Privacy policy
The positionia.com website respects your privacy and limits the collection of personal data to what is strictly necessary for the service to function. This policy explains exactly what is collected, why, and how to exercise your rights.
1. Data collected
The following categories of data are collected:
- Analyzed URLs: the addresses of the websites you submit for analysis, along with the results produced by the tool. These URLs are public.
- IP address: used technically to enforce the limit of 5 analyses per day. The IP is not exposed publicly and is never associated by name with an anonymous user.
- Matomo browsing data: pages visited, duration, traffic source, device type. Cookie-less mode by default (anonymous audience measurement). With explicit consent, cross-visit cookies are placed.
The service works without registration. Creating an account is optional and unlocks additional features (history, score tracking over time, personalized tips).
1.1 Data collected when creating an account
- User accounts (free, optional): we collect your email address (mandatory, used as an identifier), your first name (mandatory), last name (optional), country (mandatory to comply with the GDPR and Quebec Law 25, as well as for future VAT collection), and a password (stored as a bcrypt hash, never in clear text).
- Email verification: a verification email is sent automatically with a signed token valid for 24 hours. As long as it is not clicked, the account is considered "unverified" and some features are disabled.
- Sessions: an HttpOnly, Secure, SameSite=Lax cookie (named posia_session) stores a signed JWT. Default duration: 7 days, refreshed on each active visit.
- Marketing newsletter opt-in: checkbox unchecked by default. If checked, we record a consent timestamp (GDPR article 7 proof). Concerns only the newsletter and commercial communications unrelated to the service (category 3 below).
1.1 Categories of emails you will receive
We distinguish three categories of emails, each with its own legal basis:
- Service emails (legal basis: contract performance, GDPR art. 6.1.b) - email verification, password reset, account deletion confirmation, security alerts. They are essential to the operation of your account and cannot be disabled as long as you have an active account.
- Product announcements (legal basis: legitimate interest, GDPR art. 6.1.f, and soft opt-in exception under EU ePrivacy Directive art. 13) - new features, important updates, terms changes. You receive these communications as an existing customer, regarding a similar product to the one you signed up for. You can unsubscribe anytime via the "Unsubscribe" link in every email (compliant with RFC 8058 one-click unsubscribe).
- Newsletter and marketing communications (legal basis: consent, GDPR art. 6.1.a) - SEO/AI visibility tips unrelated to PositionIA, ALGOR-IT blog content, third-party product offers. Sent only if you explicitly check the corresponding opt-in box at signup or later in your settings.
2. Purposes & legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Operation of the analysis service | Legitimate interest |
| Abuse prevention (rate limiting per IP) | Legitimate interest |
| Cookie-less audience measurement | Legitimate interest (CNIL exemption) |
| Audience measurement with cross-visit cookies | Consent |
3. Retention periods & account deletion
- Analysis results: 12 months from the date of launch.
- IP logs (rate limiting): 24 hours rolling (automatic purge).
- Server logs: 6 months maximum.
- Matomo data: 26 months (CNIL recommendation).
- Consent cookies: 13 months maximum (CNIL recommendation).
3.1 Account retention and anonymization
- Active account data: kept as long as the account exists.
- Account deletion: on request via /settings (danger zone), the account is immediately deactivated. After 30 days, your analyses are automatically anonymized (removal of your user_id, IP and user agent). The email remains in the database with a deleted_at flag to prevent immediate re-registration with an account impersonating the email.
- A confirmation email is sent automatically upon deletion.
4. Recipients & subprocessors
Your data is only transmitted to a limited number of strictly necessary parties:
- Host: Railway Corp. The service is hosted in the European region.
- Matomo (analytics): instance self-hosted by ALGOR-IT in Europe. No transfer to Google Analytics, Facebook Pixel, or any other third-party tool.
Transfers outside the EU: no systematic transfer outside the EU is performed for service data. ALGOR-IT's Quebec subsidiary may access data as part of technical support, governed by standard contractual clauses (SCC) between affiliates.
5. Your rights - GDPR (Europe) & Quebec Law 25
In accordance with Regulation (EU) 2016/679 and Quebec Law 25, you have the following rights. When you have an account, most of these rights can be exercised directly from your personal area.
- Right of access and portability (GDPR art. 15 / 20): downloadable from /settings (todo - currently by email to contact@algor-it.com).
- Right to rectification (GDPR art. 16): editable directly in /settings (profile + password).
- Right to erasure (GDPR art. 17): "Delete my account" button in /settings.
- Right to object to marketing (GDPR art. 21): "Unsubscribe" link present in every marketing email (one click, no login - compliant with RFC 8058). Also editable in /settings.
- Right to restriction (GDPR art. 18): suspend processing while its compliance is verified.
- Quebec Law 25: the same rights apply for users in Quebec, with some additional safeguards (transparency on automated decisions).
To exercise your rights in writing, contact contact@algor-it.com. You will receive a response within one month at most.
In case of disagreement, you may lodge a complaint with the CNIL (French data protection authority).
6. Quebec Law 25 specifics
For users residing in Quebec, Law 25 (Act respecting the protection of personal information in the private sector) applies in addition to the GDPR.
- Personal information protection officer (PIPO): Julien Collin - contact@algor-it.com.
- Specific rights: access, rectification, right to be forgotten (deindexing), portability, withdrawal of consent at any time.
- Confidentiality incident notification: in the event of a leak or loss of data presenting a serious risk, you will be notified without undue delay and the Commission d'acces a l'information du Quebec will be informed.
7. Cookies
Details of the cookies used and the option to change your choice are available on the cookie policy page.
8. Minors
The service is not intended for persons under 16 years of age and we do not knowingly collect data concerning them.
9. Contact
For any question relating to this policy: contact@algor-it.com.