Skip to content
INFUSE
Dried Tulsi (Holy Basil) — discretion, respect, simplicity

Legal document

Privacy Policy

How INFUSE collects, uses and protects your personal data. GDPR compliant.

1. Data controller

The controller of personal data collected on infuse.earth is:

  • I Infuse SARL
  • 4 Beausoleil, 49230 Sèvremoine, France
  • SIRET 930 808 621 00013 — VAT FR60930808621
  • Email: gestion@infuse.earth
  • Legal representative: Timoté Merlet

I Infuse SARL has not appointed a Data Protection Officer (DPO), as it is not legally required to under Article 37 of the GDPR. For any question about your data, write to gestion@infuse.earth — we answer directly.

2. Data we collect

INFUSE only collects data that is strictly necessary for the purposes described in section 3.

2.1 Identification and contact data

  • First and last name
  • Email address
  • Postal address (billing and shipping)
  • Phone number (optional, used only for delivery if the carrier requires it)

2.2 Order data

  • Order history (products, quantities, dates)
  • Amounts paid
  • Payment method used (no card data)
  • Shipping addresses

2.3 Payment data

INFUSE stores no payment card data. All transactions are processed by our payment provider Stripe, certified PCI-DSS Level 1. If you choose to save your card for a future purchase, the token is stored at Stripe, never at our end.

2.4 Navigation and technical logs

At this time, infuse.earth uses no analytics tool— no Google Analytics, no Plausible, no Vercel Analytics. The cookies page lists every cookie actually set.

Our hosting provider Vercel keeps standard technical logs (IP, device type, requested page, timestamp) for short periods, for security and operational purposes — Vercel acts as a processor and does not use these logs for advertising profiling.

2.5 Communication data

  • Emails exchanged with our customer service
  • Conversations with the AI Concierge (anonymised if you are not signed in; tied to your account if you are, to improve the relevance of answers)

2.6 Account data (if you create an account)

  • Sign-in credentials (email + Supabase Auth magic link)
  • Preferences (language, ambient, notifications)
  • Saved addresses (billing, shipping)

2.7 Allies program data

  • Ally status
  • Unique coupon code
  • History of sales generated by your code
  • Bank transfer details (IBAN or equivalent) you share with us on request to pay your commissions. Payouts are handled manually by our human on the payments side (Ornella) — not through Stripe Connect or any third-party intermediary. These details are stored in our Supabase database under restricted access.

3. Purposes and legal bases

Under Article 6 of the GDPR, each processing operation is based on a specific legal ground:

PurposeLegal basis
Order processing and deliveryPerformance of contract (Art. 6.1.b)
Invoicing and accounting obligationsLegal obligation (Art. 6.1.c — 10 years)
Customer service and after-salesPerformance of contract (Art. 6.1.b)
Account creation and managementConsent (Art. 6.1.a)
NewsletterConsent — explicit opt-in
Allies programPerformance of contract (Art. 6.1.b)
AI ConciergeLegitimate interest (Art. 6.1.f) or consent
Fraud preventionLegitimate interest (Art. 6.1.f)
Legal obligations and authoritiesLegal obligation (Art. 6.1.c)

4. Recipients and processors

Your data is accessible only to authorised INFUSE staff and to the technical processors strictly necessary listed below. Each is bound by a Data Processing Addendum (DPA) and by the Standard Contractual Clauses of the European Commission for transfers outside the EU.

ProcessorPurposeData location
Supabase Inc.Database, authentication (magic link), file storageEU — eu-west-3 (Paris)
Stripe Inc. / Stripe Payments Europe Ltd.Payment processing (3D Secure)EU (Ireland) + USA
Sendcloud B.V.Shipping label generation and parcel tracking (relay to Colissimo, Mondial Relay, etc.)EU — Netherlands
Resend, Inc.Transactional emails (order confirmation, shipping, magic link, post-purchase guides)USA
Vercel Inc.Website and CDN hosting — serves pages and keeps technical access logsUSA + global edge
Anthropic, PBCAI Concierge API (Claude model) — only the content of your message is sent, never your email or accountUSA

INFUSE never sells your data. INFUSE does not share your data with marketing partners, ad partners or data brokers.

If we add a new processor (for example an anonymous analytics tool), this page will be updated and the cookies banner will reappear with an updated notice.

5. Transfers outside the European Union

Some of our processors are based in the United States (Stripe, Resend, Vercel, Anthropic). These transfers are framed by:

  • adherence to the EU-US Data Privacy Framework (DPF) for certified companies;
  • the Standard Contractual Clauses (SCCs) approved by the European Commission (decision 2021/914);
  • additional technical measures (encryption in transit and at rest).

You can request a copy of the safeguards in place at any time by writing to gestion@infuse.earth.

6. Retention periods

DataRetention
Active customer accountUntil deletion request
Inactive customer account3 years, then anonymisation
Order and invoicing data10 years (accounting obligation)
NewsletterUntil consent is withdrawn
Anonymous AI Concierge conversations30 days maximum
Vercel technical logsPer Vercel policy (typically a few weeks)
Prospect data (contact form)3 years after last contact
Allies programDuration of relationship + 5 years

7. Your rights

Under Articles 15 to 22 of the GDPR, you have the following rights over your personal data:

  • Right of access (Art. 15) — obtain a copy of your data.
  • Right to rectification (Art. 16) — correct any inaccurate or incomplete data.
  • Right to erasure (Art. 17) — subject to legal obligations (notably 10-year invoice retention).
  • Right to restriction of processing (Art. 18).
  • Right to portability (Art. 20) — receive your data in a structured format (JSON or CSV).
  • Right to object (Art. 21) — to processing based on legitimate interest or direct marketing.
  • Right to withdraw consent (Art. 7) at any time.
  • Automated decisions (Art. 22) — INFUSE makes no decision producing legal effects on you solely on the basis of automated processing. The AI Concierge is an orientation tool, not a decision tool.

8. How to exercise your rights

Directly in your account: update your data (/compte), request account deletion.

By email: send your request to gestion@infuse.earth including:

  • your name, last name, account email;
  • the nature of your request;
  • a copy of an ID if needed to verify your identity (only in case of doubt).

INFUSE answers within 30 days maximum (extendable by 2 months for complex requests, with prior notice).

9. Cookies

The full breakdown of cookies set by infuse.earth — exact list, lifetimes, purposes — is on the cookies page. In short: no advertising cookies, no Meta pixel, no retargeting cookies, no third-party analytics at this time.

10. Security

  • Encryption in transit (HTTPS/TLS) on the entire site
  • Encryption at rest on the Supabase database
  • Authentication via magic link (one-time email link)
  • Access restricted to authorised personnel only
  • Regular audit of access and permissions

In case of a data breach likely to result in a risk to your rights and freedoms, INFUSE will notify the CNIL within 72 hours and will inform you as soon as possible, in accordance with Articles 33 and 34 of the GDPR.

11. Complaint to the CNIL

If you consider that your rights are not respected, you may at any time lodge a complaint with the French Data Protection Authority (CNIL) :

CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
cnil.fr/en/complaints

Before reaching out to the CNIL, we would appreciate it if you wrote to us first at gestion@infuse.earth. Most situations resolve through a direct exchange.

12. Updates

INFUSE may need to amend this policy to adapt to changes in regulation or in our services. Any substantial change will be notified by email if you have an account or are subscribed to the newsletter. The last update date appears at the bottom of the page.

Dernière mise à jour : 2026-05-29

Privacy Policy · INFUSE