Preamble
This policy describes how Backhurry collects, uses, and protects your personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and the loi Informatique et Libertés (French Data Protection Act).
It covers the Backhurry showcase website (public pages, forms) as well as the Backhurry web and mobile application (authenticated area).
The controller of the data collected via the Backhurry application and website is:
EPREYN — SAS with capital of 100,00 €
40 Avenue du Canigou, 66370 Pézilla-la-Rivière, France
RCS Perpignan 892 742 297 • SIRET: 892 742 297 00021
VAT: FR61 892742297
Publication director: Pierre Reynal, President
GDPR Contact: contact@backhurry.com
Account and registration
- Email address; first and last name (if provided, in particular via Google)
- User identifier (Firebase UID); login method (email, Google, biometrics)
- Date of registration, date and method of last login
Billing (via Stripe)
- Your bank details are never stored by Backhurry: they are processed by our provider Stripe (certified PCI-DSS Level 1).
- Backhurry retains a Stripe customer identifier, the subscription status history, and the billing dates and status.
Business data entered by the user
- Projects, entities, custom fields, dashboards, documents, automations, imports.
- This data belongs to the Client; Backhurry acts as a processor within the meaning of the GDPR.
Technical and connection data
- IP address, browser type and version, operating system, timestamp
- Access, usage, and error logs
Audience measurement and product improvement
To understand and improve product usage, we measure usage via Firebase Analytics (Google) and PostHog:
- Usage events: actions performed in the application (creating a project, generating a document, launching an import, etc.), with technical properties (object type, counters, durations, success/failure, language, platform, version). No entered content (field values, free text, AI prompts) is included in these events.
- Pages and screens viewed, and navigation path.
- User identifier associated with these events when you are logged in, and non-sensitive profile properties (language, plan, role).
- Session recording ("session replay") via PostHog: a visual reconstruction of your use of the interface in order to diagnose usability issues and bugs. Input fields are masked by default (see section 10).
Error diagnostics (via Sentry)
In the event of a technical error, a report is sent to Sentry (EU region, Germany): error type, call stack, technical context, and user identifier for tracking. This makes it possible to fix anomalies.
Feedback
Feedback sent via the internal widget is retained to improve the service; it may be anonymised on request.
- Provide and operate the service — Performance of the contract
- Account authentication and security — Performance of the contract
- Billing and payment management — Performance of the contract / legal obligation
- Customer support and response to requests — Performance of the contract
- Trial reminders and transactional notifications — Performance of the contract
- Diagnosis and correction of errors (Sentry) — Legitimate interest
- Fraud and abuse detection — Legitimate interest
- Audience measurement and usage statistics (Firebase Analytics, PostHog) — Consent
- Session recording (PostHog session replay) — Consent
- Product improvement based on feedback — Legitimate interest
Audience measurement and session recording rely on your consent. You may grant or refuse it, and withdraw it at any time (see section 8).
No processing is carried out for behavioural advertising purposes or for resale to third parties.
- Active account and business data: duration of the subscription + 30 days after termination
- Billing data (accounting obligations): 10 years
- Technical logs: 12 months
- Audit log (security): 5 years
- Audience-measurement data (PostHog / Firebase): up to 24 months
- Session recordings (PostHog): limited duration, then deletion
- Error reports (Sentry): 90 days
- Feedback: anonymised after account deletion
Your data is accessible to Backhurry teams (strict need-to-know) and to the following processors:
- Google Cloud / Firebase — app hosting, database, authentication, analytics (EU, europe-west1)
- Squarespace — showcase website hosting (United States)
- PostHog — product audience measurement + session recording (EU, eu.i.posthog.com)
- Sentry — error diagnostics (EU, Germany)
- Stripe — payment (EU / USA, PCI-DSS L1)
- SendGrid (Twilio) — transactional emails (United States)
- Google Vertex AI / Gemini — AI assistant (EU — prompts/responses processed temporarily, not used for training)
No data is sold, rented, or exchanged for commercial purposes.
The main hosting and audience measurement are located in the European Union. Transfers to the United States (Squarespace, Stripe, SendGrid) are governed by the European Commission's Standard Contractual Clauses.
- Strictly necessary — authentication session, preferences (language, theme). Exempt from consent.
- Payment — Stripe cookies when entering card details. Necessary for the transaction.
- Audience measurement — PostHog and Firebase Analytics cookies/identifiers, session recording. Subject to your consent.
You may withdraw your consent at any time and configure your browser to block cookies.
In accordance with the GDPR (Regulation (EU) 2016/679) and the loi Informatique et Libertés (French Data Protection Act):
- Access and portability — Personal area → Personal data → Export my data (JSON export, link valid for 7 days).
- Rectification — from your personal area.
- Erasure — Personal area → Personal data → Delete my account (irreversible: account, projects, and data).
- Objection and restriction — contact@backhurry.com
- Withdrawal of consent — for audience measurement and session recording, via the cookie preference centre or on request at contact@backhurry.com. Withdrawal does not affect the lawfulness of prior processing.
- Complaint — with the CNIL: cnil.fr/fr/plaintes
- TLS encryption in transit, AES at rest (Firestore)
- Strict isolation of data between accounts (multi-tenant)
- Authentication (Google OAuth, hashed password, biometrics)
- Audit log of sensitive operations
- Encrypted daily backups (30-day retention)
In the event of a breach, notification to the CNIL and to the data subjects within 72 h (art. 33 GDPR).
To improve usability and diagnose bugs, we may record sessions of your use of the application via PostHog:
- The recording reconstructs what is displayed on the screen during your use.
- Input fields are masked; we strive to limit the capture of sensitive data.
- As the application is rendered in "canvas" mode, fine-grained masking on an element-by-element basis is not always possible: displayed data may appear.
- The recordings are hosted in the European Union and retained for a limited period (section 4), then deleted.
- You may refuse this recording (preference centre or on request).
Minors: Backhurry is a professional (B2B) tool not intended for minors; we do not knowingly collect data from persons under the age of 15.
Modifications: Any substantial modification will be notified by email at least 30 days before it takes effect.
Contact
GDPR / DPO contact: contact@backhurry.com
Address: EPREYN — 40 Avenue du Canigou, 66370 Pézilla-la-Rivière
In-app feedback widget: side menu → "Send feedback"
Policy applicable as of June 3, 2026.