Legal
Privacy Policy
Last updated: 2026-04-21
This Privacy Policy describes how SBCQ SAS collects, uses and protects personal data in connection with the Ma Belle Note service and the public website mabellenote.fr. It is drafted in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.
01 Controller
The controller of the processing activities described in this policy is SBCQ SAS, registered at 48 quai Clémenceau, 69300 Caluire-et-Cuire (SIREN to be defined, RCS to be defined).
For any question about your data, you may contact us at [email protected].
02 Who this policy applies to
This policy applies to three categories of people:
- Website visitors: people who browse the public pages without creating an account (marketing, pricing, blog, contact form).
- Business customers and their users: holders of an account on the Service, acting under a subscription taken out by a professional.
- Review authors: people whose public reviews are aggregated from third-party platforms connected by our customers (notably Google Business Profile). In this last case, our business customer is the controller and we act as processor within the meaning of the GDPR (see DPA).
03 Data we collect
| Category | Data | Source |
|---|---|---|
| Account and identification | First name, last name, professional email, hashed password, preferred language, time zone | Voluntary sign-up input |
| Subscription and billing | Company name, company ID / VAT, billing address, subscribed plan, invoice history, payment method (token, never the full card number) | User input and payment processor |
| Service usage | Managed Locations, connected platforms, drafts and published replies, generated visuals, automation rules, activity logs, audit trail | Customer actions within the Service |
| Aggregated customer reviews | Review text, rating, date, author as published on the source platform, public replies | Official APIs of third-party platforms |
| Private forms | Name, email, message content, Location concerned | Voluntary end-customer input |
| Technical data | IP address, session ID, device type, browser, date/time, pages visited | Automatic collection via server logs |
| AI prompts and outputs | Content sent to AI models (source review, context, instructions) and generated replies | Derived from the use of AI features |
04 Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provision of the Service, account management, review processing, reply and visual generation | Performance of a contract (art. 6(1)(b) GDPR) |
| Invoicing, debt collection, accounting, tax obligations | Legal obligation (art. 6(1)(c) GDPR) |
| Transactional emails (confirmation, password change, alerts, invoices) | Performance of a contract (art. 6(1)(b) GDPR) |
| Marketing communications to existing customers about similar products | Legitimate interest, with opt-out at any time (art. 6(1)(f) GDPR, art. L. 34-5 CPCE) |
| B2B commercial prospecting toward professionals | Legitimate interest, with opt-out at any time (art. 6(1)(f) GDPR, CNIL recommendation) |
| Security, fraud prevention, abuse detection, audit trail | Legitimate interest (art. 6(1)(f) GDPR) |
| Service improvement, aggregated statistical analysis | Legitimate interest (art. 6(1)(f) GDPR) |
| Compliance with legal obligations, response to a court order | Legal obligation (art. 6(1)(c) GDPR) |
05 Retention periods
- Active account data: throughout the subscription, then 30 days after termination to allow data export.
- Inactive account / unconverted trial: 90 days after the end of activity, then automatic deletion.
- Invoices and accounting records: 10 years from the fiscal year-end (art. L. 123-22 of the French Commercial Code).
- Technical logs and audit trail: 12 months, unless longer retention is required for security logs.
- Review authors' data: retention period defined by our business customer (controller). By default, we retain the data as long as it remains available on the source platform and the subscription is active.
- Prospects who filled in a form without subscribing: 3 years from the last contact.
06 Recipients and processors
Your data may be shared with the following recipients, strictly to the extent necessary for the purposes set out above:
- authorised members of the Ma Belle Note team (engineering, support, finance);
- our technical sub-processors, listed in the DPA (hosting, email delivery, payment, AI model providers, monitoring and security);
- competent administrative and judicial authorities, upon legally compliant request;
- a potential acquirer or successor in the context of a sale, merger or restructuring, subject to equivalent confidentiality and protection undertakings.
We do not sell or rent your data to third parties for commercial purposes. The up-to-date list of our sub-processors is maintained in the DPA schedule.
07 Transfers outside the European Union
Some of our sub-processors (notably the AI model providers) are established outside the European Union, including in the United States. Such transfers are governed by:
- an adequacy decision of the European Commission where one exists (e.g. EU-US Data Privacy Framework for certified organisations);
- failing that, the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational measures (encryption, pseudonymisation, minimisation);
- a Transfer Impact Assessment (TIA) for every sub-processor not covered by an adequacy decision.
Details of the transfers are set out in the DPA.
08 Cookies and trackers
The marketing website uses a limited number of cookies, which are either strictly necessary for its operation (language preference, light/dark theme, session) or subject to your consent (anonymised analytics, support tools).
No third-party advertising cookie is set when you enter the website. You may change your choices at any time via the consent module accessible at the bottom of the page.
09 Security
We implement state-of-the-art technical and organisational measures to protect your data: transport encryption (TLS 1.2+), encryption at rest, password hashing (bcrypt/Argon2), role-based access control, sensitive-action logging, continuous monitoring, vulnerability management, disaster recovery plan, and encrypted backups.
Despite our efforts, no system can guarantee absolute security. In the event of a personal data breach likely to cause a risk to your rights and freedoms, we will notify the French Data Protection Authority (CNIL) within 72 hours and, where applicable, affected individuals as soon as possible.
10 Your rights
Under the GDPR, you have the following rights:
- Right of access: obtain confirmation that your data is being processed and receive a copy.
- Right to rectification: have inaccurate or incomplete data corrected.
- Right to erasure: request deletion of your data in the cases provided by law.
- Right to restriction: have processing temporarily frozen.
- Right to portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interest or to commercial prospecting.
- Right to issue post-mortem directives on the fate of your data.
You may exercise these rights by writing to [email protected]. We respond within a maximum of one month, extendable by two further months for complex requests.
If you believe your rights are not being respected, you may lodge a complaint with the French Data Protection Authority (CNIL), 3 place de Fontenoy, 75007 Paris — www.cnil.fr.
11 Minors
The Service is intended for professional use and is not designed to be used by minors. No data collection is intentionally directed toward people under 15 years old. If you believe a minor has created an account, contact our DPO to obtain immediate deletion of the associated data.
12 Changes to this policy
This policy may change to reflect changes to the Service, our sub-processors, or applicable regulation. Any material change is notified by email and within the Service at least 30 days before it takes effect. The current version remains permanently accessible from the website footer.
