Privacy policy
Last updated: 2026-05-13
Data controller
The data controller for personal data collected on this site is {{LEGAL_ENTITY_NAME}}, registered office: {{LEGAL_ENTITY_ADDRESS}}.
Data Protection Officer (DPO): dpo@swarmforge.fr.
Our privacy stance
This site is designed to collect the minimum of personal data:
- No advertising cookies, no remarketing pixels, no sharing for commercial targeting purposes.
- No third-party service is loaded without your explicit consent, with the exception of strictly necessary cookies (CNIL exemption).
- Server logs (nginx) are anonymised at collection: the last octet of IP addresses is zeroed before writing to disk. Logs are kept for 30 days, then automatically erased.
Cookies and trackers
Strictly necessary cookies (no consent required)
In line with CNIL deliberation 2020-091, the following cookies are set without prior consent because they are strictly necessary to deliver the service:
| Cookie | Issuer | Purpose | Duration |
|---|---|---|---|
sw_consent | swarmforge.fr | Stores your cookie choice | 6 months |
sw_oauth_tx | accounts.swarmforge.fr | Google OAuth handshake | 10 minutes |
sw_sess | accounts.swarmforge.fr | Authenticated session (accounts subdomain) | 30 days |
Audience measurement — Google Analytics 4 (consent required)
With your explicit consent only, we use Google Analytics 4 (property
ID G-PX0965Q4RH) to measure site traffic in aggregate.
- Cookies set:
_ga(13 months) and_ga_PX0965Q4RH(13 months). - Data collected: IP address anonymised at collection by Google
(
anonymize_ip), pages viewed, session duration, device type, browser language, traffic source. - Purpose: aggregated statistical traffic measurement. No
advertising, no remarketing, no signal sharing with other Google
products is enabled (
ad_storage,ad_user_data,ad_personalizationare permanently denied via Consent Mode v2). - Legal basis: explicit consent (GDPR art. 6.1.a), collected via the cookie banner on first visit. The Google Analytics script is not loaded until you accept.
- Retention on Google’s side: 14 months (GA4 minimum setting), then automatic deletion.
- Sub-processor: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Transfers to the United States (Google LLC) may occur under the EU-US Data Privacy Framework, reinstated by European Commission adequacy decision of 10 July 2023.
- Withdraw consent: at any time, via the “Cookies” link in the site footer. Withdrawal applies immediately and deletes the analytics cookies on the next navigation.
No consent, no analytics load
Until you have given your consent, no analytics cookie is set and
no request is sent to Google’s servers. The gtag.js script is
simply not loaded in your browser.
Demo-request form
The form published on app.swarmforge.fr allows you to request a platform demo. Submitting the form involves collecting the following data:
- Data collected: name, work email address, firm or company (optional), role (optional), free-text message (optional).
- Purpose: to organise and conduct the requested demo; if you have explicitly accepted, to send you product communications (news, invitations).
- Legal bases:
- pre-contractual measure (organising the demo);
- explicit consent (tick-box, GDPR art. 6.1.a) for marketing communications.
- Recipients: SwarmForge staff handling your enquiry.
- Retention:
- active lead (before demo + 12 months): kept on our infrastructure;
- no follow-up: 3 years after last contact;
- marketing consent withdrawal: applied immediately;
- erasure on request: within 30 days.
Consent ledger
Each consent (T&Cs + marketing) is timestamped, versioned and stored in an immutable append-only ledger. A withdrawal appears as a new entry, never as a modification of an earlier entry. You can request an export of your consent history at any time.
Visitor account (Google OAuth)
You can create a visitor account on accounts.swarmforge.fr by signing in with Google. This account lets you track the status of your demo request, manage your GDPR consents, and self-delete your data at any time.
- Data collected at sign-in: opaque Google identifier (
sub), verified email address, name, profile picture URL, preferred language. We do not store your Google password or access tokens; the identity token (id_token) is verified then discarded. - Purpose: tracking your demo request, managing your communication preferences, exercising your GDPR rights.
- Legal basis: explicit consent (GDPR art. 6.1.a) at the first Google sign-in.
- Strictly-necessary cookies:
sw_oauth_tx(10 minutes, duration of the OAuth round-trip) andsw_sess(30 days, authenticated session). No cookie banner is required for these two cookies (CNIL guidance for strictly-necessary cookies). - Retention: as long as your account exists. You can delete it at
any time from
accounts.swarmforge.fr/en/me/. Deletion erases your demo requests, linked consents, and your session. A cryptographic trace (SHA-256 hash of your email and your Googlesub) is kept as proof of erasure for GDPR audit purposes.
Unsubscribing
Every marketing message contains a one-click unsubscribe link. You can also:
- click the native Unsubscribe button in your mail client (Gmail, Outlook, Apple Mail) — we implement RFC 8058;
- write to dpo@swarmforge.fr with subject “unsubscribe”.
Sub-processors
The following sub-processors may process your personal data, strictly within the scope of their assignment:
| Sub-processor | Purpose | Data location | DPA |
|---|---|---|---|
| Google Ireland Limited (Google Workspace) | Receiving and sending email from contact@swarmforge.fr and dpo@swarmforge.fr | EU | Workspace DPA |
| Google Ireland Limited (Google Identity Services) | Verifying identity during the Google OAuth handshake — only at sign-in | EU / international | Google API Services User Data Policy |
| Google Ireland Limited (Google Analytics 4) | Aggregated audience measurement for swarmforge.fr — only after explicit consent | EU, with possible transfers to the United States under the Data Privacy Framework | Google Ads Data Processing Terms |
No other sub-processor is used. The website and platform servers are hosted in France (Côte d’Azur) on dedicated infrastructure controlled by SwarmForge.
Your GDPR rights
Under the EU General Data Protection Regulation (2016/679), you have:
- right of access, rectification, and erasure;
- right to restrict and object to processing;
- right to data portability;
- right to define post-mortem directives;
- right not to be subject to automated decision-making;
- right to withdraw your consent at any time.
To exercise these rights, write to dpo@swarmforge.fr. You will receive a response within one month.
Recourse
If after contacting us you consider your rights are not respected, you may lodge a complaint with the CNIL (French data protection authority): 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr.