Record of Processing Activities

1. Controller / Processor

Edgar SAS (“Inrō”)
RCS Compiègne 920 349 073
20 rue des Maraîchers, 60700 Pontpoint, France

• Data-protection contact: Pierre de Milly (CTO) — privacy@inroapp.com
• Role: data controller for Service-user (customer) data; data processor for customers’ end-user / contact data.
• No special-category (Art. 9) data is processed, and no minors’ data is intentionally processed (the Service is for business use, 18+).

2. Processing activities

2.1 Customer accounts & billing (controller)

• Data subjects: Service users (customers and their team members)
• Personal data: identity & contact, account/organization, billing
• Purpose: provide the Service, billing, support
• Lawful basis: contract performance
• Recipients: Stripe (billing), Intercom (support), Google Workspace
• Transfers: EU-hosted; Stripe & Intercom (US) under SCCs / EU–US DPF
• Retention: account data deleted within 90 days of account closure; invoices/billing records kept 10 years (French commercial law)

2.2 Instagram conversations & CRM (processor, on behalf of customers)

• Data subjects: customers’ Instagram contacts / end-users
• Personal data: messages, comments, media; profile & interaction data; contact details (Instagram API only)
• Purpose: operate the inbox, automations, campaigns and AI agent on the customer’s behalf
• Lawful basis: the customer’s (controller’s) lawful basis
• Sub-processors: Heroku (EU), AWS (EU), Google Cloud (EU), OpenAI (US)
• Transfers: EU storage; AI processing via OpenAI (US) under SCCs / EU–US DPF
• Retention: messages/interactions ≤ 24 months; contacts deleted after 24 months of inactivity; backups 4 days

2.3 Product analytics & monitoring (controller)

• Data subjects: Service users / site visitors
• Personal data: usage, device/connection, event and error/performance data
• Purpose: improve the product; ensure security & reliability
• Lawful basis: consent for product analytics & non-essential cookies; legitimate interest for security/error monitoring
• Recipients: Mixpanel (US), Sentry (US)
• Transfers: US, under SCCs / EU–US DPF
• Retention: product analytics ~24 months; error logs (Sentry) 90 days

2.4 Marketing to own users (controller)

• Data subjects: Service users / prospects
• Personal data: contact details
• Purpose: marketing communications (with opt-out)
• Lawful basis: consent
• Recipients: Mixpanel (US), Postmark (US, email)
• Transfers: US, under SCCs / EU–US DPF
• Retention: until opt-out, or 2 years of inactivity

2.5 Employees (controller)

• Data subjects: employees
• Personal data: information required for the employment contract; personal social-media account (voluntary only)
• Purpose: employment administration
• Lawful basis: contract / legal obligation
• Recipients: Google Workspace, Qonto, payroll
• Transfers: EU (no non-EEA transfer)
• Retention: per French labour & tax law

3. International transfers

Data is stored in the EU. The following US-based sub-processors are covered by Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework: OpenAI, Stripe, Sentry, Mixpanel, Intercom, OneSignal, Postmark, Cloudflare. EU-resident services (no non-EEA transfer): Heroku Postgres, AWS S3 (eu-west-3), Google Cloud (webhook function).

4. Security measures

Encryption in transit and at rest, access controls, EU hosting, continuous monitoring, and erasure-based deletion.

5. Contact

privacy@inroapp.com

‍