Privacy Policy
Version 2.0 - March 2026
1. Data Controller
The data controller is:
SAFEE (SAS), trading as SAFEE CASES
SAS with share capital of EUR 6,084.93
2 Place Castellane, 13006 Marseille, France
Trade Register: Marseille B 918 825 449
Email: contact@safee.fr
2. Data Protection Contact
Safee has appointed a data protection contact reachable at: contact@safee.fr. This contact serves as the point of contact for any questions regarding personal data processing and for exercising data subject rights.
Given the nature of the data processed (real-time geolocation, audio/video data in a security context), Safee regularly evaluates the need to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR and complies with CNIL recommendations.
3. Data Collected and Purposes
3.1 Account data
| Data | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Name, surname, email, phone | Account management and Service provision | Performance of contract (Art. 6.1.b GDPR) | Duration of subscription + 3 years |
| Postal address | Device delivery, billing | Performance of contract | Duration of subscription + 3 years |
| Payment data (Stripe token) | Payment processing | Performance of contract | Duration of subscription (held by Stripe) |
| Profile photo (optional) | Account personalization | Consent (Art. 6.1.a GDPR) | Until consent withdrawal or account deletion |
3.2 Security and alert data
| Data | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Real-time geolocation | Alert location, journey tracking | Vital interests (Art. 6.1.d) / Contract | Alerts: 30 days. Journeys: 90 days |
| Live audio streams | Alert verification by monitoring center | Vital interests / Contract | 30 days after alert ends |
| Live video streams | Emergency broadcast, alert verification | Vital interests / Contract | 30 days after alert ends |
| Alert and event history | Traceability, service improvement | Legitimate interest (Art. 6.1.f) | 12 months |
4. Sub-processors and Data Recipients
Safee uses the following sub-processors for personal data processing. Each sub-processor is bound by a data processing agreement (DPA) in accordance with Article 28 of the GDPR.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting (servers, database, storage) | European Union (eu-west-1, eu-central-1) |
| AWS IVS | Live video streaming during alerts | Primarily EU. Some streams may transit via non-EU servers (see Section 5) |
| Stripe | Payment processing and subscription management | EU / United States (SCCs) |
| OneSignal | Push notification delivery | United States (SCCs) |
| RevenueCat | In-app subscription management (mobile) | United States (SCCs) |
| Monitoring provider | Security alert processing | France |
| Mailjet | Transactional email delivery | European Union |
| Twilio | SMS delivery (verification, alerts) | United States (SCCs) |
| PostHog | Product usage analytics | European Union |
| Apollo.io | B2B website visitor identification (marketing) | United States (SCCs) |
| Calendly | Meeting scheduling | United States (SCCs) |
5. Data Transfers Outside the European Union
Primary data hosting is on servers located in the European Union (AWS EU). However, certain sub-processors (Stripe, OneSignal, RevenueCat, Twilio, Apollo.io, Calendly) are established in the United States. For these transfers, Safee ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision 2021/914);
- Supplementary measures in accordance with EDPB recommendations (encryption, pseudonymization, transfer impact assessment);
- EU-US Data Privacy Framework where the sub-processor is certified.
Regarding AWS IVS (video streaming), while the primary configuration targets European entry points, the nature of live streaming may involve occasional data transit through non-EU servers for performance and availability. Safee works to minimize these transfers and ensures the above safeguards apply.
6. Data Protection Impact Assessment (DPIA)
Given the nature of the processing (real-time geolocation, audio/video streams in a security context, large-scale processing of sensitive data), Safee has conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR and CNIL guidelines.
This assessment identifies risks associated with the processing and the technical and organizational measures implemented to mitigate them, including: data encryption in transit and at rest, strict access controls, data minimization, limited retention periods, and staff training.
7. Data Security
Safee implements the following technical and organizational measures to protect personal data:
- Data encryption in transit (TLS 1.2+) and at rest (AES-256);
- Multi-factor authentication for administrator access;
- Role-based access control (RBAC);
- Access logging and monitoring;
- Regular backups and disaster recovery plan;
- Regular security testing and system updates;
- Staff training on data protection best practices.
8. Data Subject Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): obtain confirmation that your data is processed and receive a copy;
- Right to rectification (Art. 16): correct inaccurate or incomplete data;
- Right to erasure (Art. 17): request deletion of your data, subject to legal retention obligations;
- Right to restriction of processing (Art. 18): request limitation of processing in certain cases;
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format;
- Right to object (Art. 21): object to processing based on legitimate interest;
- Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise your rights, send your request to: contact@safee.fr, accompanied by a copy of an identity document. Safee will respond within one (1) month, extendable by two (2) months for complex requests.
If you have difficulty exercising your rights, you may file a complaint with the French data protection authority (CNIL): www.cnil.fr.
9. Cookies and Trackers
9.1 Types of cookies used
- Strictly necessary cookies: essential for website operation (authentication, security, language preferences). No consent required.
- Analytics and performance cookies: measure site audience and usage (PostHog). Subject to consent.
- Marketing cookies: used for B2B website visitor identification (Apollo.io). Subject to consent.
- Third-party cookies: placed by integrated third-party services (Stripe for payments). Subject to consent.
9.2 Cookie management
On your first visit, a consent banner allows you to accept, refuse, or customize your choices for each cookie category. You can change your preferences at any time via the "Cookie settings" link in the footer or by contacting us at contact@safee.fr.
Cookie consent validity is thirteen (13) months in accordance with CNIL recommendations.
10. Data Breach
In the event of a personal data breach within the meaning of Article 33 of the GDPR, Safee will notify the CNIL within 72 hours of becoming aware, if the breach is likely to result in a risk to the rights and freedoms of data subjects.
If the breach is likely to result in a high risk, Safee will also inform the affected individuals without undue delay, in accordance with Article 34 of the GDPR.
11. Record of Processing Activities
In accordance with Article 30 of the GDPR, Safee maintains a record of processing activities, regularly updated and available to the CNIL upon request. This record lists all personal data processing operations, their purposes, categories of data and data subjects, recipients, retention periods and security measures.
12. Contact
For any questions regarding this privacy policy or the processing of your personal data:
Email: contact@safee.fr
Post: SAFEE CASES - Data Protection, 2 Place Castellane, 13006 Marseille, France
Supervisory authority: CNIL - Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy - TSA 80715, 75334 PARIS CEDEX 07 (www.cnil.fr)
Last updated: March 2026