INSTRIA SAS ("Instria", "we", "us") builds AI-powered software and data services available at instria.fr (the "Services"). This policy explains how we collect, use, share, and protect personal data when you browse our site, create an Instria account, or use our platform.
INSTRIA SAS is a French simplified joint-stock company with a share capital of €1,000, registered in France (RCS Paris 103 288 718), VAT number FR54103288718, with its registered office at 60 Rue François 1er, 75008 Paris, France. Unless stated otherwise, Instria acts as the data controller for personal data that we collect through the Services. When we process customer content on behalf of your organisation, we act as your data processor and only use that data according to your documented instructions and our Data Processing Agreement (DPA).
You can reach our privacy team at contact@instria.fr. EU residents may also contact the French Data Protection Authority (CNIL) or your local authority if you believe your rights were infringed.
Account and contact details. We collect your name, work email address, company name, job title, phone number, and password (hashed) when you register or are invited to an Instria account. Account owners may also provide seat assignments, usage policies, and access roles for their teammates.
Customer content and configuration. When you use our Services you may provide instructions, prospecting data, files, or other materials describing the tasks you want Instria to perform. These materials can include personal data relating to your employees, contractors, or end users. We treat this content as confidential customer data.
Billing and commercial information. If you purchase a paid plan, we collect billing contact information, purchase order references, VAT or tax identification numbers, and transaction records. Payment card details are processed directly by our payment providers and are not stored on Instria's systems.
Support and communications. We keep records of emails, chat conversations, form submissions, surveys, and other communications with you, including information you provide when you contact our support team or register for an event.
We automatically collect technical data about how the Services are accessed and used, including IP address, browser type, operating system, device identifiers, timestamps, feature usage metrics, error logs, and diagnostic information. We generate aggregate analytics from this data to understand feature performance and to secure the platform.
We use cookies, local storage, and similar technologies to operate the Services, remember your preferences, and analyse how visitors interact with our website. You can adjust your cookie preferences at any time through the cookie banner or within your browser settings.
Provide, secure, and maintain the Services, including creating and administering accounts, and providing customer support.
Authenticate users, prevent fraud or abuse, and enforce our Terms and other agreements.
Process transactions, send invoices, and collect payments.
Respond to inquiries, send operational communications, and inform you about product updates or events. You can opt out of marketing emails at any time.
Improve and develop the Services by analysing aggregated or de-identified usage patterns, running experiments, and developing new features.
Comply with legal obligations and respond to lawful requests from public authorities.
For individuals located in the European Economic Area (EEA), the United Kingdom, and Switzerland, we rely on one or more of the following legal bases: performance of a contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR) such as securing and improving the Services, compliance with legal obligations (Art. 6(1)(c) GDPR), or your consent where required (Art. 6(1)(a) GDPR).
We share personal data only with the following categories of recipients and only for the purposes described in this policy:
Service providers and sub-processors. We use carefully selected vendors to host infrastructure, store data, send communications, provide analytics, and run our AI pipeline. We ensure appropriate data processing agreements and safeguards are in place with each vendor.
Integration partners at your direction. When you connect Instria to third-party services, we share the outputs you request with those services.
Professional advisors. We may share data with lawyers, accountants, auditors, or insurers where necessary to obtain professional advice or manage risk.
Corporate transactions. Personal data may be transferred in connection with a merger, financing, acquisition, or dissolution of Instria, subject to appropriate safeguards.
Legal compliance. We may disclose data when we believe it is necessary to comply with applicable law, a court order, or lawful requests from authorities.
We never sell personal data and we do not use customer content for advertising.
We use both necessary and optional cookies:
Essential cookies keep you logged in, store your consent preferences, and support security features. These cookies cannot be disabled through the cookie banner.
Analytics cookies help us understand how visitors use the website so we can improve content and performance. We request your consent before enabling these cookies, and you can withdraw it at any time.
You can control cookies through your browser settings or by using the "Cookie preferences" link in the website footer.
We retain personal data for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
Account information: retained for the lifetime of the account and deleted within 30 days after termination, unless we must keep certain records for legal or accounting purposes (in France, invoicing records are retained for 10 years).
Support communications and incident reports: retained for up to three years for audit and compliance.
Security and usage logs: retained for up to 12 months to investigate incidents and monitor reliability.
Backups: encrypted backups may persist for up to 35 days before being overwritten as part of our disaster-recovery procedures.
When retention periods expire, we delete or irreversibly anonymise the data unless we are legally required to keep it longer.
We primarily host customer data in the European Union. Some of our service providers are located outside the EU, including in the United States. When we transfer personal data outside the EEA, UK, or Switzerland, we implement appropriate safeguards such as the European Commission's Standard Contractual Clauses, UK Addendum, or rely on adequacy decisions where available.
Depending on your location, you may have rights regarding your personal data, including the right to access, correct, update, delete, restrict, or object to our processing, as well as the right to data portability. You also have the right to withdraw consent at any time when we process data based on consent.
EU/EEA, UK, and Swiss residents can exercise these rights under the GDPR by contacting us at contact@instria.fr. We will respond within one month, or sooner where required. California residents can submit a request under the CCPA/CPRA to know, delete, or correct personal information. We will respond to verifiable requests within 45 days.
When Instria processes personal data on behalf of a customer, we may redirect your request to that customer so they can respond as the data controller.
The Services are designed for business users and are not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to Instria, please contact us so we can delete it.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Services before the changes take effect. The "Last updated" date at the top of this page indicates when the latest version became effective.
If you have any questions about this Privacy Policy or about Instria's privacy practices, please contact us at contact@instria.fr.