Privacy Policy

Last updated: May 6, 2026

Presengo ("we", "our", "us") is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, how we protect it and what rights you have under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

The data controller for your personal data is a French sole proprietorship (entreprise individuelle) operating under the trade name Presengo, registered under APE code 6201Z (computer programming) and headquartered in Cagnes-sur-Mer (06800), France. The full identity of the operator, SIRET number and registered address are available on the Legal Notice page, in accordance with Article 6-III of the French Law for Confidence in the Digital Economy (LCEN).

Given the nature and scale of the processing carried out, no Data Protection Officer (DPO) has been appointed. Any question, request or complaint regarding your personal data can be sent to presengo.support@gmail.com.

When you use Presengo to manage attendance within your organisation (school, club, association, company, etc.), you are the data controller for the personal data of your members (students, athletes, volunteers, employees, etc.) and Presengo acts as a data processor on your behalf within the meaning of Art. 28 of the GDPR. A Data Processing Agreement (DPA) compliant with Art. 28 is available upon request at presengo.support@gmail.com.

2. Data We Collect

Account Data

Email address and display name (only if you create an account -- accounts are optional for most features). Authentication is handled securely via Supabase Auth.

Usage Data

Groups, members, events, attendance records, custom statuses, custom fields, QR check-in sessions (tokens, timestamps, check-in status), signatures and any data you enter while using the service. This is the core content you create and manage in Presengo.

Technical Data

Device identifier (UUID), platform (iOS, Android or Web), app version, language preference and local storage data (analytics consent, notification preferences, QR check-in cache for rate limiting and session deduplication). This data is collected to ensure proper operation of the service and enforce licence restrictions.

Media Data

Member photos, group photos, attendance photos, signatures captured during check-in, custom field photos and imported files -- uploaded voluntarily by you. All media are compressed client-side before upload (maximum 1 MB) and stored in private, access-controlled storage buckets.

Notifications

The notifications and reminders you configure in the app are generated and displayed locally on your device via native operating system APIs (iOS, Android). No notification data is transmitted to any third-party push notification service (FCM, APNs, OneSignal, etc.). The content of your notifications never leaves your device.

3. How We Use Your Data

We process your personal data strictly for the following purposes:

Provide and operate the attendance management service (groups, members, events, roll calls, QR check-in, real-time synchronisation, statistics).
Manage your subscription and process payments via Apple In-App Purchase, Google Play Billing or Stripe (web).
Enable shared spaces for real-time collaboration with your colleagues: when a space is shared, invited users access the data in that space according to the permissions granted by the owner (read, edit).
Generate attendance statistics and exportable reports for your own use (Excel, CSV, PDF formats).
Schedule and display locally the notifications and reminders you have configured in the app.
Operate QR check-in sessions: generation of temporary tokens, processing of check-in requests (including optional signature and photo capture), and real-time synchronisation of attendance data across connected devices.
Send transactional emails essential to account operation (sign-up confirmation, password reset) via Supabase Auth. No marketing or commercial emails are sent.

4. Legal Basis for Processing (GDPR Art. 6)

We rely on the following legal bases for processing your data:

Performance of a Contract

Processing is necessary to provide the service you use -- creating groups, recording attendance, operating QR check-in sessions, synchronising data in real time across devices, managing your subscription and sending essential transactional emails (sign-up confirmation, password reset).

Consent

For optional features such as analytics cookies (Google Analytics 4 on the web version), photo uploads and permission to display local notifications. You can withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.

Legitimate Interest

To ensure the security of the service: logging of authentication attempts and QR check-in requests, rate limiting (3 attempts per 5 minutes on QR endpoints, rate limiting also applied to authentication), detection of abnormal or fraudulent usage patterns, and protection against unauthorised access. This processing is strictly limited to security purposes, the data processed is minimised (technical identifiers, timestamps, status codes), and security logs are automatically deleted after 90 days. A Legitimate Interest Assessment (LIA) has been carried out and concludes that this interest does not disproportionately override your fundamental rights and freedoms. You may object to this processing at any time (Art. 21 GDPR).

5. Data Storage and Security

Your data is hosted on Supabase infrastructure located within the European Union (Frankfurt region, Germany). We implement robust technical and organisational measures to protect your data:

Encryption at rest via AES-256 on all database records and stored files.
Encryption in transit via HTTPS/TLS for every request between your device and our servers.
Row-Level Security (RLS) enforced at the database level -- each user can only access their own data or data shared with them. QR check-in endpoints include rate limiting (3 attempts per 5 minutes) to prevent abuse.
UUID-based identifiers containing no personally identifiable information.
Private storage buckets for all uploaded media (photos, signatures, imports) -- no public access, no guessable URLs.
Secure authentication via Supabase Auth with password hashing (bcrypt) and short-lived JWT tokens.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (CNIL) within 72 hours in accordance with Art. 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly and without undue delay, in accordance with Art. 34 of the GDPR.

6. Data Sharing and Third Parties

We do not sell, rent or trade your personal data. We share data only with the following sub-processors, strictly for operational purposes:

Supabase -- Supabase Inc. (United States, actual hosting in the EU -- Frankfurt) -- Database hosting, authentication, file storage and sending of transactional emails (sign-up confirmation, password reset).
Apple -- Apple Inc. (United States) -- Processing of in-app purchases on iOS devices. Apple processes payment data in accordance with its own privacy policy.
Google -- Google LLC (United States) -- Google Play Billing on Android devices and optional analytics (Google Analytics 4, only with your explicit consent). Google processes data in accordance with its own privacy policy.
Stripe -- Stripe Inc. (United States) -- Payment processing for web subscriptions. Stripe processes payment data in accordance with its own privacy policy. Presengo does not store any credit card data.
RevenueCat -- RevenueCat Inc. (United States) -- In-app purchase management and subscription status verification on mobile devices (iOS and Android). RevenueCat processes transaction data in accordance with its own privacy policy.

We never sell your personal data to third parties. We never use your data for advertising, commercial profiling or artificial intelligence model training purposes.

Each sub-processor operates under its own privacy policy and data processing terms. For more details on their practices: Supabase (supabase.com/privacy), Stripe (stripe.com/privacy), Apple (apple.com/legal/privacy), Google (policies.google.com/privacy), RevenueCat (revenuecat.com/privacy).

7. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy:

Active account -- Your data is retained as long as your account is active and you continue to use the service.
Deleted account -- When you delete your account, all associated data (groups, members, events, attendance records, photos, signatures, custom fields) is permanently and irreversibly deleted from our servers within a maximum of 30 days.
Shared spaces -- Shared spaces automatically expire 30 days after the owner’s last login. Once expired, all associated shared data is permanently deleted.
Billing data -- Subscription information (plan type, billing period, transaction identifiers) is retained by the relevant payment provider (Stripe, Apple, Google, RevenueCat) in accordance with their own policies and applicable accounting obligations (up to 10 years under Art. L.123-22 of the French Commercial Code). Presengo only stores a reference to your subscription status and does not retain any credit card data.
Technical logs -- Security and access logs (authentication attempts, QR check-in requests, error logs) are retained for 90 days for security monitoring purposes, then automatically deleted.
Analytics data -- When you consent to Google Analytics 4 on the web version, analytics data is retained for a maximum of 14 months, then automatically deleted.

8. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR and applicable data protection laws:

Right of access (Art. 15) -- You may request a copy of all personal data we hold about you.
Right to rectification (Art. 16) -- You may correct any inaccurate or incomplete data directly in the app, or by contacting us.
Right to erasure (Art. 17) -- You may request the deletion of all your personal data. This can be done directly from the app (Settings > Delete my account).
Right to data portability (Art. 20) -- You may export your data in standard formats (Excel, CSV, PDF) using the built-in export feature.
Right to restriction of processing (Art. 18) -- You may request that we restrict the processing of your data under certain conditions (for example, if you contest the accuracy of the data).
Right to object (Art. 21) -- You may object at any time to the processing of your data based on legitimate interest, in particular the security processing described in section 4.
Right to withdraw consent -- Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.
Right to lodge a complaint -- You have the right to lodge a complaint with your local supervisory authority (in France, the CNIL -- www.cnil.fr) if you believe your data is being processed unlawfully.

To exercise any of these rights, contact us at presengo.support@gmail.com.

Exercising your rights is free of charge. We may ask you to verify your identity through proportionate means before processing your request, where necessary to prevent impersonation. We will respond within one month of receiving your request, in accordance with Art. 12.3 of the GDPR. This period may be extended by a further two months for complex or numerous requests, in which case we will inform you within the initial one-month period and explain the reasons for the extension. We may refuse manifestly unfounded or excessive requests, providing you with a reasoned explanation and informing you of your right to lodge a complaint with the CNIL.

Presengo does not carry out any solely automated decision-making or any profiling producing legal effects or similarly significant effects concerning you within the meaning of Art. 22 of the GDPR.

9. Account Deletion

Presengo provides a self-service account deletion mechanism that is simple and compliant with Art. 17 of the GDPR (right to erasure):

Open the app and go to Settings.
Tap "Delete my account".
Confirm the deletion by entering the required confirmation text.

After confirmation, all your data is permanently deleted within a maximum of 30 days: account credentials, groups, members, events, attendance records, custom fields, photos, signatures and any shared space ownership. This action is irreversible. Only billing data retained by payment providers for legal accounting purposes (see section 7) will persist beyond this deletion.

10. Photos and Media

Presengo allows you to upload photos and capture signatures as part of attendance management. Here is how we handle your media:

All images are compressed client-side before upload (maximum 1 MB) to minimise data transfer and storage.
All media files are stored in private Supabase storage buckets (member-photos, signatures, attendance-photos, imports). Access is restricted to authenticated users with appropriate permissions, enforced through Row-Level Security rules.
Media files are never shared with third parties, never used for machine learning or artificial intelligence model training, and never made publicly accessible.
No biometric processing within the meaning of Art. 9 of the GDPR is performed. Signatures and photos are stored as static files for traceability purposes only. No comparison, matching, facial recognition or automated identification is carried out on these media.

11. Children’s Privacy

Presengo is not intended for direct use by children. The minimum age required to create an account corresponds to the digital age of consent applicable in the user’s country of residence, in accordance with Art. 8 of the GDPR: 15 in France, 16 in most other EU Member States (each Member State may set this threshold between 13 and 16). Below this age, consent must be given or authorised by the holder of parental responsibility. We do not knowingly collect personal data from children below this threshold without such authorisation. If you believe a child has provided us with personal data without the required authorisation, please contact us at presengo.support@gmail.com and we will promptly delete the data concerned.

When Presengo is used by an institution (school, sports club, association) to manage the attendance of minors, it is the institution that acts as the data controller and is responsible for obtaining the appropriate consents from the holders of parental responsibility, in accordance with applicable law.

12. Cookies and Analytics

Presengo uses cookies on its web version as follows:

Essential cookies -- Required for authentication and basic functionality. They cannot be disabled and do not require consent.
Analytics cookies (Google Analytics 4) -- Used to measure audience and improve the service. They are only activated with your explicit consent via our cookie banner. IP address anonymisation is enabled (anonymize_ip), no cross-site tracking is performed, no data is used for advertising purposes, and analytics data retention is limited to 14 months.

You can change your cookie preferences at any time by clearing your browser cookies or using the dedicated link in the footer. Declining analytics cookies does not affect the operation of the application in any way.

13. International Data Transfers

Your core data is stored and processed within the European Union (Supabase Frankfurt region, Germany). Some technical sub-processors (Apple, Google, Stripe) are US entities certified under the EU-US Data Privacy Framework (DPF), which provides an adequate level of protection as recognised by the European Commission adequacy decision of July 10, 2023. For US sub-processors not certified under the DPF (notably RevenueCat), Standard Contractual Clauses (SCCs) approved by the European Commission are in place to ensure an equivalent level of protection. No personal data is transferred outside the EU/EEA without appropriate safeguards within the meaning of Art. 44 to 49 of the GDPR. The DPF certification status of our sub-processors can be verified at any time on the official registry: https://www.dataprivacyframework.gov/list

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable regulations. In the event of substantial changes affecting your rights or the purposes of processing, we will notify you via an in-app notification and by email (if you have an account) at least 30 days before the changes take effect. Minor changes (corrections, clarifications) will be indicated by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

15. Contact

For any question, concern, request to exercise your rights or complaint relating to this Privacy Policy or the processing of your personal data, you can contact us at: presengo.support@gmail.com. We are committed to responding to any request within the applicable legal timeframes.