GDPR: Data protection

Last updated: June 2026

Our commitment

Phano is built with personal data protection as a founding principle (Privacy by Design). We comply with the General Data Protection Regulation (GDPR, Regulation EU 2016/679).

Your rights as a user

Right of access (Article 15)

You can review all of your personal data at any time from Settings > GDPR > Export my data. The export is generated in JSON format and sent to you by secure email.

Right to data portability (Article 20)

The JSON export includes all of your data in a structured, commonly used, machine-readable format: profile, tracked accounts, diagnostics, signals and activity history.

Right to erasure (Article 17)

You can request the complete deletion of your account and all associated data from Settings > GDPR > Delete my account.

Deletion is irreversible and covers:

  • Your profile and identification data
  • All generated diagnostics and content
  • Signals and account analyses
  • OAuth tokens and third-party connections
  • Audit logs concerning you
  • Activity data

A confirmation email is sent once the deletion is complete. Processing time: 72 hours maximum.

Right to rectification (Article 16)

You can update your personal information at any time from your profile.

Right to object (Article 21)

You can object to the processing of your data based on legitimate interest by contacting us at privacy@phano.ai.

Technical protection measures

PII anonymization before AI

Before any data is sent to artificial intelligence providers, an automated anonymization pipeline:

  • Detects and replaces personal names with anonymous tokens ([PERSON_1], [PERSON_2]...)
  • Masks email addresses ([EMAIL_REDACTED])
  • Masks phone numbers ([PHONE_REDACTED])
  • Original data never leaves our European servers

Encryption

  • In transit: TLS 1.3 on every connection
  • At rest: AES-256 across the entire database
  • OAuth tokens: calendar and CRM access tokens are stored encrypted and never exposed in plain text

Data isolation

  • Row Level Security (RLS): each organization can only access its own data, enforced at the database level
  • Server-side verification: every request checks organization membership on top of RLS

Audit and traceability

  • Every sensitive operation is recorded in audit logs
  • Logs include: action, user, IP, timestamp, outcome
  • Retention: 12 months, then automatic purge

Transfers outside the EU

Some subprocessors are based in the United States. Transfers are governed by:

  • Standard Contractual Clauses (SCC) from the European Commission
  • Data Processing Agreements (DPA) signed with each subprocessor
  • Additional technical measures (PII anonymization, encryption)

The full list of subprocessors is available in our privacy policy.

DPA for B2B customers

A Data Processing Agreement (DPA) is available on request for subscribed customers. Contact privacy@phano.ai to obtain a copy.

Contact: data protection

For any question about the protection of your personal data:

  • Email: privacy@phano.ai
  • Response time: 30 days maximum

If a complaint remains unresolved, you can contact the French supervisory authority, the CNIL.