House ofIchigo

LEGAL

Privacy Policy.

LAST UPDATED · 26 June 2026 (draft, pending legal review)

This policy explains how House of Ichigo collects, uses, and protects your personal data when you visit our website or contact us. We act as the data controller under the EU General Data Protection Regulation (GDPR). Questions can be sent to privacy@houseofichigo.com.

Who we are.

The data controller responsible for your personal data is House of Ichigo S.A.S. (a société par actions simplifiée), a company registered in France under number 900 030 453 (RCS Auxerre), with its registered office at 8 route départementale 606, 89270 Voutenay-sur-Cure, France ("House of Ichigo", "we", "us").

For any question about this policy or your personal data, contact us at privacy@houseofichigo.com. We have not appointed a Data Protection Officer, as we are not required to under Article 37 of the GDPR; privacy requests are handled at the address above.

Information we collect.

We collect personal data that you provide directly, data collected automatically when you use the site, and data we receive in the course of a client engagement.

Information you give us. When you submit an inquiry through our contact form or otherwise correspond with us, we collect:

  • Identity and contact details — your full name and work email address
  • Organisation details — company name and country
  • Inquiry details — the nature of your request and, depending on the inquiry type, fields such as your area of focus, preferred engagement format, team size, intended use case, partnership type, website, or event details
  • The content of your message and any information you choose to include in it
  • Your communication preferences — whether you have asked to receive updates from us

Information we collect automatically. When you visit the site, we and our analytics provider may collect technical data such as your IP address (in truncated or anonymised form where configured), browser and device type, pages viewed, referring URLs, and interaction data. This is collected through cookies and similar technologies — see our Cookie Policy.

Information from client engagements. When you engage us for Advisory, Solutions, or Academy services, we process the business contact and project information necessary to deliver the engagement. Where we process data on your behalf as part of a service (for example, data you provide for a workshop or build), we act as a processor and that processing is governed by the engagement contract and, where required, a data processing agreement.

How we use information & legal bases.

We process your personal data only where we have a lawful basis under Article 6 of the GDPR. Our purposes and the corresponding legal bases are:

  • Responding to your inquiry and providing requested information — legitimate interests (Art. 6(1)(f)) in answering people who contact us, and, where the inquiry concerns a possible engagement, taking steps at your request prior to entering into a contract (Art. 6(1)(b)).
  • Delivering and administering our services — performance of a contract with you or your organisation (Art. 6(1)(b)).
  • Sending marketing updates and thought leadership — only where you have given consent (Art. 6(1)(a)); you can withdraw consent at any time.
  • Operating, securing, and improving the website (including analytics where you have consented) — your consent for non-essential cookies (Art. 6(1)(a)), and our legitimate interests (Art. 6(1)(f)) in maintaining a secure, functioning site for essential cookies.
  • Complying with legal obligations (e.g. accounting, tax, and responding to lawful requests) — legal obligation (Art. 6(1)(c)).

We do not use your personal data for automated decision-making that produces legal or similarly significant effects.

How we share information.

We do not sell your personal data. We share it only as described below, and only with appropriate safeguards in place:

  • Service providers (processors) who help us run the business — website hosting, database, server hosting for our automation tools, analytics, email, and SEO. They act on our instructions under a data processing agreement. Our current sub-processors are:
    • OVH — website hosting (France)
    • Hetzner — server hosting for our self-hosted n8n automation instance (Germany, EU)
    • Supabase — database used to store website form submissions and related records
    • Google — Analytics, Tag Manager, Search Console, BigQuery
    • Microsoft — Clarity (user-experience analytics)
    • Brevo — newsletter and transactional email
    Non-essential analytics tools (Google Analytics, Microsoft Clarity) run only after you give consent.
  • Professional advisers — lawyers, accountants, and insurers, where necessary.
  • Authorities — where required by law or to protect our rights.
  • In a corporate transaction — if we reorganise, merge, or transfer parts of the business, subject to this policy.

Tools and services we use.

  • Google Tag Manager, Google Analytics, Google Search Console — audience measurement, tag management, and SEO performance.
  • Microsoft Clarity — user-experience and session analytics.
  • Brevo — newsletter and transactional email.
  • Supabase — database used to store website form submissions and related records.
  • n8n — automation of internal data transfers and processing, self-hosted on our own dedicated server (Hetzner, Germany — within the EU).
  • Google BigQuery — storage and analysis of anonymised marketing / SEO data; anonymised and deleted within 24 months maximum.

Where your data is stored.

Personal data submitted through the site is stored in our Supabase database and processed through our self-hosted n8n instance on a dedicated Hetzner server located in [CONFIRM REGION — e.g. Germany, EU]. Website hosting is provided by OVH (France).

International transfers.

We operate in the EU and in the Kingdom of Saudi Arabia (KSA), and some of our service providers are located outside the European Economic Area (EEA) — including, for example, analytics providers based in the United States.

Where we transfer personal data outside the EEA, we put in place an appropriate transfer mechanism — an adequacy decision of the European Commission, the European Commission's Standard Contractual Clauses, or another lawful safeguard — together with supplementary measures where required. You can request a copy of the relevant safeguards by contacting us at privacy@houseofichigo.com. [Your lawyer should confirm the specific mechanisms for each cross-border flow, including any EU–KSA transfers.]

Data retention.

We keep personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, or reporting requirements. As a general guide:

  • Inquiry and prospect data — retained for up to 24 months after our last meaningful contact, unless it becomes part of an active engagement.
  • Client and contract data — retained for the duration of the engagement and afterwards for the period required by applicable law (in France, certain accounting and commercial records must be kept for up to 10 years).
  • Marketing data — retained until you withdraw consent or object, and reviewed periodically.
  • Website and analytics data — retained for the period set out in our Cookie Policy.

When personal data is no longer needed, we delete it or anonymise it securely.

Your rights.

Under the GDPR, you have the following rights in relation to your personal data:

  • Access — to be told whether we process your data and to receive a copy of it.
  • Rectification — to have inaccurate or incomplete data corrected.
  • Erasure — to have your data deleted in certain circumstances ('right to be forgotten').
  • Restriction — to limit how we use your data in certain circumstances.
  • Portability — to receive certain data in a structured, machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Objection — to object to processing based on legitimate interests, and to object to direct marketing at any time.
  • Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior processing.
  • Define instructions on the fate of your data after death, in accordance with applicable French law.

To exercise any of these rights, contact us at privacy@houseofichigo.com. We will respond within one month, as required by the GDPR. You also have the right to lodge a complaint with a supervisory authority — in France, the Commission Nationale de l'Informatique et des Libertés (CNIL), www.cnil.fr. [If you have data subjects in KSA, your lawyer should add the equivalent authority and rights under the KSA Personal Data Protection Law.]

Security.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse — including access controls, encryption in transit, and least-privilege practices with our providers. No method of transmission or storage is completely secure, but we work to protect your data and to notify you and the relevant authority of a personal data breach where the law requires.

Cookies.

We use cookies and similar technologies on this website. Non-essential cookies (such as analytics) are used only with your consent, which you can manage at any time. For full details, see our Cookie Policy.

Children's privacy.

Our website and services are intended for business and professional audiences and are not directed at children. We do not knowingly collect personal data from children under the age of 15 (the age of digital consent in France). If you believe a child has provided us with personal data, contact us and we will delete it.

Changes to this policy.

We may update this policy from time to time. The "last updated" date at the top shows when it was last revised. Material changes will be communicated through the website or, where appropriate, directly.

Contact us.

For any privacy question or to exercise your rights, contact us at privacy@houseofichigo.com or by post at 8 route départementale 606, 89270 Voutenay-sur-Cure, France.