Privacy Policy
This is an English translation provided for information only. The French-language version — governed by French law — is the sole legally binding text. In the event of any discrepancy, the French version prevails.
Date last updated: 12 May 2026
This Privacy Policy describes how Vertaya (hereinafter "we", "our", or "us") collects, uses, processes and protects your personal data when you use our website www.vertaya.com and our services, including Lucas AI.
We are committed to respecting your privacy and protecting your personal data in accordance with the General Data Protection Regulation (GDPR) No 2016/679 of 27 April 2016 and the French Data Protection Act (Loi Informatique et Libertes) of 6 January 1978 as amended.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person (hereinafter the "Data Subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
- Processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Controller: The natural or legal person who, alone or jointly with others, determines the purposes and means of the processing.
2. Identity of the Data Controller
The Data Controller of your personal data is:
Sylvain Chastang — sole trader (micro-enterprise scheme)
Trading name: Vertaya
SIREN 518 676 663 — SIRET 518 676 663 00033 — APE 62.01Z
6 Impasse des Magnolias, 26250 Livron-sur-Drome, France
VAT not applicable, art. 293 B of the French General Tax Code (CGI)
contact@vertaya.com
3. Personal data collected and purposes of processing
We collect personal data for specific and legitimate purposes, and we ensure that this data is adequate, relevant and limited to what is necessary in relation to those purposes.
| Type of Data Collected | Purposes of Processing | Legal Basis for Processing |
|---|---|---|
| Identification data: Surname, first name, company name, e-mail address, telephone number, job title. | - Respond to your requests for contact, information or a demo via our forms. - Manage the commercial and contractual relationship relating to our services (preparation of quotes, invoicing, project follow-up). - Carry out the diagnosis and develop recommendations. - Communicate about the progress of your project or our services. | Performance of pre-contractual measures or of a contract (Art. 6.1.b GDPR) Legitimate interest (Art. 6.1.f GDPR) for managing the client relationship |
| Connection and usage data: IP address, browser type, operating system, pages viewed, duration of visit, behaviour on the Site. | - Improve the operation and usability of our Site. - Analyse the performance and effectiveness of our marketing campaigns. - Measure the audience of our Site. - Detect and prevent fraudulent activity or security breaches. | Legitimate interest (Art. 6.1.f GDPR) for service improvement and audience analysis (with consent where non-essential cookies are used) |
| Financial data: Payment information (transmitted only to our secure payment providers). | - Processing of payments for our services. | Performance of a contract (Art. 6.1.b GDPR) Legal obligation (Art. 6.1.c GDPR) for invoicing |
| Marketing targeting data (if opt-in): Preferences, history of interaction with our communications. | - Send you commercial information, newsletters or personalised promotional offers about our AI services. | Consent (Art. 6.1.a GDPR) |
4. Recipients of personal data
Your personal data may be accessible to the following categories of recipients:
- Authorised personnel of Vertaya (commercial, technical and administrative teams) who need access to it in order to carry out the purposes mentioned above.
- Our sub-processors and third-party service providers acting on our behalf and on our instructions (e.g. website host OVH, CRM tools, emailing tools, payment providers, audience analysis tools). We ensure that these providers offer sufficient guarantees for the protection of data.
- Administrative or judicial authorities where required by law.
5. Data retention period
We retain your personal data for no longer than is necessary in relation to the purposes for which it is processed, plus any applicable statutory limitation periods.
- Contact and identification data (forms, demo): Retained for as long as necessary to manage your request and the commercial relationship, and thereafter for a period of 3 years after the last contact for commercial prospecting purposes (subject to consent).
- Data relating to the performance of the service (contract, invoicing): Retained for the entire duration of the contract and for up to 10 years after the end of the contract for legal and accounting reasons.
- Connection and usage data (analytics): Generally retained for a limited period (e.g. 13 months for audience cookies) in an anonymised or pseudonymised format once the analysis purpose has been achieved.
6. Transfer of data outside the European Union
As part of the use of certain third-party services (e.g. analysis or CRM tools), your personal data may be transferred to countries located outside the European Union.
In such cases, we ensure that these transfers are carried out in compliance with the requirements of the GDPR and that appropriate safeguards are put in place (e.g. the European Commission's standard contractual clauses, adequacy decisions, or another legally recognised mechanism).
7. Data security
We implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of your personal data and to protect it against destruction, loss, alteration, unauthorised disclosure or unauthorised access. These measures include in particular:
- Physical protection of premises.
- Strict access control to data.
- Data encryption measures (where necessary).
- Use of secure communication protocols (HTTPS).
- Staff awareness and training.
- Regular backups.
8. Your rights (GDPR)
In accordance with the GDPR and national legislation, you have the following rights concerning your personal data:
- Right of access (Art. 15 GDPR): Obtain confirmation that your data is being processed and, where applicable, access it.
- Right to rectification (Art. 16 GDPR): Request the correction of inaccurate or incomplete data.
- Right to erasure (right to be forgotten) (Art. 17 GDPR): Request the deletion of your data under certain conditions.
- Right to restriction of processing (Art. 18 GDPR): Request that the processing of your data be restricted.
- Right to data portability (Art. 20 GDPR): Receive the data you have provided to us, in a structured, commonly used and machine-readable format, and transmit it to another data controller.
- Right to object (Art. 21 GDPR): Object to the processing of your data on grounds relating to your particular situation or for prospecting purposes.
- Right to withdraw your consent (Art. 7.3 GDPR): At any time, for processing based on your consent.
- Right to set post-mortem directives: Concerning the fate of your data after your death.
- Right to lodge a complaint with the CNIL: If you consider that your rights have not been respected, you may lodge a complaint with the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertes, CNIL) in France (www.cnil.fr).
To exercise any of these rights, please contact us by e-mail at: contact@vertaya.com or by post at our registered office. We undertake to respond to your request within one month.
9. Cookies
Our Site uses cookies to improve your browsing experience and analyse use of the Site. For more information about the cookies we use, their purposes and how to manage them, please consult our Cookie Policy: Cookie Policy.
10. Special case: the Lucas AI product
Under the trading name Vertaya, Sylvain Chastang also operates the SaaS product Lucas AI (an AI assistant for construction-trade professionals). Lucas AI has a separate privacy policy, applicable to users of the application, available at lucas.vision-btp.fr/pdc.
This policy describes in particular:
- The tradesperson memory (preferences and facts remembered by Lucas to personalise its responses within an account) on a contractual basis;
- The explicit and revocable consent (a dedicated opt-in at registration) for contributing anonymised interactions to the training of a future proprietary AI, in accordance with Articles 6.1.a and 11 of the GDPR.
This Vertaya policy covers only the processing relating to the www.vertaya.com site and to the consulting services (audit, pilot, bespoke production) described below.
11. Data processed during the Operational Pilot
As part of the Vertaya commercial journey (Audit · Pilot · Production), if the Client accepts phase 2, the "Operational Pilot", the Client's business data may be processed by Vertaya for the exclusive purposes of the Pilot:
- Purpose: feed the vertical AI under development, measure its adoption and the reality of the priority use cases identified during the Audit.
- Legal basis: contract (Article 6.1.b GDPR).
- Categories of data: professional data provided by the Client (clients, suppliers, quotes, invoices, scheduling, employees, business documents) depending on the piloted modules deployed. No sensitive personal data is processed unless specifically agreed.
- Hosting: European Union (GDPR sovereignty).
- No sharing with third-party LLMs: business data is not exposed to third-party language models without the Client's prior written agreement.
- Retention period: for the duration of the Pilot (3 weeks of development + 1 month of use), extended until 30 days after signature of the validation report. In the event of an unfavourable validation, the business data is returned or destroyed at the Client's request within 30 calendar days.
- Sub-processing: any technical sub-processors (host, LLM provider whose API is called) are indicated in the Pilot quote and are contractually bound by the same GDPR obligations.
In the event of going into Production (phase 3), a contractual amendment or a detailed Data Processing Agreement (DPA) is signed between the Parties.
12. Changes to the Privacy Policy
We reserve the right to amend this Privacy Policy at any time. Any change will take effect immediately upon its publication on the Site. We encourage you to consult this page regularly to keep informed of updates.