Privacy.
What happens to your letters, your email, and your data, in plain language, without legalese.
Your letters
When you photograph or upload a letter, the image is sent to Anthropic's Claude API so the AI can read it and explain what it means. Anthropic processes the image to produce the explanation, then discards it by default. Per Anthropic's API policy, your inputs are not used to train their models. We don't train anything on your letters either. Mes Papiers does not sell, rent, or share your data with anyone outside the providers listed below.
Sensitive data
Some letters contain what RGPD calls “special categories of data” under Article 9: health information from CPAM or Ameli, sometimes details that imply religious, political, or union affiliation. By uploading the letter you give us your explicit consent to process the contents so we can produce the explanation. You can withdraw that consent any time by deleting the letter from your Dossier or your account entirely.
Your Dossier
If you sign in, the explanation of each letter (the structured JSON with sender, summary, deadlines, action steps) is saved to your Dossier so you can find it later and get reminders. If you use Mes Papiers without signing in, everything stays on your device in browser storage and nothing is sent to our database.
The original scan
Mes Papiers also keeps the original photo or PDF of each letter so the doc viewer can show it next to the explanation. The scan lives in your browser's local storage on every device, and (if you're signed in) in a private storage bucket so it follows you across devices. Each scan is capped at 8MB and only your authenticated session can read it (row-level security, scoped to your user ID). You can turn this off in Settings → Privacy. Turning it off keeps the explanation but wipes every scan we hold for you immediately.
Your email
We use your email address for two things and nothing else: signing you in via magic link, and sending deadline reminders three days before anything is due in your Dossier. No marketing. No mailing list. No sharing.
Reminders
A daily scheduled job checks your Dossier for deadlines in the next three days. If it finds any, we send a single email listing them with links back to the full explanation. You can turn this off any time by signing out or deleting your account.
Your data, yours
You can export everything Mes Papiers holds about you at any time from your Dossier. The export is a single ZIP containing dossier.json with every explanation, plus the original scan of each letter under scans/. JSON and standard image/PDF files: no proprietary format, nothing to install to read it.
Deletion
Sign-out stops reminders immediately. Deleting a letter from your Dossier removes it from our database. To delete your entire account and every row we hold about you, email papier@wassim.work. We'll confirm and complete the deletion within 30 days. Some encrypted backups roll off on a slower cycle (typically up to 90 days) but are not accessible to anyone day-to-day.
How long we keep things
Your Dossier rows and scans stay as long as you keep the account; they're yours. Anthropic discards each request payload by default after producing the explanation. Email delivery logs at Resend roll off after 30 days. Request logs at Vercel roll off after 30 days. If you delete a letter or your account, the corresponding rows and scans are removed within 30 days.
Your rights under RGPD
You can ask Mes Papiers to: confirm what we hold (right of access), correct anything wrong (rectification), delete it (erasure), send you a copy in a portable format (portability), object to a specific processing (opposition), or limit how we use it (restriction). Email papier@wassim.work and we'll respond within one month. If you're unhappy with how we handle your data and we can't resolve it together, you have the right to lodge a complaint with the CNIL, the French data protection authority.
Who sees what
Anthropic (the AI provider, US-headquartered, with a signed Data Processing Addendum and EU Standard Contractual Clauses for international transfers) sees each image for as long as it takes to produce the explanation, then discards it by default. Supabase (our database host, EU-hosted in Frankfurt) stores your Dossier rows and your original scans with row-level security so only your authenticated session can read them. Resend (our email provider) sees your email address to deliver reminders. Vercel (our hosting provider) sees normal request logs. PostHog (our product analytics, EU-hosted) sees anonymous usage events: which pages you visit, whether an upload succeeded, the canonical sender slug (CAF, CPAM, etc.) of letters you upload, never the letter content or any free text. Analytics state is held in your browser's sessionStorage only, which means it ends when you close the tab and never crosses devices unless you sign in. We don't add any other sub-processors without telling you here first.
This is a small project
Mes Papiers is built by one person. It is not a big company with a dedicated legal team. If you read something here that seems wrong or incomplete, email us and we will fix it quickly.