Privacy Policy
This privacy policy describes how ODOWA (hereinafter "we") collects, uses, shares and protects
the personal data of users of the Kartes mobile application (hereinafter "the Application"),
as well as associated services accessible via the site kartes.io.
It complies with the General Data Protection Regulation (GDPR — EU Regulation 2016/679)
and with the Informatique et Libertés Act of January 6, 1978, as amended.
1. Identity of the data controller
The data controller is:
- ODOWA
- Address: 49 rue de la République, 60160 Montataire, France
- SIRET: 94505301500018
- Email: support@kartes.io
2. Collected data
2.1 Data provided directly by the user
| Category | Data concerned |
|---|---|
| User account | Email address, password (hashed), name, first name, phone number (optional), profile photo (optional) |
| Workspace | Organization name, logo, settings, user role (member, administrator, owner) |
| Content produced in the application | Photos of infrastructure elements taken from the application, entered descriptions, comments, inspection and intervention forms, electronic signatures, and voice recordings for transcription |
| Payment (paid plans) | Billing data processed by Stripe (name, billing address). Card data never passes through our servers. |
2.2 Automatically collected data
| Category | Data concerned |
|---|---|
| Location data | GPS coordinates (latitude/longitude) when creating or viewing an element on the map, as well as for the optional team position sharing feature (Pro and higher plans, can be disabled) |
| Technical data | IP address, device type, OS version (Android/iOS/Web), application version, anonymized technical identifiers |
| Activity logs (audit log) | Timestamped history of actions performed (creation / modification / deletion of items, interventions, inspections) with user identifier — used for traceability and security |
| Usage Data | Pages viewed, features used, time spent, for internal statistical purposes |
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) |
|---|---|
| User account creation and management | Execution of the contract (T&Cs) |
| Provision of application features (mapping, inspection, intervention, reporting) | Contract execution |
| Geolocation of elements on the map | Contract execution — the feature requires the position to function |
| Image analysis using artificial intelligence (AI Vision: object recognition, field suggestions) | Contract execution / consent (optional feature that can be enabled) |
| Voice transcription by artificial intelligence (AI Voice) | Consent (explicit user trigger) |
| AI Chatbot | Consent (optional feature) |
| Team messaging | Contract execution |
| Push notifications (alerts, messages, reminders) | Consent (system permission that can be enabled or disabled) |
| Gamification (badges, optional rankings) | Contract execution — can be disabled by the administrator |
| Team position sharing (Pro+ plans) | Consent (can be enabled by each member individually) |
| Billing and payment of the subscription | Contract execution / legal obligation (accounting) |
| Security, fraud prevention, traceability (audit log) | Legitimate interest / legal obligation |
| Anonymized internal usage statistics | Legitimate Interest |
| Transactional communications (password reset, confirmations) | Contract Execution |
4. Mobile Application Permissions
The Kartes application requests the following system permissions on Android and iOS. Each is requested in context, at the moment of its first use, and can be revoked at any time in the device settings.
| Permission | Usage justification |
|---|---|
| Camera | Take photos of infrastructure elements (equipment, signage, damages) to associate them with mapped elements or with interventions/inspections. |
| Location (precise and approximate) | Geolocate elements when creating them on the map, display your real-time position to help you navigate on site, and optionally share your position with your team (optional feature). |
| Microphone | Record voice annotations transcribed by AI to quickly fill in fields without a keyboard (optional feature). |
| Storage / Photos | Select existing images from the gallery to attach them to an item or an intervention. |
| Notifications | Notify you of relevant events (new message, assigned intervention, important alert). |
| Internet | Synchronize data with our servers and use cloud AI features. |
5. Subcontractors and data recipients
To provide the application's services, we use technical subcontractors selected for their GDPR compliance:
| Subcontractor | Purpose | Data concerned |
|---|---|---|
| Amazon Web Services (AWS S3) | Storage of photos and uploaded files | Photos taken from the app, profile photos, jackets |
| Anthropic (Claude API) | AI image analysis (Vision), voice transcription (Voice), conversational assistant | Uploaded images, voice recordings, text prompts — only upon explicit user trigger |
| Mapbox | Map display, address geocoding | GPS coordinates, searched addresses |
| Stripe | Processing of subscription payments | Name, email, billing address, card data (managed exclusively by Stripe, never by our servers) |
| DeepL | Automatic translation of content for non-French-speaking users | Text Snippets to Translate (labels, object type descriptions) |
| Hosting provider (API servers) | Database and application server hosting | All user data |
| Transactional email services | Email sending (password reset, invitations, invoices) | Email address, first name |
No personal data is resold to third parties for commercial or advertising purposes.
6. Transfers outside the European Union
Some of our subcontractors may process data from countries outside the European Union:
- Anthropic (United States): transfers governed by the Commission's Standard Contractual Clauses (SCC).
- Stripe (United States / Ireland): certified under the EU-US Data Privacy Framework (DPF), and SCC.
- AWS: our S3 buckets are configured in region eu-west-3 (Paris) — your photos and files remain stored in France.
- Mapbox: SCC for map tile requests.
7. Storage Durations
| Data Category | Storage duration |
|---|---|
| User account (profile, credentials) | As long as the account is active. Deletion upon request, or after prolonged inactivity (3 years without logging in) |
| Content produced (photos, elements, interventions) | As long as the workspace is active. Permanent deletion within 30 days after account or workspace deletion |
| Audit logs | 2 years from the event |
| Billing data | 10 years (legal accounting requirement) |
| Technical logs (connection, errors) | Maximum 12 months |
| Backups | 30 to 90 days depending on the criticality |
| Data sent to AI (Anthropic) | Not retained by Anthropic beyond the request (zero-retention policy for API uses) |
8. Data Security
We implement technical and organizational measures to protect your data:
- TLS encryption for all client/server communications
- Hashed passwords (bcrypt algorithm) — never stored in plain text
- JWT token authentication with limited lifetime + revocable refresh tokens
- Strict data isolation per workspace (multi-tenant partitioning in database and cache)
- Encrypted backups
- Server-side Role-Based Access Control (RBAC)
- Timestamped audit logs to track any sensitive action
- Regular security updates for servers and dependencies
9. Your rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): request the deletion of your data, subject to our legal obligations
- Right to restriction of processing
- Right of objection to processing based on legitimate interest
- Right to data portability: receive your data in a structured and readable format
- Right to withdraw your consent at any time for the processing based on it
- Right to file a complaint with the CNIL (www.cnil.fr)
To exercise your rights, contact us at: support@kartes.io. We respond within a maximum period of one month.
Deleting your account is also possible directly from the app, in the user settings.
10. Minors
The Kartes application is a professional tool intended for infrastructure management stakeholders
(local authorities, companies, asset managers). It is not intended for persons under 16 years of age
and we do not knowingly collect data relating to minors. If you believe that a minor has provided us with
data, contact us for immediate deletion.
11. Cookies and Trackers
The mobile application does not use third-party cookies for advertising or profiling purposes.
The site kartes.io may use cookies strictly necessary for its operation (session, language) and, where applicable, anonymized audience measurement cookies.
No advertising or cross-site tracking cookies are placed.
12. Policy Modifications
This policy may be updated to reflect technical, legal, or functional changes.
Any substantial modification will be notified to users (notification within the application or email).
The date of the last update is listed at the top of this document.
13. Contact
For any questions regarding this privacy policy or the processing of your personal data:
- Email: support@kartes.io
- Mail: ODOWA — 49 rue de la République, 60160 Montataire, France