Privacy policy

Who we are

This privacy policy applies to the website ostral.ai (the “Website”).

The Website is published and operated by:

Ostral Security SAS, a société par actions simplifiée registered in France

•         Registered address: 122 rue Amelot, 75011 Paris

•         SIREN: 103489027

•         Contact: privacy@ostral.ai

For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the French Data Protection Act (Loi Informatique et Libertés), Ostral acts as the data controller for the personal data collected through this Website.

This policy explains what personal data we collect when you visit ostral.ai, why we collect it, who we share it with, how long we keep it, and what rights you have.

Note: This policy covers our marketing website only. If you are an end user of the Ostral browser security product deployed by your employer, please refer to our separate Product Privacy Notice and to the Data Processing Agreement between Ostral and your organization.

Data collection

We collect personal data in the following situations:

a) When you fill in a contact or demo request form

•         Data collected: your name, professional email address, company name, job title, country, and any message you send us. Some fields may be optional.

•         Purpose: to respond to your request, organize a product demonstration, and follow up on commercial discussions.

•         Legal basis: the performance of pre-contractual measures taken at your request (Article 6(1)(b) GDPR), or our legitimate interest in responding to business inquiries (Article 6(1)(f) GDPR).

b) When you subscribe to our newsletter

•         Data collected: your professional email address.

•         Purpose: to send you news, product updates, and content about Ostral.

•         Legal basis: your consent (Article 6(1)(a) GDPR). You can withdraw your consent at any time by clicking the unsubscribe link in any email we send you.

c) When you browse the Website

•         Data collected: technical data such as your IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and approximate location (country/region level).

•         Purpose: to ensure the Website works correctly, secure it against abuse, and measure aggregate audience and performance.

•         Legal basis: our legitimate interest in operating and securing the Website (Article 6(1)(f) GDPR). For non-essential cookies, your consent (Article 82 of the French Data Protection Act).

Cookies

The Website uses a limited number of cookies and similar technologies:

•         Strictly necessary — session cookies set by Framer (our hosting provider) to make the site work and deliver content via CDN. No consent required.

•         Analytics — Framer’s built-in analytics, used to measure aggregate audience (page views, referrers). Consent required, unless exempt.

•         Functional — preference cookies (e.g. language) to remember your choices. Consent depends on use.

We do not use third-party advertising or tracking pixels (no Google Ads, no Meta Pixel, no LinkedIn Insight Tag).

Data Access

Your data is accessed by Ostral employees who need it to perform their job (commercial, marketing, technical teams).

We also share data with the following categories of sub-processors who process it on our behalf and under our instructions:

•         Framer B.V. — website hosting and built-in analytics (EU / United States).

•         HubSpot Inc. — CRM, demo request handling, newsletter (European Union / United States).

•         Google Workspace — professional email communication (European Union / United States).

 

When data is transferred outside the European Economic Area, we ensure that an adequate level of protection is in place, in particular through the European Commission’s Standard Contractual Clauses and additional technical and organizational measures where necessary.

A full, up-to-date list of our sub-processors is available on request at privacy@ostral.ai.

We do not sell your personal data.

Data Storage

•         Demo requests and prospect data — up to 3 years from the last contact, then archived or deleted.

•         Newsletter subscriber email — until you unsubscribe, then deleted within 30 days.

•         Customer data — for the duration of the commercial relationship, then archived for legal and accounting obligations (up to 10 years).

•         Server logs — up to 12 months.

•         Analytics data — up to 25 months.

Your rights

Under the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:

•         Right of access — obtain a copy of the data we hold about you

•         Right to rectification — correct inaccurate data

•         Right to erasure (“right to be forgotten”) — request the deletion of your data

•         Right to restriction of processing

•         Right to object to processing based on legitimate interest

•         Right to data portability — receive your data in a structured, machine-readable format

•         Right to withdraw consent at any time, where processing is based on consent

•         Right to give instructions regarding your data after your death

To exercise any of these rights, contact us at privacy@ostral.ai. We may ask you to provide proof of identity before responding. We will reply within one month of receiving your request.

If you believe we are not respecting your rights, you may file a complaint with the French data protection authority:

Commission Nationale de l’Informatique et des Libertés (CNIL)

3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07, France

www.cnil.fr

Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (HTTPS/TLS), access controls, logging, regular security reviews, and staff training.

No system is completely secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL and, where required, you, in accordance with Articles 33 and 34 GDPR.

Policy Changes

We may update this policy from time to time, in particular to reflect changes in our services, the sub-processors we use, or applicable laws. The most recent version is always available at this URL. Material changes will be communicated by a clear notice on the Website or by email if we have your address.

Contact

For any question about this policy or about how we handle your personal data, please write to:

privacy@ostral.ai