Girafe Privacy Policy
Last updated: 12th of June 2026
1. Purpose of this policy
This Privacy Policy explains how Girafe collects, uses, stores, protects and shares personal data in connection with its web platform.
It applies to site visitors, persons creating an account, members publishing a page, persons sending a contact request, persons subscribing to the newsletter, and users of the mapping, artificial intelligence and connection features.
2. Data controller and relationship with Girafe Planet
The data controller for personal data processed in connection with the operation of the Girafe digital platform is:
Girafe France SAS
Simplified joint-stock company, mission-driven company
Registered office: 15 rue de Bruxelles, 75009 Paris, France
RCS: 993 845 965
General contact: contact@girafeplanet.com
Personal data contact: confidentialite@girafeplanet.com
Girafe Planet, a French non-profit association under the law of 1901, is a separate structure from Girafe France SAS and is linked to the Girafe project. This relationship is mentioned for the sake of transparency. At this stage, Girafe Planet is not responsible for all processing carried out on the digital platform.
Girafe Planet may, where applicable, carry or support certain community-based, cultural, territorial or public-interest activities related to Girafe. If a specific initiative involves a particular allocation of roles between Girafe France SAS and Girafe Planet, this allocation will be specified to the persons concerned in the context of that initiative.
No data protection officer has been appointed at this stage. Requests relating to personal data may be sent to: confidentialite@girafeplanet.com.
3. Data collected
Girafe may collect the following categories of data.
3.1 Data provided during registration
- email address;
- first name;
- occupation or title;
- address entered;
- public location derived from the address;
- GPS coordinates associated with the map point;
- interface language;
- acceptance of the Terms of Use and Privacy Policy;
- choice relating to contactability;
- data necessary to create the account and authenticate by magic link.
3.2 Data relating to the profile or project
- title;
- summary;
- needs;
- offers;
- intention;
- bio or presentation;
- category;
- type of profile or project;
- media, images, videos, documents or links transmitted;
- project fields: actor type, issue, partners, sponsors, team members or equivalent information;
- likes or interaction indicators;
- publication, validation or moderation status.
3.3 Data from the conversational assistant
When a user uses the conversational assistant, they may enter information relating to their background, needs, offers, intentions or project.
According to the current technical configuration, the content of the conversation is not stored server-side by Girafe beyond the time necessary for the request. However, summaries generated from this conversation may be stored in the page: needs, offers, intention, summary, corrected or reformulated sections.
When a logged-in user resumes a conversation, a progress snapshot may be stored in order to allow the path to be resumed.
3.4 Location and mapping data
Girafe collects or uses:
- the address entered;
- the shortened or approximate public address;
- the GPS coordinates of the point displayed on the map;
- information necessary to display the map;
- technical data transmitted to Mapbox when consulting the map or using geocoding.
The complete address is not publicly displayed in clear text, but the GPS point of a published page may be visible on the map.
3.5 Data relating to contact requests
When a visitor sends a contact request from a page, Girafe collects:
- the requester’s email address;
- the message;
- the subject of the request;
- the page concerned;
- the date on which the request was created.
The request is private and transmitted to the Girafe team, which may relay it to the member concerned. The recipient member’s email address is not made public.
3.6 Technical data
Girafe may process:
- IP address;
- server logs;
- session tokens;
- magic link tokens;
- WordPress login cookies;
- language cookies;
- cookie consent cookie;
- nonces and security tokens;
- rate-limiting and anti-abuse data.
Emails recorded in certain technical logs are masked in order to avoid storing them in clear text in application logs.
3.7 Newsletter data
When a user subscribes to the newsletter, Girafe collects the email address and opt-in status. Newsletters and communications may be sent using Brevo or a similar provider.
4. Purposes and legal bases
Girafe processes data for the following purposes.
4.1 Account creation and management
Purpose: to create an account, allow authentication by magic link, manage account statuses, allow login and modification of information.
Legal basis: performance of the Terms of Use.
4.2 Creation, moderation and publication of pages
Purpose: to allow the creation of profiles and projects, review them, moderate them and publish them on the map and public pages.
Legal basis: performance of the Terms of Use; Girafe’s legitimate interest in ensuring the quality, security and consistency of the platform.
4.3 Contact requests
Purpose: to allow a visitor to send a contact request and the Girafe team to decide whether or not to relay it.
Legal basis: the request made by the person sending the request; Girafe’s and the member’s legitimate interest in enabling a mediated connection when the member has activated the contact option.
4.4 Conversational assistant and generation of summaries
Purpose: to help the user formulate their needs, offers, intentions, summary or sections of their page.
Legal basis: performance of the service requested by the user and Girafe’s legitimate interest in providing a formulation-assistance tool. An information screen informs the user that artificial intelligence is being used before the conversation begins.
4.5 Geocoding and mapping
Purpose: to suggest an address, determine coordinates, display a page on the map and allow map navigation.
Legal basis: performance of the service requested by the user and legitimate interest in providing a functional map. Prior information is displayed before geocoding.
4.6 Security, abuse prevention and technical operation
Purpose: to prevent abuse, protect the platform, limit requests, detect errors, manage sessions and secure forms.
Legal basis: Girafe’s legitimate interest in ensuring the security and proper operation of the platform.
4.7 Newsletter
Purpose: to send information relating to Girafe, its projects, news or calls for contribution.
Legal basis: consent.
4.8 Audience measurement
Purpose: to measure site traffic and understand the use of pages, if Google Analytics or an equivalent tool is enabled.
Legal basis: consent.
5. Publicly visible data
When a page is published, certain data becomes public, including:
- title;
- first name;
- occupation;
- summary;
- needs;
- offers;
- intention;
- category;
- excerpt;
- image or media;
- public link to the page;
- indication of contactability;
- shortened public location;
- geographic point on the map;
- descriptive project fields.
The following are not displayed publicly:
- member’s email address;
- complete address entered;
- contact requests;
- account data;
- status history;
- consents;
- private content of certain blocks;
- complete conversations with the assistant.
6. Conversational assistant and OpenAI
Girafe’s conversational assistant relies on the OpenAI API.
When the user uses the assistant, the messages entered may be transmitted to OpenAI in order to produce responses, suggestions or summaries. According to the current technical configuration, the email address is not transmitted to OpenAI. The complete address is not transmitted to OpenAI; only limited context, such as a city or area, may be used where necessary.
The full content of the conversation is not stored server-side by Girafe, except for a progress snapshot where necessary to resume a conversation. Only the final structured or validated content, such as the summary, needs, offers or intention, may be stored and published on the page.
OpenAI states that data transmitted through its API is not used by default to train or improve its models, unless an explicit contrary choice is made. However, OpenAI may process data transmitted in order to provide the service, ensure security and prevent abuse, in accordance with its own applicable contractual terms and policies.
OpenAI is a provider located outside the European Union. The corresponding data transfers are governed by appropriate contractual safeguards, including standard contractual clauses where applicable.
7. Geocoding, mapping and Mapbox
The platform uses Mapbox for geocoding and map display.
When the user enters an address, it may be transmitted to Mapbox in order to suggest addresses and determine geographic coordinates. This operation may occur before an account is created. An information notice is displayed before geocoding.
When consulting the map, the browser may also communicate with Mapbox in order to display map tiles or cartographic images.
Mapbox is a provider located outside the European Union. The corresponding data transfers are governed by appropriate contractual safeguards, including standard contractual clauses or other recognized transfer mechanisms where applicable.
8. Hosting, emails, newsletter and media optimization
The data necessary for the operation of the platform is hosted by Hostinger International Ltd.
Transactional emails, including magic links, confirmations, notifications, contact requests or account-related messages, may be routed through Gandi or an equivalent SMTP service.
Newsletters and communications may be sent through Brevo or an equivalent provider, only where the user has consented to receive them.
Images or media sent to the platform may be technically optimized in order to improve site display and performance. This optimization may be carried out locally on the server or through a specialized service, depending on the technical configuration selected.
9. Recipients and processors
Data may be accessed by:
- the Girafe team, for administration, moderation, publication, security and connection purposes;
- site visitors, only for data displayed publicly;
- technical providers necessary for the operation of the service.
The main identified providers are:
- Hostinger, for hosting;
- OpenAI, for the conversational assistant;
- Mapbox, for geocoding and mapping;
- Gandi, for routing transactional emails;
- Brevo, for newsletters and communications;
- Google Site Kit / Google Analytics, if enabled and accepted;
- YouTube, only when the user clicks to load an embedded video;
- Polylang, for language management;
- EWWW Image Optimizer or an equivalent tool, for image and media optimization, depending on the technical configuration selected.
10. Transfers outside the European Union
Certain providers may be located or process data outside the European Union, in particular OpenAI and Mapbox in the United States, as well as Google or YouTube when their services are used.
These transfers are governed by the safeguards provided under the GDPR, including standard contractual clauses, applicable adequacy decisions, recognized certification frameworks or appropriate supplementary measures where necessary.
11. Cookies and trackers
The platform uses cookies and similar technologies.
11.1 Necessary cookies
Certain cookies are necessary for the operation of the site:
- WordPress login cookies;
- security cookies;
- Polylang language cookie;
- cookie consent cookie;
- technical anti-CSRF tokens or equivalents.
These cookies are necessary for the service and do not necessarily require consent.
11.2 Trackers subject to consent
If Google Analytics is enabled, the associated trackers are blocked until the user has given consent through the cookie banner.
In the event of refusal, Google Analytics is not loaded.
YouTube videos are embedded in no-cookie mode where possible and are loaded only after the user clicks on the video façade.
11.3 Consent management
The user may accept or refuse cookies subject to consent through the banner provided. The user’s choice is stored by means of a consent cookie. The user may modify their choice according to the methods provided on the site.
12. Retention periods
Data is kept for a period proportionate to the purposes for which it is collected.
The reference retention periods are as follows:
- user account: for the duration of use of the service, until account deletion or applicable request;
- published pages: for the duration of publication, until account deletion, unpublication or applicable request;
- abandoned drafts: up to 30 days;
- temporary post-creation data: up to 7 days;
- contact requests: up to 12 months;
- newsletter data: until consent is withdrawn or the user unsubscribes;
- server logs and security data: for the period necessary for security, technical diagnosis and abuse prevention, according to the host’s settings and security needs;
- data transmitted to providers: according to the periods provided for in their own applicable contractual terms and policies.
Account deletion results in the deletion of the content linked to the account, except for data that Girafe may be required or authorized to keep for legal, evidentiary or security reasons, or for the management of third-party contact requests.
13. Rights of individuals
In accordance with the GDPR and the French Data Protection Act, data subjects have, depending on the case, the following rights:
- right of access;
- right to rectification;
- right to erasure;
- right to object;
- right to restriction of processing;
- right to data portability;
- right to withdraw consent where processing is based on consent;
- right to define instructions regarding the fate of their data after death;
- right to lodge a complaint with the CNIL.
Certain features are available in self-service: modification of certain sections, email change with confirmation, disabling contactability, newsletter unsubscription, account deletion.
To exercise a right or ask a question, the user may write to: confidentialite@girafeplanet.com.
Where necessary, Girafe may request the information needed to verify the requester’s identity.
14. Account deletion
Account deletion results in the deletion of the WordPress account and the content linked to the account, including profiles and projects, according to the existing technical procedures.
Certain data may nevertheless be retained when it concerns third parties, when it is necessary for security, evidence, compliance with a legal obligation or the management of a contact request already sent.
Contact requests include, in particular, the email address of the third-party requester and are not necessarily deleted solely because the recipient member’s account is deleted.
15. Security
Girafe implements technical and organizational measures intended to protect data, including:
- login by magic link;
- rate limiting and anti-abuse mechanisms;
- masking of emails in application logs;
- human moderation;
- cookies and security tokens;
- separation between public and private data;
- restricted administrator access;
- secure hosting;
- deletion and rectification mechanisms.
As no security measure can be absolute, Girafe invites users not to publish or transmit information that they do not wish to make public or that would be excessively sensitive.
16. Minors and sensitive data
Account creation and publication of a page on the platform are reserved for adults.
The platform is not intended to collect or publish nominative information relating to minors, health data, individual social difficulties, or sensitive family, migration, school-related or administrative situations.
Users are invited to formulate needs or projects in general and non-identifying terms when they concern vulnerable groups or public programmes.
17. Changes to this policy
Girafe may modify this policy in order to take into account changes to the platform, its providers, legal requirements or recommendations from competent authorities.
The date of the latest update appears at the beginning of the document.
18. Contact and complaint
For any question relating to this policy or to personal data:
confidentialite@girafeplanet.com
The user may also lodge a complaint with the CNIL.