Privacy Policy
Last updated: April 2026
1. Data controller
The data controller for personal data collected through the IliaCloud platform is:
Bruno Guns — Sole Proprietorship
34 rue du Verbote, 90350 Evette-Salbert, France
SIRET : 98960972200016
Email : contact@iliacloud.com
2. Data collected
IliaCloud collects and processes the following personal data, in accordance with the principle of data minimization (Article 5 of the GDPR):
| Data | Purpose | Retention period |
|---|---|---|
| Email address | Identification, authentication, communication | Account duration + 30 days |
| Hashed password | Authentication (bcrypt 12 rounds) | Account duration |
| IP address | Security, rate limiting, logging | 90 days |
| Encrypted SSH keys | Connection to the user's servers | Account duration |
| Encrypted API keys | AI integration (BYOK) | Account duration |
| Server metrics | Monitoring and alerts | 30 days (Free) / 90 days (Pro/Business) |
| Audit logs | Action traceability | 90 days |
The legal bases for processing are performance of the contract (Article 6.1.b of the GDPR) for data necessary for the operation of the service, and legitimate interest (Article 6.1.f) for security and abuse prevention.
3. Encryption and data security
IliaCloud implements advanced technical measures to protect user data:
- AES-256-GCM — encryption of SSH keys and API keys before database storage
- bcrypt (12 rounds) — irreversible password hashing
- PBKDF2 — encryption key derivation
- HTTPS (TLS 1.2+) — encryption of all communications between the browser and IliaCloud servers, via Let's Encrypt certificates
4. Sub-processors
Personal data may be processed by the following sub-processors:
| Sub-processor | Location | Purpose | GDPR compliance |
|---|---|---|---|
| OVH SAS | France | Server and data hosting | Compliant (data in France) |
| Stripe, Inc. | USA | Payment processing | Compliant (DPF, standard contractual clauses) |
| Let's Encrypt (ISRG) | USA | SSL/TLS certificate issuance | Minimal data (domain only) |
5. Your rights (GDPR)
In accordance with the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access (Article 15) — obtain a copy of all your personal data
- Right to rectification (Article 16) — correct inaccurate or incomplete data
- Right to erasure (Article 17) — request deletion of your data (account deletion)
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format (JSON)
- Right to object (Article 21) — object to the processing of your data in certain circumstances
To exercise these rights, contact us at contact@iliacloud.com. We commit to responding within 30 days.
You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertes), the French data protection authority: www.cnil.fr.
6. Cookies
IliaCloud uses only strictly necessary cookies for the operation of the service. No tracking, analytics or advertising cookies are used. No third-party cookies are set.
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| access_token | httpOnly, Secure, SameSite | 15 minutes | Authentication (JWT) |
| refresh_token | httpOnly, Secure, SameSite | 7 days | Session renewal |
| csrf_token | Session | Browser session | CSRF attack protection |
7. International data transfers
Personal data is primarily hosted in France (OVH). Transfers outside the European Union are limited to the following cases:
- OVH — data stored in France, no transfer outside the EU
- Stripe — payment processing in the USA, compliant with the EU-US Data Privacy Framework and standard contractual clauses
- AI providers — data sent to AI providers is chosen and transmitted by the user through the BYOK system. The choice of provider and associated processing conditions are the user's responsibility
8. Security measures
IliaCloud implements the following security measures to protect user data:
- Encryption — AES-256-GCM for sensitive data, bcrypt for passwords, HTTPS for communications
- Audit and traceability — logging of all sensitive actions with timestamps
- Rate limiting — request rate limiting to prevent brute force attacks
- Automated testing — over 612 unit and integration tests running continuously
- Code analysis — SonarQube for vulnerability detection and code quality maintenance
- CSRF tokens — protection against cross-site request forgery attacks
- Security headers — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options
9. Policy changes
IliaCloud reserves the right to modify this privacy policy. Any substantial change will be notified to users by email at least 30 days before it takes effect. The current version is always available on this page.
10. Contact
For any questions regarding the protection of your personal data or to exercise your rights, contact our Data Protection Officer (DPO):
Email : contact@iliacloud.com
Response time: 30 days maximum