21Day
Privacy · v 1

Your data.
Strictly necessary.

GDPR-compliant privacy policy. We collect what's useful to deliver the cycle. Nothing more. No reselling. No advertising tracking.

Last updated · April 2026

This page contains markers in brackets [..] to be filled before official publication.

§ 01 Data controller

01 · who decides

The data controller for personal data collected via 21day.io is 21Day Studio [TO COMPLETE before publication: legal form + full address of registered office]. The studio is represented by Maxence Foulon, founder.

For any question about your data: contact@21day.io

§ 02 Data collected

02 · what we ask
  1. Identification information (first name, last name, work email, company) entered in the brief.
  2. Project details (description, sector, scope, budget, timeline) entered in the brief.
  3. Client reference generated upon brief validation.
  4. Ephemeral authentication tokens (15 minutes max) for sending magic links by email.
  5. Minimal technical logs (IP address, browser, timestamp) for security and abuse prevention.

§ 03 Purposes

03 · why we use them
  1. Review your brief and prepare a fixed-price quote.
  2. Create and manage your client portal after validation.
  3. Communicate on cycle progress (update emails, notifications).
  4. Fulfil our contractual, accounting and tax obligations.
  5. Ensure site and data security and integrity.

§ 04 Legal basis

04 · on what grounds
  1. Performance of pre-contractual measures or contract (brief submission, quote, cycle execution).
  2. Consent, when you write to us or tick an optional box.
  3. Legitimate interest, for site security and defence of our rights.
  4. Legal obligation, for accounting and tax requirements.

§ 05 Retention period

05 · how long
  1. Brief without follow-up: 12 months after last exchange, then deletion.
  2. Validated brief / delivered cycle: 5 years after end of contract (accounting and warranty).
  3. Authentication tokens: 15 minutes maximum.
  4. Technical logs: 12 months maximum.

§ 06 Subprocessors

06 · who can see your data

To run the site and honour our commitments, we use the following subprocessors. All are bound by a GDPR-compliant subprocessing contract.

  1. Vercel Inc. (USA): Front-end hosting (EU-US Standard Contractual Clauses)
  2. Hetzner Online GmbH (Germany, EU): Self-hosted Twenty CRM hosting (Person, Cycle, events, encrypted vault)
  3. Twenty CRM (self-hosted): Internal database (briefs, opportunities, cycle events, vault requests) — OSS code, data resides at Hetzner EU
  4. Stripe Payments Europe Ltd. (Ireland, EU): Online payments (deposit + balance Checkout Sessions)
  5. Resend (USA): Transactional emails (confirmation, magic link, cycle notifications)
  6. Mistral AI (France, EU): Sovereign FR AI models — only for cycles including AI, never on brief data without explicit consent

§ 07 Your rights

07 · what you can ask
  1. Right of access: obtain a copy of your data.
  2. Right to rectification: correct inaccurate data.
  3. Right to erasure: delete your data, subject to legal obligations.
  4. Right to portability: retrieve your data in a reusable format.
  5. Right to object: contest processing based on legitimate interest.
  6. Right to withdraw consent at any time, when processing relies on it.

To exercise these rights, write to contact@21day.io. You also have the right to lodge a complaint with the CNIL (cnil.fr).

§ 08 Cookies

08 · what we set

The site only uses strictly necessary cookies (session, authentication, security). No advertising cookies, no third-party tracking, no fingerprinting without explicit consent.

§ 09 Updates to this policy

09 · if we change

In case of substantial modification, we notify active clients by email and publish the new version here. The last-updated date appears at the top of this page.
