Legal information
Privacy Policy
Effective date: 14 June 2026 — v1.1
Preamble
This Privacy Policy describes how QR Communication SAS (hereinafter "we", "our" or "the Data Controller") collects, uses, stores and protects the personal data of users of the jefacturebien.fr platform (hereinafter the "Platform").
This policy complies with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — and the amended French Data Protection Act.
1. Data Controller
QR Communication SAS
- Simplified joint-stock company with a share capital of EUR 5,000
- Paris Trade and Companies Register 940 163 496
- Intra-EU VAT: FR43940163496
- Registered office: 23 rue de Richelieu, 75001 Paris, France
- Legal representative: Joëlle Azogui, President
DPO (Data Protection Officer) contact: Email: dpo@jefacturebien.fr
2. Data collected
2.1 Identification data
| Data | Purpose | Legal basis |
|---|---|---|
| First and last name | Account identification | Performance of the contract |
| Email address | Communication, authentication | Performance of the contract |
| Phone number | 2FA authentication, support | Performance of the contract |
| SIRET / SIREN | Business verification (KYB) | Performance of the contract |
| Company name | Invoicing, identification | Performance of the contract |
| Business address | Invoicing | Performance of the contract |
| Intra-EU VAT number | Invoicing | Legal obligation |
2.2 Technical data
| Data | Purpose | Legal basis |
|---|---|---|
| IP address | Security, connection logs | Legitimate interest |
| User-agent (browser, OS) | Compatibility, support | Legitimate interest |
| Access logs | Security, audit | Legitimate interest |
| Action timestamps | Traceability, security | Legitimate interest |
2.3 Payment data
| Data | Purpose | Legal basis |
|---|---|---|
| Bank card information | Payment | Performance of the contract |
Note: Bank card data is processed directly by our payment provider Stripe and is never stored on our servers.
2.4 Data contained in documents
As part of the use of the invoicing services, we process the data present in documents submitted by users (invoices, contracts, etc.). This data may include personal data of third parties (names, addresses, etc.).
Important: The user is responsible for ensuring that they have the necessary rights to submit these documents and that the persons concerned have been duly informed.
3. Purposes of processing
We process your personal data for the following purposes:
3.1 Performance of the contract
- Provide the invoicing services
- Manage your user account
- Process your payments
- Provide customer support
3.2 Legal obligations
- Retention of invoices (10 years — Commercial Code)
- Response to requests from authorities
- Combating tax fraud
3.3 Legitimate interest
- Improvement of our services
- Platform security
- Fraud prevention
- Anonymized usage statistics
3.4 Consent (where applicable)
- Sending marketing communications (newsletter)
- Non-essential analytics cookies
4. Legal bases for processing
| Processing | Legal basis | GDPR article |
|---|---|---|
| Account management | Performance of the contract | Art. 6.1.b |
| Invoicing | Performance of the contract | Art. 6.1.b |
| Tax retention | Legal obligation | Art. 6.1.c |
| Security | Legitimate interest | Art. 6.1.f |
| Direct marketing | Consent | Art. 6.1.a |
5. Retention period
| Data type | Retention period |
|---|---|
| Active account data | Duration of the contractual relationship |
| Inactive account data | 3 years after last activity |
| Issued invoices | 10 years (legal obligation) |
| Connection logs | 1 year (LCEN) |
| Access logs | 1 year |
| Payment data | 13 months (+ 5-year archives) |
| Prospects (non-clients) | 3 years after last contact |
Upon expiry of these periods, data is irreversibly deleted or anonymized.
6. Data recipients
6.1 Internal access
Only authorized QR Communication staff have access to personal data, within the limits of their duties.
6.2 Subprocessors
We use the following subprocessors, all located in the European Union and GDPR-compliant:
| Subprocessor | Service | Location | Compliance |
|---|---|---|---|
| Scaleway SAS | Hosting (servers, DB, S3) | France | ISO 27001, HDS |
| Stripe, Inc. | Online payments | Ireland (EU) | PCI-DSS, GDPR |
| SuperPDP | Transmission of electronic invoices (Factur-X) | EU | GDPR |
| Resend | Transactional emails | European Union | GDPR |
6.3 Transfers outside the EU
No data transfer outside the European Union takes place.
All our data is hosted in France at Scaleway. Our subprocessors have their registered office or processing servers within the EU.
6.4 Authorities
We may be required to disclose data to the competent authorities (tax administration, courts) upon legal request.
7. Data security
We implement the following security measures:
7.1 Technical measures
- Encryption of data in transit (TLS 1.3)
- Encryption of data at rest (AES-256)
- Two-factor authentication (2FA) available
- Secure password hashing (bcrypt)
- Secrets and credentials hashed (not stored in clear text)
- Web application firewall (WAF)
- Intrusion detection
7.2 Organizational measures
- Restricted access based on the principle of least privilege
- Staff security training
- Incident management policy
- Regular security audits
7.3 Certifications
- Infrastructure hosted on ISO 27001-certified servers
- Compliance with ANSSI recommendations
8. Your rights
In accordance with the GDPR, you have the following rights:
8.1 Right of access (Art. 15)
You may obtain confirmation that data concerning you is being processed and obtain a copy of it.
8.2 Right to rectification (Art. 16)
You may request the correction of inaccurate or incomplete data.
8.3 Right to erasure (Art. 17)
You may request the deletion of your data, subject to legal retention obligations.
8.4 Right to restriction (Art. 18)
You may request the restriction of processing in certain cases (contesting accuracy, unlawful processing, etc.).
8.5 Right to portability (Art. 20)
You may receive your data in a structured, machine-readable format and transmit it to another data controller.
8.6 Right to object (Art. 21)
You may object to the processing of your data based on legitimate interest or for direct marketing purposes.
8.7 Right to withdraw consent
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
8.8 Right to lodge a complaint
You may lodge a complaint with the CNIL:
- Website: https://www.cnil.fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
9. Exercising your rights
9.1 How to exercise your rights
You may exercise your rights:
- By email: dpo@jefacturebien.fr
- By post: QR Communication SAS, For the attention of the DPO, 23 rue de Richelieu, 75001 Paris, France
- Via your client area: Some actions (data export, account deletion) are available directly in your account settings.
9.2 Response time
We undertake to respond to your request within one month of receipt. This period may be extended by two months for complex requests, in which case you will be informed.
9.3 Identity verification
For security reasons, we may ask you to prove your identity before processing your request.
10. Cookies
The use of cookies on our site is described in our Cookie Policy.
11. Amendment of the policy
We reserve the right to amend this Privacy Policy at any time. In the event of a substantial change, we will inform you by email or via a notification in your client area.
The "last updated" date at the top of this page indicates the version in force.
12. Contact
For any question relating to this Privacy Policy or the protection of your data:
Data Protection Officer (DPO)
- Email: dpo@jefacturebien.fr
QR Communication SAS
- Email: contact@qrcommunication.com
- Website: https://jefacturebien.fr