Privacy policy
DécodAO platform, www.decodao.com. Version 1.0, in force as of 27 May 2026.
This Privacy Policy describes how Valuans SARL, publisher of the DécodAO platform, collects, uses, protects and retains personal data in the context of providing its services. It is the reference document for data protection on the Platform. The Legal notice and the Terms of use refer to it for processing details.
It applies to any person whose data is processed in connection with the use of DécodAO: professional users holding an account, site visitors, and third-party individuals whose name appears in the public procurement files (DCE) submitted for analysis.
1. Data controller
The data controller is Valuans SARL, a limited liability company with a capital of EUR 4,000, headquartered at 7 rue Ladureau, 45000 Orléans, registered with the Orléans Trade and Companies Register under SIRET number 807 500 566 00011, represented by its manager, Didier Thalmann.
The Data Protection Officer (DPO) can be contacted at: didier.thalmann@decodao.com.
2. Data collected and legal bases
DécodAO processes four categories of personal data, each based on its own legal ground under Article 6 of the GDPR.
2.1 Account data
Surname, first name, professional email address, job title and company SIRET. This data is necessary to create and manage the user account.
Legal basis: performance of the contract (Article 6(1)(b) GDPR).
2.2 Company profile data
Certifications, turnover, CPV codes, geographical areas of intervention and references. This data feeds the alignment analysis between the company profile and the tenders under review.
Legal basis: performance of the contract (Article 6(1)(b) GDPR).
2.3 Third-party data contained in RFPs
RFP files submitted for analysis may contain names of natural persons: signatories, managers or trainers mentioned in the tender documents. This data is processed to enable RFP analysis. RFPs are public documents accessible to any economic operator.
Legal basis: legitimate interest of the user in analysing a tender file to which they have access (Article 6(1)(f) GDPR).
2.4 DECP data
French open contracting data (DECP) includes the SIRET numbers of contract holders. For sole traders and individual entrepreneurs, these identifiers are linked to an identifiable natural person. DECP data is public, published under a regulatory obligation.
Legal basis: legitimate interest (Article 6(1)(f) GDPR).
No sensitive data within the meaning of Article 9 of the GDPR is collected. DécodAO only targets professionals and does not process consumer data.
3. Processing purposes
Data is processed for the following purposes:
- Creation, authentication and management of user accounts;
- Provision of the RFP analysis service and production of decision-support reports;
- Pre-qualification of notices from the BOAMP feed and enrichment with DECP data;
- Billing, contractual relationship management and support;
- Notification of events relating to the account and the service;
- Improvement of the Platform using aggregated and irreversibly anonymised data (see section 6 of this Policy);
- Compliance with the Publisher's legal and regulatory obligations.
4. Data protection measures
The Publisher implements technical and organisational measures to protect the processed data.
4.1 Pseudonymisation before analysis
Before the text extracted from an RFP is transmitted to the language model (LLM) provider, the names of natural persons are automatically detected and replaced by neutral identifiers. The mapping table between identifier and name is kept on sovereign infrastructure and is never transmitted to the LLM provider. The original names are restored in the final report delivered to the user. This measure reduces the exposure of third-party personal data, in line with the data minimisation principle (Article 5(1)(c) GDPR).
4.2 Data isolation
Each user has a strictly partitioned data space. The RFPs, reports, profiles and results of one user are inaccessible to other users. No cross-account exploitation is performed. This isolation meets a trust requirement specific to the public procurement sector, where two competitors may be clients of the Platform simultaneously.
4.3 Encryption and traceability
Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Every access to the data is logged with a timestamp, the log itself being partitioned by user.
5. Sub-processors
The Publisher uses sub-processors within the meaning of Article 28 GDPR. Each is bound by a Data Processing Agreement incorporating the safeguards required by that article.
| Sub-processor | Role | Safeguards |
|---|---|---|
| Language model (LLM) provider | Analysis of pseudonymised text extracted from RFPs | DPA signed. Data pseudonymised and encrypted. No retention beyond processing. SCC if the provider is outside the EU. |
| Cloud hosting provider | Storage and processing of data on SecNumCloud-qualified infrastructure | DPA signed. Hosting in France. |
| Email notification service | Delivery of service notification emails | DPA signed. |
| Payment provider | Collection of subscriptions and packs (credit card, SEPA direct debit) | Payment data is processed directly by the provider and not retained by the Publisher. |
The up-to-date list of sub-processors is provided to the user on request to the DPO.
6. Aggregated data and Platform improvement
The Publisher uses data from analyses to improve the Platform, under the following cumulative conditions:
- Data is irreversibly anonymised: any nominative reference (buyer, candidate, contract object, identifying amount) is removed. Only structural indicators are kept;
- The anonymisation does not allow reconstruction or identification of an RFP, a contract, a buyer or a user;
- Names of natural persons contained in RFPs are excluded from aggregated data and are never used for this purpose.
Once thus anonymised, this data no longer constitutes personal data within the meaning of the GDPR (recital 26). The Publisher does not use user RFPs to train language models.
7. Transfers outside the European Union
Storage and pre-processing (extraction, pseudonymisation, structuring) are performed in France, on SecNumCloud-qualified infrastructure.
The inference step, namely the analysis performed by the language model, may involve a transfer to a provider established outside the European Union. In that case:
- The transmitted text is pseudonymised: names of natural persons are replaced by neutral identifiers;
- The transfer is governed by Standard Contractual Clauses (SCC) adopted by the European Commission;
- A Transfer Impact Assessment has been carried out;
- The LLM provider used is identified in the Platform settings accessible to the user.
If the Publisher selects an LLM provider hosted in the European Union, transfers outside the EU are eliminated and the user is informed.
8. Retention periods
Data is kept for the following durations, then purged.
| Data category | Retention period |
|---|---|
| Raw RFPs (uploaded files) | 90 days after analysis. Extended retention on request (12 months maximum). Immediate deletion possible on request. |
| Analysis reports | Depending on the subscribed plan: 3 months (Essential), 12 months (Pro), unlimited (Business / Enterprise). Export offered 15 days before purge. |
| Company profile | Lifetime of the account, then 30 days after termination. |
| Dialogue index (RAG) | 30 days after analysis. |
| Language model call logs | 30 days. Pseudonymised logs, with no personal data in clear text. |
| DECP cache | 30 days. |
| BOAMP notices | 90 days. |
| Access log (audit trail) | 24 months. |
| Benchmark data | Unlimited retention. Data irreversibly anonymised, with no personal data. |
The user is notified 15 days before each automatic purge of their reports. A request for immediate deletion takes precedence over the retention periods set out above.
9. Your rights
In accordance with the GDPR, any person whose data is processed has the following rights:
- Right of access (Article 15);
- Right of rectification (Article 16);
- Right to erasure (Article 17);
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20);
- Right to object (Article 21).
These rights are exercised by email to the DPO at didier.thalmann@decodao.com. The Publisher responds within 30 days. The user can also export their data at any time from their client area (profiles, analysis history, reports, metrics).
If a person considers that their rights are not respected, they may lodge a complaint with the French Data Protection Authority (CNIL), 3 place de Fontenoy, 75007 Paris, www.cnil.fr.
10. Cookies
The DécodAO site uses a limited number of cookies.
Strictly necessary cookies: they ensure authentication and session management. Essential to the operation of the service, they do not require consent.
Audience measurement cookies: the site uses Matomo, hosted in France, which produces anonymous traffic statistics. These cookies are subject to your consent via the information banner. Refusing them has no effect on the operation of the service.
DécodAO uses no advertising cookies and no third-party trackers.
11. Processing by an artificial intelligence system
DécodAO implements an artificial intelligence system within the meaning of Regulation (EU) 2024/1689 (AI Act), classified as "limited risk". This system does not fall into any category of high-risk systems.
The AI system makes no automated decision producing legal effects within the meaning of Article 22 GDPR. The user retains final control over any decision: the agent prepares, the expert decides. The reasoning is traced, every assertion refers back to its source and its level of certainty is displayed. The reports bear the mention "analysis produced by an artificial intelligence system".
12. Personal data breach
In the event of a personal data breach, the Publisher:
- Notifies the CNIL within 72 hours of becoming aware of the breach, if it presents a risk to the rights and freedoms of individuals (Article 33 GDPR);
- Informs the affected users as soon as possible when the breach presents a high risk, describing its nature, likely consequences and the measures taken (Article 34 GDPR);
- Implements the necessary corrective measures (isolation, correction, root cause analysis).
13. Data protection impact assessment
A Data Protection Impact Assessment (DPIA, Article 35 GDPR) has been carried out prior to implementing the processing. It covers the entire pipeline: RFP upload, pseudonymisation, transmission to the language model, storage, DECP enrichment and aggregation. It is kept available for the CNIL.
14. Amendment of this Policy
The Publisher may amend this Privacy Policy to adapt it to legal, technical or organisational developments. Any substantial amendment is brought to the attention of users by email. The applicable version is the one published on the site at the date of consultation.
15. Contact
For any question relating to this Policy or to the exercise of your rights:
- Data Protection Officer: didier.thalmann@decodao.com
- General contact: contact@decodao.com
Valuans SARL, 7 rue Ladureau, 45000 Orléans, SIRET 807 500 566 00011, RCS Orléans.