Skip to content
BackArvens

Privacy policy

Updated on May 3, 2026

This document is a courtesy translation. Only the French version is legally binding.

This policy describes the personal data processing carried out by ARVENS as part of its secure Off-Market sharing service. It is drafted in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act No. 78-17.

Data controller

ARVENS is a brand of QUASARIA, a sole proprietorship. Data controller: Eliott Faivre, Entrepreneur Individuel, 6 rue d'Armaillé, 75017 Paris, France. GDPR contact: contact@arvens.app.

Categories of data subjects

Processing carried out by ARVENS concerns two distinct categories: · Agents: registered real-estate professionals, contractually bound to ARVENS and holders of an authenticated account. · Buyers: third parties identified by Agents, receiving a shared link and accepting the digital NDA. Buyers do not hold an account; no direct identification data (name, email) is collected about them — only the technical elements related to NDA acceptance, for legal proof purposes.

Data collected — Agents

When an agent creates an account, we collect: · professional email address; · full name; · password (stored hashed via bcrypt, never in plain text); · where applicable, agency name and Stripe customer identifier. Legal basis: performance of the contract (Art. 6.1.b GDPR). Retention: duration of the contractual relationship, then three (3) years for prospecting or accounting purposes, unless objected to.

Data collected — Buyers

When a buyer clicks « I accept » on the NDA gate, the following are recorded: · public IP address; · user agent (browser, operating system); · approximate location derived from the IP (city and country); · exact timestamp of acceptance. Legal basis: legitimate interest of the agent in retaining legal proof of NDA acceptance (Art. 6.1.f GDPR), expressly disclosed to the buyer on the gate before clicking. Retention: five (5) years from the date of acceptance, in accordance with applicable civil limitation periods.

Photograph storage

Photographs uploaded by agents are stored on Cloudflare R2, a contractually bound processor pursuant to Article 28 GDPR. They are never made public. Access is only possible through time-limited signed URLs, after the buyer has accepted the NDA.

Profiling and automated decision-making

ARVENS does not carry out any automated decision-making producing legal effects within the meaning of Article 22 GDPR. No data is used for marketing, advertising or scoring profiling. The agent's review of NDA logs constitutes a simple factual reading, without any evaluation algorithm.

Minors

ARVENS is a service strictly reserved for adult real-estate professionals carrying out a regular activity. No data is knowingly collected from minors. The service is in no way intended for persons under 18. Any account discovered to belong to a minor will be immediately deleted.

Cookies

The service uses exclusively strictly necessary cookies: · Supabase session cookies, to maintain agent authentication; · cookie nda_accepted_[id], signed by HMAC SHA-256, to remember a buyer's NDA acceptance (30-day duration, per dossier); · Cloudflare technical cookies for security and attack prevention. No advertising, profiling or third-party analytics cookies are placed.

Processors and recipients

Your data is shared only with the following processors, bound by contractual commitments: · Supabase Inc. (Singapore / European Union) — database and authentication; · Cloudflare, Inc. (United States / European Union) — application hosting and file storage; · Stripe Payments Europe Ltd (Ireland) — credit card payment processing; · where applicable, a transactional email provider. No data is transmitted to a third party for commercial or advertising purposes.

Transfers outside the European Union

Some processors operate from the United States (Cloudflare, Stripe). Such transfers are framed by the Standard Contractual Clauses adopted by the European Commission (decision 2021/914), in accordance with Article 46 GDPR.

Your rights

In accordance with Articles 15 to 22 GDPR, you have at any time the following rights: access, rectification, erasure, restriction of processing, portability, objection, and the right to withdraw your consent. You may exercise these rights by writing to: contact@arvens.app. A reply will be provided within one month. You also have the right to lodge a complaint with the French Data Protection Authority (CNIL — cnil.fr) or your local supervisory authority.

Procedure for exercising your rights

To ensure the security of your data, any request to exercise your rights must be accompanied by elements allowing the requester to be authenticated: · copy of a valid identity document (the document will be destroyed once verification is complete); · specification of the right invoked and the data concerned. Response time: one (1) month from receipt of the complete request, extendable by two months for complex requests (Art. 12 GDPR). In the event of reasoned refusal, ARVENS will indicate the available remedies. No fee will be charged, except for manifestly unfounded or repetitive requests.

Security

ARVENS implements the following technical and organisational measures: · end-to-end TLS 1.3 encryption; · password hashing (bcrypt); · database isolation via Row Level Security; · HMAC SHA-256 signing of sensitive cookies; · timestamped access logging; · request origin checks (anti-CSRF); · rate limiting on sensitive endpoints; · HTTP security headers (X-Frame-Options, HSTS, COOP, etc.).

Data breach notification

In accordance with Articles 33 and 34 GDPR, in the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, ARVENS commits to: · notify the CNIL within seventy-two (72) hours of becoming aware of it; · inform without delay the data subjects concerned when the breach is likely to result in a high risk to their rights and freedoms; · document any breach, its effects and corrective measures, in an internal register made available to the CNIL.

Updates to this policy

This policy may be updated to reflect legal, technical or organisational changes. The date of last update appears at the top of this document. In the event of a material change, registered agents will be notified by email.