This is an English translation provided for convenience. The French version available at /privacy.html is the legally binding reference under French law and GDPR.
This policy describes how IILMIQ Labs ("we") collects, uses and protects your personal data when you visit iilmiqlabs.com or interact with our services. It is written in compliance with the General Data Protection Regulation (GDPR, EU 2016/679) and the French Data Protection Act.
1. Data controller
The controller of your personal data is:
Ilham Echemmakh — IILMIQ Labs
Micro-entreprise — SIRET: 104 768 890 00014
35520 Melesse, France
Email: [email protected]
Phone: +33 6 61 38 90 22
2. Data we collect
2.1 Data you actively provide
- Contact form: last name, first name, email, project type, message
- Newsletter signup: email address only
- IRIS chatbot: content of the messages you exchange with our AI assistant
2.2 Data collected automatically (with your consent)
- Anonymized browsing statistics: pages visited, visit duration, traffic source, device type, country (via Cloudflare header), browser language
- Anonymous session ID: a random identifier stored in your browser's localStorage (rotated every 24h), allowing us to reconstruct your journey without identifying you
- IP address: used only in hashed form (SHA-256 with a daily-rotating salt) to generate aggregate statistics — the raw IP is never stored
2.3 Data collected automatically (no consent required)
- Cloudflare Web Analytics: aggregate statistics with no cookie or individual identifier
3. Purposes and legal bases
| Purpose | Legal basis | Retention |
|---|---|---|
| Reply to your contact request | Pre-contractual measure / legitimate interest | 3 years after last contact |
| Send the monthly newsletter | Consent (opt-in) | Until unsubscribe |
| Audience measurement (Clarity, internal tracking) | Consent | 13 months (CNIL guidance) |
| Chatbot conversations | Legitimate interest (service improvement) | 12 months |
| Global Cloudflare stats | Legitimate interest (CNIL-exempted) | 6 months |
4. Data recipients
Your data is never sold or shared for commercial purposes. It may be processed by the following sub-processors, all bound by Data Processing Agreements (DPA):
- Hostinger International Ltd. (Lithuania, EU) — server hosting
- Cloudflare Inc. (USA, DPF-certified) — CDN, security, anonymized analytics, email routing
- Microsoft Corporation (USA, DPF-certified) — Clarity (audience measurement)
- Anthropic PBC (USA) — Claude AI model used by the IRIS chatbot
- Brevo (Sendinblue SAS) (France, EU) — email routing and future newsletter
- Cal.com Inc. (USA) — appointment booking (if you click the link)
Transfers outside the EU are governed by the European Commission's Standard Contractual Clauses or appropriate certifications (Data Privacy Framework, etc.).
5. Your rights
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of the data we hold about you
- Right to rectification: correct any inaccurate data
- Right to erasure ("right to be forgotten"): have your data deleted
- Right to object: object to processing based on legitimate interest
- Right to portability: receive your data in a structured format
- Right to withdraw your consent at any time (without retroactive effect)
To exercise these rights, email us at [email protected]. We reply within 30 days at the latest.
In case of an unresolved dispute, you can file a complaint with the CNIL (the French Data Protection Authority).
6. Cookies and trackers
Our site uses a limited number of local storage technologies:
6.1 Strictly necessary (no consent required)
- localStorage – IRIS chatbot: anonymous session ID for conversation memory. Rotated based on your activity.
- localStorage – cookie consent: stores your choice to accept or reject analytics trackers.
6.2 Subject to consent (audience measurement)
- Microsoft Clarity: first-party cookies that anonymously record your journey (heatmaps, replays). Input fields are automatically masked.
- IILMIQ Labs internal tracking: in-house pixel that records visited pages in our database, with no personal identification.
You can change your choice at any time by clicking at the bottom of this page.
7. Security
We implement appropriate technical and organizational measures to protect your data:
- Encrypted HTTPS connection (TLS 1.3) across the entire site
- Database isolated in a Docker container, accessible only locally
- Administrator passwords hashed with bcrypt
- Automatic security updates for the OS and dependencies
- Regular database backups
8. Changes
This policy may be updated to reflect technical or regulatory changes. The last-updated date is displayed at the top of this page. In the event of a substantial change, we will inform affected users.
9. Contact
For any question regarding this policy or the protection of your data:
Email: [email protected]
Mail: Ilham Echemmakh — IILMIQ Labs, 35520 Melesse, France