Privacy Policy
Last updated: February 2026
Data Controller
Meridiane (Entrepreneur Individuel — EI) is the data controller for personal data processed through this service.
Contact: contact@meridiane.fr
Data We Collect
We collect the following categories of personal data:
| Category | Data |
|---|---|
| Identification | Full name, email, date of birth, nationality |
| Profile | Visa type, arrival date, study programme, university, city, financial situation |
| Documents | Administrative documents uploaded (passport, visa, enrolment certificate, etc.) |
| AI Interactions | Questions asked and answers received through the AI chat |
| Payment | Billing information processed by Stripe (card details not stored) |
| Navigation | IP address, browser type, pages visited, timestamps |
We do not intentionally collect sensitive data. If documents contain such data, it is processed solely to provide the requested service.
Legal Basis
- Contract performance: processing necessary to provide the service (account, AI, procedures)
- Consent: analytics cookies and non-essential tracking
- Legitimate interest: fraud prevention, service security, service improvement
- Legal obligation: retention of billing records as required by French law
Data Retention
| Data type | Duration |
|---|---|
| Account data | Duration of account + 3 years |
| Uploaded documents | Duration of account + 30 days |
| AI chat history | Rolling 12 months |
| Billing records | 10 years (French law) |
| Security logs | 12 months |
| Cookies | 13 months max |
Sub-Processors
We use the following sub-processors. Transfers to the USA are governed by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.
| Provider | Role | Guarantee |
|---|---|---|
| Supabase | Database & authentication | EU hosting (Dublin), SOC 2 Type II |
| Mistral AI | AI processing (chat & document analysis) | French company, EU data processing |
| Stripe | Payment processing | PCI-DSS Level 1, EU-US DPF |
| Vercel | Website hosting | SOC 2 Type II, EU-US DPF |
AI Data Processing
Your questions and conversation history are processed by Mistral AI to generate relevant responses. Your data is NOT used to train AI models.
Documents uploaded for verification are analysed by Mistral AI's vision model to extract administrative information.
No automated decision-making with legal or similarly significant effects is applied (Article 22 GDPR). All AI outputs are informational.
Your Rights
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of all personal data we hold about you
- Right of rectification: correct inaccurate or incomplete data
- Right of erasure: request deletion of your data
- Right of portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interest
- Right to withdraw consent for analytics cookies at any time
- Post-mortem rights: provide instructions regarding your data after your death
To exercise any of these rights, contact us at contact@meridiane.fr
You may also lodge a complaint with the CNIL: cnil.fr/fr/plaintes
Security
We implement the following security measures:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- JWT-based authentication with short-lived tokens
- Row-level security (RLS) — users can only access their own data
- Passwords hashed with bcrypt — never stored in plain text
Minors
The service is not intended for persons under 15. Contact contact@meridiane.fr if you believe we have collected data from a minor.