Privacy Policy

This policy describes how Akte ("We", "Our", "Us") collects and processes personal data through getakte.com and the Akte application (the "Service").

Last updated: February 18, 2026

1 Data Controller

Current controller

Until the company is formally incorporated, the data controller is:

Nicolas Surleraux
Avenue de la Moisson 6, 1640 Rhode-Saint-Genèse, Belgium
ns@getakte.com

2 What is Akte?

Akte is a service that helps organizations audit and control external sharing in Google Drive / Google Workspace. It detects "anyone with link" shares, identifies external access, and helps enforce data governance policies.

3 Who This Policy Applies To

This policy covers data processing for:

  • Website visitors — browsing, cookies, server logs
  • Prospects — demo requests and inquiries
  • Customers and users — accounts, support interactions
  • End users / data subjects whose data appears in a customer's Google Workspace environment (e.g. internal/external user emails, file metadata, access rights) when the customer connects their domain to the Service

4 Data We Process

4.1 Browsing data (website)

  • IP address, technical identifiers, server logs
  • Browser and device information (user-agent, OS, language)
  • Pages visited, timestamps
  • Cookies and trackers (see section 12)

4.2 Contact and prospect data (demo requests)

When you request a demo, we may collect:

  • Name
  • Professional email address
  • Company name
  • Company size
  • Free-form message (optional)

4.3 Account data

  • Name, email, role (admin / user)
  • Google OAuth authentication identifiers (we never access your Google password)
  • Account settings and preferences
  • In-app action history (audit logs, depending on configuration)

4.4 Google Workspace / Google Drive data

When a customer connects Google Workspace, Akte may process:

  • Domain identifiers (e.g. the Google Workspace domain)
  • Domain user directory
  • File metadata (ID, name, owner, location, dates, type)
  • Sharing settings and permissions (e.g. "anyone with link", external shares, access lists)
  • Identifiers of people with access (e.g. internal and external user email addresses)

Important: Akte is designed to analyse sharing permissions and provide visibility and control. Access uses domain-wide delegation with minimal permissions. Access is read-only by default — write actions are only performed when an administrator explicitly triggers an action.

File content: We never read the content of Google Drive files — only related metadata.

4.5 Support data

  • Request content (tickets), attachments
  • Support metadata (timestamps, status, history)

4.6 Billing data

  • Billing details (company name, VAT number, address, billing email)
  • Payment-related data (processed by Polar.sh and Stripe — we do not store your card details)

6 Google Data Access & Limited Use

Akte accesses Google Workspace data solely for the features requested by the customer (external share auditing, governance, and control).

6.1 Transparency and limited use

In accordance with Google policies, we commit that data obtained via Google APIs:

  • Is limited to providing and improving user-facing features of the Service
  • Is not used for targeted advertising, data resale, or advertising profiling
  • Complies with applicable "Limited Use" requirements

6.2 Scope of access (OAuth scopes)

The permissions requested (OAuth scopes / domain-wide delegation) include:

  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/admin.directory.user.readonly

6.3 Write actions

By default, access is read-only. Modifications (e.g. removing a share, changing a permission) only occur when a customer administrator explicitly triggers an action within the interface.

7 GDPR Roles

7.1 Site & marketing data

For visitor and prospect data (demo forms, contact, cookies), Akte acts as the data controller.

7.2 Customer Google Workspace data

When a customer connects their Google Workspace, the customer is the data controller for their users' and documents' data. Akte acts as a data processor (processing data to deliver the Service).

A Data Processing Agreement (DPA) is available upon request at ns@getakte.com.

8 Data Sharing

We only share personal data with our service providers acting as sub-processors (hosting, transactional email, support, billing, analytics) and with authorities when required by law.

8.1 Sub-processors

Service | Provider | Location
Hosting & database | Amazon Web Services | eu-central-1 (Frankfurt)
Authentication | Google LLC | USA
Transactional email | Postmark by ActiveCampaign LLC | USA
Payment | Polar.sh | USA
Analytics | PostHog | USA (consent required)

9 International Transfers

Where service providers are located outside the European Economic Area, we put appropriate safeguards in place by selecting trusted partners and carefully reviewing their privacy practices.

10 Retention Periods

We retain data only as long as necessary for the purposes described:

  • Prospect data (demos / contact): 12 months
  • Customer account data: Duration of contract
  • Scan results (metadata, shares): Duration of contract
  • Security / audit logs: 12 months
  • Backups: 30 days
  • Legal obligations (accounting): 7 years

11 Security

We implement technical and organisational measures appropriate to the risk, including:

  • Access controls (least-privilege principle)
  • Logging and auditability
  • Secured environments and secrets management
  • Internal procedures and access restrictions

12 Cookies & Trackers

The website may use cookies and trackers:

  • Strictly necessary — operation and security
  • Analytics — audience measurement via PostHog

Depending on your location, a consent banner may be displayed for non-essential cookies.

13 Your Rights (GDPR)

You have the following rights under the conditions set out in the GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to object
  • Right to data portability
  • Right to withdraw consent (where applicable)
  • Right to lodge a complaint with a supervisory authority

To exercise your rights, contact us at ns@getakte.com. We may request proof of identity if necessary. Response time: maximum 15 days.

14 Supervisory Authority (Belgium)

In Belgium, the competent supervisory authority is the Data Protection Authority (APD / GBA). Contact details are available on its official website.

15 Minors

The Service is intended for professional use (B2B) and is not designed for minors. If you believe a minor has provided us with data, please contact us at ns@getakte.com.

16 Policy Changes

We may update this policy to reflect legal, technical, or product changes. The "Last updated" date will be adjusted and, where necessary, we will notify users by email.

17 Contact

For any privacy-related question:

ns@getakte.com
Or by post: Avenue de la Moisson 6, 1640 Rhode-Saint-Genèse, Belgium