Table of contents
- Part I — Privacy policy (GDPR information notice)
- Part II — Security measures (article 32 GDPR)
- Part III — Subprocessors (article 28.4 GDPR)
- Part IV — Data Processing Agreement (DPA, article 28 GDPR)
Part I — Privacy policy
1. Controller
The controller of personal data collected on backtome.fr and through the BackToMe service is:
- BTM BACKTOME, SASU with share capital of EUR 1,000
- 17 rue Jean Philippe Rameau, 70400 Héricourt, France
- SIREN 990 637 233 — RCS Vesoul
- Represented by Anis Mokadym, President
2. Contact for your rights (DPO)
For any question regarding your personal data or to exercise your rights, you may write to:
Email: contact@backtome.fr
Postal mail: BTM BACKTOME — GDPR Request, 17 rue Jean Philippe Rameau, 70400 Héricourt, France
A response will be provided within one (1) month, extendable by two (2) months in the case of complex requests (Article 12 GDPR).
3. Data we collect
3.1. Merchants using the service (Clients)
When you create an account, subscribe, and use the service, we collect:
- Identification data: email, first name, last name, password (stored as a hash);
- Professional data (optional): company name, phone number, website;
- Payment data: Stripe customer identifier, subscription status, plan selected; credit card information is collected and retained exclusively by our provider Stripe, and BackToMe never has access to it;
- Technical data: connection IP address, activity logs, session identifiers.
3.2. Consumers submitting a withdrawal request
When a consumer submits a request through the widget installed on a Client's website, we collect, acting as a processor for the Client, the following data:
- first name and last name;
- email address;
- order number / reference (depending on the Client's configuration);
- date and time of submission;
- IP address and browser user-agent (for evidentiary purposes and fraud prevention — purged after 90 days).
The Client (the merchant) is the controller of this data; BackToMe hosts and processes it on their behalf under the conditions defined in the Data Processing Agreement (Part IV) compliant with Article 28 GDPR, which supplements the Terms of Use and Terms of Sale.
3.3. Visitors to backtome.fr
Our website uses no tracking cookies and no third-party analytics tools (no Google Analytics, Meta Pixel, etc.). Only cookies strictly necessary for the operation of the service (session, preferences) are set.
4. Purposes and lawful bases
| Purpose | Lawful basis (Article 6 GDPR) |
|---|---|
| Creation and management of the client account | Performance of contract (6.1.b) |
| Invoicing and collection of payments | Performance of contract (6.1.b) + legal obligation (6.1.c) |
| Hosting of consumer withdrawals | Processing on behalf of the merchant — lawful basis of the merchant (legal obligation under article L.221-21 of the French Consumer Code) |
| Retention of withdrawal evidence | Legal obligation (Article L.110-4 of the French Commercial Code — 5 years) |
| Service security, fraud prevention | Legitimate interest (6.1.f) |
| Sending of transactional emails (reminders, alerts) | Performance of contract (6.1.b) |
| Anonymized internal statistics | Legitimate interest (6.1.f) |
5. Retention periods
| Category | Retention period |
|---|---|
| Active client account (profile, settings) | For the entire subscription period + 30 days (soft-delete) after deletion is requested |
| Inactive client account | Deletion notice after 36 months without login, then effective deletion within 30 days in the absence of a response |
| Consumer withdrawals (live mode) | 5 years from the date of submission (Article L.110-4 of the French Commercial Code), then permanent deletion |
| Withdrawals in demonstration mode | 90 days, then deletion |
| IP addresses and user-agents (withdrawals) | 90 days, then automatic anonymization |
| Invoices and accounting data | 10 years (Article L.123-22 of the French Commercial Code) |
| Technical logs and activity records | 30 days (standard logs), 12 months (security logs) |
| Audit log (deletions, exports) | 2 years |
| Password reset tokens | 24 hours |
| Invitation tokens | 7 days |
6. Cookies
The backtome.fr website uses only strictly necessary cookies for the operation of the service:
- session cookies (Supabase Auth): keep you logged in to the dashboard, duration of 1 hour, renewable;
- preference cookies: storage of interface settings, duration of 1 year.
No third-party audience-measurement, advertising, or tracking cookies are set. The withdrawal widget embedded on Clients' sites sets no cookies.
7. Your rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) — obtain confirmation that data concerning you is being processed and receive a copy of it.
- Right to rectification (Article 16) — correct inaccurate or incomplete data.
- Right to erasure (Article 17) — request deletion of your data, subject to our legal retention obligations (in particular for withdrawals retained for 5 years as evidence).
- Right to restriction (Article 18) — request the suspension of processing in certain cases.
- Right to portability (Article 20) — receive your data in a structured, machine-readable format, or request its transfer to a third party.
- Right to object (Article 21) — object to processing based on legitimate interest.
- Right to set post-mortem directives (article 85 of the French Data Protection Act).
- Right to withdraw your consent at any time (Article 7) where processing is based on consent.
To exercise these rights: contact@backtome.fr. We may request proof of identity in case of reasonable doubt. Our services are designed to allow direct exercise of most of these rights from the dashboard (profile editing, CSV export, account deletion with a 30-day recovery window).
8. Consumer withdrawals — specific case
When a consumer submits a withdrawal through the widget, the merchant (BackToMe Client) is the controller within the meaning of the GDPR; BackToMe acts as a processor.
If you are a consumer wishing to exercise your rights (access, deletion of your withdrawal once it is no longer required for evidentiary purposes, etc.), you may:
- contact the merchant to whom you submitted the request directly (the acknowledgment of receipt you received states their contact details);
- or contact us at contact@backtome.fr, specifying the merchant concerned and your reference number; we will forward your request to the merchant or act on it if the lawful basis allows.
Withdrawals are retained for 5 years from the date of submission, as legal evidence (Article L.110-4 of the French Commercial Code). Beyond that period, they are permanently deleted.
9. Recourse before the CNIL
If, after contacting us, you consider that your rights are not respected, you may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):
- online at www.cnil.fr/fr/plaintes;
- by post: 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.
Part II — Security measures
This part consolidates the technical and organizational measures implemented by BackToMe under article 32 GDPR. It constitutes a contractual commitment under Part IV (DPA, article 28.3).
10. Architecture and hosting
BackToMe stores all of its data within the European Union; the application is hosted as follows:
- Database and authentication: Supabase, physical infrastructure in Paris (France). All account, site and withdrawal-request data resides there.
- Frontend (page rendering): Vercel, global edge network with EU PoPs prioritized, platform-level DDoS protection.
- Domain name, DNS zone and professional email: OVH SAS, hosted entirely in France.
No customer data is stored outside the EU. Occasional transfers to U.S. processors (Vercel, Resend) are framed by the Data Privacy Framework and standard contractual clauses — see details in Part III.
11. Encryption
In transit — all communications with BackToMe (dashboard, widget, API) are encrypted via TLS 1.2 minimum, with a modern configuration (HSTS enabled, restricted cipher suite). The pages are rated A+ by standard tools (SSL Labs, Mozilla Observatory).
At rest — PostgreSQL database data is encrypted with AES-256 at the Supabase storage layer. Backups inherit the same level of encryption.
User passwords — hashed using bcrypt with a unique salt per user. No password is stored in clear text, nor accessible by BackToMe at any time. A reset is always done via a single-use email link.
12. Multi-tenant isolation — Row-Level Security
BackToMe applies strict data isolation between customers via PostgreSQL's Row-Level Security (RLS) mechanism. Concretely:
- Each row in the database carries a reference to its owner (account, organization).
- RLS policies are evaluated by the database engine itself, on every query, independently of the application code.
- A flaw in the application code cannot leak data from another customer: the PostgreSQL engine would block the query.
- Multi-user invitations respect the roles defined in the Terms of Use (owner, administrator, reader).
Every table of the public schema of the database is created with the ENABLE ROW LEVEL SECURITY directive and at least one access policy. Supabase security advisors are consulted on every schema change to verify the absence of unintentional exposure.
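The isolation model described above, as an added illustration that is not BackToMe's actual schema: a minimal Supabase-style layout in which every row references its owning site, RLS is enabled on every public table, and the PostgreSQL engine alone decides which rows a caller may see. All table, column and function names below are assumptions; auth.uid() is the real Supabase helper that returns the "sub" claim of the caller's JWT.

```sql
-- Added example (not BackToMe's code). Names are assumptions for illustration.

create table public.sites (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id) on delete cascade,
  name     text not null
);

-- Shared access: one row per (site, user) with a role from the Terms of Use.
create table public.site_members (
  site_id uuid not null references public.sites (id) on delete cascade,
  user_id uuid not null references auth.users (id) on delete cascade,
  role    text not null check (role in ('owner', 'administrator', 'reader')),
  primary key (site_id, user_id)
);

create table public.withdrawal_requests (
  id           uuid primary key default gen_random_uuid(),
  site_id      uuid not null references public.sites (id) on delete cascade,
  first_name   text not null,
  last_name    text not null,
  email        text not null,
  order_ref    text,
  submitted_at timestamptz not null default now()
);

-- Enable RLS on every table of the public schema. With RLS on and no policy,
-- ordinary roles get no rows at all: a forgotten policy fails closed, not open.
-- (Supabase grants table privileges to anon/authenticated by default; RLS is
-- what restricts them to their own rows.)
alter table public.sites               enable row level security;
alter table public.site_members        enable row level security;
alter table public.withdrawal_requests enable row level security;

-- Membership lookup as SECURITY DEFINER so policies on other tables can consult
-- site_members without recursively triggering that table's own RLS policies.
create or replace function public.site_role(p_site uuid)
returns text
language sql stable security definer
set search_path = public
as $$
  select m.role from public.site_members m
  where m.site_id = p_site and m.user_id = auth.uid();
$$;

-- A user sees only their own membership rows.
create policy "own memberships" on public.site_members
  for select to authenticated
  using (user_id = auth.uid());

-- Any member (owner, administrator or reader) may read a site and its requests.
create policy "members read sites" on public.sites
  for select to authenticated
  using (public.site_role(id) is not null);

create policy "members read requests" on public.withdrawal_requests
  for select to authenticated
  using (public.site_role(site_id) is not null);

-- Readers are read-only: deleting a request requires owner or administrator.
create policy "admins delete requests" on public.withdrawal_requests
  for delete to authenticated
  using (public.site_role(site_id) in ('owner', 'administrator'));

-- Consumers submit anonymously through the widget; the insert is done by a
-- server-side route using the service role, which bypasses RLS, so no insert
-- policy is granted to anon or authenticated here. That key stays server-side.

-- Check (psql), simulating the JWT context Supabase sets for a logged-in user
-- with a constructed UUID: a user who is a member of no site gets zero rows,
-- and a buggy dashboard query for another customer's site_id returns nothing
-- instead of that customer's data.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
select count(*) from public.withdrawal_requests;  -- 0 unless this user is a member
rollback;
```

Run the block against a Supabase project (or a local PostgreSQL with the auth schema and auth.uid() present) before relying on the check at the end.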
13. Audit log
Sensitive actions affecting the lifecycle of accounts, sites and shared access are recorded in a server-side timestamped audit log, retained for twenty-four (24) months:
- site deletion (soft-delete then permanent purge after 30 days) and possible restoration;
- account deletion (soft-delete then permanent purge after 30 days) and possible restoration;
- removal of shared access on a site, whether through revocation by an administrator or self-leave by a member;
- CSV export of withdrawal requests for a site (actor, timestamp, exported scope).
Authentication events (logins, failed attempts, logouts, password resets, email changes) are recorded separately in Supabase's native authentication log (auth.audit_log_entries), retained according to the host's policy.
Upon a reasoned request to contact@backtome.fr, the Customer can obtain the audit extract concerning them.
14. Availability and backups
BackToMe targets availability above 99% on an annual basis, excluding announced maintenance windows. In the event of unavailability exceeding 48 consecutive hours directly attributable to BackToMe, the Customer may request a credit pro-rated to the days of interruption (cf. Terms of Sale art. 11).
Backups — the database benefits from Supabase automatic daily backups and from a Point-in-Time Recovery feature allowing rollback to any second within the last seven (7) days, under the Supabase plan to which BackToMe subscribes.
15. Internal access control
- No direct database access by default — only application operations (via authenticated API) are allowed.
- Administrator access is protected by strong authentication (2FA enforced on Supabase, Vercel, GitHub and Stripe accounts).
- Sensitive operations (schema migrations, access to nominal data for debugging) are tracked and recorded in the provider audit log.
- Strict application of the principle of least privilege.
16. Abuse protection
- Application-level rate-limiting per IP and per account on sensitive endpoints (withdrawal-request creation, login, password reset), with persisted counters purged regularly and a violations log;
- Platform-level DDoS protection (Vercel) across the entire domain;
- Strict server-side validation of all user inputs;
- CSRF protection on all mutating actions of the dashboard, via Next.js Server Actions;
- Security headers applied globally: HSTS (two years, preload-ready), X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, restrictive Permissions-Policy.
17. Secure development lifecycle
- Systematic code reviews with particular attention to classic flaws (OWASP Top 10).
- Regular dependency updates, with automatic CVE monitoring through Dependabot.
- Targeted integration tests on sensitive paths: authentication, RLS, payments, audit log.
- No secrets in source code: API keys and JWTs are stored exclusively in environment variables managed by Vercel.
18. Reporting a vulnerability
Have you identified a security issue? Contact us at contact@backtome.fr with "Security — " in the subject line. We acknowledge receipt within 48 business hours.
For responsible disclosure:
- Do not attempt to retrieve, modify or delete data that does not belong to you.
- Give us a reasonable timeframe to fix issues before any public disclosure.
- Do not run destructive tests (DoS, large-scale brute-force, social engineering of staff).
In return, we undertake not to pursue legal action against researchers who respect these rules, to fix confirmed vulnerabilities promptly, and to publicly credit (if you wish) significant contributions.
19. Personal data breach notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects:
- BackToMe shall notify affected Customers within 72 hours of becoming aware of the incident, by email to the contact address on file;
- BackToMe shall notify the CNIL within the timeframe set out in Article 33 GDPR;
- data subjects shall be informed without undue delay if the risk is high (Article 34 GDPR);
- the contractual detail of this obligation in the processor capacity is set out in Part IV, article 28.
Part III — Subprocessors
As a processor for the Client (cf. Part IV), BackToMe is required, in accordance with Article 28.4 GDPR, to disclose the list of third-party providers it relies on to deliver the Service. All are bound contractually by agreements offering safeguards equivalent to those of Part IV.
20. Up-to-date list
| Provider | Function | Location | Transfer safeguards |
|---|---|---|---|
| Supabase Inc. | PostgreSQL database and authentication (core storage of accounts and withdrawal requests) | EU — Paris, France | Physical hosting in the EU, signed DPA |
| Stripe Payments Europe Ltd | Credit-card payments, subscription and billing management | Ireland (EU) | European entity — DPA included in Stripe's terms |
| Vercel Inc. | Frontend hosting (page rendering, edge network, platform-level DDoS protection) | United States (EU PoPs) | EU-US Data Privacy Framework + Standard Contractual Clauses (SCC) |
| OVH SAS | Domain name registrar, authoritative DNS zone, and professional email hosting (@backtome.fr mailboxes) — no Client personal data transits there, except technical DNS logs and the email addresses of inbound correspondents | EU — France | Hosted entirely in France. ISO/IEC 27001, 27017, 27018 and HDS certifications |
| Resend, Inc. | Sending of transactional emails: confirmations, acknowledgments to consumers, notifications to professional Clients, billing reminders | United States | Standard Contractual Clauses (SCC) + Transfer Impact Assessment |
| GitHub Inc. | Source-code hosting (no Client personal data is stored there — application code only) | United States | EU-US Data Privacy Framework + SCC |
21. Modification procedure
When BackToMe contemplates adding or replacing a subprocessor, it informs professional Clients by email to the contact address registered in their account, with reasonable prior notice of at least thirty (30) days before effective deployment.
During this period, the Client may raise a reasoned objection (incompatibility with internal policy, transfer-country uncertainty, etc.) by writing to contact@backtome.fr. If the objection is legitimate and no alternative solution can be found, the Client may terminate its subscription at no cost, in accordance with article 8 of the Terms of Sale.
The absence of written objection beyond the 30-day deadline constitutes tacit acceptance of the modification.
22. Transfers outside the European Union
For transfers outside the EU listed above, BackToMe ensures appropriate safeguards within the meaning of Chapter V GDPR: reliance on the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) where applicable, otherwise reliance on the standard contractual clauses (Implementing Decision EU 2021/914), together with an assessment of the actual level of protection (Transfer Impact Assessment).
Part IV — Data Processing Agreement (DPA)
This Part IV constitutes the Data Processing Agreement (DPA) entered into between BackToMe and its professional Clients, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR). It governs the processing by BackToMe of personal data for which the Client acts as Controller, and in particular data collected through the withdrawal widget installed on its website.
23. Framework and acceptance
This Part IV constitutes an addendum to the Terms of Sale and the Terms of Use entered into between:
- BTM BACKTOME, a French SASU with share capital of EUR 1,000, registered with the Vesoul Trade and Companies Register under number 990 637 233, acting as Processor (hereinafter "BackToMe");
- and the Client who has subscribed to the paid mode of the Service, acting as Controller (hereinafter the "Controller").
Acceptance of the Terms of Sale by the Controller upon subscription carries full and unreserved acceptance of this Part IV, without the need for a separate signature (Article 28.9 GDPR — electronic form admitted).
In the event of a conflict between this Part IV and the Terms of Sale or the Terms of Use, this Part IV prevails solely with respect to matters relating to the processing of personal data.
24. Definitions
Capitalized terms have the meaning given to them in Article 4 of the GDPR: "personal data", "processing", "controller", "processor", "personal data breach", "data subject", etc. Service-specific terms (Client, Account, Site, Widget, paid mode) have the meaning given to them in the Terms of Use.
25. Subject matter of the processing
BackToMe processes, on behalf of the Controller, the personal data transmitted through the Service for the following purposes:
- collection and hosting of withdrawal requests submitted by the Controller's end consumers via the Widget installed on the Controller's websites;
- time-stamped archiving with evidentiary value, in accordance with article L.221-21 of the French Consumer Code;
- automatic dispatch of acknowledgments of receipt on a durable medium to consumers;
- email notifications to the Controller for each request received;
- provision of the dashboard enabling the Controller to view, export and manage withdrawal requests.
26. Categories of data and data subjects
The processing covers exclusively the following categories of data, transmitted by the Controller's end consumers or end customers who exercise or have exercised their right of withdrawal:
- first name and last name;
- email address;
- order number or product reference (depending on the Controller's configuration);
- free-text content entered by the consumer (optional reason for withdrawal);
- IP address and browser user-agent (for evidentiary and anti-fraud purposes — anonymized after 90 days);
- submission timestamp.
No sensitive data within the meaning of Article 9 GDPR (health, opinions, biometrics, etc.) is collected by default. The Controller undertakes not to configure the Widget in a manner that would cause such data to be collected.
27. Duration of the processing
BackToMe processes the data for the entire duration of the Controller's subscription to the paid mode. Upon termination of the subscription, the data is retained under the conditions set out in Article 30 below, within the limits of the legal retention obligations applicable to the Controller (in particular 5 years for commercial evidence under Article L.110-4 of the French Commercial Code).
28. Obligations of BackToMe (Processor)
28.1. Processing on documented instructions
BackToMe processes the data only on the documented instructions of the Controller, which consist of this Part IV, the parameters chosen by the Controller in its dashboard, the Terms of Use and Terms of Sale, and any subsequent written instruction sent to contact@backtome.fr.
If BackToMe considers that an instruction is contrary to the GDPR, it shall immediately inform the Controller and may suspend execution until clarification. If BackToMe is required, under Union or Member State law, to carry out a processing operation not covered by the Controller's instructions, BackToMe shall inform the Controller before processing, unless that law prohibits such information on important grounds of public interest.
28.2. Confidentiality of personnel
BackToMe ensures that persons authorized to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to the data is strictly limited to persons whose duties so require (least privilege principle).
28.3. Security measures
BackToMe implements appropriate technical and organizational measures within the meaning of Article 32 GDPR to ensure a level of security appropriate to the risk. These measures are described in Part II and constitute a contractual commitment under this Part IV.
28.4. Subprocessors
The Controller expressly authorizes BackToMe to engage subprocessors for the performance of the Service. The authoritative up-to-date list appears in Part III. BackToMe imposes on each of its subprocessors, by contract, data protection obligations equivalent to those set out in this Part IV (Article 28.4 GDPR). The information and objection procedure is described in article 21 (Part III).
28.5. Assistance with data subjects' rights
BackToMe makes available to the Controller, in the dashboard, the tools necessary to respond to requests from data subjects under Articles 15 to 22 GDPR: search by email, individual or bulk export, manual deletion, audit log. If a request is addressed directly to BackToMe by a data subject, BackToMe shall forward it to the Controller without delay and shall assist the Controller, to the extent possible, in responding to it.
28.6. Personal data breach notification
In the event of a personal data breach, BackToMe shall notify the Controller without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the incident, by email to the contact address registered in the account. The notification shall specify, to the extent the information is available: the nature of the breach, the categories and approximate volume of data and data subjects concerned, the likely consequences, the measures taken or proposed, the BackToMe point of contact for follow-up. See also article 19 (Part II).
28.7. Assistance with DPIAs
BackToMe shall assist the Controller, to a reasonable extent and taking into account the information available to BackToMe, in carrying out DPIAs (Data Protection Impact Assessments, Article 35 GDPR) and any prior consultations with the CNIL (Article 36 GDPR).
29. Obligations of the Controller
The Controller:
- is responsible for the lawfulness of the processing and, in particular, for providing appropriate information to the consumers concerned (information notices under Article 13 GDPR within its own privacy policy);
- warrants that the parameters it configures in the Widget (fields collected, labels, email templates) comply with the GDPR and with applicable law;
- is solely responsible for deciding how to act on withdrawal requests received and for actually processing them (in particular issuing refunds) with the consumers concerned;
- keeps the dashboard credentials in a safe place and notifies BackToMe without delay in the event of suspected compromise.
30. Fate of data at end of service
At the end of the service (termination, non-renewal, expiry), the Controller has access for ninety (90) days to its dashboard in read-only mode, allowing it to export its data in CSV format. After that period:
- submitted withdrawal requests are retained for five (5) years from the date of submission, for legal evidentiary purposes (Article L.110-4 of the French Commercial Code) — for the benefit of the Controller;
- upon expiry of that period, the data is permanently deleted;
- account elements (profile, settings, sites) are deleted within 30 days following the end of the service, unless otherwise requested by the Controller.
The Controller may, at any time during the 90-day window, request early deletion by email to contact@backtome.fr, provided that no legal retention obligation incumbent on the Controller prevents such deletion.
31. Audits
BackToMe shall make available to the Controller, upon reasonable request sent to contact@backtome.fr, all information necessary to demonstrate compliance with this Part IV (technical documentation, up-to-date list of subprocessors, audit reports or certifications — SOC 2, ISO 27001).
The Controller may, at its own expense, conduct an annual audit or mandate an independent auditor bound by professional secrecy. The date, scope and modalities of the audit shall be agreed by mutual consent, observing reasonable prior notice and avoiding any disruption to the Service. The audit report may not be communicated to third parties without the prior written consent of BackToMe.
32. Liability
Each party is liable for the consequences of a breach of the obligations incumbent on it under the GDPR. In accordance with Article 82 GDPR, BackToMe is liable only for damage caused by processing carried out in breach of the obligations specifically incumbent on Processors or by failure to comply with the lawful instructions of the Controller; the Controller is liable for damage resulting from its own processing choices, configurations, instructions, and from the lawfulness of the processing.
The liability cap set out in Article 12 of the Terms of Sale (the last twelve months of payments) also applies to this Part IV, subject to mandatory provisions applicable to damage caused to data subjects by a violation of the GDPR.
33. Term — amendments — governing law
This Part IV takes effect on the date of subscription to the paid mode and remains in force for as long as BackToMe processes personal data on behalf of the Controller, extended by the time necessary to perform the operations set out in Article 30.
BackToMe may amend this Part IV to bring it into line with changes in regulations, in CNIL or EDPB recommendations, or to reflect changes in the Service. Material amendments are notified by email at least thirty (30) days before they take effect. Continued use of the Service after that date constitutes acceptance. Failing this, the Controller may terminate at no cost in accordance with the Terms of Sale.
This Part IV is governed by French law and by Union law. The competent courts are those designated in Article 17 of the Terms of Sale.
34. Contact
Any question, request or notification under this Part IV must be sent to contact@backtome.fr, with the subject line "DPA — [account name]".
35. Modifications to this policy
This privacy policy (all parts) may be updated to reflect changes to the service, our infrastructure, or applicable regulation. Any substantial modification will be notified to Clients by email at least fifteen (15) days before its entry into force — or thirty (30) days for modifications affecting Part IV (DPA). The date of the last update is shown at the top of this page.