Privacy Policy

Last updated: 2026-03-22 — Version 1.1

1. Data Controller

DAN RADU OPRITA EI, 314 Route de la Plaine, 46100 Planioles, France.
Privacy contact: privacy@secusteri.com

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, encrypted password, role, locale
  • Sterilization records: autoclave cycle data, instrument traceability records, digital signatures — linked to your user account
  • Activity and audit logs: actions performed in the application, timestamps, IP addresses
  • Billing data: billing email and organization name (managed by Stripe; we do not store payment card details)
  • Technical data: error reports and diagnostic information collected by Sentry
  • Analytics and advertising data: when you consent to non-essential cookies, Google Analytics collects anonymised usage data (pages visited, session duration, device type) and Google Ads tracks conversion events (ad click to registration). No personal data is shared with Google without your consent. With consent denied, only anonymous aggregate data is collected via Google Consent Mode.
  • Lead capture data: when you request a free resource (such as an inspection checklist) via our website, we collect your email address, the resource requested, and your IP address. If you additionally opt in to marketing communications, we store that consent separately. This data is not linked to any SecuSteri account.

3. Legal Basis for Processing

  • Account and billing data: performance of a contract (GDPR Art. 6.1.b)
  • Sterilization and compliance records: performance of a contract + legal obligation (Art. 6.1.b and 6.1.c)
  • Audit logs: legitimate interest in maintaining a tamper-evident compliance trail (Art. 6.1.f) + legal obligation (Art. 6.1.c)
  • Error tracking (Sentry): legitimate interest in maintaining service quality (Art. 6.1.f)
  • Analytics and advertising cookies: consent (GDPR Art. 6.1.a) — you can accept or decline via the cookie banner, and withdraw consent at any time by clearing your cookies
  • Lead capture (checklist delivery): legitimate interest in delivering a requested resource (Art. 6.1.f). Marketing communications: consent (Art. 6.1.a) — you can opt in when requesting a resource, and withdraw at any time by contacting us

4. Retention Periods

  • Account data: duration of the subscription relationship, then anonymised on account deletion
  • Sterilization and compliance records: per your plan's retention window (minimum 5 years, up to unlimited on Clinic+), subject to the legal obligation described in section 5
  • Backup snapshots: 30 days rolling
  • Error logs (Sentry): 90 days

5. Mandatory Retention of Compliance Records

Signed sterilization records and audit logs are subject to mandatory retention obligations under applicable French sanitary law. These records are retained for the legally required period even after account cancellation, pursuant to GDPR Article 17(3)(b). Personal information not required by law is anonymised at account deletion. This retention is also in your interest as a regulated professional — you may need these records for ARS or CNIL inspections after cancellation.

6. Sub-Processors

We use the following sub-processors to deliver the service:

  • Scaleway SAS — hosting, managed database, object storage — Paris, France
  • Stripe Inc. — payment processing — USA (Standard Contractual Clauses)
  • Postmark / ActiveCampaign — transactional email — USA (SCCs)
  • Sentry — error tracking and diagnostics — Frankfurt, Germany
  • Google LLC — Google Analytics (anonymised usage analytics), Google Ads (conversion measurement), Google Pay (when used at checkout) — USA (Standard Contractual Clauses). Analytics and Ads are subject to your cookie consent. See Google Privacy Policy.

7. International Transfers

Stripe and Postmark are based in the United States. Personal data transferred to these processors is governed by Standard Contractual Clauses (SCCs) approved by the European Commission, providing an appropriate level of protection for your data.

8. Your Rights

Under the GDPR, you have the right to: access your personal data (Art. 15); rectify inaccurate data (Art. 16); request erasure, subject to the retention limitations described above (Art. 17); restrict processing (Art. 18); receive a portable copy of your data (Art. 20); object to processing based on legitimate interest (Art. 21).

To exercise any of these rights, contact us at privacy@secusteri.com. We will respond within 30 days.

9. Cookies

Strictly necessary cookies (no consent required): a session cookie for authentication, a CSRF protection token, a cookie consent preference cookie, and functional cookies set by Stripe for secure payment processing (__stripe_mid, __stripe_sid).

Analytics and advertising cookies (consent required): when you accept non-essential cookies via the consent banner, SecuSteri loads Google Analytics 4 (cookie: _ga) for anonymised usage statistics and Google Ads conversion tracking (cookie: _gcl_aw) to measure advertising effectiveness. These cookies are not set if you decline. With Google Consent Mode v2, anonymous aggregate data may still be collected without cookies to provide modeled conversion reports — this data contains no personal identifiers.

You can change your cookie preference at any time by clearing your browser cookies. Your consent preference is stored in the cookie_consent cookie for one year.

When you choose to pay using Google Pay, Google may collect data about your device and transaction as described in the Google Privacy Policy.

10. Right to Lodge a Complaint

If you believe your data is being processed unlawfully, you have the right to lodge a complaint with the French data protection authority, the CNIL: cnil.fr.

11. Changes to This Policy

We will notify you by email of any material changes to this policy before they take effect. The date at the top of this page indicates the most recent update.