Privacy Policy

Protection of your personal data

Last update : June 18, 2026

In accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act, we are committed to protecting your personal data.

GDPR Compliant Site

Your personal data is protected and processed in accordance with European data protection regulations (EU Regulation 2016/679).

Protected dataNever soldRight to be forgotten

Data collected

Minimum required

Retention

up to 3 years (excl. legal billing obligations)

Security

TLS + RLS

Hosting

EU / US (DPF)

Introduction

This privacy policy aims to inform users of the Mon Simulateur Immobilier site about how their personal data is collected, used and protected, in accordance with Regulation (EU) 2016/679 of April 27, 2016 (GDPR) and French Law No. 78-17 of January 6, 1978 as amended (Data Protection Act).

1. Data Controller

Controller

RIANN SAS

Address

200 rue de la Croix-Nivert, 75015 Paris — RCS Paris 101 434 009

Data Protection Officer (DPO)

dpo@monsimulateurimmobilier.fr

2. Personal Data Collected

We only collect data necessary for the operation of the service. Here is the detail of data collected according to the features used:

Identification data

Email address (required)
First and last name (optional)
Password (bcrypt hashed — irreversible)

Simulation data

Simulation parameters
Calculation results
Saved simulations

Navigation data

IP address (anonymized)
Browser type
Pages visited

Bank file data

Declared income (optional)
Professional status
Estimated wealth

Consequences of refusing to provide data

Data marked as "optional" may be withheld. However:

Without simulation data: you will not be able to save your real estate simulations.
Without name: communications will be generic.
Without bank file data: specialized simulators (viager, dismemberment, holding) will not be fully usable.
Without analytics cookies: we will not be able to improve the service based on your usage.

Access to the basic service and authentication is never compromised by refusing optional data.

3. Processing Purposes

Your data is processed for the following purposes:

Service provision

Creation and management of your account, execution of simulations, saving your data.

Communication

Sending transactional emails, notifications related to your account, customer support.

Service improvement

Anonymous statistical analysis to improve user experience and features.

Legal obligations

Compliance with accounting and tax obligations, response to judicial requisitions.

4. Legal Basis for Processing

Purpose	Legal basis (GDPR)
Service provision	Contract execution
Marketing communication (newsletter, promotions)	Consent
Statistical analysis	Legitimate interest
Legal obligations	Legal obligation

5. Data Retention Period

Purpose	Retention
Account data	Subscription duration + 3 years
Simulation data	Deleted with account
Billing data	10 years (Legal accounting obligations)
Newsletter data / regulatory alerts (separate consents)	Until unsubscription + 3 years (Separate consent for each purpose (unsubscription available at any time))
Cookies	13 months maximum (In accordance with CNIL recommendations)

6. Data Recipients

Your data may be transmitted to the following categories of recipients, in strict compliance with the principle of data minimization:

Our internal teams (support, technical) - limited access as needed

Supabase (database hosting) - EU standard contractual clauses

Vercel (application hosting) - Data Privacy Framework

Stripe (payments) - PCI-DSS Level 1 certified

Google Analytics (audience analysis) - consent required, anonymized IP, Data Privacy Framework

Upstash Redis (anti-abuse protection) - technical data processing (IP addresses) only

Cloudflare Turnstile (anti-spam protection) - technical data processing only

Vercel Speed Insights (performance measurement) - anonymized data, no cookies

Sentry / Functional Software Inc. (technical error monitoring) - processing of technical diagnostic data, transfers governed by standard contractual clauses

IGN Géoplateforme / api-adresse.data.gouv.fr (address geocoding) - public API, servers in France, no personal data transmitted

ADEME (DPE energy certificate database) - public API, servers in France, no personal data transmitted

OpenStreetMap (map tiles) - open CDN, no personal data transmitted

Judicial authorities (upon requisition only)

🔒 Your data is never sold or transferred to third parties for commercial or advertising purposes.

When you delete your account, propagation to third-party services (analytics, hosting) may take up to 72 hours.

7. Transfers Outside the European Union

Some of our providers are located in the United States (Supabase, Vercel, Google, Upstash). These transfers are governed by:

The European Commission's standard contractual clauses (Decision 2021/914)

Data Privacy Framework (DPF) certification for eligible providers

Additional security measures (Supabase at-rest disk encryption, pseudonymization of technical identifiers)

8. Your Rights

In accordance with the GDPR, you have the following rights regarding your personal data:

Right of access

Obtain confirmation of processing and a copy of your data

Right to rectification

Correct your inaccurate or incomplete data

Right to erasure

Request the deletion of your data (right to be forgotten)

Right to restriction

Restrict processing in certain cases

Right to portability

Receive your data in a structured format (JSON/CSV)

Right to object

Object to processing for legitimate reasons

How to exercise your rights?

By email: dpo@monsimulateurimmobilier.fr with a copy of your ID.

From your account: Profile → Data export / Account deletion

CNIL complaint: www.cnil.fr

Consent withdrawal: you can withdraw your consent at any time (e.g., newsletter unsubscription, cookie preference changes). Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.

9. Cookie Policy

Our site uses cookies to improve your browsing experience and analyze site usage anonymously.

Types of cookies used

Strictly necessary cookies

Essential for site operation: authentication, security, session.

Cannot be disabled.

Preference cookies

Remember your preferences (language, dark/light theme, last page visited). Can be disabled.

Analytics cookies (Google Analytics)

Allow anonymous analysis of site usage (page views, session duration). Can be disabled.

Cookie management

You can change your preferences at any time by clicking the "Manage cookies" button at the bottom of every page, via your browser settings (Chrome, Firefox, Safari, Edge), or using our consent banner on your first visit.

9b. Contact Form

When you use our contact form, we collect the following data:

Full name, email address, phone (optional), company (optional), contact reason, subject and message body

Technical data: your IP address is used transiently for rate-limiting and abuse prevention (Cloudflare Turnstile anti-spam). It is not stored with your message.

Purpose: processing your request and preventing abuse

Legal basis: contract execution / legitimate interest (security)

Retention: request processing duration + 1 year for archiving

10. Automated Decisions

In accordance with Article 22 of the GDPR, we inform you of the existence of automated processing within our services:

Real estate simulation calculations are performed automatically from the data you enter. These results are purely indicative and have no contractual value.

No decision producing legal effects or significantly affecting you is made solely on the basis of automated processing.

You can modify your simulation parameters at any time and obtain new results.

11. Data Breach Notification

In the event of a personal data breach, we are committed to notifying the CNIL within 72 hours in accordance with Article 33 of the GDPR, and to informing affected data subjects if the breach is likely to result in a high risk to their rights and freedoms (Article 34 of the GDPR).

14. Minors

Our service is not intended for persons under the age of 15. We do not knowingly collect personal data from minors. If you are a parent or guardian and become aware that a minor has provided us with personal data without your consent, please contact our DPO: such data will be deleted as soon as possible.

12. Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure or destruction:

Transit encryption

HTTPS/TLS 1.3 on all communications

At-rest disk encryption

AES-256 disk encryption provided by Supabase (AWS/GCP) on the hosting infrastructure. Data remains readable in plaintext via the authenticated API — there is no client-side application-level encryption. Application-level protection relies on authentication, row-level access control (RLS) and TLS connection.

Passwords

Bcrypt hashing with unique salt

Restricted access

Least privilege principle, 2FA authentication

Backups

Daily automatic backups

Monitoring

24/7 monitoring, anomaly detection

13. Contact

For any questions regarding this policy or your personal data:

Data Protection Officer

dpo@monsimulateurimmobilier.fr

Version 2.7 — Updated on June 18, 2026

Legal Notice|Terms of Use

Purpose

Legal basis (GDPR)

Service provision

Contract execution

Marketing communication (newsletter, promotions)

Consent

Statistical analysis

Legitimate interest

Legal obligations

Legal obligation

Purpose

Retention

Account data

Subscription duration + 3 years

Simulation data

Deleted with account

Billing data

10 years (Legal accounting obligations)

Newsletter data / regulatory alerts (separate consents)

Until unsubscription + 3 years (Separate consent for each purpose (unsubscription available at any time))

13 months maximum (In accordance with CNIL recommendations)