1. Data Controller
The data controller is Un Interlude, a simplified joint-stock company with a sole shareholder (SASU) registered under SIREN 880 245 931, publisher of the Thermoremix.ai service. For any questions regarding your personal data, contact us at hello@thermoremix.com.
2. Data We Collect
We apply the principle of data minimization: we only collect data strictly necessary for the service to function.
Identity and Account
Email, username, password (argon2id hashed — never stored in plain text), Thermomix® model owned, preferred language. If connecting via Google or Apple: unique identifier provided by the provider and associated email.
Content You Provide Us
Recipes you submit (text, URL, photos, descriptions), adapted recipes stored in your notebook, notes and comments. Photos are kept for the duration of the adaptation process and then deleted after 30 days, unless you save them with a recipe.
Payment Data
Stripe customer ID, subscription ID, chosen plan, payment status. Bank details (card number, CVV, IBAN) never pass through our servers: Stripe collects and stores them directly, in compliance with the PCI-DSS Level 1 standard.
Technical and Usage Data
IP address (anonymized after 30 days), approximate country/city deduced from IP, device type, browser, service usage events (pages viewed, adaptations launched) for product improvement purposes.
3. Purposes and Legal Basis
In accordance with Article 6 of the GDPR, each processing operation is based on a specific legal basis:
- Contractual performance — creation and management of your account, recipe adaptation, subscription and payment management (Art. 6.1.b GDPR).
- Legal obligations — retention of invoices for 10 years (Article L.123-22 of the Commercial Code), tax traceability.
- Legitimate interest — service security, fraud prevention, product improvement based on aggregated usage statistics (Art. 6.1.f).
- Consent — post-registration email sequence (cancellable in 1 click via the 'unsubscribe' link), non-essential cookies (Art. 6.1.a).
4. Sub-processors and Transfers
We use a limited number of sub-processors selected for their security level and GDPR compliance. They only have access to your data within the scope of their mission.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) |
| MongoDB Atlas | Database hosting | EU (Frankfurt) |
| Heroku (Salesforce, Inc.) | Application hosting | EU (Dublin) |
| Google Gemini API | Automatic recipe adaptation | USA |
| OVH SAS | Transactional email sending | France (EU) |
| Google / Apple OAuth | Social login (optional) | USA |
Transfers to the United States (Google, Apple) are governed by the standard contractual clauses adopted by the European Commission and, where applicable, by the Data Privacy Framework (EC 2023/1795) certifying the US sub-processors involved.
5. How long do we keep your data?
- Active account: as long as you use the service.
- Inactive account: 24 months without logging in → warning email, then automatic deletion 30 days later.
- Unsaved uploaded photos: 30 days after adaptation.
- Invoices and billing data: 10 years (legal accounting obligation).
- Technical logs and IP: 30 days, then anonymization.
- Account deleted upon request: immediate deletion of identifying data; invoices are kept in anonymized form.
6. Your Rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access — obtain a copy of the data we hold about you.
- Right to rectification — correct inaccurate information (can be modified directly from your account).
- Right to erasure — delete your account and data ("right to be forgotten").
- Right to data portability — retrieve your recipes and data in a readable format (JSON or CSV export).
- Right to object — object to certain processing based on legitimate interest (analytics).
- Right to restriction of processing — temporarily freeze the processing of your data.
- Right to withdraw your consent — at any time for marketing emails.
- Post-mortem directives — you can tell us what happens to your data after your death.
To exercise these rights, write to hello@thermoremix.com specifying the subject of your request. We will respond within a maximum of one month. We may request proof of identity to verify that the request comes from you.
7. Cookies and Local Storage
The service uses a minimal number of browser-side storage mechanisms:
- Session JWT (essential) — stored locally to keep you logged in. Not shared with third parties.
- Anonymous session ID (essential) — UUID generated to track your registration funnel before account creation.
- Language preference (essential) — to display the interface in the correct language for you.
We do not use any advertising cookies, third-party tracking pixels (Facebook, TikTok, etc.), or external analytics tools (Google Analytics). Our usage tracking is entirely first-party and anonymized.
8. Security
All communications are encrypted in transit (HTTPS/TLS 1.2+). Passwords are hashed with argon2id (OWASP standard, with adaptive memory cost). Authentication tokens are signed with a secret stored as an environment variable, never in the source code. Database access is restricted by IP and requires authentication. In the event of a data breach affecting your rights and freedoms, we will notify you within 72 hours in accordance with Article 34 of the GDPR.
9. Minors
In accordance with Article 8 of the GDPR and French law, the service is open to individuals aged 16 and over. Users under 16 must obtain prior consent from a parent or guardian. If we discover that an account has been created by a minor without parental consent, we will delete it.
10. Changes to this policy
This policy may be updated to reflect legal or technical changes. In the event of substantial changes, you will be informed by email with 30 days' notice. The most recent version is always accessible at this URL.
11. Complaint to the CNIL
If you believe your rights are not being respected despite a request addressed to Thermoremix.ai, you can file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr/fr/plaintes — 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07.