Privacy policy
Last updated : 2026-07-01
1. Who we are
The data controller is CONTRÉ Clément, operating under the trade name CCFlow, SIREN 104 836 903, with its registered office in Val d'Oise, France.
In the absence of an obligation to appoint a data protection officer (DPO), the "data protection" point of contact is: contact@naskel.io.
Important note: for the personal data of the contacts, clients and prospects you manage in Naskel (CRM, content of emails read, calendar), Naskel acts as a processor on your behalf (see the data processing agreement). This policy describes the processing of your own account data, for which Naskel is the data controller.
2. Data we collect
- Account data: email, name, password (encrypted).
- Business data: clients, quotes, invoices, notes, briefs, provided by you.
- Technical data: anonymized access logs, performance metrics.
3. Legal bases
Each processing operation relies on a legal basis (art. 6 GDPR):
- Performance of the contract: account creation and management, provision of the service, access to the Google data you connect.
- Legal obligation: accounting and tax retention of invoices.
- Legitimate interest: service security, prevention of abuse and fraud, product improvement.
- Consent: cookies and analytics that are not strictly necessary (see the Cookies section).
4. Google data (Gmail & Google Calendar)
When you connect your Google account to Naskel, the application accesses certain data from your Google services through the Google APIs, solely for the purposes described below. This access is optional and revocable at any time from your Google account settings (myaccount.google.com/permissions) or from Naskel.
- Reading emails (
gmail.readonly) : to display your inbox inside Naskel, automatically categorize messages (prospect, client, notification) and answer your questions about a client's history. - Sending emails (
gmail.send) : only to send, at your request, the emails you write or approve in Naskel (replies, follow-ups). - Reading the calendar (
calendar.readonly) : to display your appointments in the built-in calendar and prepare your meeting briefs.
Processing by artificial intelligence. For the categorization and assistance features, the relevant content (subject, body excerpt) is sent to our AI subprocessor Mistral AI (hosted in the European Union) for the sole purpose of providing the requested feature. This data is never used to train AI models, nor read by a human (except where strictly necessary: security, abuse, or legal obligation, or with your explicit consent).
Limited Use. Naskel's use and transfer of information received from Google APIs comply with the Google API Services User Data Policy, including its Limited Use requirements. In particular, Google data is not used for advertising purposes, nor sold, nor transferred to third parties, except to provide or improve user-facing features, for security reasons, or to comply with the law.
5. Recipients & subprocessors
Naskel relies on the following subprocessors, all bound by contract. All personal data is hosted in the European Union:
- Vercel Inc.: Application hosting EU (Frankfurt, fra1). US company: standard contractual clauses (SCC).
- Neon Inc.: Database EU (eu-central-1). US company: standard contractual clauses (SCC).
- Mistral AI: Artificial-intelligence processing. No training on customer data. European Union (France).
- Stripe: Subscription payments EU / US, certified provider: standard contractual clauses (SCC).
- Resend: Transactional emails US: standard contractual clauses (SCC).
- PostHog: Product analytics (application) European Union.
- Google (API Gmail / Calendar): Reading the mailbox and calendar of the account the user connects themselves. Depending on the user's own account.
The up-to-date list is also available in the data processing agreement.
6. Hosting, location & transfers outside the EU
All data is hosted in the European Union: Neon databases (Frankfurt region), Vercel application (EU regions), Mistral AI models (France).
Some providers (Vercel, Neon, Stripe, Resend) are US-based companies. Any transfer or possible access is covered by the European Commission's standard contractual clauses (SCC), in accordance with article 46 of the GDPR.
7. AI usage & automated decisions
Your data is never used to train AI models. This is contractual with our provider Mistral (no retention, no retraining on customer data).
Naskel uses AI to categorize emails and suggest priorities. No decision producing legal effects, or significantly affecting you, is taken solely on the basis of automated processing (art. 22 GDPR). You stay in control of every action.
8. Retention period
Your data is kept for the entire duration of the contract, then 30 days after suspension (grace period). The audit log is kept for 365 days. Beyond that, permanent deletion, except for legal obligations (accounting retention).
9. Your rights
In accordance with the GDPR, you have the right of access, rectification, erasure, portability, objection and restriction. You can export all of your data from the application settings at any time. For any other request: contact@naskel.io.
10. Security
TLS 1.3 in transit, AES-256 at rest. Encrypted secrets. Multi-factor authentication available. Daily encrypted backups.
11. Cookies
The naskel.io marketing website uses no analytics cookies: the analytics tool (Plausible, hosted in the EU) sets no cookie.
The application app.naskel.io distinguishes three categories of cookies (art. 82 of the French Data Protection Act):
- Necessary: technical authentication cookie, essential to the operation of the service. Exempt from consent.
- Analytics: product analytics via PostHog (hosted in the EU). If they set cookies that are not strictly necessary, they are subject to your consent.
- Marketing: none set to date; where applicable, subject to your prior consent.
A consent banner in the application lets you accept or refuse the non-essential categories.
12. Complaint
If you disagree, you can lodge a complaint with the CNIL, the French data protection authority: cnil.fr.