Privacy Policy
Last updated: March 22, 2026
1. Data Controller
The data controller for personal data is:
- Company: Olam Création (sole proprietorship / micro-enterprise)
- Representative: Jonas Nephtali
- Location: France
- DPO Contact: [email protected]
2. Data Collected
In the course of providing the service, PepFold collects the following data:
| Category | Data | Purpose |
|---|---|---|
| Identification | Email address | Account creation, API key delivery, support |
| Genomic | Variant identifiers (rsIDs) submitted via the API | Analysis report generation |
| Payment | Transaction data (processed by Stripe) | Billing, accounting compliance |
| Technical | IP address, API access logs | Security, abuse prevention |
3. Legal Basis
- 1.Contract performance (GDPR Art. 6.1.b): processing of data necessary to provide the service (email, genomic data, payment).
- 2.Legal obligation (GDPR Art. 6.1.c): retention of billing data in compliance with accounting and tax obligations.
- 3.Legitimate interest (GDPR Art. 6.1.f): service security, fraud prevention.
4. Sub-processors
Data may be shared with the following sub-processors, strictly for service provision:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe | Payment processing | Ireland (EU) |
| Cloudflare, Inc. | Frontend hosting, CDN, DDoS protection | United States |
| Google Ireland Limited | API hosting (Cloud Run) | Ireland (EU) |
| Resend, Inc. | Transactional email delivery | United States |
5. Transfers Outside the EU
Some sub-processors (Cloudflare, Resend) are located in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with GDPR Art. 46.2.c.
6. Data Retention
| Data | Retention Period |
|---|---|
| Account data (email, API key) | Duration of the business relationship + 3 years |
| Genomic data (submitted rsIDs) | Deleted after report generation |
| Billing data | 10 years (legal accounting obligation) |
| Technical logs | 12 months |
7. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- 1.Right of access — obtain confirmation that your data is being processed and receive a copy.
- 2.Right to rectification — correct inaccurate or incomplete data.
- 3.Right to erasure — request deletion of your data, subject to legal retention obligations.
- 4.Right to portability — receive your data in a structured, machine-readable format.
- 5.Right to object — object to the processing of your data on legitimate grounds.
- 6.Right to restriction — request restriction of processing in certain cases.
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the CNIL (French Data Protection Authority): www.cnil.fr
8. Cookies & Local Storage
PepFold does not use any third-party cookies, tracking cookies, or advertising cookies.
The site uses only the browser's localStorage to store the user's API key client-side, to facilitate adding credits on subsequent purchases. This data remains exclusively on the user's device and is not transmitted to any third party.
9. Data Security
Olam Création implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction, including: TLS encryption in transit, restricted access via API key, automatic deletion of genomic data after processing.
10. Changes
This privacy policy may be updated at any time. Changes will be published on this page with an updated date. In case of a substantial change, users with an account will be notified by email.
Contact
For any questions about the protection of your data: [email protected]