Privacy Policy

Last updated: 24 April 2026

About this Policy

This Privacy Policy describes how The Augmented Maison ("we", "us") collects, uses, and protects personal data in connection with the AUGMA website (www.augma-ai.com) and the AUGMA AI Brand Monitor application (app.augma-ai.com). It is drafted in accordance with Regulation (EU) 2016/679 ("GDPR") and the French Data Protection Act ("Loi Informatique et Libertés", as amended). By using our services you confirm you have read and understood this Policy.

Our Role: Controller and Processor

The Augmented Maison acts in two distinct roles depending on the data category:

Data Controller

For the data you provide directly when using the marketing site, signing up for AUGMA, managing your subscription, or contacting us (identification data, account data, billing data, support correspondence, site usage analytics).

Data Processor

For the monitoring data processed on behalf of our Maison clients (prompt banks, AI model responses, sentiment scores, citation sources, Brand Truth Profile content). This data belongs to the client, who remains the Data Controller. Processing is governed by the Data Processing Agreement (DPA) signed with each client.

Data Controller Identification

The Augmented Maison — SASU, RCS Paris 102 880 119 — 47 rue Vivienne, 75002 Paris, France. Contact for any privacy request: contact@theaugmentedmaison.com.

No Data Protection Officer (DPO) has been appointed, as we are not subject to the mandatory designation obligation under article 37 GDPR. Nonetheless, a dedicated privacy inbox is maintained and monitored.

Categories of Personal Data We Process

Depending on how you interact with our services, we may process the following categories of personal data:

  • Identification data: first and last name, professional email, company / Maison name, job title.
  • Account data: password (hashed, bcrypt), authentication tokens, session cookies, OTP verification hashes.
  • Billing data: billing email, VAT number, Stripe customer ID, subscription status — raw card details are handled by Stripe and never touch our servers.
  • Usage data: pages visited, features used, monitoring runs triggered, dashboard interactions, IP address (short-term server logs only).
  • Support data: messages sent via the contact form, feedback submissions, customer-support email exchanges.
  • Brand data (as Processor for clients): brand description, prompt banks, competitor names, territorial configuration, Brand Truth Profile assertions, AI model responses stored by the monitoring pipeline.

Lawful Bases and Purposes of Processing

We only process personal data when we have a valid lawful basis under article 6 GDPR. The table below summarises the main processing activities:

Purpose | Lawful basis | Retention period
Create and manage your AUGMA account | Performance of a contract (art. 6.1.b) | Duration of the contract + 3 years (commercial prescription)
Send transactional emails (OTP, magic link, welcome, payment confirmation, 3-D Secure) | Performance of a contract (art. 6.1.b) | Until the service is no longer needed; email logs purged after 12 months
Process subscription payments and issue invoices | Legal obligation — tax and accounting (art. 6.1.c) | 10 years (article L.123-22 Code de commerce)
Run the monitoring pipeline on behalf of clients | Performance of a contract — DPA (art. 6.1.b + art. 28) | Duration of the contract; historical runs deleted on request
Reply to contact-form or support enquiries | Legitimate interest — commercial communication (art. 6.1.f) | 3 years from last contact
Measure website usage and improve UX | Legitimate interest — service improvement (art. 6.1.f) | 13 months maximum (CNIL recommendation)
Send commercial prospection emails | Consent (art. 6.1.a) — soft opt-in for existing B2B clients | 3 years from last interaction, or until withdrawal
Comply with legal requests and defend our rights | Legal obligation or legitimate interest (art. 6.1.c / f) | Duration of the legal requirement or proceeding

Recipients and Sub-processors

Personal data is accessed only by authorised employees of The Augmented Maison on a need-to-know basis. We also rely on the following categories of sub-processors to operate our services:

  • Cloud and application hosting — web front-end and serverless functions.
  • Managed database — relational storage for the product (regions configured in the European Union where available).
  • AI model providers — large-language-model inference for the monitoring pipeline (only aggregated prompts, no personal data beyond what is strictly necessary).
  • Search and SERP enrichment — Google AI Overviews monitoring.
  • Payment processor — subscription management and 3-D Secure authentication.
  • Transactional email provider — delivery of OTP, magic links, welcome, billing, and support emails.
  • PDF generation microservice — audit report delivery.

A detailed, up-to-date list of sub-processors is available on request at contact@theaugmentedmaison.com. We require every sub-processor to offer sufficient guarantees under article 28 GDPR and to be bound by a written data-processing agreement.

International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), notably in the United States. Each transfer is secured by at least one of the following GDPR-compliant mechanisms: (i) an adequacy decision issued by the European Commission — including the EU-US Data Privacy Framework (DPF) for certified US recipients; (ii) Standard Contractual Clauses (SCCs) adopted by the Commission in 2021; (iii) binding corporate rules where applicable. You can obtain a copy of the safeguards applicable to a specific transfer by contacting us at contact@theaugmentedmaison.com.

Security Measures

We apply technical and organisational measures appropriate to the risk, including: TLS 1.2+ encryption in transit, AES-256 encryption at rest for hosted databases, salted-and-hashed password storage (bcrypt, work factor 12), HMAC-signed OTP tokens, row-level security on the database, least-privilege access controls, multi-factor authentication for administrators, immutable audit logs for sensitive operations, and regular backups. Security incidents are logged, investigated, and — where required by articles 33-34 GDPR — notified to the CNIL within 72 hours and to affected data subjects without undue delay.

Your Rights

Subject to the conditions set out in articles 15 to 22 GDPR, you have the following rights regarding your personal data:

  • Right of access — obtain a copy of the data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — delete data, subject to our legal retention obligations.
  • Right to restriction of processing — suspend certain processing activities.
  • Right to data portability — receive your data in a machine-readable format.
  • Right to object — oppose processing based on legitimate interest, including profiling.
  • Right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
  • Right to define directives concerning the fate of your data after death (article 85 of the French Data Protection Act).

To exercise any of these rights, please write to contact@theaugmentedmaison.com. We will respond within one month. Proof of identity may be requested if there is reasonable doubt as to the identity of the requester.

If you consider that the processing of your personal data breaches the GDPR, you have the right to lodge a complaint with the French supervisory authority (CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr) or with the supervisory authority of your country of residence.

Automated Decision-making

We do not take decisions producing legal or similarly significant effects on you based solely on automated processing within the meaning of article 22 GDPR. Our monitoring pipeline queries third-party AI models and aggregates results for informational and strategic purposes only; no automated decision is made about individuals.

Children

AUGMA is a business-to-business service aimed at professionals. It is not directed at individuals under the age of 16, and we do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it.

Cookies

Our website uses only cookies strictly necessary for authentication, security, and session management (no advertising, no third-party tracking). Detailed information — including cookie names, purposes, and retention periods — is available in our Cookie Policy.

Data Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the CNIL without undue delay and, where feasible, no later than 72 hours after becoming aware of it, in accordance with article 33 GDPR. Where the breach is likely to result in a high risk, affected individuals will also be informed directly pursuant to article 34 GDPR.

Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. The version in force is the one published on this page, with the "Last updated" date at the top. We encourage you to review this page periodically.

Contact

For any question regarding this Privacy Policy or the processing of your personal data, please contact us at contact@theaugmentedmaison.com — postal address: The Augmented Maison, 47 rue Vivienne, 75002 Paris, France.