Privacy Policy
Last updated: May 13, 2026
This policy describes how StatHall (“the Service”) collects, processes and protects your personal data, in compliance with the General Data Protection Regulation (GDPR, EU 2016/679).
1. Data controller
Sébastien Soulier, individual entrepreneur — 12 Rue Georges Brassens, 32600 Lias (France) — SIRET: 10483848700015 — contact: contact@stathall.com. No Data Protection Officer (DPO) is designated at this stage, as the publisher handles rights-related requests directly.
2. Data collected
2.1 Account data
- Email: login identifier, recipient of transactional emails and — if you consent — operational notifications.
- Password: stored only as a bcrypt hash (cost 12).
- Consents: dates and values of acceptance for the Terms, Privacy Policy and marketing opt-in.
- TOTP secret (if 2FA enabled): stored Fernet-encrypted.
- 2FA recovery codes: stored only as bcrypt hashes.
- Email subscriptions (since v1.0.0-alpha.17): your operational notification settings (anomaly alerts, weekly AI digest), including frequency, send day and optional per-app overrides. Disabled by default.
- Approval status (since v1.0.0-alpha.19): for accounts created via public signup, the pending or approved status, along with — where applicable — the administrator id who decided, the decision date and the rejection reason. This history is deleted with the account.
- Signup motivation message (since v1.0.0-alpha.19): the free text you can attach to your account request ("Why this account?") is visible only to super-administrators. Deleted with the account.
2.2 Usage data
- Audit log: every sensitive action (login, password change, export, deletion, credential addition, manual sync, signup approval decision) is logged with timestamp, IP address, user-agent and actor id. Retention: 1 year for standard entries, 3 years for entries related to account export and deletion as well as signup approval decisions (GDPR evidence requirement + anti-fraud).
- Outbound email log (email_log): every attempt to send an opt-in notification (anomaly alert, AI digest) or transactional message (invitation, approval decision) is logged with subject, status (sent / failed / deduplicated / unsubscribed) and timestamp. Retention: 1 year. Included in your data export (article 20). A user can never read another account’s outbound emails (Row-Level Security).
- Push notifications log (push_log): every push notification attempt (anomaly alert, admin diagnostic test) is logged with server-rendered title, status (sent / failed / deduplicated / unsubscribed) and timestamp. Retention: 1 year. Included in your data export. When a StatHall administrator sends a diagnostic push to your device (typical case: you reported not receiving your notifications), you systematically receive a transactional transparency email informing you of the action, the administrator’s name, the targeted device name and the timestamp. These tests are recorded in the audit log (1-year retention).
- Invitations (since v1.0.0-alpha.19): when you invite a user on an app, a row is created containing their email address, the proposed role, your inviter id, a bcrypt hash of the invitation token (the plain token is never stored), emission and expiry dates, and the invitation status (pending / accepted / revoked / expired). These rows are kept for audit and replay prevention. The bcrypt hash makes reconstruction of the token from the database technically impossible.
- Preferences: theme, language, currency, default app.
2.3 Ingested business data
Data from your third-party accounts (store reviews, Sentry/Firebase crashes, ASC/Play metrics, versions, editor notes) is stored in the database to render the dashboard. This data may contain personal data of third parties (e.g. review author handle) which you are responsible for as a controller for your own applications.
Access to business data — minimization principle: since v1.0.0-rc.27, a platform super-administrator does not have access to this business data for an app they are not a member of. They only see the technical metadata needed for support (name, configured connectors, sync status). To access business data temporarily in a support context, they must grant themselves a tracked temporary access (see section 2.5), which you are notified of immediately by email, or be explicitly added as owner, co-owner or viewer by a member of your team. This restriction is enforced both at the application level and at the database level (Postgres Row-Level Security).
2.4 App ownership transfers
At your initiative (from the Team tab of an app), you can transfer principal ownership of an app to an existing co-owner or to a super-administrator. The event is logged in the audit trail (actor, recipient, timestamp) and both parties receive a confirmation email. You keep a co-owner access after the transfer.
A super-administrator can, in exceptional and traced cases (death, dismissal, unreachable owner), force a transfer from the admin console at the request of a legitimate third party (heir, HR, support). This operation requires a written reason kept in audit and triggers an immediate email to the previous owner with a contest channel.
Supporting document attached to a forced transfer: the super-administrator can attach a supporting file (PDF, PNG or JPEG, max 5 MB) provided by the third party who initiated the request — for example a death certificate, a termination attestation, a power of attorney. This file:
- is optional but strongly recommended to materialize the proof of the request
- may contain personal data of third parties (civil status, signatures, requester identity); you are responsible as the sender for the legitimacy of ingesting that data into StatHall (cf. Terms section 5)
- is kept encrypted at rest in a dedicated table linked to the audit log, with a SHA-256 integrity hash recorded in the journal
- has a legal basis of legitimate interest (proof of operation, anti-fraud) and a retention of 3 years aligned with other sensitive events
- is accessible to super-administrators (audit); the previous owner can obtain a copy on request to contact@stathall.com (official contestation channel).
2.5 Super-administrator temporary access (“break-glass”)
A super-administrator can grant themselves a temporary access (1 to 72 hours) to an app they are not a member of for technical support purposes. Each temporary access:
- requires a written reason (20-character minimum), shared with you via email
- triggers an immediate email to the app owner at grant time
- is recorded in the audit trail (creation, revocation, expiration) with a 30-day retention after expiration
- can be revoked by the owner in one click from the app page
- expires automatically at the deadline, with a confirmation email to the owner.
This mechanism replaces the unlimited permanent access of super-administrators that existed in versions prior to v1.0.0-rc.27.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Service provision (account, dashboard) | Performance of contract (Terms) |
| Transactional emails (verification, password reset, invitation, approval decision) | Performance of contract |
| Product emails (announcements, news) | Consent — global opt-in controlled from My account → Privacy, revocable at any time |
| Per-app operational notifications (anomaly alerts, weekly AI digest) | Consent — fine-grained per-app opt-in controlled from My account → Email notifications, revocable at any time. Disabled by default. |
| Account request approval | Legitimate interest (abuse prevention, ramp-up load control during launch) |
| Multi-tenant invitation handling | Performance of contract (sharing app access between authorized users) |
| Security audit log | Legitimate interest (Service security) |
| Retention of consent and GDPR requests | Legal obligation |
The marketing opt-in (general product communications) and the operational notification opt-in (per-app alerts, AI digest) are independent: you may enable one without the other.
4. Recipients and processors
Your data is neither sold nor rented. The following technical processors may handle data on the publisher’s behalf:
| Processor | Role | Location |
|---|---|---|
| Hosting provider (TBD) | Application servers | European Union |
| SMTP provider | Transactional email delivery and opt-in notifications (anomaly alerts, weekly AI digest) | European Union |
| Cloudflare Turnstile | Anti-bot captcha (cookie-free) | United States (DPF-compliant) |
| Third-party APIs (Sentry, Apple App Store Connect, Google Play, Firebase Crashlytics) | Source of business data, opened by YOUR credentials | Provider-dependent |
| LLM provider (DeepSeek / OpenAI / Anthropic) | AI review summaries, explicit opt-in at app configuration | Provider-dependent |
Analytics: if the publisher enables its self-hosted Plausible instance, it runs without cookies and exports no personal data (no raw IPs stored, no fingerprinting). No cookie consent is required on that basis.
5. Retention periods
- User account: kept as long as the account is active. After a deletion request, a 30-day cancellation window then permanent erasure.
- Audit log: 1 year (3 years for export/deletion events).
- Outbound email log: 1 year.
- Ingested business data: kept as long as the associated app exists. Long history is necessary for trend and anomaly computation.
- Server technical logs: 30 days maximum.
6. Your rights
Pursuant to articles 15 to 22 of the GDPR, you have the following rights:
| Right | How to exercise |
|---|---|
| Access (art. 15) | GET /account/export from the UI or contact contact@stathall.com |
| Rectification (art. 16) | Edit from My account, or email request |
| Erasure (art. 17) | My account → Privacy → Delete my account (30-day cancellation then erasure) |
| Portability (art. 20) | Full JSON export via My account → Privacy → Export my data |
| Objection (art. 21) | Toggle off the marketing opt-in from My account → Privacy and/or the operational notifications from My account → Email notifications |
| Restriction (art. 18) | Email request; processing paused during review |
| Complaint | You may lodge a complaint with the CNIL at any time: www.cnil.fr |
Any request received is handled within 30 days maximum, extendable by 2 months for complex cases (with notification).
7. Cookies and similar technologies
StatHall uses a minimal number of cookies, all strictly necessary for the Service to operate. See the cookie policy for details.
8. Security
The publisher implements the following technical and organizational measures:
- End-to-end TLS 1.2+ encryption (HTTPS enforced at the reverse proxy)
- Fernet database-level encryption for every secret (third-party credentials, TOTP, user LLM keys)
- Passwords hashed with bcrypt cost 12, never stored in clear
- Postgres Row-Level Security for multi-tenant isolation (a tenant cannot read another’s data via direct SQL)
- Session cookies flagged HttpOnly; Secure; SameSite=Strict
- Rate limiting on sensitive endpoints (login, signup, reset)
- Timestamped audit log on every sensitive action.
Despite these measures, no system is risk-free. In the event of a data breach likely to result in a risk to your rights and freedoms, the publisher will notify the CNIL within 72 hours and notify you as soon as possible (GDPR art. 33-34).
9. Transfers outside the EU
Transfers outside the European Union are limited to the processors listed in section 4 and are systematically covered by Standard Contractual Clauses adopted by the European Commission or by adherence to the Data Privacy Framework.
10. Contact and complaints
For any question regarding your data: contact@stathall.com. Reply within 30 days.
You have the right to lodge a complaint with the CNIL: Commission Nationale de l’Informatique et des Libertés — 3 place de Fontenoy, 75007 Paris — www.cnil.fr.