Privacy policy.
Last updated: May 2026
This page describes how Zynra Studio ("Zynra", "we") processes personal data when you visit zynra.agency or contact us. We comply with the EU General Data Protection Regulation (GDPR), the French Loi Informatique et Libertés, and ePrivacy rules. Zynra acts as data controller.
Controller
Zynra Studio — micro-entreprise registered in France. Contact: [email protected]. Full identification details are provided on the Legal Notice page.
What we collect and why
Contact form (lawful basis: pre-contractual measures, art. 6(1)(b) GDPR): name, email, and optionally phone, company, budget, scope and free-text message — used solely to reply to your enquiry. Security signals (lawful basis: legitimate interest, art. 6(1)(f)): truncated IP address and User-Agent stored with the contact submission to mitigate spam and abuse. Analytics (lawful basis: consent, art. 6(1)(a)): Google Analytics 4 with IP anonymisation, loaded only after you accept analytics cookies. Captcha (lawful basis: legitimate interest): Cloudflare Turnstile to filter automated submissions.
Retention
Contact submissions: kept for up to 3 years after the last interaction unless the relationship becomes contractual. Security signals (IP, User-Agent): truncated on storage and deleted after 12 months. Analytics: retained according to Google Analytics defaults (max. 14 months). Signed contracts and supporting proof of consent: kept up to 10 years as required by French commercial law.
Recipients and processors
We use a minimal number of trusted processors: Resend (transactional email delivery), Cloudflare (Turnstile captcha and edge protection), Google (Analytics — only with consent), and our French hosting provider. Each processor is bound by a Data Processing Agreement. A current sub-processor list is available on request.
International transfers
Some processors (Google, Resend, Cloudflare) are headquartered in the United States. Transfers rely on the EU–US Data Privacy Framework and on Standard Contractual Clauses where applicable. Analytics transfers only occur if you have given consent.
Your rights
Under GDPR you have the right to access, rectify, erase, restrict, and port your data, and to object to processing based on legitimate interest. You may withdraw consent for analytics at any time via the cookie banner. To exercise these rights, email [email protected]. We respond within one month. You may also lodge a complaint with the CNIL (cnil.fr).
Security
Data is transmitted over HTTPS. Passwords (internal staff accounts only) are hashed with Argon2id. Two-factor authentication is enforced on staff accounts. We do not sell or rent personal data.
Children
The site is not directed at children under 15 and we do not knowingly collect data from them.
Changes
We may update this policy. Material changes will be highlighted on this page with a new "Last updated" date.