Privacy policy
This policy explains what personal data Obexal processes, why, on what legal basis, and the rights you can exercise at any time.
This privacy policy describes how personal data is collected and processed when you use the Obexal service, our websites and related APIs. It is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR).
Obexal is a European sovereign identity provider, designed and hosted in the European Union, with no dependency outside the EU.
1. Data controller
The controller responsible for the processing described here is Obexal, operated by a French company currently being incorporated; until incorporation is complete, the founder answers enquiries directly. The company's registration details will be published here as soon as the incorporation is complete.
- Email: contact@obexal.com
- Phone: +33 9 84 25 52 61
When Obexal is operated as a white-label identity provider on behalf of a customer (tenant), that customer is the controller of the end-user data held in their workspace, and Obexal acts as a processor on their instructions. This policy covers the processing for which Obexal is the controller.
2. Purposes and legal bases
We process personal data for the following purposes, each with its legal basis under Article 6 of the GDPR:
- Providing the identity service (accounts, authentication, single sign-on, multi-factor authentication, directory, conditional access): performance of the contract (Art. 6(1)(b)).
- Securing access (password policy, passkeys/WebAuthn, TOTP, one-time codes, risk and anomaly detection, kill switch for agents): our legitimate interest in protecting accounts and systems, and compliance with our security obligations (Art. 6(1)(f) and (c)).
- Keeping audit logs of authentication, administration and agent activity: legitimate interest in traceability and legal obligation where applicable (Art. 6(1)(f) and (c)).
- Handling support requests and communications: performance of the contract and legitimate interest (Art. 6(1)(b) and (f)).
- Meeting accounting, tax and legal obligations: legal obligation (Art. 6(1)(c)).
- Sending service or commercial communications where applicable: consent or legitimate interest (Art. 6(1)(a) or (f)); you can withdraw your consent or object at any time.
3. Data we collect
Depending on how you use Obexal, we may process:
- Identity and profile data: first name, last name, display name, email address, job title, department, preferred language.
- Authentication data: password hashes (never stored in clear text), passkey/WebAuthn credentials, TOTP secrets, one-time codes, linked social or LDAP identities.
- Directory data: groups, memberships, roles, attributes and claims, provisioning data received or sent via SCIM 2.0.
- Access and security data: IP address, approximate country (via GeoIP), connection time, device signals, risk signals, consent records.
- Agent identity data: agent credentials, scope and audience policies, delegation and review records, audit events.
- Technical logs: audit trail entries and real-time audit stream events tied to authentication, administration and API use.
We do not collect date of birth or other data not required to operate the service.
4. Retention periods
Data is kept only as long as necessary for the purposes above:
- Account and profile data: for the duration of the account, then 3 years after closure.
- Technical and audit logs: 12 months.
- Support correspondence: 3 years after the last exchange.
- Accounting and invoicing records: the statutory retention period (in France, ten years).
- Deletion requests: permanent deletion within 30 days of the request.
At the end of these periods, data is deleted or anonymised.
5. Recipients, processors and hosting
Personal data is accessed by authorised staff on a need-to-know basis and by the following categories of processors acting on our instructions:
- Hosting provider: established in the European Union, hosting in France, datacenter in the Paris region.
- Transactional email provider: established in the European Union.
The named list of processors is available on request through our contact page. Obexal serves its own fonts and does not rely on a third-party content delivery network. Each processor is bound by a data protection agreement under Article 28 of the GDPR.
6. International transfers
Obexal is designed and hosted in the European Union. We do not transfer personal data outside the European Union or the European Economic Area. Should this ever change, we would rely on an appropriate safeguard under Chapter V of the GDPR and update this policy beforehand.
7. Security
We apply technical and organisational measures appropriate to the risk, including password hashing (passwords are never stored in clear text), strong multi-factor authentication, conditional-access policies that are versioned and can be simulated before enforcement, least-privilege agent policies (scope ceiling, TTL cap, audience allowlist, fail-closed), and continuous audit logging.
8. Your rights
Under the GDPR you have the right to access your data, to rectification, to erasure, to restriction of processing, to object, to data portability, and to withdraw consent at any time where processing is based on consent. Under French law, you may also give instructions on the fate of your data after your death.
These rights are backed by real self-service features: you can export your data in one click from your account, and request the deletion of your account after re-authentication. Permanent deletion then takes place within 30 days.
Where Obexal acts as a processor for a tenant, please address your request to that organisation; if we receive it directly, we will forward it to them. To exercise your rights toward Obexal as controller, contact us using the details below. We may ask for proof of identity and will respond within one month.
9. Personal data contact
For any question about this policy or your personal data:
- Personal data point of contact: contact@obexal.com (a data protection officer will be appointed when the incorporation is complete).
- Phone: +33 9 84 25 52 61
10. Complaint to the supervisory authority
If you believe your rights are not respected, you may lodge a complaint with the French supervisory authority, the Commission nationale de l'informatique et des libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, or at www.cnil.fr, without prejudice to any other remedy.
11. Updates
This policy may be updated to reflect changes in the service or the law. Material changes will be communicated before they take effect.
Version dated 2 July 2026.
A question about your data?
We answer privacy and security requests directly.