§ Privacy
Privacy policy
How Tessaliq handles personal data under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the French Loi Informatique et Libertés. Two scopes are covered separately: the public website, and the verifier API.
Data controller
SASU Tessaliq, publisher of the site and operator of the service (see legal notice for full details), represented by its President Olivier Meunier.
- Registered office: 5 chemin de la Marmousière, 49125 Tiercé, France
- RCS: 104 764 923 R.C.S. Angers
- Privacy contact: contact@tessaliq.com
No Data Protection Officer (DPO) is formally appointed at this stage; SASU Tessaliq's processing does not fall within the categories that make a DPO mandatory (Article 37 GDPR). The President handles privacy requests directly.
1. Public website — tessaliq.com
Data collected
- Contact form — name (optional), email address, and message content. Purpose: reply to the enquiry. Legal basis: legitimate interest in commercial contact (Art. 6.1.f GDPR) and, if applicable, consent (Art. 6.1.a).
- Server logs — IP address, user agent, HTTP method, path and timestamp, collected by the hosting providers for technical operation, security and abuse prevention. Legal basis: legitimate interest (Art. 6.1.f GDPR).
Data NOT collected
- No analytics cookies, no advertising cookies, no tracking pixels.
- No Google Analytics, Meta Pixel, Hotjar, nor any third-party analytics provider.
- No user accounts on the public site. No newsletter subscription.
Retention
- Contact form emails: up to 24 months after the last exchange, then deleted.
- Server logs: retention policy of the hosting providers (typically 30 days).
2. Verifier API — api.tessaliq.com
The verifier API is Tessaliq's core product. It is used by SaaS publishers to verify identity attributes presented via EUDI Wallets for their end-users. The data flow is structurally different from a typical API.
Data scope — architectural minimisation
Tessaliq is designed so that no personal attribute of the end-user is persisted on Tessaliq's servers. During a verification:
- The verifier receives a wallet presentation via OID4VP or the Digital Credentials API.
- It validates the issuer signature, selective disclosures and key binding in memory only.
- It records in an append-only audit log: session identifier, policy name, outcome (verified / failed), timestamp, proof fingerprint (SHA-256 hash) and, where available, the assurance level of the underlying PID. No birth date, no name, no nationality, no document number.
- It issues a signed receipt (ES256 JWT) containing only the session metadata above. The receipt contains no personal attribute.
In the zero-knowledge advanced path (alpha opt-in), the birth date never leaves the end-user's browser. In the default mdoc age verification path, the wallet discloses only the requested derived attribute (e.g. age_over_18), so the birth date never transits through Tessaliq's servers.
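The following is an added example, not Tessaliq's code, illustrating the verification steps listed above: it derives the audit-log entry and the receipt claims from a constructed wallet presentation and then checks that no disclosed attribute leaked into either artefact before anything is persisted. The presentation shape, the field names, the choice to hash a canonical JSON encoding for the proof fingerprint, and the rule that rejects over-disclosure are all assumptions of this example; the ES256 signing of the receipt is not shown because it needs a P-256 key and a JOSE library.

```python
"""Added example, not Tessaliq's code: derive the audit-log entry and the
receipt claims from a constructed wallet presentation and guard against any
disclosed attribute reaching either artefact. Field names, presentation
shape, canonical-JSON fingerprinting and the over-disclosure rule are this
example's assumptions; ES256 signing of the receipt is omitted."""
import hashlib
import json
import time

# Constructed presentation, as the verifier might hold it in memory after
# decoding an OID4VP response and checking issuer signature and key binding.
PRESENTATION = {
    "session_id": "sess_01HXYZ",
    "disclosed": {"age_over_18": True},
    "issuer_signature": "MEUCIQD...",   # opaque, constructed placeholder
    "key_binding": "eyJhbGciOi...",     # opaque, constructed placeholder
}

# Constructed over-disclosing presentation: the wallet also sends the birth
# date although the policy only asked for the derived age_over_18 attribute.
OVER_DISCLOSED = dict(PRESENTATION,
                      disclosed={"age_over_18": True, "birth_date": "1990-05-14"})


def proof_fingerprint(presentation: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the whole presentation."""
    canonical = json.dumps(presentation, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def audit_record(presentation, policy, outcome, assurance=None, now=None):
    """Append-only log entry: session metadata only, no attribute values."""
    return {
        "session_id": presentation["session_id"],
        "policy": policy,
        "outcome": outcome,
        "timestamp": int(time.time() if now is None else now),
        "proof_fingerprint": proof_fingerprint(presentation),
        "assurance_level": assurance,
    }


def receipt_claims(record):
    """Claims of the ES256 receipt JWT (signing step not shown)."""
    return {"iss": "https://api.tessaliq.com", "iat": record["timestamp"],
            "sid": record["session_id"], "policy": record["policy"],
            "outcome": record["outcome"], "fp": record["proof_fingerprint"]}


def _walk(obj, keys, values):
    """Collect every key and every scalar value of a nested JSON-like object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            keys.add(k)
            _walk(v, keys, values)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            _walk(v, keys, values)
    else:
        values.add(json.dumps(obj, default=str))


def leaked_attributes(presentation, *artefacts):
    """Disclosed attributes whose key or value appears in any artefact that
    would be persisted or handed to the SaaS publisher."""
    keys, values = set(), set()
    _walk(list(artefacts), keys, values)
    return sorted(k for k, v in presentation.get("disclosed", {}).items()
                  if k in keys or json.dumps(v, default=str) in values)


def finalise_session(presentation, policy, outcome, requested, now=None):
    """Build both artefacts; refuse if the wallet disclosed more than the
    policy requested or if an attribute leaked into what gets stored."""
    extra = set(presentation.get("disclosed", {})) - set(requested)
    if extra:
        raise ValueError(f"wallet over-disclosed: {sorted(extra)}")
    record = audit_record(presentation, policy, outcome, now=now)
    receipt = receipt_claims(record)
    leaks = leaked_attributes(presentation, record, receipt)
    if leaks:
        raise RuntimeError(f"personal attribute leaked into artefacts: {leaks}")
    return record, receipt


if __name__ == "__main__":
    rec, rcpt = finalise_session(PRESENTATION, "age18", "verified",
                                 ["age_over_18"], now=1700000000)
    print(json.dumps(rec, indent=2))
    print(json.dumps(rcpt, indent=2))
```

The leak check walks every key and scalar value of the artefacts rather than doing a substring search, so a short value such as a two-letter nationality code cannot false-match inside a session identifier or a hex fingerprint. Running the check on every session, not only in tests, turns the "nothing to retain" claim into an enforced invariant.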
Roles under GDPR
For the verifier API, Tessaliq acts as a processor on behalf of the SaaS publisher, who is the controller. Processing is documented in a Data Processing Agreement (DPA) signed at pilot onboarding. The DPA details the instructions, the technical and organisational measures, the sub-processors, and the data subjects' rights handling.
Retention
- Session metadata and receipts: retained for the duration required by the SaaS publisher's audit needs, typically 5 years for regulated age verification (ARCOM / SREN / CNIL audits).
- Personal attributes: never retained. By construction, there is nothing to retain.
3. Blog and documentation
The blog and technical documentation pages do not collect personal data. No cookies, no analytics, no comment system.
Sub-processors and international transfers
Tessaliq uses the following sub-processors. Transfers outside the EU/EEA are covered by the European Commission's Standard Contractual Clauses (SCC, 2021/914) and supplementary measures where applicable.
- Vercel, Inc. (United States) — hosts the public site and dashboard. Server logs only; no end-user personal attribute flows to Vercel. EU production regions used. Vercel's privacy policy: vercel.com/legal/privacy-policy.
- Fly.io, Inc. (United States) — hosts the verifier API. EU regions (cdg, Paris) used by default. Server logs only. Fly.io privacy: fly.io/legal/privacy-policy.
- Infomaniak Network SA (Switzerland, an adequate country under European Commission decision 2000/518/EC) — email service for contact@tessaliq.com.
- Resend, Inc. (United States) — transactional email delivery (2FA OTP for receipt verification). Emails contain no personal attribute other than the recipient address.
Cookies
tessaliq.com does not set analytics, advertising or tracking cookies. The only cookies that may be set are strictly necessary for the dashboard authentication (session cookies, exempt from consent per Article 82 Loi Informatique et Libertés).
Your rights under GDPR
Under Articles 15 to 22 GDPR, you have the right to:
- access your personal data (Article 15);
- rectify inaccurate data (Article 16);
- request erasure ("right to be forgotten", Article 17);
- restrict processing (Article 18);
- data portability (Article 20);
- object to processing (Article 21);
- not be subject to automated individual decision-making (Article 22).
To exercise these rights regarding data processed by Tessaliq as controller (public website), contact contact@tessaliq.com. A reply is provided within one month of receipt (Article 12.3 GDPR); for complex or numerous requests that period may be extended by two further months, in which case you are informed of the extension within the first month.
For data processed by Tessaliq as a processor on behalf of a SaaS publisher (verifier API), contact the SaaS publisher directly, who is the controller for that processing.
You may also lodge a complaint with the French data protection authority (CNIL) at cnil.fr/fr/plaintes.
Security measures
- HTTPS on all public endpoints (TLS 1.2+).
- Encryption at rest for the database (managed Postgres).
- Secrets stored via environment variables, not in source code.
- Receipts and presentations are signed (ES256) with keys whose public parts are published via JWKS for independent verification.
- Append-only audit log; the log table is protected by SQL triggers that reject modification and deletion of existing rows.
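As an added example (not Tessaliq's own schema or code), here is what a trigger-protected append-only audit table looks like, using SQLite from the Python standard library as a stand-in for the managed Postgres the page mentions. The column names mirror the session metadata listed under the verifier API section but are assumptions of this example.

```python
"""Added example, not Tessaliq's code: an append-only audit table guarded by
triggers that abort UPDATE and DELETE, shown on SQLite (stdlib) as a stand-in
for managed Postgres. Column names are this example's assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE audit_log (
    id                INTEGER PRIMARY KEY,
    session_id        TEXT    NOT NULL,
    policy            TEXT    NOT NULL,
    outcome           TEXT    NOT NULL CHECK (outcome IN ('verified', 'failed')),
    ts                INTEGER NOT NULL,
    proof_fingerprint TEXT    NOT NULL CHECK (length(proof_fingerprint) = 64),
    assurance_level   TEXT
);
-- Rewriting or erasing history is aborted by the database itself, so even
-- application code holding write access cannot tamper with the log silently.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_db(path=":memory:"):
    """Create the table and its triggers; in-memory by default for the demo."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def append(conn, session_id, policy, outcome, ts, fingerprint, assurance=None):
    """Insert one session record; returns the row count after the insert."""
    with conn:
        conn.execute(
            "INSERT INTO audit_log (session_id, policy, outcome, ts, "
            "proof_fingerprint, assurance_level) VALUES (?, ?, ?, ?, ?, ?)",
            (session_id, policy, outcome, ts, fingerprint, assurance))
    return conn.execute("SELECT count(*) FROM audit_log").fetchone()[0]


def attempt_tamper(conn, session_id):
    """Try to rewrite and then erase a row; return which statements the
    triggers refused (both, if the log is correctly append-only)."""
    attempts = (
        ("update", "UPDATE audit_log SET outcome = 'verified' WHERE session_id = ?"),
        ("delete", "DELETE FROM audit_log WHERE session_id = ?"),
    )
    refused = []
    for label, sql in attempts:
        try:
            with conn:           # rolls back automatically on exception
                conn.execute(sql, (session_id,))
        except sqlite3.DatabaseError:
            refused.append(label)
    return refused


def outcome_of(conn, session_id):
    """Read back the stored outcome to confirm the tamper attempt had no effect."""
    row = conn.execute("SELECT outcome FROM audit_log WHERE session_id = ?",
                       (session_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_audit_db()
    append(db, "sess_01", "age18", "failed", 1700000000, "a" * 64)
    print("refused:", attempt_tamper(db, "sess_01"))
    print("stored outcome still:", outcome_of(db, "sess_01"))
```

On Postgres the equivalent is a trigger function that executes RAISE EXCEPTION on UPDATE and DELETE, combined with revoking UPDATE and DELETE privileges on the table from the application role, so that the triggers are a second line of defence rather than the only one. Neither mechanism stops a superuser from dropping the triggers, which is why the retention section's multi-year audit window is best backed by off-host copies as well.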
Updates to this policy
Last updated: 2026-05-15. Substantive changes are announced on the changelog. The date above always reflects the most recent version of this page.