Privacy Policy
Last updated: April 18, 2026
1. Data Controller
Oppchain SAS
SIRET: 825 255 664 00013
Registered office: 75 Boulevard Haussmann, 75008 Paris, France
Contact: privacy@oppchain.com
2. Description of the Service
Diane is a B2B SaaS ERP platform designed for French small businesses, specifically training organizations and consulting firms. Diane integrates with Google Workspace to provide document management and scheduling functionalities.
3. Google Workspace Data Accessed
3.1 Google Drive (scope: drive.file)
- Purpose: Diane stores documents generated by the application (invoices, quotes, training agreements, attendance sheets) in the tenant's Google Drive, within a dedicated "Diane" folder structure.
- Diane accesses only files created by Diane.
- Diane does not read, modify, or delete any other file in the user's Drive.
- Users may also deposit files in designated Drive folders for processing (e.g., supplier invoices for data extraction).
3.2 Google Calendar (scope: calendar.events)
- Purpose: Diane creates and synchronizes training session events in the tenant's Google Calendar.
- Diane creates, modifies, and deletes events related to training sessions managed within Diane.
- Diane reads calendar events to detect scheduling conflicts.
3.3 Email
Diane does not request access to Gmail. Diane does not read, scan, or access user emails in any way. Users may optionally forward specific emails to a dedicated Diane email address for processing. This is entirely user-initiated and does not involve any Gmail API scope.
Google API Services User Data Policy Compliance
Diane's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:
- Diane uses Google data only to provide and improve the functionalities described above.
- Diane does not transfer Google data to third parties, except as necessary for providing the service (hosting infrastructure), with user consent, or for legal compliance.
- Diane does not use Google data for advertising, marketing profiling, or any purpose unrelated to the core service.
- Diane does not allow humans to read Google data unless the user provides explicit consent, it is necessary for security purposes, or it is required by law.
4. Legal Basis for Processing (Art. 6 GDPR)
- Contract performance (Art. 6(1)(b)): Processing of business data (invoices, quotes, training documents) is necessary for the performance of the SaaS service contract between Oppchain and the tenant.
- Legitimate interest (Art. 6(1)(f)): Operational logging, security monitoring, and service improvement. Users can object at any time.
- Consent (Art. 6(1)(a)): Google Workspace integration requires explicit user consent via the OAuth2 authorization flow. Consent can be withdrawn at any time from the Diane dashboard.
- Legal obligation (Art. 6(1)(c)): Retention of invoicing data for 10 years as required by French fiscal law (Code général des impôts).
5. Data Storage and Security
- Infrastructure: Google Cloud Platform (Cloud Run), region europe-west1 (Belgium).
- Database: Supabase PostgreSQL with Row Level Security (RLS), per-tenant data isolation.
- Encryption: TLS 1.2+ in transit. Data encrypted at rest (AES-256).
- No Google user data is stored outside the European Economic Area (EEA).
6. Data Retention
- Documents in Drive: Remain in the tenant's Drive. Diane does not delete them upon account termination (they belong to the user).
- Calendar events: Synchronized in real time; no persistent copy stored by Diane.
- Metadata (document generation logs): Retained for the duration of the contract + 10 years (French fiscal obligation).
- Account data: Deleted within 30 days of contract termination.
7. Data Deletion
- Users can disconnect Google Workspace at any time from the Diane dashboard (Settings > Integrations).
- Upon disconnection, all stored tokens and integration metadata are deleted immediately.
- Upon contract termination, all tenant data is deleted within 30 days. A data export is available upon request before deletion.
8. Data Sharing
Diane does not sell, rent, or share Google user data with third parties. Technical sub-processors with access to operational data (not Google content data):
- Google Cloud Platform (hosting, compute)
- Supabase (database hosting)
- Resend (transactional email delivery -- outbound only, no Google data)
9. User Rights (GDPR)
Under the General Data Protection Regulation (EU 2016/679), you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time
To exercise these rights, contact: privacy@oppchain.com
Supervisory authority: CNIL (www.cnil.fr)
10. Cookies
Diane uses only essential technical cookies (session, CSRF protection). No advertising or third-party tracking cookies are used.
11. Changes to This Policy
Any material changes will be notified to tenant administrators by email at least 30 days before taking effect. Continued use after notification constitutes acceptance.
12. Contact
Oppchain SAS
privacy@oppchain.com
75 Boulevard Haussmann, 75008 Paris, France