Privacy notice (GDPR)

This privacy notice is the English translation of the French original. The French GDPR documentation at /fr/rgpd/ is the legally authoritative version. References to GDPR/RGPD are equivalent.

Principles#

We process the strict minimum of personal data necessary for the purposes stated below. No data is transferred to third parties, nor outside the European Union. No advertising processing, no profiling.

Data controller#

NIM-HQ (SAS, SIREN 843 913 427), L’Alphatis Bâtiment C, 55 allée de l’Argentine, 30900 Nîmes, France. General contact: contact [at] sovereignty-gap.eu. For any question relating to your data: rgpd [at] sovereignty-gap.eu.

Data processed and purposes#

The site is mainly static and collects no personal data when pages are consulted. The declaration generator at /en/profile/ runs entirely in your browser — no data entered transits through any server of the manifesto. The draft is stored in client-side localStorage; it can be erased at any time via the browser’s tools.

When a declaration is notified for public indexing, three items are transmitted: the canonical URL of the sovereignty.json file (public by construction), the declarant’s name as it appears in the file (public by construction), and a moderation email (moderation_email) intended to allow a correction request. The moderation email is deleted immediately upon validation, in a non-circumventable manner, and the deletion is traced by the emailDeletedAt timestamp (without retention of the email itself).

The manifesto does not store the content of your declaration. The sovereignty.json file is published on your domain and read on the fly during moderation and daily re-checks. Only indexing metadata (URL, name, status, date of last verification, number of commitments) is stored in the database.

Sub-processors#

Hosting: Scaleway SAS (Paris, France) — datacentres and data stored in France.
Managed services: NimeOps SARL (Nîmes, France).
Audience measurement: Matomo Analytics, self-hosted instance on the publisher’s infrastructure (no transmission to a third party, no transfer outside the European Union).

No data is transmitted to a sub-processor outside the European Union.

Cookies and audience measurement#

The site uses a self-hosted audience-measurement cookie (Matomo), exempt from consent under CNIL ruling no. 2020-091:

IP address anonymised (last two octets stripped before processing);
strictly statistical purpose, no profiling, no cross-referencing with other processing, no resale;
cookie set under the site’s domain only, maximum duration 13 months;
no advertising cookies, no third-party cookies;
browser Do Not Track setting respected by default.

Your rights#

The site collects very little. Your Profile draft never leaves your browser; your moderation_email is deleted immediately upon validation, with no possibility of retention; the indexing metadata (canonical URL, declarant name, status) is public by construction. Most of the rights below are, in practice, moot for most visitors — but they remain available.

Right of access (GDPR art. 15) — to know which data concerns you. For a declarant: their public indexing metadata, and their moderation_email if it has not yet been deleted.
Right to rectification (art. 16) — to correct erroneous data. The declarant controls their sovereignty.json file directly on their domain; updating the file is enough — the next daily verification propagates the change to the index.
Right to erasure (art. 17) — to request the removal of a declaration from the public index. Removal is manual, traced in the public history; the file remains accessible at the declarant’s discretion on their own domain.
Right to restriction of processing (art. 18) — to request the temporary freezing of a contested processing operation, while a situation is being clarified. Typically applicable during the handling of a substantiated dispute.
Right to data portability (art. 20) — to retrieve one’s data in a structured format. Moot in practice here: the sovereignty.json file is already published in an open format on the declarant’s domain.
Right to object (art. 21) — to oppose a processing operation. Moot for page consultation (no data processed). For Matomo audience measurement, the objection is respected by construction via the browser’s Do Not Track header.
Right to withdraw consent (art. 7§3) — applicable only to processing based on consent. Moot here: no processing on the site relies on this legal basis.
Post-mortem directives (the French Informatique et Libertés law (1978, revised), national implementation alongside the GDPR, art. 85) — you may inform us, or register with a certified trusted third party, of the fate of your data after your death.

The site performs no profiling and no automated individual decision-making within the meaning of art. 22 GDPR; this right is moot here.

To exercise one of these rights, write to rgpd [at] sovereignty-gap.eu specifying the canonical URL of your Profile if applicable. Response within one month (GDPR art. 12§3), extendable to three months in case of complexity — with information given to the requester within the initial period as appropriate.

If you consider that a processing operation concerning you is non-compliant, you may lodge a complaint with the CNIL or with the supervisory authority of your member state.

Security#

The site is entirely static: no personal data of visitors is processed by the web server. The only data collected (open-letter counters, Matomo audience measurement) is stored on Scaleway servers in France — no transfer outside the European Union. Transfers between your browser and the site are encrypted (TLS 1.3). The IP address is anonymised before processing (last two octets stripped).

The full identification of the hosting, the cross-cloud application orchestration (LayerOps) and the “European providers free of extraterritoriality risk” guarantee are detailed in the legal notice.