Privacy policy
Last updated: June 2026
1. Data controller
Suleiman Mulla, sole proprietor (SIRET: 985 226 299 00040), publisher of the Phano platform (hereinafter "Phano", "we"), is the controller of the personal data collected through the platform (hereinafter "the Service").
Contact: privacy@phano.ai
2. Data we collect
We collect the following categories of data:
- Identification data: first name, last name, professional email address
- Connection data: IP address, user-agent, login timestamps
- Usage data: interactions with the Service, analyzed accounts, generated diagnostics
- Calendar data: events from connected calendars (Google Calendar, Microsoft Outlook), metadata only (title, date, attendees)
- CRM data: account and contact information synced from your CRM (HubSpot, Salesforce) with your explicit consent
- Email data: metadata of synced emails (sender, recipient, subject, date) from Gmail or Outlook, with your explicit consent
3. Purposes of processing
- Providing the Service: customer account analysis, signal detection, diagnostic generation and delivery
- Improving the Service: aggregated and anonymized usage analytics
- Security: fraud detection, audit logs, rate limiting
- Communication: transactional emails (confirmations, notifications, alerts)
4. Legal basis
- Performance of the contract (Art. 6.1.b GDPR): processing necessary to provide the Service
- Consent (Art. 6.1.a GDPR): connecting third-party calendars, email and CRM
- Legitimate interest (Art. 6.1.f GDPR): security, fraud prevention
5. Processing by artificial intelligence
The Service uses third-party artificial intelligence providers to analyze data and generate contextual content. The following safeguards apply:
- Identifying data (names, emails, phone numbers) is anonymized automatically before anything is sent to an AI provider.
- Data is sent on a per-request basis and is never used to train models.
- The AI providers we use are SOC 2 Type II compliant and offer contractual guarantees of data non-retention.
6. Use of Google data
The Service accesses the following Google APIs with your explicit consent:
- Google Calendar API (read-only): to import your customer meetings and generate contextual briefs before each appointment
- Gmail API (read and send): to sync your customer emails and allow sending emails from the Service
- Google UserInfo: to identify your sign-in email address
Use: Google data is used exclusively to provide the Service features described above. It is never used for advertising or profiling purposes, nor sold to third parties.
Sharing: Google data is not shared with any third party, except for the subprocessors listed in section 8, strictly for the purpose of providing the Service.
Retention: when a calendar integration is disconnected, future meetings are automatically deleted. Past meetings and their associated data (briefs, summaries, notes) are kept as CRM business data. All calendar data is permanently deleted when your account is deleted. Email data is deleted as soon as the corresponding integration is disconnected.
Revocation: you can revoke Phano's access to your Google data at any time from the Settings > Integrations page of the Service, or from myaccount.google.com/permissions.
The use of data received through Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
7. Retention periods
- Account data: duration of the contractual relationship + 3 years
- Audit logs: 12 months (purged automatically)
- Calendar data: future meetings deleted on disconnection; past meetings kept as business data (deleted when the account is closed)
- CRM/email data: deleted when the integration is disconnected
- LLM cache: 30 days (configurable TTL)
8. Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloud host | Database, authentication | EU (Ireland) |
| Application host | Hosting and CDN | EU |
| AI providers (SOC 2 Type II) | Analysis and content generation | US (DPA signed) |
| Stripe | Payments | US (SCC) |
| Transactional email provider | Notification emails | US (SCC) |
| OAuth manager | Secure connections to third-party services | EU |
9. Your rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): get a copy of your data
- Right to rectification (Art. 16): correct your data
- Right to erasure (Art. 17): delete your account and all associated data
- Right to portability (Art. 20): export your data in JSON format
- Right to object (Art. 21): object to processing based on legitimate interest
These rights can be exercised directly from your profile (Settings > GDPR) or by email at privacy@phano.ai. Response time: 30 days.
10. Security
- Encryption in transit (TLS 1.3) and at rest (AES-256), third-party tokens encrypted server-side
- Strict data isolation per organization (Row Level Security)
- Connections through an OAuth manager, no stored passwords, mostly read-only
- Audit logs for every sensitive operation (12 months)
- Multi-factor authentication (MFA) available
- Technical cookies only, no advertising cookies or third-party trackers
11. Cookies
The Service only uses technical cookies:
- Supabase session: authentication (strictly necessary)
- OAuth state: CSRF protection during third-party connections (temporary)
- Language preference: next-intl cookie
No advertising or third-party tracking cookies are used.
12. Contact and complaints
For any question about the protection of your data: privacy@phano.ai
If a dispute remains unresolved, you can contact the French supervisory authority, the CNIL (Commission Nationale de l'Informatique et des Libertés):
www.cnil.fr/fr/plaintes