European compliance

GDPR & data protection

Last updated: 18 May 2026

This page complements our privacy policy by detailing Bourselo's compliance with the General Data Protection Regulation (EU Regulation 2016/679, "GDPR") and the Swiss Federal Act on Data Protection (FADP / nLPD) applicable to the site publisher Infinity Aurora Sàrl, whose registered office is located in Chambésy (Geneva).

1. Applied principles

• Lawfulness, fairness and transparency — data is collected only with your explicit consent, with clear information on its use.
• Purpose limitation — data is used only for the purposes stated on the form.
• Data minimisation — we only ask for what is strictly useful. All "optional" fields may be left blank.
• Accuracy — you may request corrections at any time.
• Storage limitation — maximum 3 years after the last interaction.
• Integrity and confidentiality — HTTPS, restricted access, encrypted backups.
• Accountability — Infinity Aurora Sàrl documents its practices and maintains a register of processing activities.

2. Register of processing

Processing	Purpose	Legal basis	Retention
Waiting list / pilot application	Project follow-up, pilot selection, product communication	Consent (Art. 6.1.a)	3 years after last contact
Project email delivery	Inform subscribers of progress and launches	Consent	As long as subscription is active
Open/click stats (Brevo)	Measure engagement, improve messaging	Legitimate interest + transparency	13 months

3. Processors and transfers

Bourselo relies on two identified processors, chosen for their European compliance:

3.1 Brevo (Sib SAS)

• Role: contact hosting, email delivery, pilot list management.
• Head office: 7 rue de Madrid, 75008 Paris, France.
• Data hosting: European Union (OVHcloud datacentres, ISO 27001 certified).
• DPA: we have signed Brevo's data processing agreement, compliant with GDPR Articles 28 and 30.
• More info: Brevo privacy policy.

3.2 Infomaniak Network SA

• Role: hosting of the Bourselo website.
• Head office: Rue Eugène-Marziano 25, 1227 Les Acacias, Geneva, Switzerland.
• Data hosting: Switzerland (a country covered by an adequacy decision from the European Commission).
• More info: Infomaniak privacy policy.

No data transfer to a third country outside the EU or Switzerland is performed.

4. Cookies and trackers

The Bourselo site uses no advertising cookies, no external analytics tracker (no Google Analytics, no Facebook Pixel) and no profiling tools.

No cookie banner is needed because no non-essential cookie is placed on your browser.

5. Data security

• TLS 1.3 encryption on all connections (HTTPS enforced).
• Brevo storage encrypted at rest, ISO 27001 compliant.
• Restricted access: only authorised Infinity Aurora staff can access the contact list.
• Protected API key on server side, never exposed to clients.
• Anti-spam honeypot and rate limiting on the form.
• Daily backups automatically performed by Brevo and Infomaniak.

6. Data breach procedure

In case of a data breach likely to result in a risk to your rights and freedoms, Infinity Aurora commits to:

• Notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) and/or the CNIL in France depending on the scope, within a maximum of 72 hours (GDPR Art. 33).
• Notify you directly by email, as soon as possible, describing the nature of the breach, the measures taken and any potential risks.
• Record the incident in our internal register and implement the necessary corrective measures.

7. How to exercise your rights

For any request — access, rectification, deletion, portability, objection or withdrawal of consent:

8. Related documents

• Legal notice — publisher identity, hosting, intellectual property.
• Privacy policy — detail of data collected and uses.
• GDPR (this page) — European compliance, processors, security.