Privacy Policy
Last updated: June 2026
1. Data Controller
iojik SAS, RCS Paris 994 122 018.
Contact: dpa@corelayer0.com
2. Data Collected and Purposes
| Data | Purpose | Legal basis |
|---|---|---|
| Email address, name | Account creation and management | Contract performance |
| Email address, name (routed via our email delivery provider) | Sending account-related transactional emails (welcome, password reset, security notifications) | Contract performance |
| Marketing consent (opt-in) + timestamp | Sending product news and updates (unsubscribe anytime) | Consent |
| Password (Argon2 hash, never stored in plaintext) | Authentication | Contract performance |
| Imported OpenAPI specifications | Generation and execution of MCP servers | Contract performance |
| MCP tokens (Argon2 hash) and API credentials (AES-256-GCM encrypted) | MCP authentication and outbound auth injection | Contract performance |
| Call counters | Plan limit enforcement | Legitimate interest |
| Session data (HttpOnly cookie) | Maintaining the user session | Contract performance |
| Audience measurement data (Matomo): pages visited, product events (registration, project creation, MCP URL copy, etc.), anonymised IP address (last 2 octets masked), user-agent, language, referring site | Audience measurement and service improvement | Legitimate interest |
We do not collect advertising trackers, cross-site profiling data, or payment information (no paid plans are currently active).
Audience measurement relies on self-hosted Matomo on our own OVH infrastructure, configured without cookies and with IP address anonymisation. This configuration falls under the consent exemption provided by the CNIL for audience measurement tools strictly necessary for service operation. No data is shared with a third party or used for individual profiling.
3. Data Retention
- Account data: retained for the duration of account activity, then deleted within 30 days of a deletion request.
- Projects and OpenAPI specs: deleted immediately upon project or account deletion.
- Sessions: automatically expire after 30 days of inactivity.
- Technical logs: retained for 30 days for debugging purposes, without identifiable personal data.
- Matomo audience measurement data: retained for 13 months in accordance with the CNIL recommendation, then automatically purged.
4. Sub-processors and Recipients
We use the following sub-processors:
| Sub-processor | Location | Role |
|---|---|---|
| OVH Cloud SAS — VPS | Strasbourg, France | Application server hosting (API) |
| OVH Cloud SAS — Cloud Databases | Gravelines, France | PostgreSQL database |
| OVH Cloud SAS — KMS | Paris, France (eu-west-par, 3-AZ, HDS certified) | Encryption key management (Key Management Service) — master keys never leave the OVH HSM |
| OVH Cloud SAS — VPS Matomo | Strasbourg, France | Hosting of the self-hosted Matomo instance used for audience measurement (no third-party analytics provider is involved) |
| Scaleway SAS — Transactional Email (TEM) | Paris, France | Sending the service's transactional emails. Sovereign European infrastructure, no US sub-processor. |
No personal data is transferred outside the European Union. No US cloud provider is used in our infrastructure.
5. Security
Technical measures implemented:
- Passwords hashed (never stored in plaintext).
- API credentials encrypted at rest under keys managed by OVH KMS.
- MCP tokens stored as hashes, never in plaintext.
- TLS encryption on all communications.
- Per-project isolation: each project has its own encryption key.
6. Your Rights (GDPR)
In accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679), you have the following rights:
- Access: obtain a copy of the data concerning you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: receive your data in a structured, readable format.
- Objection: object to processing based on legitimate interest.
- Restriction: request suspension of a contested processing operation.
To exercise these rights: dpa@corelayer0.com. We respond within a maximum of 30 days.
You also have the right to lodge a complaint with the CNIL (French data protection authority).
7. Cookies
We use only cookies strictly necessary for the operation of the service:
- Session cookie: expires after 30 days of inactivity.
- OAuth consent cookie: expires after 10 minutes.
Our audience measurement tool (Matomo) is configured without cookies: no identifier is stored in the browser between visits. No advertising cookies or third-party trackers are set.
8. Changes
We reserve the right to update this policy. The date of last update appears at the top of this document. For substantial changes, we will notify you by email.