Privacy Policy
Preamble
This Privacy Policy describes how Marketing Accompagnement (hereinafter “MA Utility” or “we”), publisher of the MA Utility platform accessible at https://mautility.com, collects, uses, shares, and retains the personal data of its users (hereinafter “you” or “the User”).
We are committed to complying with Regulation (EU) 2016/679 of 27 April 2016 (hereinafter “GDPR”) as well as French Law No. 78-17 of 6 January 1978, as amended, known as the “Informatique et Libertés” Act.
1. Identity of the data controller
The data controller is MARKETING ACCOMPAGNEMENT, a simplified joint-stock company (SAS) with share capital of 1 000 €, SIREN 995 379 740, SIRET 995 379 740 00013, registered office at 80 rue Emile Zola, 29820 Guilers, France (RCS Brest).
Contact: hello@mautility.com
Data Protection Officer (DPO): hello@mautility.com (pending the appointment of a dedicated DPO).
2. Data collected
We collect the following categories of data:
2.1 Account data
- Email address, first name, last name, company name, role.
- Password (hashed via bcrypt — never stored in plaintext).
- Phone number (optional).
2.2 Pipeline and third-party connection data
- WhatsApp Business Account (WABA) identifier, WhatsApp phone number identifiers.
- Meta / Google / Stripe access tokens (encrypted at rest using AES-256-GCM).
- Connected Facebook Pages, selected Lead Ads forms.
- Connected Google Calendars (OAuth read/write events).
2.3 Lead and conversation data
- Phone number, display name, and email of contacts (leads).
- Inbound and outbound WhatsApp messages (text, media, documents).
- Conversation metadata: timestamps, delivery status, campaign identifier.
- Data synchronised from connected CRMs (HubSpot, Pipedrive, Salesforce, Zoho, etc.).
- Data imported from Google Sheets, Airtable, or CSV files.
2.4 Billing data
- Billing address, EU VAT number (where applicable).
- Payment history and credit consumption history.
- Payment card data: processed exclusively by our provider Stripe; no card numbers are stored on our servers.
2.5 Technical and browsing data
- IP address, session identifier, browser type (user-agent).
- Application logs (30-day rotation).
- Essential cookies (see our Cookie Policy).
3. Purposes and legal bases for processing
In accordance with Article 6 of the GDPR, each processing activity is based on one of the following legal grounds:
| Purpose | Legal basis |
|---|---|
| Providing the Service (WhatsApp automation, lead processing) | Performance of a contract (Art. 6.1.b) |
| Billing and debt collection management | Performance of a contract and legal obligation (Art. 6.1.b and 6.1.c) |
| Service improvement, fraud prevention, and security | Legitimate interests (Art. 6.1.f) |
| Marketing communications and newsletters | Consent (Art. 6.1.a) — withdrawable at any time |
| Accounting retention of invoices | Legal obligation (Art. 6.1.c — Art. L123-22 of the French Commercial Code) |
| Meta WhatsApp alerts (restrictions, suspensions) | Performance of a contract and legitimate interests |
4. Recipients of data
Your data is accessible only to authorised personnel within Marketing Accompagnement, as well as to the following sub-processors, all governed by a data processing agreement compliant with Article 28 of the GDPR:
| Sub-processor | Purpose | Location |
|---|---|---|
| Meta Platforms (WhatsApp Cloud API, Lead Ads) | Sending/receiving WhatsApp messages, lead ingestion | EU / United States |
| Google LLC (Calendar, Sheets, Drive APIs) | Calendar integration, Sheets synchronisation | EU / United States |
| Anthropic PBC (Claude API) | AI response generation. No data is used to train their models. | United States |
| Stripe Inc. | Payment processing (PCI-DSS) | EU / United States |
| Brevo (formerly Sendinblue) | Sending transactional emails (confirmations, alerts) | EU (France) |
| n8n GmbH (self-hosted) | AI workflow orchestration | Self-hosted on our VPS (EU) |
| Hostinger International Ltd | VPS hosting of the platform (Larnaca, Cyprus) | EU |
5. Transfers of data outside the European Union
Certain sub-processors (Anthropic, Meta, Stripe, Google) may process data outside the European Union, in particular in the United States. Such transfers are governed by:
- The European Commission’s Standard Contractual Clauses (SCCs) (Implementing Decision 2021/914 of 4 June 2021);
- The EU-US Data Privacy Framework (adequacy decision of 10 July 2023) for certified US-based sub-processors;
- Supplementary technical measures: encryption at rest and in transit (TLS 1.2+), pseudonymisation where possible.
6. Retention periods
- User account: for the duration of the contract, then 3 years after the last activity (commercial prospecting purposes).
- WhatsApp conversations and leads: for the duration of the subscription, then 1 year after account closure (unless deleted earlier at your request).
- Meta / Google / Stripe tokens: deleted immediately upon disconnection of the pipeline or closure of the account.
- Invoices: 10 years (statutory accounting obligation, Art. L123-22 of the French Commercial Code).
- Technical logs: maximum 12 months (30-day rotation for application logs, 12 months for security logs).
7. Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access: to obtain confirmation that your data is being processed and to receive a copy.
- Right to rectification: to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): to request the deletion of your data.
- Right to restriction of processing.
- Right to object, in particular to processing for prospecting purposes.
- Right to data portability: to receive your data in a structured, machine-readable format.
- Right to withdraw consent, without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to lodge a complaint with the CNIL (www.cnil.fr).
To exercise these rights, write to us at hello@mautility.com. We respond within 30 days, extendable by 2 months for complex requests (Art. 12.3 GDPR). Proof of identity may be requested if there is reasonable doubt as to your identity.
For the complete deletion of your account, please consult our data deletion procedure.
8. Security
We implement appropriate technical and organisational measures:
- Encryption of data at rest (AES-256-GCM) for all sensitive tokens.
- Encryption in transit (TLS 1.2 minimum, HSTS, HTTPS throughout).
- HMAC SHA-256 signatures on all inbound webhooks.
- Password hashing via bcrypt (cost factor 12).
- Database access restricted by IP address and audit logging.
- Encrypted daily backups.
- Dependency auditing for security vulnerabilities.
9. Cookies
We primarily use cookies that are essential to the operation of the Service (authentication, session management). Non-essential cookies (analytics, marketing) are only placed with your consent. For more information, please consult our Cookie Policy.
10. Minors
MA Utility is a B2B service intended for professionals. We do not knowingly collect data relating to individuals under the age of 16. If you believe that data concerning a minor has been collected, please contact us immediately.
11. Changes to this policy
We reserve the right to amend this policy. Any material changes will be notified to you by email at least 30 days before they take effect. The date of the last update appears at the top of this document.
12. Contact
For any questions regarding the processing of your personal data or to exercise your rights, please contact us:
- Email: hello@mautility.com
- Post: Marketing Accompagnement — 80 rue Emile Zola, 29820 Guilers, France
Effective date: May 11, 2026.