Privacy Policy
Last updated: April 12, 2026
1. Data Controller Identity
The data controller for personal data collected on the IgnitionRAG platform is:
- Company: IgnitionAI (sole proprietorship)
- Founder: Salim Laimeche
- Address: Troyes, France
- Email: sa.laimeche@ignitionai.fr
- Website: ignitionai.fr / ignitionrag.com
2. Data Collected and Purposes
2.1 Account and Identification Data
- Data: name, email address, hashed password (via Clerk)
- Purpose: account creation, management, and authentication
- Legal basis: contract performance (Terms of Service)
2.2 Billing Data
- Data: payment information (processed exclusively by Stripe), subscription history
- Purpose: subscription and payment management
- Legal basis: contract performance, legal obligation (10-year accounting retention)
2.3 Uploaded Documents and Content
- Data: files (PDF, DOCX, CSV, etc.) and their content, associated vector embeddings
- Purpose: powering the user's RAG engine, service operation
- Legal basis: contract performance
2.4 Usage and Navigation Data
- Data: usage logs, RAG queries (anonymized), performance metrics, IP address
- Purpose: service improvement, abuse detection, technical support
- Legal basis: legitimate interest (service improvement, security)
2.5 Communications
- Data: email address for transactional emails (account confirmation, invoices, alerts)
- Purpose: service-related communication
- Legal basis: contract performance, legitimate interest
3. LLM API Keys (BYOK Model)
IgnitionRAG operates on a BYOK (Bring Your Own Key) model. LLM API keys (OpenAI, Anthropic, etc.) provided by the user are:
- Encrypted at rest using AES-256-GCM before database storage
- Used exclusively to execute that user's LLM requests
- Never shared with third parties or used for other purposes
- The user's contractual responsibility toward the LLM provider
4. Retention Periods
| Category | Duration | Justification |
|---|---|---|
| Account data | Contract duration + 3 years | Contractual limitation period |
| Billing data | 10 years | Accounting and tax obligation |
| Uploaded documents | Contract duration + 30 days | Grace period post-termination |
| Technical logs | 12 months | Security and support |
| Navigation data | Maximum 13 months | CNIL recommendation |
5. Sub-processors and Data Transfers
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Clerk | Authentication and session management | USA (AWS us-east-1) | EU-US SCCs, SOC 2 Type II |
| Stripe | Payment processing | USA / EU | SCCs, PCI DSS Level 1 |
| Resend | Transactional emails | USA (AWS) | EU-US SCCs |
| OVH / Cloud | Infrastructure hosting (DB, servers) | France 🇫🇷 | Servers in France |
Transfers outside the EU: For sub-processors based in the United States, Standard Contractual Clauses (SCCs) approved by the European Commission are in place, in accordance with GDPR Art. 46.
6. Your Rights (GDPR)
Under Regulation (EU) 2016/679 (GDPR), you have the following rights:
- Right of access (Art. 15): obtain confirmation of processing and a copy of your data
- Right to rectification (Art. 16): have inaccurate data corrected
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18): temporarily restrict processing
- Right to portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interest
- Withdrawal of consent: at any time, without affecting the lawfulness of prior processing
To exercise these rights, contact us at: sa.laimeche@ignitionai.fr. We will respond within 30 days (GDPR Art. 12).
You also have the right to lodge a complaint with the CNIL (French data protection authority): cnil.fr.
7. Data Protection Contact
Given the size of the organization, IgnitionAI is not required to formally appoint a DPO. The contact point for any data protection questions is:
- Contact: Salim Laimeche
- Email: sa.laimeche@ignitionai.fr
8. Cookies and Trackers
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| __session (Clerk) | Functional | Maintaining authenticated session | Session |
| __clerk_db_jwt | Functional | Clerk authentication | 7 days |
| locale | Functional | Language preference | 1 year |
Strictly necessary cookies do not require consent (Art. 5§3 ePrivacy Directive). No advertising or third-party tracking cookies are used.
9. Security
- Data in transit encrypted (TLS 1.3)
- Sensitive data encrypted at rest (AES-256-GCM)
- Strong authentication via Clerk (2FA available)
- Multi-tenant data isolation per organization
- Production data access restricted to authorized personnel
- Regular database backups
10. Policy Updates
This policy may be updated. For substantial changes, you will be notified by email at least 30 days before the changes take effect. Continued use of the service after that date constitutes acceptance.