Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller for personal data processing is:
Shelaon Partners — SARL au capital de 5 000,00 €
SIREN: 899 165 872 — RCS Paris
Registered office: 54 Avenue Hoche, 75008 Paris, France
Data protection contact: privacy@shelaon.com
2. Personal Data We Collect
We collect and process the following personal data:
2.1 Data you provide directly
- Identity data: Full name, company name
- Contact data: Email address
- Technical data: FQDN (domain name), SSH public key
- Password delivery preference: Choice between email or file delivery for the Wazuh admin password
2.2 Data collected automatically
- Analytics data: Pages visited, referrer, country (via Vercel Analytics — anonymized, no cookies by default)
- Payment data: Transaction information processed by Stripe (we do not store card numbers)
- Technical logs: IP address, browser user-agent (for security and abuse prevention)
3. Purposes and Legal Bases
We process your personal data for the following purposes:
| Purpose | Data | Legal Basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Service delivery (server deployment) | Name, email, FQDN, SSH key, company | Contract performance (Art. 6.1.b) | Duration of subscription + 12 months |
| Payment processing | Payment info (via Stripe) | Contract performance (Art. 6.1.b) | Duration of subscription + legal retention (10 years for accounting) |
| Deployment email (credentials delivery) | Email, server credentials | Contract performance (Art. 6.1.b) | Sent once, not stored by OSD |
| Customer support | Name, email, support exchanges | Legitimate interest (Art. 6.1.f) | Duration of subscription + 24 months |
| Website analytics | Anonymized usage data | Legitimate interest (Art. 6.1.f) | 24 months |
| Fraud and abuse prevention | IP address, technical logs | Legitimate interest (Art. 6.1.f) | 12 months |
| Legal obligations (invoicing) | Name, company, payment records | Legal obligation (Art. 6.1.c) | 10 years (French accounting law) |
| Cookie consent preference | Consent choice | Consent (Art. 6.1.a) | 13 months |
4. Sub-Processors and Third Parties
We share your personal data with the following service providers, all of which are GDPR-compliant:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, invoicing | Name, email, payment info, subscription metadata | USA (EU SCCs + DPF certified) |
| Hetzner Online GmbH | Cloud infrastructure hosting (server provisioning) | SSH key, FQDN, server configuration | Germany / Finland (EU) |
| Mailgun (Sinch) | Transactional email delivery (deployment emails, notifications) | Email address, email content | EU region (eu.mailgun.org) |
| Vercel, Inc. | Website hosting and deployment, web analytics | Anonymized analytics, access logs | USA (EU SCCs) |
| Slack (Salesforce) | Internal admin notifications (new orders) | Order metadata (no PII beyond name/email) | USA (EU SCCs) |
International transfers: Where data is transferred outside the EU (Stripe, Vercel, Slack), transfers are protected by EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF). You can request a copy of the applicable safeguards by contacting privacy@shelaon.com.
5. Cookies and Tracking
5.1 Cookies used
| Cookie | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
osd-consent | OSD | Stores your cookie consent preference | Strictly necessary | 13 months |
va | Vercel Analytics | Anonymous page view analytics | Analytics (optional) | Session |
__stripe_mid, __stripe_sid | Stripe | Fraud prevention during checkout | Strictly necessary | Session / 30 min |
5.2 Your choices
When you first visit our website, a cookie consent banner allows you to accept or decline non-essential cookies (analytics). Strictly necessary cookies (consent preference, Stripe fraud prevention) cannot be disabled as they are required for the service to function.
You can change your cookie preferences at any time by clearing your browser cookies or using your browser settings.
6. Your Rights (GDPR Articles 15-22)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): Obtain a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest, including profiling.
- Right to withdraw consent (Art. 7): Withdraw consent for cookie analytics at any time.
To exercise any of these rights, contact us at privacy@shelaon.com. We will respond within 30 days of receiving your request. If needed, this period may be extended by two additional months for complex requests.
If you believe your rights have not been respected, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection authority: www.cnil.fr.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- All communications are encrypted via TLS/HTTPS.
- Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified).
- Server credentials are generated server-side and transmitted securely — OSD does not retain passwords after delivery.
- Hetzner infrastructure is ISO 27001 certified.
- Access to admin systems is restricted and protected by multi-factor authentication.
8. Data Processed by Your Wazuh Instance
Important: OSD does not access, process, or store any data that transits through your Wazuh SIEM instance. This includes security logs, alerts, agent data, and any other information collected by Wazuh on your endpoints. All such data resides exclusively on your Hetzner server and is under your sole control and responsibility.
As the operator of your Wazuh instance, you are the data controller for any personal data processed by your SIEM. You are responsible for ensuring compliance with applicable data protection regulations (GDPR, etc.) for data collected by your Wazuh agents.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify you by email. Continued use of the service after changes constitutes acceptance of the updated policy.
10. Contact
For any questions about this Privacy Policy or to exercise your rights:
- Email: privacy@shelaon.com
- Postal: Shelaon Partners, 54 Avenue Hoche, 75008 Paris, France
- Supervisory authority: CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Shelaon Partners — Cybersecurity & SOC Specialists
Website: shelaon.com · Email: privacy@shelaon.com