janine
FR Sign in Request a demo

Personal data

Privacy policy

Last updated : May 17, 2026

This policy describes how Circulab collects, uses and protects personal data of Janine users, in compliance with the Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.

1. Data controller

The data controller is Circulab SAS, a French simplified joint-stock company with share capital of €16,200, whose registered office is located at 4Q passage de la Fonderie, 75011 Paris, France, registered with the Paris Trade Register (RCS Paris) under number 788 990 356.

For any data protection question or to exercise your rights, contact us at hello@circulab.com or by mail at the registered office.

2. Data collected

2.1 Unauthenticated visitors (askjanine.ai marketing site)

On the public marketing site, no data is collected for analytics or tracking purposes. No Google Analytics, no advertising pixels, no audience measurement cookies.

2.2 Free trial users (3 questions / day)

The backend API temporarily collects, for rate limiting and abuse prevention:

  • IP address (SHA-256 hashed, never stored in clear) — retained for 24h, automatically deleted by Redis;
  • Query content (anonymized, no user identifier) — used to generate the answer via Claude (Anthropic), then stored for aggregated statistical analysis for 30 days.

2.3 Authenticated users (app.askjanine.ai)

Upon account creation and during use:

  • Email address — used for authentication (magic link, passkey) and transactional communication;
  • User identifier (UUID generated by Hanko) — internal use to link conversations to the user;
  • User type and subscription (internal / independent / community / enterprise / discovery, and free / entry / intermediate / expert) — used to determine corpus access and available features;
  • Conversation history (messages exchanged with Janine) — stored to allow resumption after refresh, URL sharing and future export;
  • Analytics logs (date, question type, response time, queried namespaces) — aggregated for service improvement.

2.4 Payment data

Payment data (card number, expiration, CVV) is collected and processed by our third-party provider [TO FILL IN once payment provider is integrated — Stripe integration in progress], PCI-DSS Level 1 compliant. Circulab never has access to complete card data.

3. Purposes of processing

Service delivery
Provide access to Janine, process questions, deliver sourced answers, retain conversation history.
Security and abuse prevention
Rate limiting (3 questions/day for visitors), secure authentication, logging of suspicious access.
Service improvement
Aggregated statistical analysis (most frequent questions, error rates, response times) — never on personally identifiable data.
Communication
Sending transactional emails (magic link), important product notifications, internal weekly report.
Billing
Invoicing, payment processing, debt recovery.

4. Legal basis

  • Performance of contract (Art. 6.1.b GDPR): service delivery after registration.
  • Legitimate interest (Art. 6.1.f GDPR): security, rate limiting, anonymized aggregated statistics.
  • Legal obligation (Art. 6.1.c GDPR): invoice retention (10 years).
  • Consent (Art. 6.1.a GDPR): for non-transactional communications (newsletters — opt-in only, one-click unsubscribe).

5. Hosting and sub-processors

Your data is hosted exclusively in Europe or Switzerland (a country covered by a European Commission adequacy decision).

Conversations + AI + analytics
Infomaniak Network SA (Switzerland) — VPS under Swiss law, GDPR-equivalent. Located in Geneva.
Authentication
Hanko GmbH (Germany) — services hosted in Frankfurt, under GDPR.
CDN and edge compute
Cloudflare, Inc. (USA) — Pages/Workers service. Covered by Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework. Stores no application data — only transient technical caching.
Language model
Anthropic, PBC (USA) — Claude provider. Requests sent to the Claude API are not retained by Anthropic beyond 30 days and are never used to train their models (per their commercial policy). Coverage via SCC + Data Privacy Framework.
Editorial CMS
Sanity.io (Sanity AS, Norway) — public marketing content only. No user data transits there.
Payment
[TO FILL IN once payment provider is integrated — Stripe integration in progress]

6. Retention periods

IP hash (rate limiting)
24 hours.
Aggregated analytics logs (anonymized)
30 days.
Account data (email, identifiers)
For the entire duration of the contractual relationship, then 3 years from termination to allow administrative management.
Conversation history
For the entire account duration, deletable at any time from the interface. Final deletion within 30 days of account or conversation deletion.
Invoices
10 years (legal accounting obligation).

7. Your rights

Under GDPR, you have the following rights:

  • Right of access — know what data we hold about you;
  • Right to rectification — correct inaccurate data;
  • Right to erasure ("right to be forgotten") — request deletion of your data;
  • Right to restriction of processing;
  • Right to data portability — receive your conversations in a structured format (JSON);
  • Right to object — object to processing based on legitimate interest;
  • Right to withdraw consent at any time (for consent-based processing).

To exercise these rights, contact us at hello@circulab.com. We will respond within a maximum of one month.

If you believe your rights are not being respected, you may lodge a complaint with the CNIL (the French data protection authority) or your local supervisory authority.

8. Security

Circulab implements appropriate technical and organizational measures to protect your data:

  • TLS 1.3 encryption for all communications;
  • Passwordless authentication (magic link, passkey) — no password database to compromise;
  • Cryptographically signed JWTs, validated on every request;
  • Database hosting on Infomaniak VPS (Switzerland) under Nginx + Let's Encrypt, SSH key-only access;
  • Regular encrypted backups;
  • Auditable access logs;
  • Regular robustness testing.

9. Cookies

The askjanine.ai site (marketing) sets no cookie.

The app.askjanine.ai application uses only one cookie, set by our authentication provider Hanko to maintain the session after sign-in. HTTP-only, SameSite=Lax, duration per configuration. No third-party cookies, no advertising cookies, no tracking cookies.

10. Transfers outside the EU

Transfers to the United States (Cloudflare, Anthropic) are governed by Standard Contractual Clauses (EU Decision 2021/914) and, where applicable, by the EU-US Data Privacy Framework.

No sensitive application data (conversations, user content) transits through the United States via Cloudflare — only transient technical traffic. Requests to Anthropic Claude transit through Anthropic's European data centers when available.

11. Changes

This policy may be updated. The last update date is indicated at the top of the page. In case of substantial change, users are notified by email at least 30 days before the new version takes effect.

janine

Circular intelligence, everyday.

Powered by Circulab

  • Legal mentions
  • Terms of service
  • Privacy policy
  • Contact
FR

Hosted in Switzerland by Infomaniak