Version 1.0
May 1, 2026
Private Policy
Key Points of Our Privacy Policy
At Ignito, protecting your personal data is a priority. Here is what you should understand, transparently.
Who is responsible for your data?
When you use Ignito in a professional context, your organization, such as your employer, is responsible for how your data is used.
Ignito acts as a technical service provider: we process data only on behalf of your organization, based on its instructions and under a strict contractual framework.
When you interact with our marketing website, Ignito is responsible for the processing of your data, for example when you submit a contact request.
What data do we use?
We process only professional data necessary for the operation of the Platform, including:
your account information, such as name, professional email address, and organization;
data from your connected professional tools, such as calendar, tasks, and similar work tools;
technical data necessary for the security and reliability of the platform.
No sensitive data such as health data, opinions, or data relating to private life is intentionally processed.
Why do we use this data?
Data is used to:
provide and secure the Ignito platform;
generate work organization indicators, analyses, and recommendations;
improve the reliability and performance of the service;
communicate with you in a strictly professional manner.
Ignito is not a surveillance tool and is not a disciplinary tool.
What Ignito does… and what we do not do
No individual surveillance
No performance evaluation for disciplinary purposes
No automated decisions producing legal effects
No resale or sharing of personal data for advertising purposes
The analyses and recommendations provided are informational and are intended to help understand and improve work organization, without replacing human judgment.
How long is your data retained?
Data is retained only for as long as necessary for the operation of the Platform.
It is then securely deleted or irreversibly anonymized.
Retention periods are defined and documented transparently.
Is your data secure?
Yes. Ignito implements high security standards, including:
data encryption;
strict access controls;
continuous monitoring and incident management procedures.
What are your rights?
You have rights over your data, including access, correction, deletion, and other rights under applicable laws:
primarily through your organization, when Ignito is used in a professional context;
or directly through Ignito’s DPO at dpo@ignito.ai.
Specific rights also apply to California residents under the CCPA / CPRA.
👉 This summary does not replace the full Private Policy below, which defines all applicable rights, obligations, and responsibilities.
Private Policy
This Privacy Policy describes how IGNITO (hereinafter “Ignito,” “we,” “us,” or “our”) processes personal data in connection with:
the use of the Ignito Platform by professional clients and their users; and
the operation of Ignito’s marketing website.
In connection with the Ignito application, Ignito primarily acts as a processor within the meaning of the GDPR: our professional clients are the controllers, and we process data on their behalf in accordance with their contractual instructions.
In connection with the marketing website, Ignito acts as a controller within the meaning of the GDPR for the personal data processing activities implemented on the website, as described in the dedicated section of this Policy.
This Privacy Policy does not apply to processing activities carried out by client organizations for their own purposes, for which Ignito acts exclusively as a processor.
Who is responsible for processing?
Controller (clients)
For most processing activities, the controller is the client organization that uses Ignito for its teams, such as the employer, client company, or other professional organization. That organization determines the purposes and means of processing its users’ data.
Processor (Ignito)
Ignito is operated by:
IGNITO, simplified joint-stock company (SAS)
Registered office: 24 bis rue de Picpus, 75012 Paris – France
SIREN: 101 037 117
SIRET: 10103711700013
Business activity code (APE): 58.29C – Publishing of other software
Contact: support@ignito.ai
We act as a processor on behalf of our clients, under a data processing agreement (DPA) entered into with each client, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).
Data Protection Officer (DPO)
Ignito has appointed a DPO:
DPO contact email: dpo@ignito.ai
You may contact the DPO for any question relating to data protection or this Policy.
What data do we collect and for what purposes?
Ignito does not intentionally collect or process any “sensitive” data within the meaning of Article 9 of the GDPR, such as racial or ethnic origin, political opinions, health data, or other special categories of personal data, in connection with its services.
2.1. Account management and authentication
RoPA reference: IGN-010 – Account management and authentication
Purposes:
Create and manage user accounts.
Authenticate users through Google or Microsoft.
Manage organizations, teams, and roles.
Control access to the platform and log connections.
Categories of data processed:
Identification data: last name, first name, professional email address, organization, roles, avatar.
User preferences: account settings, display preferences, and similar settings.
Connection data: IP address, authentication logs, OAuth tokens with a maximum validity period of 90 days.
Legal bases:
Performance of a contract (Art. 6(1)(b) GDPR): making the platform available to our clients and their users.
Legitimate interest (Art. 6(1)(f) GDPR): securing access, preventing fraud, and preventing unauthorized access.
Retention periods:
Account data, including identity, email, organization, roles, and avatar: for the duration of the active account, then deletion within 30 days after closure.
Connection logs and IP addresses: 12 months.
OAuth tokens: technical validity period, up to 90 days.
2.2. Calendar connection and synchronization
RoPA reference: IGN-011 – Calendar connection and synchronization
Purposes:
Synchronize calendars, such as Google Calendar and Outlook, to generate indicators, including meeting volume and duration, availability, workload, and similar indicators.
Generate work organization recommendations, such as reducing unnecessary meetings.
Categories of data processed:
Event metadata and content: title, description, participants, schedules, availability status, and possible location.
Event-related identification data: identity and contact details of participants, depending on the data contained in the calendar.
Legal bases:
Performance of a contract (Art. 6(1)(b) GDPR): providing analysis and optimization services to clients.
Consent of data subjects where required by the client, for example for certain connections or specific uses.
Retention periods:
Raw calendar data: rolling 12 months.
Aggregated data and indicators: for the duration of the active account.
Beyond the retention periods above, data is either deleted or irreversibly anonymized for statistical purposes.
Third-party data
In connection with calendar synchronization and connected tools, some data may relate to individuals who are not direct users of the platform, such as external participants, clients, partners, or service providers.
This data is processed exclusively on behalf of the client, strictly within the contractual purposes defined by the client.
Ignito does not use this data for its own purposes, does not combine it with other sources, and does not retain it beyond the periods defined in this Policy.
2.3. Task connection and synchronization
RoPA reference: IGN-012 – Task connection and synchronization
Purposes:
Synchronize tasks, for example from Jira or Linear, to measure workload, cycles, types of work, and to provide organizational recommendations.
Categories of data processed:
Task metadata and content: titles, descriptions, statuses, dates, labels.
Legal bases:
Performance of a contract (Art. 6(1)(b) GDPR).
Consent, where required by the client.
Retention periods:
Raw task data: rolling 12 months.
Aggregated data and statistics: for the duration of the active account.
2.4. Calculation of analyses, opportunities, and recommendations
RoPA reference: IGN-013 – Analytics, opportunities, and recommendations
Purposes:
Produce indicators on time, meetings, and task usage.
Generate personalized opportunities and recommendations to improve individual and team effectiveness.
Categories of data processed:
Derived and aggregated data: scores, statistics, and indicators derived from actual calendar and task usage.
Legal basis:
Performance of a contract (Art. 6(1)(b) GDPR).
Retention periods:
Aggregated data and scores: for the duration of the active account.
After closure, data may be anonymized to create global statistics.
Clarification on the nature of analyses and recommendations
The indicators, scores, opportunities, and recommendations produced by Ignito are analyses designed to support the understanding and optimization of work organization.
They do not constitute a professional evaluation, a measure of individual performance, a disciplinary tool, or an automated decision-making tool.
The recommendations provided by the platform are informational and non-prescriptive and do not produce any legal or similarly significant effect on data subjects.
2.5. User and manager dashboards
RoPA references:
IGN-014 – User dashboard
IGN-015 – Manager dashboard
Purposes:
For the user: display individual opportunities and analyses.
For the manager: display aggregated team-level opportunities and analyses within the framework defined by the client.
Categories of data processed:
Aggregated usage data: opportunities, statistics, indicators relating to meetings and tasks.
Legal basis:
Performance of a contract (Art. 6(1)(b) GDPR).
Retention periods:
Data displayed in dashboards: for the duration of the active account.
The client remains responsible for configuring access rights and using dashboards in accordance with the applicable legal framework.
2.6. Communications and notifications
RoPA reference: IGN-002 – Communications and notifications
Purposes:
Send transactional emails, such as product notifications, alerts, and confirmations.
Manage communication preferences, including opt-in / opt-out and notification types.
Categories of data processed:
Identification data: last name, first name, professional email address.
Usage data: data from platform processing used for notification content.
Technical sending logs: timestamp, delivery status, opens, and clicks, depending on configuration.
Legal bases:
Performance of a contract (Art. 6(1)(b) GDPR) for communications strictly necessary for the service.
Legitimate interest (Art. 6(1)(f) GDPR) for certain B2B communications to professional contacts, within the applicable legal framework.
Consent for communications where required.
Retention periods:
Transactional emails and associated logs: 12 months.
Commercial prospecting communications through the marketing website are described in the dedicated section of this Policy.
2.7. Telemetry, monitoring, and technical logs
RoPA reference: IGN-001 – Telemetry, monitoring, and technical logs
Purposes:
Ensure the availability, security, diagnostics, and performance of the platform.
Detect and prevent security incidents.
Categories of data processed:
Application traces: technical events related to requests and processing activities.
Connection data: IP addresses, technical logs, pseudonymized technical identifiers.
Legal basis:
Legitimate interest (Art. 6(1)(f) GDPR): ensuring the proper operation and security of the service.
Retention periods:
Technical logs and telemetry: 12 months.
In the event of a security incident, extended retention until the incident is resolved plus 12 months.
2.8. Customer support and prospecting
In addition to the processing activities above:
Customer support: support exchanges, including emails and tickets, are retained for 3 years after resolution of the request, and longer in the event of a claim or dispute.
B2B prospecting: professional contact data is retained for 3 years after the last contact or the last meaningful interaction.
Where does your data come from?
Depending on the case, the data we process comes from:
You directly when you create an account or use the platform.
Third-party providers connected by your organization, including:
Google Workspace / Google Calendar.
Microsoft 365 / Outlook.
Task management tools, such as Jira, Linear, and similar tools.
Messaging and collaboration tools, such as Slack and Teams.
Our clients, such as your employer or organization, which configure and administer the use of the platform.
Connections to these services are always made through secure authentication mechanisms, such as OAuth through Logto, and may be revoked at any time from those services or through the client account configuration.
Who receives your data?
As a processor, we strictly limit access to data:
Within Ignito:
to individuals who need access to perform the contract, such as technical, support, and, where necessary, product team members, and who are bound by confidentiality obligations.
At our technical subprocessors:
AWS: hosting of the API, database, and analytics processing.
Vercel and Cloudflare: hosting / CDN / WAF for the web application.
Logto: authentication management (OpenID Connect) and storage of certain tokens.
Dash0: telemetry, logs, and application monitoring.
Customer.io and Mailgun: transactional emails and notifications.
Slack: where applicable, notifications and productivity integrations depending on the client’s configuration.
Contracts with these subprocessors include data protection clauses, such as DPA, SCC, DPF, and similar safeguards, documented in our subprocessor contract register.
Ignito prohibits any reuse of personal data processed on behalf of its clients for its own commercial or advertising purposes.
Ignito does not sell personal data that it processes.
Any use for statistical or service-improvement purposes is carried out exclusively using aggregated and irreversibly anonymized data, which no longer allows direct or indirect identification of data subjects.
Data transfers outside the European Union
We favor data localization within the European Union whenever possible. However, some providers may process data outside the EU.
When personal data is transferred outside the European Economic Area, Ignito ensures that such transfers are governed by appropriate safeguards in accordance with applicable regulations, including the implementation of Standard Contractual Clauses adopted by the European Commission or equivalent mechanisms.
Additional technical and organizational measures may be implemented to ensure an adequate level of data protection.
5.1. Providers concerned
Providers that may involve transfers outside the EU include:
Google – SCC / EU-US Data Privacy Framework (DPF) / DPA.
Microsoft – SCC / DPF / DPA.
Cloudflare – SCC / DPF / DPA.
Vercel – DPF / DPA.
Mailgun – DPA.
Details, including countries, types of safeguards, and contractual links, are documented in our register of non-EU transfers.
How long do we retain your data?
Retention periods are defined in our Data Retention Policy.
In summary:
Account and authentication data:
Duration of the active account.
Deletion within 30 days following account closure, excluding legal obligations such as billing records retained for 10 years.
Raw synchronization data, including calendars, tasks, and messaging:
Rolling 12 months, then deletion or aggregation/anonymization.
Technical data, including logs and telemetry:
12 months, unless extended in the event of an incident.
Prospecting / marketing:
Prospects: 3 years after the last contact.
Support / disputes:
Support tickets: 3 years after resolution, extended in the event of a dispute.
When retention periods expire:
Data is securely deleted, including from backups within standard rotation periods.
Or data is irreversibly anonymized according to standards designed to prevent re-identification, including removal of direct identifiers and aggregation, in accordance with our retention policy.
How do we protect your data?
Ignito implements technical and organizational security measures appropriate to the risks and in line with industry standards.
7.1. Encryption and data protection
Encryption in transit (TLS 1.2+) for all communications.
Encryption at rest for sensitive data, including databases and backups, using FIPS 140-2-compliant standards where applicable.
Secure management and rotation of encryption keys.
7.2. Network and infrastructure security
Isolated production environments with strict network access controls.
Use of Cloudflare WAF to protect against common attacks such as SQL injection and XSS.
Hosting on AWS (EU – Paris) with hardened configuration.
7.3. Access control and identity
Least privilege principle for access to data and systems.
Multi-factor authentication (MFA) for administrator access.
Logging and regular review of sensitive access.
7.4. Development security
Integration of security into the software development lifecycle (SDLC).
Code review, automated testing, and continuous monitoring.
Monitoring and updating of third-party dependencies.
7.5. Monitoring, logs, and incident response
Continuous monitoring of infrastructure and applications (Dash0, CloudWatch, etc.).
Secure and controlled storage of production logs.
Formalized data breach management procedure, including:
Detection, containment, and impact analysis.
Notification to the CNIL within 72 hours where required.
Communication to data subjects in the event of high risk.
What are your rights and how can you exercise them?
Depending on your situation, whether you are an employee of a client, a prospect, or a user, you may have the following rights over your data:
Right of access: obtain a copy of your data and information about the processing.
Right to rectification: correct inaccurate or incomplete data.
Right to erasure: request deletion of your data in certain cases.
Right to restriction: temporarily restrict processing.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object: object to certain processing activities, in particular those based on legitimate interest.
Specific provisions may apply to California residents, in accordance with the section "Specific provisions applicable to California residents (CCPA / CPRA)".
8.1. Who should you contact?
In most cases, your primary point of contact is your employer / client organization, which remains the controller. We assist them as a processor to respond to your requests.
You may also contact Ignito (IGNITO SAS) directly:
By email: dpo@ignito.ai
We will handle your request in coordination with the relevant controller, in accordance with our rights exercise procedure and the requests register. Ignito does not determine the purposes or legal bases of processing carried out on behalf of client organizations.
8.2. Response times
We or the controller will respond to your request within one month of receipt. This period may be extended by two months in cases of complexity or a high number of requests, in which case you will be informed of the extension.
8.3. Complaint to the supervisory authority
You also have the right to lodge a complaint with a supervisory authority, and in particular with the CNIL in France:
CNIL – 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 – France
Website: https://www.cnil.fr
Personal data breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms:
We apply our internal data breach management procedure, including analysis, containment, remediation, and documentation of the incident.
When we act as a processor, we notify the controller (our client) without undue delay, who will then decide on notifications to the CNIL and, where applicable, to the data subjects.
Where required by law, a clear communication will be sent to you explaining the nature of the incident, its likely consequences, and the recommended measures.
Updates to this Policy
We may update this Privacy Policy, in particular to reflect:
Legal or regulatory developments.
Changes to our services, infrastructure, or subprocessors.
The applicable version is the one published on our website or communicated within the application, with the update date indicated at the top of the document.
In the event of a material change, we will inform clients and, where applicable, users through appropriate channels such as email or in-app notifications.
Processing activities related to the ignito.ai marketing website
Ignito's role
In connection with the operation of the marketing website accessible in particular at ignito.ai, Ignito (IGNITO SAS) acts as a controller within the meaning of the General Data Protection Regulation (GDPR).
The processing activities described in this section are distinct from those carried out through the Ignito application on behalf of professional clients, for which Ignito acts as a processor.
Collection of prospecting email addresses
RoPA reference: MKT-001 – Collection of prospecting email addresses
Purpose of processing
The purpose of this processing activity is to collect and manage professional prospect information through the marketing website, in particular to:
respond to information or contact requests;
send B2B commercial and marketing communications relating to Ignito's services;
manage commercial exchanges.
Categories of data subjects
Professional prospects (B2B contacts).
Categories of data processed
Professional identification data: last name, first name, professional email address, company, job title.
No sensitive data within the meaning of Article 9 of the GDPR is processed in this context.
Source of data
Data provided directly by the data subject through the website forms.
Legal basis
Consent of the data subject (Article 6(1)(a) GDPR), materialized in particular by the voluntary submission of the form and, where applicable, through explicit opt-in mechanisms.
Recipients of the data
Ignito's internal teams authorized to handle prospecting and contact requests;
Technical subprocessors involved in the hosting and operation of the marketing website.
Subprocessors
Framer (hosting and management of the marketing website).
Transfers outside the European Union
The service provider Framer may involve processing of data outside the European Union. These transfers are governed by appropriate safeguards in accordance with the GDPR, in particular standard contractual clauses and/or recognized mechanisms, documented in Ignito's register of non-EU transfers.
Retention period
Prospect data is retained for a maximum period of 3 years from the last contact or the last meaningful interaction with Ignito, or until consent is withdrawn (opt-out), whichever occurs first.
Security measures
Ignito implements appropriate technical and organizational measures to ensure the security and confidentiality of data collected through the marketing website, including:
encryption of data in transit and, where applicable, at rest;
access controls based on the least privilege principle;
traceability of access and processing activities;
contractual oversight of subprocessors;
protection measures for the software environments used to operate the website.
Rights of data subjects
Prospects have the rights provided under the GDPR, including access, rectification, erasure, restriction, objection, and withdrawal of consent at any time.
These rights may be exercised under the conditions described in the section "What are your rights and how can you exercise them?" of this Policy.
Specific provisions applicable to California residents (CCPA / CPRA)
This section supplements the Ignito Privacy Policy in order to provide the specific information required by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
It applies only when personal data relates to residents of the State of California and the processing falls within the scope of California law.
The processing activities described in this section are to be read in conjunction with those presented in the preceding sections of this Policy.
12.2. Categories of personal information concerned
Over the past twelve (12) months, Ignito may have processed, depending on the case, the following categories of personal information within the meaning of the CCPA, as described in the preceding sections of this Policy:
professional identifiers and contact information (Category A);
online identifiers and technical data (Categories A and F);
information relating to professional activity and platform usage (Categories I and L);
B2B commercial information (contact requests, commercial exchanges).
Sensitive data: Ignito does not use sensitive personal information to infer characteristics about consumers or for behavioral profiling purposes. Ignito does not use this information to infer characteristics about consumers or for behavioral profiling purposes.
12.3. Sale and sharing of personal information
Ignito does not sell and does not share personal information within the meaning of the CCPA.
In particular:
no personal data is sold to third parties;
no personal data is shared for cross-context behavioral advertising purposes;
Ignito does not act as a data broker.
Although we do not sell or share your personal information, our systems are configured to recognize and respect opt-out preference signals (Global Privacy Control) from your browser.
Data transfers to technical service providers mentioned in this Policy are strictly governed by CCPA-compliant contracts, limiting data use to the sole purposes of providing Ignito's services.
12.4. Rights of California residents
Subject to the conditions provided by California law, California residents have the following rights:
right to know what personal information is collected, used, and disclosed;
right to deletion of personal information, subject to legal exceptions;
right to correction of inaccurate personal information;
right to limit the use of sensitive personal information, where applicable;
right to non-discrimination for exercising their rights.
These rights are exercised without prejudice to the rights recognized under the GDPR where applicable.
Section 1798.83 of the California Civil Code also allows California residents to request certain information regarding our disclosure of personal information to third parties for direct marketing purposes. As Ignito does not disclose any personal information to third parties for such purposes, no request is necessary.
12.5. Exercising CCPA rights
Requests relating to CCPA rights may be submitted by email to: dpo@ignito.ai.
Identity verification: In order to protect the confidentiality of data, Ignito will verify your request by matching the information provided with data already in our possession, or through your user account.
Coordination: When Ignito acts as a service provider for a client organization, the request may be handled in coordination with the relevant controller.
12.6. Retention and security
The retention periods and security measures applicable to personal information subject to the CCPA are those described in the sections "How long do we retain your data?" and "How do we protect your data?" of this Policy.
Contact
For any question relating to this Policy or the processing of your data:
Ignito DPO: dpo@ignito.ai
You may also contact your client organization when using Ignito in a professional context.