This translation is provided for information purposes only: only the French version is legally binding.
This notice forms an integral part of the terms of use of the VivAccess service, accepted by the user when using or subscribing to the service.
What is VivAccess?
The VivAccess service allows users to access content, tools, or features related to accessibility, particularly in the context of events, training courses, or support programs.
Roles in the processing
VivAccess acts as data controller for all data processed through the service.
Organizers using VivAccess to welcome participants at their events also remain responsible for their own GDPR obligations towards those participants. VivAccess provides the technical tools and security measures required for this compliance.
Purposes and legal bases
VivAccess processes the user's personal data for the following purposes:
| Purposes | Legal basis | Population concerned |
|---|---|---|
| Account creation and management | Performance of the contract (Art. 6.1.b) | Organizer, staff |
| Authentication and access to the service | Performance of the contract (Art. 6.1.b) | Organizer, staff |
| Processing of assistance requests | Performance of the contract (Art. 6.1.b) | Participant |
| Processing of accessibility (health) data | Explicit consent (Art. 9.2.a) | Participant |
| Error monitoring and security | Legitimate interest (Art. 6.1.f) | All |
| Non-essential cookies | Consent (Art. 6.1.a) | All |
Data processed by population
Organizer
- Identification: last name, first name, email, password (hashed);
- Billing: company name, SIRET number, address, payment method;
- Connection: session logs, IP address, user agent.
Staff
- Identification: last name, first name, email;
- Operation: role, assigned event, session token.
Participant
- No account created — anonymous technical UUID identifier;
- Data provided voluntarily in the assistance request (description of the need, location within the event);
- Accessibility data (Art. 9 GDPR) if declared with explicit consent;
- Written exchanges with staff in connection with the request.
Who has access to the data?
| Processor | Service | Region | Safeguards |
|---|---|---|---|
| Supabase | Database + Realtime | EU (Frankfurt) | DPA + standard clauses |
| LiveKit | WebRTC audio/video | France (OVH Bare Metal) | DPA OVH |
| Sentry | Error monitoring | EU | DPA |
| Better-Auth | Authentication (self-hosted) | EU | n/a |
| Resend | Transactional email delivery | US | DPF + CCT |
| Vercel | Edge hosting | France (Paris) | DPF + CCT |
The data collected is accessible only to authorized persons, within the scope of their duties: VivAccess internal teams; the technical providers listed above; where applicable, the competent authorities in the context of a legal obligation.
Retention periods
| Data category | Active period | Archiving / deletion |
|---|---|---|
| Active organizer account | Duration of the contract | — |
| Inactive organizer account | — | Deletion after 3 years of inactivity |
| Billing data | Duration of the contract | 10 years (Art. L.123-22 of the French Commercial Code) |
| Closed event data | 13 months | Anonymization |
| Participant assistance requests | Event duration + 30 days | Anonymization |
| Accessibility data (Art. 9) | Event duration | Immediate deletion after the event unless explicit consent is given |
| Technical logs / Sentry monitoring | 90 days | Deletion |
| Session cookies | Session duration | — |
| Other cookies | 13 months max (CNIL) | — |
| Support emails | Duration of the exchange | Deletion 3 years after last contact |
Hosting and transfers
VivAccess favors European hosting for the most sensitive data: LiveKit (real-time audio/video streams) in France on OVH Bare Metal infrastructure; Supabase (database and Realtime) in the EU region (Frankfurt); Sentry (monitoring) in the EU region; Better-Auth (sessions) self-hosted in the EU.
Some providers involve a transfer of data to the United States: Resend (transactional emails), Vercel (edge hosting — data at rest in the US), and Deepgram (voice transcription). These transfers are governed by adherence to the Data Privacy Framework (DPF) for certified providers and by the European Commission's standard contractual clauses (SCC 2021/914).
Data falling under Article 9 of the GDPR (accessibility needs, treated as health data) is never transferred outside the European Union.
For processing based on legitimate interest, VivAccess has assessed that this interest does not disproportionately infringe upon users' rights: data is minimized, aggregated where possible, retention periods are limited, and the right to object is guaranteed at any time via rgpd@vivaccess.com.
Cookies
Strictly necessary cookies (no consent required):
| Cookie | Purpose | Duration |
|---|---|---|
| Better-Auth session | User authentication | Session duration |
| staff-session-token | Staff authentication | Event duration |
| NEXT_LOCALE | Interface language | 1 year |
Monitoring tools (legitimate interest, no tracking cookies): Sentry collects a technical session only in the event of an error — all input fields are masked and media are blocked before collection. No third-party analytics cookies (Google Analytics, Mixpanel, etc.) are used.
Data breach notification
In the event of a data breach likely to result in a risk to users' rights and freedoms, VivAccess notifies the CNIL within 72 hours of becoming aware of the incident (Article 33 GDPR). Where the breach is likely to result in a high risk, VivAccess informs the affected users directly without undue delay (Article 34 GDPR).
Your rights
In accordance with applicable regulations, users have the following rights: access, rectification, erasure, restriction of processing, objection, portability (where applicable), and withdrawal of consent at any time where the processing is based on consent. Users may also set out directives regarding the fate of their data after their death.
To exercise their rights, users may contact VivAccess at rgpd@vivaccess.com. Proof of identity may be requested. VivAccess responds within one month, extendable by two months for complex requests (Article 12.3 GDPR).
CNIL contact details
Users have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL, the French data protection authority):
CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr/plaintes. VivAccess nevertheless invites users to contact it first at rgpd@vivaccess.com in order to seek an amicable solution.
Data Protection Officer
VivAccess has not appointed a Data Protection Officer, as its activity does not meet the mandatory designation criteria of Article 37 of the GDPR. For any questions: rgpd@vivaccess.com or by post: VivAccess, 140 rue Yves Montand, 29820 Guilers.
Changes
This policy may change to reflect changes to the service, the applicable regulations, or VivAccess practices.
Version history — V1.0 · 21/05/2026 · Initial publication.