Privacy Policy

In effect as of May 4, 2026 — GDPR-compliant (EU Regulation 2016/679)

This Privacy Policy describes how NUNC SASU collects, uses, shares and protects the personal data of users of the Referys service (referys.com and app.referys.com). It is supplemented by the specific statements published on the App Store (Apple Privacy Labels, section 4a) and the Google Play Store (Data Safety, section 4b), and by the account deletion procedure described in section 10.

1. Data controller

NUNC SASU — contact@referys.com

Important note: when you use Referys to manage the contacts in your network, you act as data controller for your contacts' data. Referys acts as data processor for that data.

2. Data collected

User account data: first name, last name, email address, phone number, geographic area, subscription status and history.

Contact data (entered by the user): first name, last name, phone, email, date of birth, address, segment, interests, personal notes, exchange history. This data belongs to the user and is never shared with other accounts.

Usage data: login logs, actions performed in the app, AI feature usage counters.

Technical data: IP address (rate limiting, security), anonymized error reports.

3. Purposes and legal bases

  • Performance of the contract (art. 6.1.b GDPR): provision of the Referys service, subscription management, transactional emails.
  • Legitimate interest (art. 6.1.f GDPR): platform security, abuse prevention, product improvement, technical error monitoring.
  • Consent (art. 6.1.a GDPR): marketing communications, push notifications (revocable at any time).

4. Subprocessors and transfers

Data is processed by the following subprocessors, each bound to Referys by a GDPR-compliant data processing agreement:

  • Supabase: Database — eu-west-1 (Ireland, EU)
  • Vercel: Application hosting — cdg1 (Paris, EU). Contracting entity: Vercel Inc. (United States), EU-US DPF certified; SCCs signed as a contractual safeguard.
  • Cloudflare: Proxy, CDN and DDoS protection — Cloudflare, Inc. (United States), EU-US DPF certified; SCCs signed. Only request metadata (IP, headers, route) is processed in transit.
  • Stripe: Payments — billing data only. Transfer covered by EU Standard Contractual Clauses.
  • Resend: Transactional emails (Magic Link, confirmations). Transfer covered by EU Standard Contractual Clauses.
  • MailerLite: Marketing emails (optional, unsubscribe at any time). Hosted in the EU.
  • Anthropic: AI features (assistant, suggestions). Data processed in transit, not stored by Anthropic as part of API usage.
  • Google Places: Address autocomplete. Only geocoding queries are transmitted. Transfer covered by EU Standard Contractual Clauses.
  • Sentry: Technical error tracking (anonymized data, no contact data). Transfer covered by EU Standard Contractual Clauses.

4a. Apple Privacy Labels (App Store)

Standardized summary of the data collected by the Referys iOS app, in the format required by Apple on the App Store listing:

Type | Data | Purpose | Identity link
Identifiers | Account identifier, email | Authentication, app functionality | Linked to identity
Contact info | Email, phone (optional) | Transactional communication, support | Linked to identity
User content | Contacts entered, notes, exchange history | Core service functionality | Linked to identity
Usage data | Action logs, AI counters | Product analytics, credit billing | Linked to identity
Diagnostics | Crash reports, error logs | App stability | Not linked to identity

No data is used for advertising tracking. No App Tracking Transparency (ATT) permission is requested. No data is shared with data brokers or advertising networks.

4b. Google Play Data Safety

Equivalent declaration for the Play Store listing of the Referys Android app:

Data collected:

  • Personal information (name, email, phone) — for authentication and communication.
  • In-app activity (interactions, settings) — for service functionality.
  • Device identifiers (via Sentry) — for stability only.

Data shared with third parties:

  • No data sold or transferred for advertising purposes.
  • Anonymized technical data shared with Sentry for error monitoring.
  • Billing data shared with Stripe (web payment) or Google (Play Store payment).

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

Users may request deletion of their data from the app (Settings > Account > Delete my account) or via the public URL app.referys.com/auth/delete-account.

5. Retention period

  • Account data: subscription duration + 3 years (legal accounting obligations).
  • Contact data: duration of the active subscription.
  • Technical data: 90 days maximum.

Upon account deletion, all data is erased within 30 days.

6. Your GDPR rights

You have the following rights, exercisable at contact@referys.com:

  • Right of access to your data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability (CSV export available directly from the app settings)
  • Right to object to processing
  • Right to restrict processing
  • Right to withdraw your consent at any time (push notifications, marketing emails)

You may also lodge a complaint with your competent Data Protection Authority (CNIL in France, AEPD in Spain, CNPD in Portugal, ICO in the UK, or any equivalent authority depending on your country of residence).

7. Cookies

Marketing site (referys.com): Google Analytics is used to measure audience (page views, traffic source). No advertising cookies, no social network trackers. You can decline via the consent banner or by using private browsing mode.

App (app.referys.com): no third-party analytics tools. A session cookie is used to maintain your authentication.

8. Security

  • Encryption in transit (TLS)
  • Encryption at rest (AES-256, at the Supabase infrastructure level)
  • Row Level Security (RLS) — strict per-account data isolation, configured at the database level
  • Admin access restricted to the service_role key (technical support only)
  • Rate limiting per IP and per user
  • Authentication via Magic Link or Google OAuth

9. Native permissions (iOS and Android apps)

The native Referys mobile apps may request the following system permissions. Each permission is requested explicitly when the user first uses the corresponding feature. All permissions can be revoked at any time from the phone settings.

Address book (Contacts iOS / READ_CONTACTS Android): Lets the user import their contacts from the phone's address book into Referys, on an explicit action via the Import page. Contacts are only read at the moment the user triggers the import. No background reading, no continuous synchronization, no transmission to third parties. Imported contacts become Referys contacts and follow the same rules as contacts entered manually (section 2).

Photo gallery (Photos iOS / READ_MEDIA_IMAGES Android): Lets the user pick a profile picture for a contact or for the user account. Reading is limited to the selected image. No analysis, no upload without an explicit action, no reading of other images in the gallery.

Camera (Camera iOS / CAMERA Android): Lets the user take a profile picture as an alternative to the gallery. No background capture, no use outside an explicit context.

Notifications (POST_NOTIFICATIONS): Enables daily reminders (contacts to follow up with, deadlines). Can be disabled at any time in the phone settings or in Referys (Settings > Notifications).

App Tracking Transparency (iOS): No tracking permission is requested. Referys uses no advertising identifier (IDFA) and performs no cross-app tracking.

No permission is used to collect data for advertising purposes. No data resulting from native permissions is shared with third parties.

10. Account deletion

Users may delete their account at any time, without justification, through any of the following channels:

  • From the app: Settings > Account > Delete my account. The request is confirmed by email.
  • From the web (public URL): app.referys.com/auth/delete-account, accessible without prior authentication, in line with App Store and Play Store requirements.
  • By email: contact@referys.com — reply within 5 business days.

Deletion triggers the permanent erasure of account data and associated contact data within 30 days. Backups are purged within 90 days. Accounting data (invoices) is retained for 10 years in accordance with applicable French legal obligations (article L123-22 of the French Commercial Code).

11. Sale, rental and monetization of data

NUNC SASU never sells, rents or monetizes the personal data of its users or their contacts. No data is shared with data brokers, advertising networks or third parties for commercial purposes.

The only transmissions of data to third parties are those strictly necessary to operate the service, listed in section 4, and covered by data processing agreements compliant with article 28 of the GDPR.

12. Protection of minors

The Referys service is intended exclusively for professionals of legal age or in the process of starting their professional activity. Creating an account is reserved for individuals aged 16 or older (European Union) and 18 or older in countries where legal majority is required to carry out a commercial activity.

If we become aware of an account created by a minor outside these conditions, the account is suspended and the associated data is deleted without delay.

13. Changes to this policy

This Privacy Policy may be updated to reflect changes in the service, subprocessors or regulation. Any substantial change is notified by email with 30 days' notice. The last update date is shown at the top of the document. The history of previous versions is available on request at contact@referys.com.

Google API Services — Limited Use disclosure

Referys' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Referys connects to Google services only as strictly necessary for the operation of the application (Google Sign-In, and any other Google API explicitly authorized by the user). Data received via Google APIs is never sold, used to target advertising, or transferred to third parties for purposes not authorized by this policy. No Google user data is used to train general-purpose machine learning models.

14. Contact

For any question about this policy or to exercise your rights: contact@referys.com. Privacy contact: legal representative of NUNC SASU.