How sobrii collects, uses and protects your personal data.
Last updated: February 2026
This Privacy Policy is issued by: SOBRII, a simplified joint-stock company (SAS) with a share capital of €8,000, registered with the Montpellier Trade and Companies Register under number 978 484 384, headquartered at 8 rue de la Bandido, 34070 Montpellier, France.
Email: contact@sobrii.io
Data protection officer: dpo@sobrii.io
Note: SOBRII has not appointed a Data Protection Officer (DPO), as it is not required under Article 37 of the GDPR. An internal data protection contact has been designated to address any questions regarding your data.
This Privacy Policy informs you about how SOBRII collects, uses and protects your personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and French Law No. 78-17 of January 6, 1978. It applies to:
• Visitors of the sobrii.io website
• Prospects and commercial contacts of SOBRII
• Users of the SOBRII Application dashboard
• Individuals whose workstations are monitored by the SOBRII Agent (in this case, the employer is the data controller and SOBRII acts as a data processor — see section 3.3)
3.1. Website visitors (sobrii.io)
When you visit our website, we may collect:
• Navigation data: IP address, browser type, operating system, pages visited, visit duration, traffic source
• Cookies: strictly necessary cookies and, subject to your consent, audience measurement cookies
• Contact forms: if you fill out a form, we collect the information you provide (name, professional email, company, message)
3.2. SOBRII Dashboard users
If you have access to the SOBRII Application dashboard, we process:
• Identification data: name, professional email address
• Connection data: login logs, IP address, access timestamps, actions performed
• Authentication data: account credentials (password is hashed via BCrypt and never stored in plain text)
3.3. Workstations monitored by the SOBRII Agent — SOBRII acts as data processor
When the SOBRII Agent is deployed on an employer's workstations, the employer (client) is the data controller. SOBRII acts as a data processor under Article 28 of the GDPR. The Agent collects exclusively technical data about the workstation:
• Device identification (brand, model, serial number)
• Hardware configuration (processor, memory, storage, peripherals)
• Battery health (charge cycles, capacity, health)
• Software inventory (installed applications, versions, publishers)
• Performance data (boot time, stability, resources)
• Energy consumption (power usage, charge profiles)
• Security status (updates, certificates, disk encryption)
• Network configuration (without communication content)
Core principle — SOBRII monitors the machine, not the person. The Agent does not collect any of the following:
• Personal or professional file content
• Internet browsing history
• Email or message content
• Keystrokes (no keylogging)
• Screenshots
• GPS location data
• Sensitive data under Article 9 of the GDPR
• Website operation — Legitimate interest (Art. 6(1)(f)) — Website visitors
• Audience measurement and site improvement — Consent (Art. 6(1)(a)) — Website visitors
• Contact requests and B2B commercial prospecting — Legitimate interest (Art. 6(1)(f)) — Prospects, contacts
• Customer relationship management and SaaS contract execution — Contract performance (Art. 6(1)(b)) — Clients
• Dashboard access and user account management — Contract performance (Art. 6(1)(b)) — Dashboard users
• Access logging and Application security — Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) — Dashboard users
• Telemetry collection on behalf of client (processing) — Determined by client — Monitored employees
• Anonymized and aggregated statistics — Legitimate interest (Art. 6(1)(f)) — Anonymized data
Your data may be shared with the following recipients:
• SOBRII team: strictly within their responsibilities
• Microsoft Azure (Microsoft Ireland Operations Limited): infrastructure hosting in Azure France Central region (EU)
• Google Ireland Limited: website audience measurement via Google Analytics 4, subject to your consent
• GitHub (Microsoft): CI/CD and source code management
• Accounting firm: for billing data
SOBRII never sells, rents or transfers your personal data to third parties for commercial purposes.
All SOBRII application data is hosted on Microsoft Azure infrastructure, France Central region (European Union). This data does not leave the European Union.
Exception — Google Analytics 4: audience measurement data collected via Google Analytics (subject to your consent) may be transferred to Google LLC servers in the United States. This transfer is governed by:
• The European Commission adequacy decision of July 10, 2023 regarding the EU-US Data Privacy Framework, to which Google LLC is certified
• Standard Contractual Clauses (SCCs) adopted by the European Commission between Google Ireland Limited and Google LLC
SOBRII does not make any other personal data transfers outside the European Union or European Economic Area.
• Website navigation data: 13 months maximum
• Contact form data: 3 years after last contact
• Prospect data: 3 years after last active contact
• Client data (contract, billing): contract duration + 5 years (civil statute of limitations)
• Authentication data (dashboard): contract duration + 60 days
• Login logs (dashboard): 12 rolling months
• Telemetry data (Agent): 24 rolling months maximum
• Anonymized and aggregated data: 5 years maximum after contract end
• Invoices: 10 years (accounting obligation)
At the end of these periods, data is deleted or irreversibly anonymized.
SOBRII implements state-of-the-art technical and organizational measures to protect your data:
• Encryption in transit: TLS 1.2 minimum, TLS 1.3 preferred
• Encryption at rest: Transparent Data Encryption (TDE, AES-256) and application-level encryption (AES-256) for sensitive fields
• Secrets management: Azure Key Vault certified FIPS 140-2 Level 2, automatic key rotation every 90 days
• Data isolation: each client has a dedicated, physically isolated database (Azure SQL)
• Strong authentication: BCrypt, SSO compatible (Azure AD, Okta, Google, SAML 2.0, OIDC), short-lived tokens (15 minutes)
• Granular access control: 80+ permissions with hierarchical inheritance
• Immutable logging: tamper-resistant storage, cryptographic hash chain
• Secure agent: developed in Rust (native memory safety), outbound-only communication (HTTPS 443), RSA asymmetric cryptography authentication
• Backups: daily incremental, weekly full, encrypted, stored in a separate data center
• Isolated environments: development, staging and production strictly separated
Under the GDPR, you have the following rights:
• Right of access (Art. 15) — Obtain confirmation that your data is being processed and receive a copy
• Right to rectification (Art. 16) — Have inaccurate or incomplete data corrected
• Right to erasure (Art. 17) — Request deletion of your data under GDPR conditions
• Right to restriction (Art. 18) — Request restriction of processing in certain cases
• Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format
• Right to object (Art. 21) — Object to processing for reasons relating to your particular situation
• Right to withdraw consent — For consent-based processing, you may withdraw at any time
How to exercise your rights:
• Email: dpo@sobrii.io
• Mail: SOBRII — Data Protection Officer, 8 rue de la Bandido, 34070 Montpellier, France
We commit to responding within one (1) month. This period may be extended by two months in complex cases.
Complaint to the CNIL:
• Website: www.cnil.fr
• Address: 3, place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
The sobrii.io website uses cookies strictly necessary for technical operation. These do not require your prior consent. Subject to your consent, we may use audience measurement cookies. You can manage your preferences at any time via the cookie management banner. In accordance with CNIL recommendations, audience measurement cookies have a maximum lifespan of 13 months. For more details, please consult our Cookie Policy, accessible from sobrii.io.
SOBRII reserves the right to modify this Privacy Policy at any time. In case of substantial changes, we will inform you by publishing an updated version on our website, with a visible notice for thirty (30) days.
For any questions regarding this Privacy Policy or the protection of your personal data:
• Data protection officer: dpo@sobrii.io
• Address: SOBRII, 8 rue de la Bandido, 34070 Montpellier, France
• Website: sobrii.io