Privacy policy
Data we collect
This section describes the categories of personal data we collect when you use korum studio (the "Service"), operated by Infographart, sole trader (micro-enterprise), with registered office in Provence-Alpes-Côte d'Azur, France.
1.1. Account data. When you create an account, we collect your email address and the password you choose (stored in hashed form only, by our authentication provider Supabase). If you use Google sign-in (SSO), we receive your email address and a Google account identifier; we never store your Google password.
1.2. Profile and preferences. We store the settings associated with your account: workspace membership, UI theme (light/dark), display language. These preferences are stored in our database and, for responsiveness, in your browser's local storage (keys quorum.theme, quorum.locale, quorum.activeWorkspaceId).
1.3. Content you import. When you import a source to seed a panel (product brief, interview transcript, Figma URL, user reviews), the content is processed by our servers and forwarded to our AI provider (Google Gemini) to generate synthetic personas. You are responsible for the lawfulness of imported content and warrant you hold the necessary rights. We strongly recommend you do not import identifying personal data without prior pseudonymisation (in particular within interview transcripts).
1.4. Content generated in the Service. Research questions, selected protocols, debate content (synthetic turns) and verdicts produced are stored in your workspace.
1.5. Technical data. Our hosting providers (Vercel, Supabase) collect technical logs (server logs, IP addresses, user-agents) for security, abuse prevention and diagnostic purposes. korum studio does not use these data for profiling.
1.6. Contact form. If you send a message via the About page form, we collect your name, email address, optional subject and message content. These data are processed via a Vercel Function (api/contact.ts), stored in the contact_messages table hosted by Supabase (region eu-west-3 Paris, European Union), and delivered to us by email notification via Supabase. No additional third-party email provider is involved.
1.7. What we do not collect. We do not set any advertising cookie or tracker. We do not use intrusive audience analytics tools (Google Analytics, Mixpanel, etc.). We use Vercel Web Analytics (cookieless, no cross-site tracking, IP anonymized) and PostHog (product behaviour analytics, EU-hosted, opt-in only, no advertising use) — both gated behind your analytics consent. We do not sell or rent your data.
How we use your data
We process your data for the following purposes, on the GDPR legal bases (Art. 6):
- Provide and operate the Service (account creation, workspace management, panel generation, debate orchestration, verdict production) — legal basis: performance of contract (Art. 6.1.b);
- Persist your preferences (theme, language, active workspace) — legal basis: legitimate interest in delivering a consistent experience (Art. 6.1.f);
- Maintain Service security (abuse prevention, fraud prevention, audit log) — legal basis: legitimate interest (Art. 6.1.f);
- Reply to your requests sent via the contact form — legal basis: legitimate interest or consent depending on context (Art. 6.1.a / Art. 6.1.f);
- Comply with legal obligations (retention of accounting evidence, response to legal requests) — legal basis: legal obligation (Art. 6.1.c).
Automated decision-making and profiling. The Service uses a generative AI model (Google Gemini) to produce personas and orchestrate debates. This processing does not result in automated decisions producing legal effects on natural persons within the meaning of Art. 22 GDPR. Generated personas are synthetic constructs for user research purposes. Any business decision taken on the basis of a verdict remains under the human responsibility of the member.
Data retention
We apply the following retention periods (indicative, to be confirmed by legal counsel):
- Active account (email, hashed password, member profile) — throughout the duration of your registration — performance of contract.
- Inactive account (no sign-in) — [TO BE CONFIRMED BY PO — default: 36 months] after last sign-in, then deletion or anonymisation — storage limitation (Art. 5.1.e GDPR).
- Workspace, panels, segments, personas, debates, verdicts — contract term + 30 days (purge) after account deletion — performance of contract.
- Verdict share links — 30 days (TTL), then automatically deactivated — default duration in code.
- Workspace activity log — [TO BE CONFIRMED BY PO — default: rolling 12 months] — security and traceability.
- Technical logs (Vercel, Supabase) — per subprocessor policies (typically 30 to 90 days) — operational security.
- Contact form messages — [TO BE CONFIRMED BY PO — default: 36 months] after last contact — CNIL recommendation.
- localStorage preferences — until you clear them (by clearing your browser data) or unsubscribe — first-party storage, not persisted server-side.
Upon expiry, data are permanently deleted or irreversibly anonymised. You may request early account deletion at any time (see Section 5).
Third-party services
To provide the Service, we rely on the following subprocessors, who act on our instructions under data processing agreements (DPA):
- Supabase Inc. (United States — effective hosting: region eu-west-3 Paris, European Union) — database hosting, authentication, file storage, realtime communication, contact message storage (contact_messages table). DPA: https://supabase.com/legal/dpa. Data hosted in the EU — no international transfer to document for Supabase.
- Vercel Inc. (United States, global Edge Network) — frontend hosting and serverless function execution (including api/contact.ts for the contact form). DPA: https://vercel.com/legal/dpa. Transfer governed by EU Standard Contractual Clauses 2021/914.
- Google LLC (Gemini API) (United States / global endpoint) — generative AI model inference used for persona seeding, debate orchestration and verdict synthesis. DPA: https://cloud.google.com/terms/data-processing-addendum. Per Google's documentation, prompts sent to the paid Gemini API are not used to train models. Transfer governed by EU Standard Contractual Clauses 2021/914.
- Google LLC (OAuth) (United States) — Google SSO authentication, only if you choose this option. Policy: https://policies.google.com/privacy.
- PostHog, Inc. (product behaviour analytics) — EU-hosted at eu.i.posthog.com. Activated only after analytics consent. Autocapture disabled. No session recording, no advertising use. Privacy policy: posthog.com/privacy.
No other subprocessor is used. An exhaustive, up-to-date list of our subprocessors is available on request to the address mentioned in Section 6.
Your rights
Under the GDPR (EU 2016/679), the UK GDPR, the CCPA/CPRA and the Swiss nFADP, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — obtain a copy of the data we hold about you.
- Right of rectification (Art. 16 GDPR) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR) — request deletion of your data under the conditions provided.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR) — object to processing based on legitimate interest.
- Right to withdraw consent at any time, where processing is based on consent (Art. 7.3 GDPR), without affecting the lawfulness of prior processing.
California residents (CCPA/CPRA): you also have the Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale/Sharing (korum studio does not sell or share your personal data) and Right to Non-Discrimination.
How to exercise your right of access and portability (Art. 15 and Art. 20 GDPR). Data export is now self-service: open your Account page, section Privacy, and click "Request data export" to download a complete copy of your data in JSON format.
How to exercise your other rights. For rectification, erasure, restriction, objection or consent withdrawal, send a request to contact@infographart.com specifying the nature of your request. We respond within 30 days at most from receipt, in accordance with Art. 12.3 GDPR.
Right to lodge a complaint. If you believe your rights are not respected, you may contact the supervisory authority of your country of residence: France: CNIL (https://www.cnil.fr). United Kingdom: ICO (https://ico.org.uk). California: CPPA (https://cppa.ca.gov). Switzerland: FDPIC (https://www.edoeb.admin.ch).
Contact us
For any question regarding this Privacy Policy or the exercise of your rights, you may reach us at:
Data controller: Infographart, sole trader (micro-enterprise), registered office in Provence-Alpes-Côte d'Azur, France.
Website: https://korum.studio — General email and data protection: contact@infographart.com.
Internal privacy contact: reachable at contact@infographart.com (Infographart is not required to appoint a formal DPO under Art. 37 GDPR).
A record of processing activities (RPA) is maintained in accordance with Article 30 GDPR and is available on request at contact@infographart.com.
Last updated: May 17, 2026. We may modify this Privacy Policy. Any substantial change will be notified to you by email and by an in-Service banner at least 30 days before it takes effect.
Cookies and local storage
korum studio sets no advertising cookie or tracker. The only audience analytics tool we use is Vercel Web Analytics — cookieless, anonymous, gated behind your analytics consent. To provide the Service, we use only:
- session cookies set by our authentication provider Supabase, strictly necessary to maintain your connected session and exempt from prior consent under CNIL guidelines;
- local storage (localStorage) to remember your interface preferences (light/dark theme, language, active workspace, sidebar state), which remain on your device and are not shared with third parties;
- a consent record (korum.consent.v1) set after you interact with the cookie transparency banner, to remember your choice for 13 months.
The full and up-to-date list of cookies and storage keys used is available on the dedicated Cookies page. You can change your preferences at any time via the Manage cookies link in the footer.