Privacy Policy
Last updated: February 18, 2026
This privacy policy describes how Playbookly SAS (“Playbookly”, “we”) collects, uses, and protects your personal data when you use our AI-powered financial benchmarking platform, accessible at playbookly.ai.
We are committed to complying with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act (Loi Informatique et Libertés).
1. Data Controller
The data controller for your personal data is:
- Company: Playbookly SAS
- Address: [to be filled]
- Email: privacy@playbookly.ai
- DPO Contact: dpo@playbookly.ai
Playbookly is not required to appoint a Data Protection Officer under Article 37 of the GDPR: it is not a public authority, and its core activities involve neither large-scale regular and systematic monitoring of individuals nor large-scale processing of special categories of data. We nevertheless provide a dedicated contact point.
2. Data Collected and Legal Basis
We collect the following data, each associated with a specific legal basis under Article 6 of the GDPR:
| Data | Legal Basis (GDPR Art. 6) | Purpose |
|---|---|---|
| Email address | Contract performance (6.1.b) | Account creation, login, service notifications |
| Company name, SIREN | Contract performance (6.1.b) | Benchmark report generation |
| Financial data (revenue, EBITDA, margins, balance sheet) | Contract performance (6.1.b) + Explicit consent (6.1.a) | Benchmark analysis, gap identification |
| Computed ratios and percentiles | Legitimate interest (6.1.f) | Providing the benchmark service |
| AI-generated insights | Contract performance (6.1.b) + Consent for AI processing (6.1.a) | Personalized executive analysis |
| IP address, browser info | Legitimate interest (6.1.f) | Security, fraud prevention |
| Authentication cookies | Strictly necessary — no consent required | Session authentication |
| Marketing email preference | Consent (6.1.a) | Product updates (opt-in only) |
3. Sub-processors and International Transfers
Your data may be processed by the following sub-processors:
| Processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Supabase Inc. | EU (AWS eu-central-1, Frankfurt) | Database, authentication | Data stays in EU, DPA signed |
| Anthropic PBC | United States | AI analysis generation | EU-US Data Privacy Framework |
| Vercel Inc. | EU edge nodes, US origin | Application hosting | EU-US Data Privacy Framework |
| Stripe Inc. | EU + US | Payment processing | EU-US Data Privacy Framework, PCI DSS compliant |
Regarding AI processing (Anthropic / Claude):
- Your financial data sent to Anthropic's Claude API is not used to train AI models.
- Data is processed only to generate your personal report.
- Data is not retained by Anthropic after processing.
- Only the data strictly necessary for report generation is transmitted, and only at the time of generation.
4. Data Retention
| Data | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion | Service operation |
| Benchmark reports | Until user deletes report or account | Service operation |
| QuickBooks OAuth data | 30 days | Intuit compliance + data minimization |
| Consent records | 5 years after last interaction | Legal obligation (proof of consent) |
| Deletion audit logs | 5 years | Legal obligation |
| Server logs (Vercel) | 30 days | Security |
5. Your Rights (GDPR Articles 15–22)
Under the GDPR, you have the following rights:
Right of Access (Art. 15)
You can obtain a copy of all your personal data via Settings → Data & Privacy → “Export My Data”. The export is provided in machine-readable JSON format.
Right to Rectification (Art. 16)
You can correct your data by uploading a new benchmark with corrected data, or by contacting privacy@playbookly.ai.
Right to Erasure (Art. 17)
You can delete your data via Settings → Data & Privacy → “Delete My Account”, or delete individual reports from your dashboard.
Right to Data Portability (Art. 20)
The export described under the right of access is provided in a structured, commonly used, machine-readable JSON format that you can reuse directly or transfer to another service.
Right to Object (Art. 21)
You can object at any time to processing based on our legitimate interests (Art. 6.1.f, for example the security logging listed in section 2) and to direct marketing by emailing privacy@playbookly.ai; marketing emails can also be switched off in Settings.
Right to Restrict Processing (Art. 18)
Revoke the “data processing” consent in Settings. Your existing reports will be kept but no new reports will be generated.
Right to Withdraw Consent
You can withdraw your consent at any time via Settings, without affecting the lawfulness of processing carried out before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés):
- Address: 3 Place de Fontenoy, 75007 Paris, France
- Website: www.cnil.fr
6. Automated Decision-Making (Art. 22)
- Playbookly uses automated processing to generate benchmark scores and percentiles.
- These results are informational only — no legal or similarly significant decisions are made automatically.
- AI-generated insights are advisory and non-binding.
- You can always request a human review by contacting our support team.
7. Security Measures
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Postgres Row Level Security (RLS) policies enforce in the database itself that each user can only read or modify rows they own, independently of any filtering done in application code.
- Monetary amounts are stored as integer cents rather than floating-point values, so computed ratios and percentiles are not affected by rounding errors.
- Playbookly does not store passwords: authentication is delegated to Supabase Auth, which stores only bcrypt password hashes.
- Administrative operations use the Supabase service role key, which bypasses RLS; it is held only in server-side environment variables and is never exposed to the browser or included in client-side code.
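As an added illustration of what the RLS measure above means in practice (example schema, not Playbookly's own code or database), the following Postgres/Supabase definitions make the database itself refuse cross-user access; the table, column and policy names are assumed, and `auth.uid()` is the Supabase helper that returns the calling user's id from their session token:

```sql
-- Added example, not Playbookly's schema: a reports table locked down with
-- Row Level Security so each authenticated user sees only their own rows.
create table benchmark_reports (
  id            uuid primary key default gen_random_uuid(),
  owner_id      uuid not null default auth.uid()
                references auth.users (id) on delete cascade,
  company       text not null,
  revenue_cents bigint not null,   -- money as integer cents, never float
  ebitda_cents  bigint not null,
  created_at    timestamptz not null default now()
);

-- Turn RLS on. Once enabled, a table with no matching policy returns no rows
-- (deny by default). FORCE applies the policies to the table owner as well.
alter table benchmark_reports enable row level security;
alter table benchmark_reports force row level security;

-- Read: only rows whose owner_id matches the session's user id.
create policy "owner can read own reports"
  on benchmark_reports for select
  to authenticated
  using (owner_id = auth.uid());

-- Insert: a user cannot create a row attributed to someone else.
create policy "owner can insert own reports"
  on benchmark_reports for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Delete: supports the per-report deletion described under the right to erasure.
create policy "owner can delete own reports"
  on benchmark_reports for delete
  to authenticated
  using (owner_id = auth.uid());

-- Check: even with no WHERE clause, a query run with a user's session token
-- returns only that user's rows. The service role key (role with BYPASSRLS)
-- would see every row, which is why it must stay server-side only.
select id, company, revenue_cents
from benchmark_reports;
```

The point of the last query is that the restriction holds even if application code forgets to filter by user, which is what makes RLS a real control rather than a convention.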
8. Children
The Playbookly service is intended for business professionals and is not directed at individuals under 16 years of age. We do not knowingly collect data from minors.
9. Updates to This Policy
- Users will be notified of material changes via email.
- Continued use of the service after notification constitutes acceptance of the changes.
- Previous versions are available upon request.
10. Contact
For any questions regarding this policy or your personal data:
- Email: privacy@playbookly.ai
- DPO: dpo@playbookly.ai