Ontbo Privacy Policy

Effective date: 20 October 2025
Legal entity: Aphelior S.A.S (trading as “Ontbo”)
Address: 87 Rue Nationale, 59800 Lille, France
Contact (privacy & rights requests): contact@ontbo.com

Ontbo provides (i) a platform at my.ontbo.com (user account & data management) and api.ontbo.com (API keys, usage, and developer controls), and (ii) the Ontbo API that lets third-party apps send user data (e.g. chat history) to build a user profile that can be queried to personalize AI agent/chatbot responses.

This Policy explains how we handle personal data when we act as a controller (our sites, accounts, billing, communications, product analytics) and as a processor for our business customers using the Ontbo API to process their end-users' data. When we act as a processor, we process personal data on our customer's instructions and our Data Processing Addendum (DPA) applies (available on request at contact@ontbo.com).

1. Who we are & how to contact us

  • Controller: Aphelior S.A.S (Ontbo).
  • EU/UK presence: We are EU-based (France).
  • Data Protection Officer: Not appointed.
  • Privacy contact: contact@ontbo.com
  • Supervisory authority: You can lodge a complaint with the CNIL (France) or your local supervisory authority.

2. What we collect

Account & identity

  • Name (if provided)
  • Email (used as login)
  • Password hash
  • Organization name (if added)

Technical

  • IP address
  • Basic device / browser information
  • Authentication/session cookies needed to keep you logged in

Usage & content

  • Data you send to Ontbo or via the Ontbo API, including chat histories and other user-provided files/content, to build/query a user profile for personalization
  • Admin/config data (API keys, usage metrics shown in your dashboard)

Payments

  • Payments are processed by Stripe
  • Ontbo does not store full card numbers
  • Stripe may receive billing details and payment method data to process your payments

Connectors

If you actively connect a third-party connector (for example, integrations you choose to enable), we receive data from that service per your configuration and authorization. The current list of available connectors is displayed in your account and may change over time. You can disconnect at any time.

We do NOT collect

  • Government ID / KYC documents
  • Precise GPS location
  • Special category data unless you choose to submit it yourself in your content

3. How we collect it

  • Directly from you: forms, uploads, API calls from your apps
  • Automatically: essential cookies/session tokens, server logs, and security events
  • From third parties (optional): only when you connect a connector and authorize transfer

4. Why we use personal data & legal bases (EU/UK)

| Purpose | Examples | Legal basis |
|---|---|---|
| Service delivery | Account creation, authentication, operate my.ontbo.com & api.ontbo.com, provide Ontbo API | Contract necessity |
| Payments & billing | Process payments, prevent fraud | Contract necessity |
| Security | Detect/prevent abuse, ensure service integrity | Contract necessity / Legitimate interests |
| Product analytics & improvement | High-level metrics to understand feature usage and reliability | Legitimate interests |
| Personalization | Use your submitted data to tailor AI agent/chatbot outputs | Consent |
| Support & communications | Account notices, service messages | Contract necessity |
| Marketing (optional) | Ontbo news/offers via email | Consent (opt-in; unsubscribe anytime) |
| Legal/compliance | Tax, accounting, responding to lawful requests | Legal obligation |
| R&D (internal) | Anonymized/aggregated data to test and improve algorithms | Outside GDPR if truly anonymized; otherwise Legitimate interests (with opt-out, see Section 10) |

R&D note:

  • We do not train third-party models on your identifiable content.
  • We may use anonymized or aggregated data internally to test/improve algorithms.
  • If any dataset cannot be irreversibly anonymized, we rely on legitimate interests and provide an opt-out (see Section 10).

5. Cookies & similar technologies

We use essential cookies only to keep you signed in and secure your session.

| Cookie | Type | Purpose | Retention |
|---|---|---|---|
| ontbo_session | Essential | Maintain login session | Session |
| ontbo_remember (optional) | Essential | “Remember me” persistent login | 30 days |

  • No advertising, retargeting, or social pixels
  • No Consent Management Platform currently required as we use only essential cookies
  • We do not “sell” or “share” personal information for cross-context behavioral advertising

6. Sharing & disclosures

We share data with service providers acting on our behalf:

  • Infrastructure & AI hosting: AWS and Azure in EU regions
  • Payments: Stripe (payment processing and fraud prevention)
  • Email/communications/support: to be added when enabled
  • Legal & compliance: we may disclose data if required by law or to protect rights, safety, and the service

We do not sell personal data.
We do not share for targeted advertising.

7. International transfers

  • Primary storage and processing occur in the EU
  • Some processors (e.g. Stripe or global support providers if added later) may transfer data outside the EU
  • Where that occurs, we use EU Standard Contractual Clauses and applicable UK addenda or rely on another valid transfer mechanism, plus appropriate safeguards

8. Security

We implement administrative, technical, and organizational measures, including:

  • Encryption in transit (TLS)
  • Access controls and least-privilege access
  • Audit logging and environment segregation
  • At-rest encryption is planned; until then, access is restricted and monitored
  • Incident response processes; if your rights are at high risk, we will notify you and authorities where required

If you believe your account has been compromised, contact contact@ontbo.com immediately.

9. Retention

  • We retain account and user-submitted data while your account is active and delete it within 1 month after termination
  • Email addresses may be retained to enforce “free trial” limits and suppression of future marketing unless you request deletion where legally permitted
  • Backups and logs are pruned on a routine schedule; deletions propagate on a monthly cycle
  • We may retain minimal records to comply with legal obligations (e.g. tax, fraud prevention)

10. Your rights & choices

If you are in the EU/UK (and, where applicable, in other jurisdictions), you can:

  • Access, correct, or delete your personal data
  • Object to or restrict processing in certain cases
  • Request portability (a copy of your data in a common format). The self-service feature is planned; until then, you may request via email
  • Withdraw consent (e.g. marketing; personalization where consent applies)
  • Opt out of internal R&D using non-anonymized data by emailing contact@ontbo.com

How to exercise:
Email contact@ontbo.com from your account email.
We verify identity via your login email (and may ask for additional verification if needed).
You also have the right to complain to the CNIL or your local data protection authority.

Marketing:
Marketing emails are opt-in only. Each email includes a one-click unsubscribe.

11. Children

Ontbo is for a general audience and is not directed to children.
We do not knowingly collect data from individuals under 16.
If you believe a child has provided data, contact us to delete it.

12. Developer & enterprise customers (processor terms)

For customers sending end-user data to the Ontbo API:

  • We process such data as a processor, under your instructions, to provide the Service
  • You are responsible for providing appropriate privacy notices and obtaining any required consents from your end-users for the data you send to Ontbo
  • Our DPA (with SCCs where needed) is available on request at contact@ontbo.com

13. Third-party connectors

When you enable a connector (for example, integrations you choose to enable), the third party may process your data under its own terms. We only receive the data you authorize. The available connectors are listed in your account and may change over time. You can disconnect at any time in your account settings.

14. Automated decision-making & profiling

  • We do not perform solely automated decisions that produce legal or similarly significant effects
  • Personalization involves profiling based on the data you (or your app) submit
  • You can withdraw consent or object (where legitimate interests apply)

15. Region-specific information

  • EU/UK: This Policy provides information required by GDPR/UK GDPR, including purposes, legal bases, rights, and transfers
  • California (CPRA): We do not sell or share personal information for cross-context behavioral advertising. You may still request access or deletion via contact@ontbo.com
  • Other regions: We honor applicable local rights to the extent required by law

16. Changes to this Policy

We may update this Policy to reflect changes to our services or legal requirements. We will notify you by email and/or an in-product notice for material changes and indicate the effective date at the top. If required by law, we will seek your consent for significant changes that affect how we process your data.

17. How to reach us

Aphelior S.A.S — Ontbo
87 Rue Nationale, 59800 Lille, France
contact@ontbo.com

© 2025 Aphelior S.A.S — Ontbo. All rights reserved.