Privacy Policy

Last updated: 2026-03-07 — Version 1.0

1. Data Controller

DAN RADU OPRITA EI, 314 Route de la Plaine, 46100 Planioles, France.
Privacy contact: privacy@secusteri.com

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, encrypted password, role, locale
  • Sterilization records: autoclave cycle data, instrument traceability records, digital signatures — linked to your user account
  • Activity and audit logs: actions performed in the application, timestamps, IP addresses
  • Billing data: billing email and organization name (managed by Stripe; we do not store payment card details)
  • Technical data: error reports and diagnostic information collected by Sentry

3. Legal Basis for Processing

  • Account and billing data: performance of a contract (GDPR Art. 6.1.b)
  • Sterilization and compliance records: performance of a contract and legal obligation (Art. 6.1.b and 6.1.c)
  • Audit logs: legitimate interest in maintaining a tamper-evident compliance trail (Art. 6.1.f) and legal obligation (Art. 6.1.c)
  • Error tracking (Sentry): legitimate interest in maintaining service quality (Art. 6.1.f)

4. Retention Periods

  • Account data: duration of the subscription relationship, then anonymised on account deletion
  • Sterilization and compliance records: per your plan's retention window (minimum 3 years, up to unlimited on Clinic+), subject to the legal obligation described in section 5
  • Backup snapshots: 30 days rolling
  • Error logs (Sentry): 90 days

5. Mandatory Retention of Compliance Records

Signed sterilization records and audit logs are subject to mandatory retention obligations under applicable French sanitary law. These records are retained for the legally required period even after account cancellation, pursuant to GDPR Article 17(3)(b). Personal information not required by law is anonymised at account deletion. This retention is also in your interest as a regulated professional — you may need these records for ARS or CNIL inspections after cancellation.

6. Sub-Processors

We use the following sub-processors to deliver the service:

  • Scaleway SAS — hosting, managed database, object storage — Paris, France
  • Stripe Inc. — payment processing — USA (Standard Contractual Clauses)
  • Postmark / ActiveCampaign — transactional email — USA (SCCs)
  • Sentry — error tracking and diagnostics — USA (SCCs)

7. International Transfers

Stripe, Postmark, and Sentry are based in the United States. Personal data transferred to these processors is governed by Standard Contractual Clauses (SCCs) approved by the European Commission, providing an appropriate level of protection for your data.

8. Your Rights

Under the GDPR, you have the right to: access your personal data (Art. 15); rectify inaccurate data (Art. 16); request erasure, subject to the retention limitations described above (Art. 17); restrict processing (Art. 18); receive a portable copy of your data (Art. 20); object to processing based on legitimate interest (Art. 21).

To exercise any of these rights, contact us at privacy@secusteri.com. We will respond within 30 days.

9. Cookies

SecuSteri uses only strictly necessary cookies: a session cookie for authentication, a CSRF protection token, and functional cookies set by Stripe to enable secure payment processing (__stripe_mid, __stripe_sid). No advertising or analytics cookies are used. No consent banner is required for strictly necessary cookies under the applicable CNIL guidelines.

10. Right to Lodge a Complaint

If you believe your data is being processed unlawfully, you have the right to lodge a complaint with the French data protection authority, the CNIL: cnil.fr.

11. Changes to This Policy

We will notify you by email of any material changes to this policy before they take effect. The date at the top of this page indicates the most recent update.