Plesk — application hosting and email (Plesk) (France)

No transfer outside the EU is performed without appropriate safeguards (standard contractual clauses or DPF).

9. Modifications to this policy

leggit may amend this policy. Substantial changes are notified by email with reasonable notice.