Privacy.
What happens to your letters, your email, and your data, in plain language. The legal version sits on top of this in the same words; we don’t hide it behind a translation.
Your letters
When you photograph or upload a letter, the image is sent to Anthropic’s Claude API so the AI can read it and explain what it means. Anthropic processes the image to produce the explanation, then discards it by default. Per Anthropic’s API policy, your inputs are not used to train their models. We don’t train anything on your letters either. Mes Papiers does not sell, rent, or share your data with anyone outside the providers listed below.
AI processing transparency
Mes Papiers uses generative AI to read and explain your letters. This is required disclosure under the EU AI Act (Article 50) and we want it to be explicit:
- Provider: Anthropic, PBC (Claude API)
- Where: United States, with EU Standard Contractual Clauses in place for transfers (see international transfers)
- What goes: the image of the letter or document, plus structured fields we’ve previously extracted from your dossier when relevant context helps the explanation. Never your email, never your account metadata.
- What comes back: a structured JSON explanation that we save to your dossier (if signed in) or just show you (if not).
- Retention by Anthropic: the API request payload is discarded by default after the response is produced.
- Training: Anthropic does not use API inputs to train their models. We do not train anything on user data either.
- Verify before acting: AI extraction is accurate but not infallible. Always check important details — deadlines, amounts, identifiers — against the original document before taking action. Each parsed result carries a footer reminder.
Sensitive data
Some letters contain what GDPR calls “special categories of data” under Article 9: health information from CPAM or Ameli, sometimes details that imply religious, political, or union affiliation. By uploading the letter you give us your explicit consent to process the contents so we can produce the explanation. You can withdraw that consent any time by deleting the letter from your dossier or your account entirely.
Your dossier
If you sign in, the explanation of each letter (the structured JSON with sender, summary, deadlines, action steps) is saved to your dossier so you can find it later and get reminders. If you use Mes Papiers without signing in, everything stays on your device in browser storage and nothing is sent to our database.
The original scan
Mes Papiers also keeps the original photo or PDF of each letter so the doc viewer can show it next to the explanation. The scan lives in your browser’s local storage on every device, and (if you’re signed in) in a private storage bucket so it follows you across devices. Each scan is capped at 8 MB and only your authenticated session can read it (row-level security, scoped to your user ID). You can turn this off in Settings → Privacy. Turning it off keeps the explanation but wipes every scan we hold for you immediately.
Your email
We use your email address for: signing you in via magic link, sending deadline and expiry reminders, and (for paid users) sending billing receipts. No marketing list. No sharing.
Reminders
A daily scheduled job checks your dossier for upcoming deadlines and document expiries. Free-tier accounts do not receive reminders. You can manage which reminder types are enabled in Settings → Reminders.
Your rights under GDPR
You have the rights guaranteed by Articles 15–22 GDPR: access, rectification, erasure, restriction, portability, and objection. Most of these are self-service:
- Access + portability: Settings → Your data → Export. You receive a ZIP of every document, letter, explanation, and account-metadata row we hold about you. Rate-limited to one export per 7 days.
- Erasure: Settings → Your data → Delete account. The deletion is reversible for 30 days, then irreversible.
- Rectification, restriction, objection: email privacy@mespapiers.app. We respond within one month per Article 12.3.
- Complaint: if you’re unhappy with how we handle your data, you have the right to lodge a complaint with the CNIL.
Retention
How long we keep things:
- Account, dossier, explanations: as long as your account is active, plus a 30-day grace window after deletion (during which you can restore).
- Original scans: kept indefinitely while the linked document or letter exists in your dossier; you can also opt to drop scans after parsing in Settings → Privacy.
- Inactive accounts: if you don’t log in for 24 months, we send a warning email. After 60 more days without sign-in, the account is auto-deleted.
- Email delivery logs (Resend): 30 days.
- Request logs (Vercel): 30 days.
- Anthropic API request payloads: discarded by default after the response.
- Encrypted backups: roll off on a slower cycle (typically up to 90 days). Not accessible day-to-day; restored only for incident recovery.
Vendors and sub-processors
Every third-party processor that handles your data, what they do, where they’re based, and our DPA / SCC posture with each:
| Vendor | Role | Country | Posture |
|---|---|---|---|
| Supabase | Database, auth, file storage | EU (Frankfurt) | DPA signed, EU-hosted |
| Vercel | Web hosting, CDN, serverless functions | USA | DPA signed, SCCs in place |
| Anthropic | AI processing (Claude API) | USA | DPA signed, SCCs, no training on inputs |
| Stripe | Payments + customer portal | USA / Ireland (EU) | DPA signed, SCCs, PCI DSS L1 |
| Resend | Transactional email | USA | DPA signed, SCCs |
| Postmark | Inbound email parsing | USA | DPA signed, SCCs |
| PostHog | Product analytics | EU | EU-hosted, no PII |
The full list with DPA links is maintained at /docs/vendors.md in the source repository (developer-facing). We don’t add a sub-processor without updating this list first.
International transfers
Some sub-processors above are based in the United States. Transfers to those processors rely on the European Commission’s Standard Contractual Clauses (SCCs) under Article 46 GDPR, and where applicable on the EU-US Data Privacy Framework (DPF). For requests routed through Anthropic specifically, we restrict the payload to the minimum needed to produce the explanation (image bytes plus the dossier context fields you’ve voluntarily added); we never include your email address or account metadata in the prompt.
Security posture
- Per-user envelope encryption for letter content. Every letter you save is encrypted with a 32-byte AES-256-GCM key unique to your account. The key itself is wrapped under a master key held in our server environment, never in the database. A Postgres dump alone yields opaque ciphertext: decryption requires both the database and the master key, which never touch each other on disk.
- Encryption at rest for everything else: AES-256 on Supabase (database + storage buckets) and Vercel (edge cache). Verified annually.
- Encryption in transit: TLS 1.2+ enforced on every endpoint. HSTS enabled.
- EU data residency: Supabase Frankfurt (database + storage), PostHog EU (analytics), Sentry Germany (error monitoring). User content does not leave the EU. Anthropic (the model provider) processes explanation requests in the US under signed Standard Contractual Clauses and does not train on our traffic (see “AI processing transparency” above).
- No model training on your letters. We do not train Mes Papiers’ own models on user data; we have no self-trained models. We use Anthropic’s API with explicit no-training settings. Your letter content is never used to improve any model, ours or anyone else’s.
- Access control: row-level security in the database, owner-scoped policies. No staff has day-to-day access to user document content. Decryption of letter content happens only inside the API request serving the owning user — never in batch jobs, analytics queries, or admin tools.
- Object storage: private buckets only. Scans and exports are accessible exclusively via short-lived signed URLs.
- Audit logs: every administrative or service-role read or write of user content is logged with actor, timestamp, and target. Retained 12 months.
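
The envelope scheme in the first bullet above, sketched with Node's built-in `crypto` module as an added example (not Mes Papiers' own code). The function names, the nonce-tag-ciphertext layout, and the use of the user ID as GCM associated data are assumptions of this sketch.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 12-byte nonce; returns nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal(); throws if the key, the AAD, or any byte of the blob is wrong.
function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Per-user 32-byte data key; only its wrapped form is ever written to the database.
function newWrappedUserKey(masterKey, userId) {
  return seal(masterKey, crypto.randomBytes(32), Buffer.from(userId));
}

function encryptLetter(masterKey, wrappedKey, userId, text) {
  const dek = open(masterKey, wrappedKey, Buffer.from(userId));
  try { return seal(dek, Buffer.from(text, 'utf8'), Buffer.from(userId)); }
  finally { dek.fill(0); } // drop the plaintext data key after the request
}

function decryptLetter(masterKey, wrappedKey, userId, blob) {
  const dek = open(masterKey, wrappedKey, Buffer.from(userId));
  try { return open(dek, blob, Buffer.from(userId)).toString('utf8'); }
  finally { dek.fill(0); }
}

// Constructed demo: in production the master key lives in the server environment.
function demo() {
  const master = crypto.randomBytes(32), userId = 'user-123';
  const wrappedKey = newWrappedUserKey(master, userId); // database column
  const letter = encryptLetter(master, wrappedKey, userId, 'Avis CPAM (constructed)');
  const rejected = (fn) => { try { fn(); return false; } catch { return true; } };
  return {
    ok: decryptLetter(master, wrappedKey, userId, letter),
    // Database rows without the real master key: unwrapping fails.
    dumpOnly: rejected(() => decryptLetter(crypto.randomBytes(32), wrappedKey, userId, letter)),
    // Rows replayed under another account: the associated-data check fails.
    crossUser: rejected(() => decryptLetter(master, wrappedKey, 'user-456', letter)),
  };
}
```

Rotating the master key in this layout means re-wrapping each user's data key only; the letter ciphertexts stay untouched.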
Breach notification
In the event of a personal data breach affecting your data, we will notify you and the CNIL within 72 hours of becoming aware, in accordance with Articles 33 and 34 GDPR.
Children
Mes Papiers is not directed at children under 16. We do not knowingly collect data from anyone under that age. If you believe a child has signed up, email privacy@mespapiers.app and we will delete the account.
Changes to this policy
We’ll update this page when our practices change. Material changes will be announced by email to all registered users at least 30 days before they take effect.
Contact
For any privacy question: email privacy@mespapiers.app. For a more formal request, the postal address is in the Legal notice.