Privacy Policy

Last updated: October 15, 2025

1. Definitions / Principles

“Personal data” refers to any information that can directly or indirectly identify a natural person, as defined by the GDPR (EU Regulation 2016/679) and applicable data protection laws.

2. Data Controller

Little John SAS, represented by its legal representative, is the data controller.

Address: 29 rue des Gravilliers, 75003 Paris, France

Contact: admin@little-john.io

3. Purposes of Processing

  • Fraud and spam prevention
  • Improving user experience (analytics, statistics)
  • User satisfaction surveys
  • Marketing campaigns (email, SMS) with consent
  • Authentication and integrations required for the service (e.g., OAuth connections)

5. Recipients / Processors

Access is limited to authorized internal teams (support, technical). Data may be shared with processors offering GDPR-compliant guarantees, under documented instructions and processing agreements.

6. Transfers outside the EU

No transfers to non-adequate countries occur without appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules) and without informing the user beforehand.

7. Data Retention

Data is retained only as long as necessary for the purposes outlined, then deleted or anonymized, except when longer retention is required by law.

8. User Rights

  • Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17)
  • Restriction (Art. 18), Objection (Art. 21)
  • Portability (Art. 20), Withdrawal of Consent
  • Post-mortem directives

To exercise your rights, write to admin@little-john.io or send mail to the postal address above, with proof of identity if needed. Complaints can be filed with the CNIL: www.cnil.fr.

9. Data Security

We implement appropriate technical and organizational measures: encryption, pseudonymization, network segmentation, access control, firewalls, logging, backup testing, access reviews, password policy and MFA.

10. Cookies and Trackers

Cookies are used for navigation, analytics, and personalization. Non-essential cookies are placed only after user consent via the consent banner. Browsers allow cookie management.

11. Incident Notification

In case of a personal data breach, relevant authorities will be notified and affected individuals informed as required by law.

12. Sensitive Data Protection

When processing special categories of personal data under the GDPR, Little John SAS applies additional safeguards:

  • Encryption in transit and at rest (TLS 1.2+ / TLS 1.3, AES-256)
  • Strong authentication and least-privilege access control
  • Logging and monitoring of all access to sensitive data
  • Logical and physical segregation of environments
  • Encrypted backups with regular testing
  • Data minimization, anonymization, or pseudonymization whenever possible
  • Automatic deletion at the end of processing or upon valid request

No sensitive data is sold or used for purposes other than those explicitly stated, without explicit consent.

13. Google Services Data (OAuth / API) – Compliance

If you connect a Google account to our service, we may receive data through Google APIs strictly to provide the requested functionality (e.g., authentication, limited import of information).

  • Limited use: no advertising use, no sale, no sharing with unauthorized third parties.
  • Minimal access: only required scopes are requested. You can revoke access anytime at myaccount.google.com/permissions.
  • Storage: encrypted at rest and in transit. No Google API data is retained beyond what is strictly necessary.
  • Access control and logging of API-related operations.
  • Deletion: data is deleted upon request or account closure, and no later than the defined retention periods (see section 14).
  • Transparency: users are informed of data types and purposes at the connection point.

14. Deletion, Anonymization and Portability

  • Deletion: You can request deletion of your account and associated data at admin@little-john.io. We will erase or anonymize data unless legal obligations require retention.
  • Portability: Data will be provided in a structured, commonly used, machine-readable format where legally applicable.

15. Minors

Our service is not intended for individuals under 15 years of age. If we have collected a minor’s data in error, contact us to request deletion.

16. Policy Changes

We may update this Privacy Policy. The online version is authoritative. In case of material changes, we will inform users through the service.

17. Contact and Complaints

For questions, rights requests, or complaints:

Little John SAS
29 rue des Gravilliers, 75003 Paris, France
admin@little-john.io

Supervisory authority: CNIL.