Privacy Policy
This privacy policy describes the processing of personal data within the “DABAR's” service (the “Application”), covering the mobile app (iOS / Android) and the associated website. The service is published by DABAR (contact@dabarfrance.com), acting as data controller within the meaning of Regulation (EU) 2016/679 (GDPR). The Application is intended for strictly professional use by employees and authorized collaborators of the Publisher; every account is created or validated by the Publisher.
Intended audience — Minimum age: the Application is reserved for adult professional use. The Publisher sets the minimum age of use at 16 (in line with Article 8 GDPR and French law) and discourages any use by minors outside an authorized professional setting. The Application is not designed for children.
1. Categories of data collected
The Application collects only data strictly necessary to its professional operation:
• Contact information: full name, email address (used as login identifier), professional role and department where applicable.
• Identifiers: unique user ID generated by the authentication service (Supabase, Inc.).
• User content: expense entries (date, supplier, net / VAT-inclusive amounts, VAT, category, associated project), photographs of receipts and uploaded supporting documents (imported from the gallery or captured via the camera), optional comments, tracked commercial projects.
• Interface preferences: chosen language (FR / EN / ZH), authentication session stored locally.
• Minimal technical diagnostics: connection logs and error messages (for security and support purposes).
The Application does not embed any third-party behavioral analytics tool (no Google Analytics, no public Sentry, no Mixpanel, no advertising SDK).
2. Tracking (App Tracking Transparency)
The Publisher expressly declares that the Application **DOES NOT TRACK** its users within the meaning of Apple's App Tracking Transparency framework:
• no advertising identifier (IDFA) is read;
• no data is shared with data brokers or advertising networks;
• no correlation is made between your activity in the Application and your activity in other third-party apps or websites.
Consequently, the Application does not display the “Allow … to track you?” prompt on iOS.
3. iOS / Android permissions requested
The Application requests your explicit consent before accessing the following resources; you may refuse or revoke these accesses at any time from your device's Settings:
• Camera (NSCameraUsageDescription): to scan a receipt. Images are encrypted in transit and stored in your dedicated space.
• Photo library (NSPhotoLibraryUsageDescription): to import a previously taken supporting document. No other photo from your library is read.
On the website, camera access and file imports are not used: data entry is manual.
4. Purposes and legal bases
Data is processed for the following purposes:
• account management and authentication — legal basis: performance of the employment contract / pre-contractual measures;
• expense management (entry, validation, rejection, accounting export) — legal basis: legitimate interest of the employer in organizing professional reimbursements;
• management of commercial projects and related information — legal basis: legitimate interest;
• security, fraud and unauthorized access prevention — legal basis: legitimate interest / legal obligation;
• legal and accounting obligations — legal basis: legal obligation (notably French Commercial Code and Tax Code);
• service improvement — legal basis: legitimate interest, within proportionality limits.
5. Notifications
The Application may send in-app notifications (and, where applicable, iOS / Android push notifications) regarding the status of your expenses (validation, rejection, request for information). You can disable push notifications from your device's Settings.
6. Recipients
Data is accessible only to authorized persons:
• yourself for your own data;
• your hierarchy / finance / administration of the Publisher, within the limits of their respective roles (database-level Row-Level Security);
• the technical subprocessors listed below, acting on the Publisher's instructions.
7. Technical subprocessors
• Supabase, Inc. (https://supabase.com) — authentication, database and storage of supporting documents, in a European Union region.
• Vercel Inc. (https://vercel.com) — hosting of the public website (legal pages, management interface).
• Groq, Inc. (https://groq.com) — extraction of receipt information by artificial intelligence (image analysis). Images transit via a server-side function operated by the Publisher; the provider does not retain your supporting documents beyond the analysis time, in accordance with its retention policy.
• Apple Inc. / Google LLC — distribution of the application via App Store / Google Play (no access to your expense content).
8. Location and transfers outside the EU
Business data (expenses, supporting documents, accounts) is stored on servers located within the European Union. Some providers (Groq, Apple, Google) may be located in the United States; transfers, if any, are framed by the European Commission's standard contractual clauses or an equivalent mechanism provided by the GDPR.
9. Retention periods
• Active account: as long as you are an authorized employee / collaborator.
• Supporting documents and expense entries: duration required by legal and accounting obligations (up to 10 years for accounting documents, in accordance with Article L123-22 of the French Commercial Code).
• Connection and security logs: 12 months maximum.
• Data after account deletion: see section 11.
10. Your rights (GDPR)
You may at any time exercise the following rights: access, rectification, erasure (“right to be forgotten”), restriction, objection, portability, and post-mortem directives (French Data Protection Act). To exercise a right or obtain information, write to contact@dabarfrance.com. In case of disagreement, you may lodge a complaint with the CNIL: www.cnil.fr.
Withdrawal of consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before such withdrawal.
11. Account deletion (Apple Guideline 5.1.1(v))
You may delete your account directly from the Application:
1. Open the “Settings” tab.
2. Tap “Delete my account” in the “Account and data” section.
3. Confirm the permanent deletion.
Upon deletion:
• Your authentication account is deleted immediately.
• Supporting document images you stored in your personal storage area are erased.
• Expense entries you created are deleted, subject to legal and accounting obligations: if an entry has already been validated and integrated into the Publisher's accounting, the accounting record is kept for the legal duration (up to 10 years), dissociated from your identity where technically possible (anonymization of the “reviewer” field, etc.).
• You will no longer be able to log in with this email address without a new registration validated by the Publisher.
You may also write to contact@dabarfrance.com to request manual deletion or ask any question about this process.
12. Security
Passwords are never stored in clear text: they are hashed by Supabase, Inc. using proven algorithms. Communications between the application and servers are encrypted via TLS. The database applies Row-Level Security access rules ensuring that an employee only sees their own entries, and that only “manager” / “finance” roles may access others' entries.
13. Cookies and local storage
Mobile application: no third-party cookies. The authentication session is stored locally via the operating system's secure vault (iOS Keychain / Android Keystore via encrypted AsyncStorage).
Website: no advertising cookies, no third-party audience-measurement cookies. The browser only stores your authentication session (localStorage) and your preferences (language); these elements are deleted upon logout.
14. Modifications
The Publisher may update this policy to reflect technical or legal changes. The date of last update is indicated below: 5 May 2026. In case of substantial change, active users are notified via the Application.
15. Contact
For any question regarding this policy or your data: contact@dabarfrance.com.