Privacy Policy

1. Data Controller

2. Data Collected

Browsing data:
Technical cookies required for the operation of the site. Google Analytics (with prior consent) for audience measurement: pages visited, visit duration, browser type, anonymised IP address.

User account:
Email address, name (optional), profession (optional), hashed password. You can create an account via email/password or through a third-party service (Google, LinkedIn).

OAuth login (Google, LinkedIn):
Only your email address and name are transmitted by these services. We do not receive your password, contacts, or any other data from your third-party account. Authentication is managed by Supabase Auth via the OAuth 2.0 / OpenID Connect protocol.

Simulation data:
Data entered in calculators and simulators (amounts, areas, energy parameters, rental lots, etc.) is stored in your browser localStorage and — if you are signed in — synced to Supabase so you can access it from any device. 500-item cap per free user (10,000 for a Pro plan), 180-day retention from last modification, automatic daily purge thereafter.

Valuer profile:
Name, company, professional contact details — stored in your browser's localStorage or in Supabase if you are logged in. This data is used to personalise valuation reports.

Professional B2B operational data:
Professional users (syndics, real estate agencies, hoteliers) enter into the Syndic/CRM/PMS modules data concerning third parties: co-owners (name, lot, IBAN, balance), hotel guests (name, stay dates, address, tokenised card number), CRM contacts (name, email, phone, purchase criteria), real estate mandates. For this data, tevaxia acts as processor under GDPR art. 28: the professional user is the controller and must have an appropriate legal basis (performance of a syndic contract, accommodation contract, real estate mandate).

PSD2 banking data (Enable Banking connection):
If you connect a bank account via the Enable Banking PSD2 service (AIS — Account Information Service) for automatic reconciliation, retrieved transactions (label, amount, date, reference) are processed in memory during reconciliation and not stored on our servers beyond the session. The PSD2 link has a maximum duration of 90 days imposed by EU regulation 2015/2366, renewable by your bank via SCA. The JWT private key used to sign requests remains on the tevaxia server, never exposed to the browser.

Invoice OCR & documents — local processing:
PDFs and images uploaded in the invoice OCR module are processed exclusively in your browser (PDF.js for text extraction, Tesseract.js for scan OCR). No file, no image, no extracted text is sent to any third-party AI service (OpenAI, Anthropic, Google, Mistral) nor to our servers. Only the structured data extracted (supplier, amount, IBAN, VAT…) that you explicitly validate is then saved to Supabase.

Payment data (Stripe):
If you subscribe to a paid plan, payment processing (credit card, SEPA) is entirely handled by Stripe Payments Europe Limited (Ireland). tevaxia never receives or stores your full card number: only a Stripe customer ID, the last 4 digits of your card and its expiration date are kept in our database to allow you to manage your subscription.

3. Purposes of Processing

Service operation (calculations, simulations, display of results)
Saving simulations and valuations to your account
Personalisation of valuation reports (valuer profile)
Service improvement (anonymised audience statistics)

4. Legal Basis for Processing

Consent (Art. 6.1.a GDPR): Google Analytics analytical cookies.
Performance of a contract (Art. 6.1.b GDPR): creation and management of your account, saving your simulations.
Legitimate interest (Art. 6.1.f GDPR): service improvement, platform security.

You may withdraw your consent at any time for processing based on this legal basis.

5. Sub-processors

Provider	Role	Location
Supabase Inc.	Database hosting and authentication	EU servers (AWS eu-central-1, Frankfurt)
Vercel Inc.	Frontend hosting	United States (standard contractual clauses)
Render.com	energy-api API hosting	United States
Google LLC	Analytics, OAuth authentication	United States (EU-US Data Privacy Framework)
LinkedIn (Microsoft)	OAuth authentication	United States (standard contractual clauses)
Stripe Payments Europe Ltd	Subscription payment processing (paid plans)	Stripe Payments Europe Ltd — Ireland (EU)
Enable Banking Oy	PSD2 bank connection (AIS) for reconciliation	Enable Banking Oy — Finland (EU)

6. Data Retention

Account data: kept until the user deletes their account.
Simulation data (saved valuations, rental lots): 180 days from last modification, 500-item cap per free account (10,000 for a Pro plan). Automatic daily purge at 03:00 UTC for rows exceeding these thresholds. Local data (localStorage) remain available as long as the browser is not cleared.
Public share links: 90 days by default, duration configurable by the user (1 to 365 days) at creation, with optional view cap.
Cookies: maximum 13 months.
B2B operational data (co-owners, hotel guests, CRM contacts): retained for the duration of the service contract with the professional user. Specific LU legal retention obligations apply (accounting and invoices 10 years under art. L.16-2 Commercial Code, general meeting minutes 10 years, AML/KYC data 5 years).
PSD2 Enable Banking data: bank transactions accessed in memory, not persisted beyond the session. PSD2 link: 90 days maximum (renewable via SCA).
Invoice OCR: PDFs/images uploaded are never stored on our servers — 100% browser processing. Only structured data validated by the user is saved.

7. Your Rights

In accordance with the General Data Protection Regulation (GDPR) and the Luxembourg law of 1 August 2018, you have the following rights:

Right of access to your personal data
Right to rectification
Right to erasure ('right to be forgotten')
Right to data portability — a button « Export all my data (JSON) » is available in the « Data & plan » section of your profile
Right to object to processing

To exercise these rights, contact us at contact@tevaxia.lu.

8. Cookies

Technical cookies (necessary): essential for the operation of the site (language preferences, session). No consent required.
Analytical cookies (consent): Google Analytics, only set after explicit consent. Enable anonymised audience measurement.
Authentication cookies: Supabase session management (login token). Required for user account functionality.

9. Data Transfers Outside the European Union

Some of our sub-processors are located in the United States. These transfers are governed by standard contractual clauses approved by the European Commission and/or the EU-US Data Privacy Framework adequacy decision.

Account and simulation data are hosted by Supabase on servers located in the European Union (AWS eu-central-1, Frankfurt, Germany).

10. Security Measures

We implement the following technical and organisational measures to protect your data:

Encryption of communications via HTTPS (TLS)
Content Security Policy (CSP)
Row Level Security (RLS) on Supabase: each user can only access their own data
Hashed passwords (never stored in plain text)
Local browser processing for invoice OCR (PDF.js + Tesseract.js): no document sent to any external AI service
PSD2 keys stored in server environment variables, JWT RS256 signature for every bank request

11. Data Protection Officer / Contact

For any questions regarding the protection of your personal data, you can contact us at contact@tevaxia.lu.

12. Right to Lodge a Complaint

If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the Luxembourg supervisory authority:

Commission Nationale pour la Protection des Données (CNPD)
15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg
cnpd.public.lu