Privacy Policy

Last updated: February 13, 2026

1. Company Information

This Privacy Policy is issued by MEGAMOUNT, a French single-member limited liability company (EURL) with share capital of €1,000, registered under SIRET number 944 778 984 00012, R.C.S 944 778 984 Paris and VAT number FR68944778984.

Registered office: 30 BOULEVARD DE SEBASTOPOL, 75004 PARIS, France
Managing director: Adam Fontaine
Contact: info@index10.com

2. About the Service

Index 10 is an AI-powered platform that generates complete web applications, SaaS products and websites. Users describe their product in natural language, configure options and deploy production-ready projects.

This policy covers data related to the use of Index 10. Data processed by applications created by our customers is the responsibility of those customers (data controllers).

3. Data We Collect

We collect the following categories of personal data:

  • Identity data: Name, surname, email address, hashed and salted password
  • Usage data: Visited pages, features used, session duration, generation history
  • Technical data: IP address, browser type, operating system, device identifiers
  • Creation data: Generated code, prompt history, project configurations
  • Billing data: Payment information processed securely by Stripe
  • Communication data: Support tickets, feedback, incident reports

4. Purposes and Legal Bases

Your data is processed for the following purposes:

  • Contract performance: Delivering the platform, generating applications and managing your workspace
  • Legitimate interest: Improving features, monitoring performance, securing the infrastructure (subject to a balancing test and limited to what is strictly necessary)
  • Legal obligation: Accounting, tax compliance, anti-fraud requirements
  • Consent: Optional marketing communications and non-essential cookies

5. Data Recipients

We may share data with trusted partners strictly necessary to operate the service:

  • Technical infrastructure: Vercel (hosting), Supabase (databases, managed cloud hosting for Index10 Cloud), DigitalOcean (preview isolation)
  • Payments: Stripe for secure payment processing
  • AI providers: Anthropic (code generation - 30-day retention for security and abuse prevention), OpenAI (image generation via DALL-E 3 and complementary AI models - 30-day retention for abuse prevention)
  • Infrastructure: Cloudflare (CDN, DDoS protection, DNS), Upstash (caching), Resend (transactional emails)
  • Support tools: Ticketing and communication providers with restricted access

For detailed information on sub-processors, see our Data Processing Agreement (DPA).

6. International Transfers

Some providers are located outside the European Economic Area. Transfers are protected by:

  • EU-US Data Privacy Framework (DPF) for certified US-based providers (where applicable)
  • Standard contractual clauses (SCCs) issued by the European Commission (Implementing Decision 2021/914) and/or provider Data Processing Addenda
  • Swiss Addendum adapting the SCCs to the Swiss Federal Act on Data Protection (FADP/nLPD), designating the Federal Data Protection and Information Commissioner (FDPIC) as the competent authority, where applicable
  • Enhanced security measures including encryption, access controls and pseudonymisation
  • Contractual commitments by sub-processors to comply with GDPR requirements (Art. 28 GDPR)
  • Transfer Impact Assessments (TIAs) where required

Transfer details are available in our DPA.

7. Retention Periods

  • Account data: Stored while the account is active then deleted within 30 days
  • Prompts and conversations: Retained while the account is active, unless deletion is requested
  • Billing data: Retained for 10 years to meet statutory obligations
  • Technical logs: Kept up to 90 days (security and observability)
  • Marketing consents: Stored for 3 years from the last active contact, or until you opt-out (in accordance with CNIL deliberation no. 2016-264)
  • Support history: Retained for 24 months after resolution

8. Your GDPR Rights

You can exercise the following rights regarding your personal data:

  • Access: Request a copy of the data we hold
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Ask for deletion when legally possible
  • Restriction: Limit processing in specific circumstances
  • Portability: Receive your data in a structured format
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Revoke consent at any time, without affecting the lawfulness of prior processing
  • Post-mortem directives: Define directives regarding the retention, erasure and disclosure of your data after your death (Art. 85 French Data Protection Act)

How to exercise your rights: Send your request to privacy@index10.com, specifying your identity and the right you wish to exercise. We may request proof of identity for verification. Exercising these rights is free of charge.

Response time: We will respond within one (1) month of receiving your request. This period may be extended by two additional months where requests are complex or numerous, in which case we will inform you within the initial month.

Portability format: Exported data will be provided in a structured, commonly used and machine-readable format (JSON or CSV).

9. Data Security

We apply strict security controls to protect your information:

  • Encryption in transit (TLS); technical and organisational measures intended to protect data at rest in accordance with industry standards
  • Secure authentication and role-based access control for administrative access
  • Role-based access control and least-privilege policies
  • Security reviews and controls appropriate to the nature of the Services
  • Business continuity and disaster recovery plans

10. Cookies

On the Index 10 platform: We use essential cookies (mandatory) and optional cookies (analytics, marketing). Manage your preferences at any time in our Cookie Policy.

On deployed user applications: The built-in analytics system for published projects does not use any cookies, localStorage, or any client-side storage technology. See section 15 below for details.

11. Questions and Complaints

Controller: MEGAMOUNT
General contact: info@index10.com
Data protection contact: privacy@index10.com
Address: 30 BOULEVARD DE SEBASTOPOL, 75004 PARIS, France

If you believe your rights have been infringed, you may lodge a complaint with the CNIL (France) or your local supervisory authority. In particular, you may contact the Federal Data Protection and Information Commissioner (FDPIC) if you reside in Switzerland (www.edoeb.admin.ch), the Office of the Privacy Commissioner of Canada (OPC) if you reside in Canada (www.priv.gc.ca), or any other competent supervisory authority in your jurisdiction.

12. Policy Updates

We may update this policy to reflect changes in our practices or applicable regulations. Non-material changes (typographical corrections, clarifications) may be made without prior notice. Material changes affecting your rights or data processing will be announced via email and/or in-app notification at least 30 days before they take effect. Where a change relies on your consent, we will request your explicit consent before the change comes into effect.

13. IP Address Storage for Consent Records

When you accept our Terms of Service and Privacy Policy (during registration), we record your IP address and user-agent.

Legal basis: Legal obligation (GDPR Art. 6.1.c, read together with Art. 7.1 GDPR) — the controller must be able to demonstrate that the data subject has given consent. Storing this evidence is an obligation imposed by the GDPR.

Purpose: To prove that you accepted the legal documents on a specific date, in case of dispute.

Retention period: Duration of the contractual relationship, then 5 years from the end of the contract (statute of limitations under French law — Art. 2224 Civil Code).

Your rights: You may request access to this data by contacting privacy@index10.com.

14. Use of AI

Our platform leverages AI models provided by Anthropic (code generation) and OpenAI (image generation via DALL-E 3 and complementary AI models). Prompts and data you submit are transmitted to these providers' commercial APIs, whose terms include Data Processing Addendums incorporated by reference. Both Anthropic and OpenAI may retain this data for a maximum of 30 days for security, abuse prevention and compliance purposes, after which it is deleted. Under Anthropic's Commercial Terms (Section B), Anthropic may not use data submitted via the API ("Customer Content") to train its AI models. Similarly, under OpenAI's business terms, OpenAI does not use data submitted via the API to train its models. For more details, see Anthropic's Commercial Terms and OpenAI's Business Terms.

MEGAMOUNT does NOT use any Customer Data to train its own AI models.

14bis. Access to AI Conversations

As part of delivering the service, MEGAMOUNT has technical access to the prompts and conversations you exchange with the AI through the platform, as well as to the generated code.

Purposes of this access:

  • Service delivery: Storing and displaying your conversation history to ensure continuity of your experience
  • Technical support: Diagnosing and resolving technical issues reported by you
  • Security and abuse prevention: Detecting uses that violate our terms of service or applicable law

Legal bases: Contract performance (GDPR Art. 6.1.b) and legitimate interest (GDPR Art. 6.1.f — security and abuse prevention).

Restricted access: Only authorised MEGAMOUNT personnel, bound by confidentiality obligations, may access this data and only when necessary for the purposes described above. We do not systematically read your conversations.

Your rights: You can request deletion of your conversation history at any time by contacting privacy@index10.com or by deleting your account.

15. Analytics for Deployed Projects

When you publish an application through Index 10, a lightweight analytics script is automatically embedded to provide traffic statistics (visitor count, page views, bounce rate, traffic sources, devices). This system is designed to be GDPR-compliant without requiring visitor consent.

How It Works

  • Zero client-side storage: No cookies, no localStorage, no persistent identifiers are placed on the visitor's device.
  • Anonymous server-side hash: Unique visitors are identified via a SHA-256 hash computed server-side from the truncated IP address (last octet removed), User-Agent and a daily rotating cryptographic salt. This hash is irreversible.
  • Computed sessions: Sessions are determined by 30-minute windows, computed server-side. No session information is stored on the device.
  • Daily salt rotation: The cryptographic salt changes every 24 hours. It is impossible to link a visitor from one day to another.
  • IP addresses never stored: The IP is truncated then hashed. The raw IP is never stored in databases or logs.
  • Browser signals respected: The script honours Do Not Track (DNT) and Global Privacy Control (GPC). Visitors can also be excluded via a programmatic opt-out.
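
The following sketch illustrates the hashing scheme described above. It is an added example, not Index 10's own code. The function and class names, the in-memory salt holder, the IPv6 /48 truncation and the use of fixed 30-minute windows are assumptions; the policy itself only specifies last-octet truncation, SHA-256, a daily salt and 30-minute sessions.

```python
import hashlib
import ipaddress
import secrets
from datetime import datetime, timezone

SESSION_WINDOW_S = 30 * 60  # 30-minute session windows, per the policy


def truncate_ip(ip: str) -> str:
    """Drop the last octet of an IPv4 address (the IPv6 /48 cut is an assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


class DailySalt:
    """Holds one random salt per UTC day; the previous day's salt is overwritten."""

    def __init__(self) -> None:
        self._day = None
        self._salt = b""

    def for_time(self, now: datetime) -> bytes:
        day = now.astimezone(timezone.utc).date()
        if day != self._day:
            # Never persist or archive old salts: a retained salt makes old hashes
            # linkable and lets its holder enumerate the 2^24 truncated IPv4 prefixes.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_hash(ip: str, user_agent: str, salt: bytes) -> str:
    """SHA-256 over salt, truncated IP and User-Agent; the raw IP is not kept."""
    material = b"\x00".join([salt, truncate_ip(ip).encode(), user_agent.encode()])
    return hashlib.sha256(material).hexdigest()


def record_hit(ip: str, user_agent: str, now: datetime, salts: DailySalt) -> dict:
    """Build the stored event: visitor hash plus a fixed 30-minute window index."""
    window = int(now.timestamp()) // SESSION_WINDOW_S
    return {"visitor": visitor_hash(ip, user_agent, salts.for_time(now)), "window": window}


if __name__ == "__main__":
    # Constructed sample hits using documentation-range addresses.
    salts = DailySalt()
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    t0 = datetime(2026, 2, 13, 10, 5, tzinfo=timezone.utc)
    print(record_hit("203.0.113.77", ua, t0, salts))
    print(record_hit("203.0.113.200", ua, t0, salts))  # same /24 and UA: same visitor
```

Two visitors who share a /24 prefix and a User-Agent produce the same hash, so the count is approximate by design.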

Legal Basis

This processing relies on legitimate interest (GDPR Art. 6(1)(f)) for audience measurement. No ePrivacy consent (Art. 5(3) of the ePrivacy Directive) is required because nothing is stored on the visitor's device.

Data Collected

  • Page URL visited
  • Page title
  • HTTP referrer (where the visitor came from)
  • Device type (mobile/desktop/tablet), browser
  • Screen resolution (width × height)
  • Browser language
  • Country (derived from IP, without storing the IP)
  • Visit timestamp and duration
  • Custom events and conversions (if configured by the application owner)

Retention period: Aggregated data is retained for as long as the project is active. Raw event data is retained for a maximum of 90 days.

Opt-Out

You can disable analytics collection for any project at any time from the project settings (Settings > Analytics). Disabling analytics triggers an automatic redeployment of your application without the analytics script. No visitor data will be collected after disabling.

Responsibility: Index 10 users who publish applications are data controllers for their own visitors' data. Index 10 acts as a data processor for this processing.

16. Protection of Minors

Index 10 is a professional web application generation service intended for adults. The service is not intended for individuals under 16 years of age (as set by Art. 45 of the French Data Protection Act, in accordance with Art. 8 GDPR).

We do not knowingly collect personal data from minors under 16. If we become aware that a minor under 16 has provided us with personal data without the required parental consent, we will take steps to delete such data as soon as possible.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@index10.com so we can arrange deletion.

17. Automated Decision-Making and Profiling

In accordance with Article 22 GDPR, we inform you that:

  • AI code generation: The use of artificial intelligence models to generate code constitutes automated processing. However, this processing does not produce decisions with legal or similarly significant effects on you. The generated code is a tool at your disposal that you remain free to modify, accept or reject.
  • Fraud and abuse detection: We may use automated systems to detect abusive or fraudulent behaviour (abnormal credit usage, unauthorised access attempts). These systems may result in the temporary suspension of your account, in which case you will be informed and may contest the decision by contacting privacy@index10.com.
  • No advertising profiling: We do not profile our users for advertising or commercial targeting purposes.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

18. Data Breach Notification

In accordance with Articles 33 and 34 GDPR, in the event of a personal data breach:

  • Supervisory authority notification: We will notify the competent supervisory authority (CNIL) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to your rights and freedoms.
  • Individual notification: Where the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay via email and/or in-app notification, describing the nature of the breach, its likely consequences and the measures taken to address it.
  • Breach register: We undertake to maintain an internal register of all personal data breaches, in accordance with Article 33(5) GDPR.

19. Requests from Authorities and Legal Process

MEGAMOUNT may disclose personal data when required by law, including in response to:

  • A court order, judicial requisition or request from a competent administrative authority
  • A request from a supervisory authority (CNIL) in the exercise of its investigative powers
  • A mandatory reporting obligation (anti-money laundering, counter-terrorism or criminal law)

Unless legally prohibited, we will endeavour to notify you before any such disclosure. Any data disclosed will be restricted to the minimum required and processed in accordance with applicable law.

20. Links to Third-Party Services

Index 10 may integrate with or provide access to external services such as version control platforms, cloud infrastructure providers, payment processors and other tools. These third-party services operate under their own privacy policies and terms, over which MEGAMOUNT exercises no control. We recommend reviewing the applicable privacy documentation before sharing personal data with any external service. MEGAMOUNT cannot be held liable for the data protection practices of these third parties, which we encourage you to verify before use.

21. Non-Discrimination

Exercising your data protection rights (access, rectification, erasure, objection, etc.) will never result in adverse treatment. You will not be penalised, discriminated against or subjected to different service conditions for having exercised these rights.

22. Severability

Should a competent court or authority declare any provision of this policy invalid or unenforceable, the remaining provisions shall continue to apply in full. The affected provision shall be replaced by a valid provision that most closely achieves the intended legal and economic purpose.

23. Survival

Provisions of this policy that, by their nature, must survive termination of the contractual relationship shall continue to apply after termination or expiration of your account. This includes in particular obligations relating to data retention (§7, §13), data subject rights (§8), breach notification (§18) and proof of consent.