Privacy Policy

This policy describes how Varan Group ("we"), operator of the Diwaller service available at https://diwaller.app, processes personal data of its users and of third parties whose content is moderated through the application.

1. Data controller

• Varan Group
• 23 rue d'Anjou, 75008 Paris, France (EU)
• SIREN: 941 396 541 — SIRET (head office): 941 396 541 00018
• Contact: [email protected]

2. Data we collect

Account data (Diwaller user)

• Business email and brand/channel name entered at signup.
• Password stored as a bcrypt hash (cost 12).
• TOTP secret and recovery backup codes (bcrypt-hashed) for two-factor authentication.
• Last-login timestamp, failed-attempt counters.

OAuth data from connected platforms

When you connect a YouTube, Facebook, Instagram, or TikTok account:

• Account/channel identifier and public name.
• OAuth tokens (access_token, refresh_token) encrypted at rest using Fernet (AES-128-CBC + HMAC).
• Scopes granted.
• Your own OAuth client credentials (Bring-Your-Own-OAuth-App model), encrypted at rest.

Moderation data

• Comments retrieved via the platforms' official APIs for analysis and moderation.
• Comment authors (identifier and public name as returned by the platform).
• Moderation decisions (keep, delete, hide, reply) and action logs.

Technical data

• IP address and User-Agent for rate limiting, abuse prevention, and audit.
• Session cookies (diwaller_session signed JWT, csrf_token anti-CSRF) — strictly necessary.
• Server logs (URL, HTTP status, timestamp) — kept for 30 days.

3. Purposes and legal bases (GDPR)

• Providing the service (automated moderation, dashboard) — performance of contract (Art. 6(1)(b) GDPR).
• Authentication and security (mandatory TOTP, rate limiting, audit) — legitimate interest (Art. 6(1)(f)).
• Connecting third-party platforms — explicit consent via the OAuth flow (Art. 6(1)(a)).
• Improving the service via AI classification — legitimate interest; we do not train models on your data.

4. Recipients

Your data is processed solely by Varan Group. We use the following technical sub-processors, all established in or compliant with the GDPR:

• Contabo GmbH (Germany, EU) — hosting the application server and the PostgreSQL database.
• Cloudflare, Inc. — CDN, WAF, and ingress tunnel (Cloudflare Tunnel). Cloudflare is certified under the Standard Contractual Clauses and the Data Privacy Framework.

No data is sold or shared for advertising purposes.

5. Transfers outside the EU

Application data (account, encrypted tokens, moderated comments) is stored in Germany (EU). Cloudflare may handle traffic in transit via its global points of presence; such transfer is governed by the Standard Contractual Clauses of the European Commission.

6. Retention

• Account data: for the duration of use, deleted within 30 days after account deletion.
• OAuth tokens: until revoked by you or expired by the platform.
• Moderated comments: 12 rolling months by default, configurable.
• Audit logs (actions_log, db_admin_audit): 12 months.
• Server logs (uvicorn, loguru): 30 days.

7. Your rights

Under the GDPR, you have the following rights:

• Access to your personal data.
• Rectification of inaccurate data.
• Erasure ("right to be forgotten").
• Restriction of processing.
• Portability of your data in a machine-readable format.
• Objection to processing based on legitimate interest.
• Withdrawal of consent at any time (disconnecting a platform).

To exercise these rights, write to [email protected]. We respond within 30 days. You may also lodge a complaint with the French data protection authority (CNIL, www.cnil.fr).

8. Security

• Passwords: bcrypt (cost 12).
• Mandatory TOTP 2FA for owner/admin roles.
• OAuth tokens encrypted at rest (Fernet, rotatable keys).
• JWT HS256 sessions, HttpOnly + Secure + SameSite=Lax cookies.
• Security headers: HSTS, CSP, X-Frame-Options DENY.
• CSRF protection (double-submit token).
• Strict multi-tenant isolation (P1) enforced on every request.
• Encrypted backups and retained audit logs.

9. Cookies

Diwaller uses only strictly necessary cookies (authentication, anti-CSRF, time-range persistence). No third-party advertising or behavioural-tracking cookies are set.

10. Changes

We may amend this policy to reflect technical or legal changes. Any material change will be notified by email. The current version is always available at /privacy/en.