Privacy Policy — VanStock (Application & Website)

Effective as of 04/04/2026

Article 1 – Preamble

This Privacy Policy applies to the VanStock Application, available on iOS, iPadOS, and macOS, as well as to the associated website accessible at vanstock.app (hereinafter “the Website”), published by SAS SECURI’M.

Its purpose is to inform users of the Application and the Website:

  • How their personal data is collected and processed;
  • What rights they have regarding such data;
  • The identity of the data controller responsible for the data collected and processed;
  • The recipients of such data;
  • The policy regarding cookies and trackers.

This Privacy Policy supplements the Legal Notice and the Terms of Use, which can be consulted in the Application and on the Website.

Article 2 – General Principles for Data Collection and Processing

In accordance with the provisions of Article 5 of European Regulation 2016/679 (GDPR), the collection and processing of user data from the Application comply with the following principles:

  • Lawfulness, fairness, and transparency: data may only be collected and processed with the consent of the data owner. Each time personal data is collected, the user is informed that their data is being collected and for what reasons;
  • Purpose limitation: data collection and processing are carried out to fulfil one or more specific purposes as set out in these terms;
  • Data minimization: only data necessary for the proper execution of the purposes pursued by the Application is collected;
  • Limited retention period: data is retained for a limited period, of which the user is informed;
  • Integrity and confidentiality: the data controller undertakes to guarantee the integrity and confidentiality of the data collected.

In accordance with Article 6 of the GDPR, the collection and processing of personal data may only take place if at least one of the following conditions is met:

  • The user has expressly consented to the processing;
  • The processing is necessary for the performance of a contract;
  • The processing fulfils a legal obligation;
  • The processing is necessary to protect the vital interests of the data subject;
  • The processing is necessary for the purposes of the legitimate interests pursued by the data controller.

Article 3 – Personal Data Collected and Processed

A. Data Collected and Method of Collection

The personal data collected by the VanStock Application is as follows:

Upon registration / account creation (via Firebase Authentication):

  • First and last name
  • Email address
  • Password (encrypted, never stored in plain text)
  • When signing in via Google Sign-In: first name, last name, email address, and profile photo associated with the User’s Google account

During use of the Application:

  • Stock and inventory data: items, references, quantities, descriptions
  • Photographs: images of products, items, or equipment taken or imported by the user
  • Technical data: unique device identifier, operating system, Application version
  • Biometric authentication (Face ID / Touch ID): the Application offers quick sign-in via Face ID or Touch ID. Biometric data is processed exclusively locally by the device’s operating system (iOS / macOS) and is never collected, stored, or transmitted by the publisher or its subcontractors

During use of the Website and contact addresses:

  • Email address (contact form or direct email to [email protected], [email protected], or [email protected])
  • First and/or last name (if provided in the form or email)
  • Message content (feature suggestions, support requests, general inquiries)
  • Connection data: IP address, browser type, pages viewed (Cloudflare server logs)

This data is collected when the user performs the following actions:

  • Registering on the Application (via email/password or Google Sign-In);
  • Adding, editing, or deleting items and stock;
  • Taking or importing photographs;
  • Using the barcode scanner;
  • Sending a message via the Website contact form or by email to [email protected], [email protected], or [email protected].

B. Retention Periods

The data controller retains the collected data under reasonable security conditions for the following periods:

  • User account data: lifetime of the account + 3 years after account deletion, in accordance with applicable limitation periods;
  • Stock and inventory data: lifetime of the account, deleted at the user’s request or upon account closure;
  • Photographs: lifetime of the account, deleted at the user’s request or upon account closure;
  • Technical data: 13 months maximum;
  • Contact form data (Website): 3 years from the date the message was sent.

C. Purposes of Processing

Data collection and processing serve the following purposes:

  • Creation and management of the user account;
  • Provision of stock management and inventory services;
  • Storage and display of photographs associated with items;
  • Improvement of the Application and correction of malfunctions;
  • Processing of support requests and suggestions submitted via the Website contact form;
  • Compliance with legal obligations.

The legal bases for processing are:

  • Performance of the contract between the user and the Application publisher;
  • Consent of the user;
  • Legal obligation where applicable.

D. Transmission of Data to Third Parties

Personal data may be transmitted to the following third parties, exclusively for the purposes described above:

  • Google LLC / Firebase: hosting of Application data, user authentication, file storage (Firebase Authentication, Cloud Firestore, Firebase Storage);
  • Cloudflare, Inc.: Website hosting, protection against attacks (CDN, WAF). Cloudflare may process certain connection data (IP address, HTTP headers) to ensure the security of the Website;
  • Apple Inc.: distribution of the Application via the App Store and the Mac App Store, management of subscriptions and billing via StoreKit 2. Apple processes the User’s payment data; the publisher does not have access to banking information;
  • Competent authorities: if required by law, the publisher may transmit data to comply with administrative and judicial proceedings.

No personal data is sold to third parties for commercial or advertising purposes.

E. Data Hosting

Application data: hosted by Google LLC — Firebase, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Website: https://firebase.google.com. Google LLC adheres to the EU-U.S. Data Privacy Framework and provides guarantees in compliance with Chapter V of the GDPR for data transfers outside the European Union.

Website: hosted by Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, United States. Website: https://www.cloudflare.com. Cloudflare adheres to the EU-U.S. Data Privacy Framework and offers standard contractual clauses for data transfers outside the EU.

Article 4 – Data Controller

A. The Data Controller

The controller of personal data is:

M. Matthieu DANTAN
Président de la SAS SECURI’M
Email: [email protected]
Phone: +33 7 66 97 47 76

The data controller is responsible for determining the purposes and means of processing personal data.

B. Obligations of the Data Controller

The data controller undertakes to:

  • Protect the personal data collected;
  • Not transmit it to third parties without informing the user;
  • Respect the purposes for which such data was collected;
  • Notify the user in the event of rectification or deletion of data, unless doing so would involve disproportionate formalities, costs, or procedures.

Data exchanges between the Application and Firebase servers are secured by TLS (Transport Layer Security) encryption.

In the event that the integrity, confidentiality, or security of the user’s personal data is compromised, the data controller undertakes to inform the user by any means within 72 hours, in accordance with Article 33 of the GDPR.

Article 5 – User Rights

In accordance with the regulations on the processing of personal data (GDPR and French Data Protection Act), the user has the following rights:

a. Right of Access, Rectification, and Right to Erasure

The user may access, update, modify, or request the deletion of their data by sending an email to the data controller at: [email protected] (or [email protected]), specifying the subject of their request.

The user may also request account deletion directly from the Application settings.

b. Right to Data Portability

The user has the right to request the portability of their personal data held by the Application to another service, by sending their request by email to the address indicated above.

c. Right to Restriction and Right to Object

The user has the right to request the restriction of or to object to the processing of their data by the Application, without the Application being able to refuse, unless it can demonstrate the existence of compelling legitimate grounds that override the interests, rights, and freedoms of the user.

d. Right Not to Be Subject to a Decision Based Solely on Automated Processing

In accordance with the provisions of the GDPR, the user has the right not to be subject to a decision based solely on automated processing if the decision produces legal effects concerning them or significantly affects them.

e. Right to Determine the Fate of Data After Death

In accordance with French Law No. 2016-1321 of October 7, 2016, the user may organize the future of their data collected and processed after their death. For more information: https://www.cnil.fr

f. Right to Lodge a Complaint with the Competent Supervisory Authority

If the data controller decides not to respond to the user’s request, or if the user believes that one of their rights has been infringed, they are entitled to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés): https://www.cnil.fr, or with any competent court.

How to Exercise Your Rights

Any request must be sent by email to: [email protected] (or [email protected])

It must be accompanied by a copy of a valid, signed identity document and must include the address at which the publisher may contact the requester.

A response will be provided within one (1) month of receiving the request. This period may be extended by two (2) months if warranted by the complexity or number of requests.

We recommend contacting us first before filing a complaint with the CNIL, as we are fully available to resolve your issue.

Personal Data of Minors

In accordance with the provisions of Article 8 of the GDPR and the French Data Protection Act, only minors aged 15 or over may consent to the processing of their personal data. If the user is a minor under the age of 15, the consent of a legal guardian is required before personal data may be collected and processed.

Article 6 – Cookies and Trackers

A. Native Application (iOS / macOS)

The VanStock Application is a native application and does not use cookies in the traditional sense. It does not integrate any analytics tracking tools (no Google Analytics, Firebase Analytics, or any other advertising or audience measurement tracker).

Only data strictly necessary for the technical operation of the Application is processed (authentication via Firebase, stock data synchronization).

B. Website (vanstock.app)

A “cookie” is an electronic file stored on a device (computer, tablet, smartphone) and read when visiting a website.

When browsing the Website, strictly necessary cookies may be placed by Cloudflare to ensure the security and proper functioning of the Website (DDoS protection, traffic management). These technical cookies do not require user consent in accordance with Article 82 of the French Data Protection Act.

The Website does not use any advertising, audience measurement, or profiling cookies.

Information collected via technical cookies is used solely to ensure the security and proper functioning of the Website. Their lifespan does not exceed thirteen (13) months.

The user may disable cookies from their browser settings. For more information on cookie management:

Disabling technical cookies may affect the proper functioning of the Website.

Article 7 – Data Security

The publisher implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Encryption of communications via TLS;
  • Secure authentication via Firebase Authentication;
  • Storage of passwords in encrypted (hashed) form;
  • Restriction of data access to authorized persons only.

Article 8 — International Scope

The VanStock Application is available in multiple countries via the App Store and Mac App Store. This Privacy Policy is drafted in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).

Users in the EU/EEA: the provisions of the GDPR apply fully. The competent supervisory authority is that of the user’s country of residence (in France: the CNIL).

Users outside the EU/EEA: the publisher commits to applying a level of data protection equivalent to that of the GDPR for all users, regardless of their country of residence. The rights described in Article 5 are available to all users without geographical distinction.

Article 9 – Changes to the Privacy Policy

This Privacy Policy may be consulted at any time in the Application settings and on the Website.

The publisher reserves the right to modify it to ensure compliance with applicable law. The user is encouraged to review this policy regularly to stay informed of any changes.

In the event of a substantial modification, the user will be notified by a notification in the Application or by email.

Article 10 – Contact

For any questions regarding this Privacy Policy, the user may contact the publisher:

Last updated: April 4, 2026