Privacy Policy
Last updated: September 23, 2025
This privacy policy (the "Policy") describes how PROMESIA processes personal data in connection with the use of the BromeAI service available at https://brome.ai (the "Service").
1. Preamble and definitions
Processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR) and French law No. 78-17 of January 6, 1978, as amended (Loi Informatique et Libertés).
For the purposes of this Policy:
- Personal data: any information relating to an identified or identifiable natural person (Art. 4.1 GDPR).
- Processing: any operation performed on personal data (Art. 4.2 GDPR).
- Data controller: the entity that determines the purposes and means of processing (PROMESIA).
- Processor: a service provider processing data on behalf of the data controller.
- EEA: European Economic Area.
2. Data controller and Data Protection Officer (DPO)
Data controller
PROMESIA, SAS with share capital of EUR 300
SIRET: 932 526 932 00011 -- VAT: FR25932526932
Registered office: 11 rue Jehan de Marville, 21000 DIJON, France
General contact: [email protected]
Data Protection Officer (DPO)
Name: Tanguy Jacotot
DPO contact: [email protected]
3. Categories of data processed
PROMESIA processes data that is strictly necessary for providing and improving the Service.
3.1. Identity and contact
- Last name, first name, email address.
- IP address.
3.2. Account and authentication
- Passwordless authentication (magic link via email) or OAuth (Google, Microsoft, GitHub).
- Data received via OAuth: last name, first name, email address, profile picture (avatar).
3.3. Content and history
- Prompts/messages, images, and files submitted.
- Generated responses.
- Usage history.
3.4. Payments and billing
- Credit card data processed and stored exclusively by Stripe (we do not have access to it).
- Payment/subscription metadata: Stripe customer ID, subscription ID, plan, status.
- Information necessary for issuing invoices and receipts in the personal area.
3.5. Telemetry and usage metrics
- Technical and usage data: browser (user agent), operating system, language, referring site, pages viewed, interaction events (clicks, etc.), timestamps, IP address, and approximate geolocation (inferred from IP, or more precise location if authorized).
- Measurement primarily via PostHog (product analytics) and dub.co (attribution), subject to your consent where required (see Section 10).
Important note: PROMESIA does not require and does not wish to receive sensitive data (Art. 9 GDPR). Please do not include such information in your prompts.
4. Purposes and legal bases
| Purpose | Examples of operations | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Providing the Service | Account creation/management, routing prompts to AI services, delivering responses, history | Performance of a contract -- Art. 6(1)(b) |
| Payment & subscriptions | Billing, receipts, plan changes, fraud prevention | Performance of a contract -- Art. 6(1)(b) / Legal obligation -- Art. 6(1)(c) |
| Support & communications | Assistance, account security, important information | Performance of a contract -- Art. 6(1)(b) / Legitimate interest -- Art. 6(1)(f) |
| Security & continuity | Preventing abuse, spam, incidents, and ensuring availability | Legitimate interest -- Art. 6(1)(f) |
| Measurement, analytics & attribution | PostHog (events), dub.co (provenance), product improvement | Consent -- Art. 6(1)(a) |
| Marketing / newsletter | Sending marketing information, product news | Consent -- Art. 6(1)(a) or Legitimate interest -- Art. 6(1)(f) |
| Legal obligations | Accounting, taxation, responses to authorities | Legal obligation -- Art. 6(1)(c) |
PROMESIA does not sell personal data.
5. Recipients and processors
Processing may involve the following service providers (acting as processors -- Art. 28 GDPR).
5.1. Hosting & network
- Hetzner Online GmbH (European hosting services)
- Cloudflare (CDN, network security, anti-bot)
5.2. Payments & subscriptions
- Stripe
5.3. Authentication
- Google, Microsoft, GitHub
5.4. Attribution & analytics
- dub.co
- PostHog
5.5. AI and search services
- OpenAI
- xAI
- Anthropic
- Mistral AI
- Groq
- Perplexity
- Cerebras
- Black Forest Labs
- Alibaba Cloud (Qwen)
- DeepSeek AI (via Replicate)
- Replicate
- EXA.ai
- OpenRouter
- Cloudflare (AI services and advanced security)
Privacy note -- AI and search services: To provide Service features (generation, comprehension, augmented search), certain prompts, search terms, images, and instructions may be transmitted to the relevant services. PROMESIA enables restrictive settings when available. However, some providers contractually provide for broader uses (logging, security, service improvement). PROMESIA requests non-reuse but cannot guarantee it for every provider. Please do not include sensitive information in your prompts or searches.
6. Transfers outside the EEA
The main database is hosted in Europe (Hetzner Online GmbH).
Certain providers (e.g., Stripe, Cloudflare, EXA.ai, and various AI providers) are located or may process data outside the EEA (particularly in the United States). PROMESIA governs these transfers with appropriate safeguards (Standard Contractual Clauses from the European Commission) and, where available, adequacy mechanisms. Further information is available from the DPO.
7. Retention periods
- Account, content, and history: for the duration of the account's activity.
- Account deletion: immediate and permanent deletion of data (except temporary technical backups).
- Accounting records: up to 10 years for legal obligations.
8. Security
PROMESIA implements appropriate technical and organizational measures: TLS encryption, access controls, environment separation, principle of least privilege, reasonable logging, Cloudflare protections.
No passwords are stored (authentication via magic link or OAuth).
In the event of a high-risk data breach, PROMESIA will notify the competent authority and affected individuals in accordance with Articles 33 and 34 of the GDPR.
9. Marketing and communications
PROMESIA may send:
- Service communications (security, notifications, receipts, invoices).
- Marketing communications (newsletter, product news) with consent or on the basis of legitimate interest (soft opt-in).
You can unsubscribe at any time via the link at the bottom of each email.
10. Cookies and trackers
| Cookie name | Provider | Purpose | Indicative duration |
|---|---|---|---|
| __stripe_mid | Stripe | Customer identification and fraud prevention | Standard duration (variable) |
| cf_clearance | Cloudflare | Anti-bot validation and continued access | Standard duration (variable) |
| Session/auth cookies | BromeAI | Maintaining session/authentication | Session to 12-13 months |
| ph_phc_*_posthog | PostHog | Product usage measurement | Standard duration (variable) |
| dub_id | dub.co | Source/campaign attribution | Standard duration (variable) |
Strictly necessary cookies and consent revocable at any time. Maximum lifetime limited to 13 months (CNIL).
11. Automated decisions
BromeAI does not make automated decisions producing legal effects within the meaning of Article 22 of the GDPR. AI-generated results require user judgment.
12. Rights of data subjects
You have the rights provided for in Articles 15 to 22 of the GDPR: access, rectification, erasure, restriction, objection, portability, withdrawal of consent (where applicable).
- Deletion: possible directly from the application.
- Portability: requests are processed on request.
Exercising your rights: [email protected] (identity verification may be required). You may also file a complaint with the CNIL (https://www.cnil.fr).
13. Minors
In France, the Service is primarily intended for users aged 15 and over (or the legal age of digital consent applicable in the EEA). Outside the EEA, it is not intended for children under 13. PROMESIA may terminate any non-compliant account.
14. Amendments
PROMESIA may amend this Policy in the event of legal, technical, or organizational changes. In the event of a substantial change, information will be provided (notice in the application and/or email). The update date appears at the top of the document.
15. Contact
- General contact: [email protected]
- DPO: [email protected] (Tanguy Jacotot)
- Postal address: PROMESIA -- 11 rue Jehan de Marville, 21000 DIJON, France