Privacy Policy
Last updated: June 1, 2026
This policy explains how Carredas Communication SAS, operator of the Websir brand, collects, uses and protects personal data of users of websir.fr (public website and SaaS application), in accordance with Regulation (EU) 2016/679 (GDPR) and French data protection law.
Controller
The controller is Carredas Communication SAS, registered at 7 Rue de la Distillerie, ZA de la Plaine, 59493 Villeneuve-d'Ascq, France.
Data Protection Officer (DPO): [email protected] — Carredas Communication SAS, Attn. DPO, 7 Rue de la Distillerie, ZA de la Plaine, 59493 Villeneuve-d'Ascq, France.
Data collected
- Identification data: name, first name, email address, bcrypt-hashed password and, where enabled, two-factor authentication secret.
- Third-party account data: provider identifier, name and email address when signing in with Google, Facebook or Apple.
- Billing data: company name, billing address and VAT number where applicable. Card details are stored only by Stripe and never pass through Carredas Communication SAS servers.
- Project data: AI briefs, conversations with the assistant, generated sites (HTML, CSS, JavaScript, images) and personalization variables entered in “My data”.
- Usage and technical data: sign-in timestamps, IP address, application events, generation/deployment events, browser, operating system, screen resolution and language.
- AI logs: language model calls, consumed tokens, latency, costs and payloads kept for audit, debugging and service quality.
- Form submissions: messages sent through forms on published client sites, processed on behalf of the client site owner.
Purposes
Data is used to provide website generation, hosting and maintenance; manage accounts, subscriptions and billing; provide support; secure the platform; improve the service; send service notifications; send marketing communications where consent has been given; and comply with accounting, tax and legal obligations.
Legal basis
- Performance of a contract (Art. 6.1.b GDPR): service provision, account and subscription management, payments.
- Legitimate interest (Art. 6.1.f GDPR): security, fraud prevention, service improvement and AI call audit.
- Consent (Art. 6.1.a GDPR): marketing communications and non-essential cookies.
- Legal obligation (Art. 6.1.c GDPR): accounting records, invoices and response to lawful requests.
Retention
- Account/profile data: during the subscription or free use, then 3 years from the last interaction for evidence purposes.
- Billing data: 10 years under Article L. 123-22 of the French Commercial Code.
- Technical and connection logs: 12 months.
- AI call logs: 12 months, with payloads containing significant user data purged after 90 days.
- Login attempts and lockouts: 6 months.
- Contact form submissions: according to the client site owner’s policy, and no longer than 3 years after the last interaction.
- Backups: 30 days after project deletion or subscription termination, then purge.
Your rights
Under Articles 15 to 22 of the GDPR, you have rights of access, rectification, erasure, restriction, portability, objection, withdrawal of consent and post-mortem instructions under French law.
To exercise these rights, contact [email protected]. We will respond within one month, extendable by two months for complex requests. You may also lodge a complaint with the CNIL: www.cnil.fr.
Data processed by AI models
Website generation relies on language models hosted by third-party providers. Briefs and conversations sent to the AI are transmitted to these providers for processing.
- Structured sensitive data such as phone number, address, SIRET, IBAN, host and publisher identity is never sent to the model; it is injected locally during deployment through typed variables.
- User messages are sanitized before transmission.
- Model self-references are filtered before display.
- Selected providers contractually commit not to reuse transmitted data to train their models.
Users should not enter highly sensitive data such as health data, offences, political opinions or religious beliefs in AI briefs.
Subprocessors
Carredas Communication SAS uses subprocessors governed by GDPR-compliant agreements, including OVH (hosting), Cloudflare (CDN, R2, Workers, DDoS protection, SSL and anonymous analytics), Stripe (payments and invoices), Brevo (transactional and consent-based marketing emails), Cerebras and Z.AI (language model inference), OpenRouter (fallback model gateway) and Replicate (image generation).
The up-to-date subprocessor list can be requested at [email protected].
Third-party sign-in
Websir supports sign-in through Google, Facebook (Meta) and Apple. Only the strictly necessary information is collected: provider unique identifier, name and email address. No friend lists, contacts or publications are requested or stored. You may revoke Websir access from the provider’s security settings; this does not delete your Websir account, which must be deleted separately through the data deletion process.
Transfers outside the European Union
Some subprocessors may process data outside the European Union. These transfers are governed by European Commission Standard Contractual Clauses, the Data Privacy Framework where applicable, and transfer impact assessments where appropriate.
Cookies and trackers
Websir uses strictly necessary cookies such as websir_session, XSRF-TOKEN and theme. Websir also uses Cloudflare Web Analytics, which does not use cookies and does not collect data that identifies visitors.
No advertising cookies, social network pixels or behavioral tracking tools are placed on websir.fr. If such tools are introduced, a compliant consent banner will be implemented beforehand.
Security
Carredas Communication SAS implements appropriate technical and organizational measures, including TLS encryption, bcrypt password hashing, optional TOTP two-factor authentication, automatic lockouts after repeated attempts, access logging, encrypted backups and strict infrastructure access control.
If a data breach is likely to create a risk for the rights and freedoms of individuals, Carredas Communication SAS will notify the CNIL within 72 hours and inform affected persons where required by Article 34 GDPR.
Contact
- Email: [email protected]
- Postal mail: Carredas Communication SAS — DPO, 7 Rue de la Distillerie, ZA de la Plaine, 59493 Villeneuve-d'Ascq, France
Document updated on June 1, 2026.