Legal

Privacy policy

Last updated: 7 June 2026

This policy explains how Mr Automate (a French SASU, Nantes RCS 104 920 426), publisher of the Smarter Than AI platform, collects, uses and protects personal data. It applies to users of our site, to our professional clients and to the candidates assessed through the Platform.

Our commitment: to process only the data that is strictly necessary, in compliance with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and the French Data Protection Act (loi Informatique et Libertés).

1. Data controller

The data controller is:

Mr Automate, a French SASU, Nantes RCS 104 920 426
40 rue la Tour d'Auvergne, 44200 Nantes, France
Contact: legal@smarterthanai.app

Specific case of candidates: where a Client uses the Platform to assess its candidates, the Client is the data controller and Mr Automate acts as a processor within the meaning of Article 28 of the GDPR.

2. Data collected

2.1 Site users and clients

Identification: surname, first name, professional email address, job title, company;
Account: credentials, password (encrypted), preferences;
Billing: company name, address, SIREN number, VAT number, payment history (bank card data is never stored by Mr Automate; it is processed directly by our PCI-DSS-certified payment provider);
Exchanges: the content of support messages and sales enquiries;
Technical data: IP address, browser type, operating system, pages viewed, timestamps.

2.2 Candidates assessed on the Platform

Identification: surname, first name, email address;
Assessment responses: answers to questions, scores, response times;
Generated analyses: profiles and recommendations produced by the algorithms;
Technical data: identical to that of site users.

3. Purposes and legal bases

Purpose	Legal basis (Art. 6 GDPR)
Provide access to the Platform and perform the contract	Performance of the contract
Manage billing and collection	Performance of the contract + legal obligation (accounting)
Ensure the security of the Platform and prevent fraud	Legitimate interest
Respond to support requests	Performance of the contract
Measure site audience and improve the Services	Consent (analytics cookies) / legitimate interest (anonymised measurement)
Send marketing communications	Consent (prospects) / legitimate interest (existing customers, similar products)
Comply with legal obligations (GDPR, taxation, etc.)	Legal obligation
Assess candidates on behalf of a Client	Performance of the contract between Mr Automate and the Client (Mr Automate acts as a processor)

4. Data recipients

The data is accessible to authorised persons within Mr Automate. It may be disclosed:

to the Client, for the data of the candidates it has invited;
to administrative or judicial authorities where required by law;
to our technical processors (see the following section).

Mr Automate does not sell, rent or exchange any personal data.

5. Processors

To provide the Services, Mr Automate uses carefully selected processors, governed by agreements compliant with Article 28 of the GDPR.

Processor	Purpose	Location
Vercel Inc. 340 S Lemon Ave #4133, Walnut, CA 91789, USA	Hosting of the Platform, deployment and content delivery network (CDN)	United States (DPF + SCCs)
Supabase Inc. San Francisco, USA — EU infrastructure available	Backend, database storage and authentication	European Union (Supabase EU region)
Functional Software, Inc. (Sentry) 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA	Detection and tracking of technical errors on the Platform	United States (DPF + SCCs) — EU residency option available
Anthropic, PBC San Francisco, California, United States	Analysis of candidates' responses by an artificial intelligence model (scoring and recommendations). The data transmitted is not retained by Anthropic nor used to train its models (contractual option enabled).	United States (SCCs)
PostHog Inc. 2261 Market Street #4008, San Francisco, CA 94114, USA	Audience measurement and analysis of Platform usage behaviour (traffic statistics, user journeys). The data is hosted in the European Union (PostHog EU region, Frankfurt).	European Union (EU region) — legal entity in the United States (DPF + SCCs)
Google LLC 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA	Measurement of the site's performance in the Google search engine (Google Search Console — impressions, clicks, user queries). No Platform user data is transmitted: Google Search Console exposes aggregated data from the Google engine itself.	United States (DPF)

This list is liable to change. Clients are informed of any substantial change concerning the processors handling data on their behalf.

6. Transfers outside the European Union

Some of our processors handle data in the United States. In such cases, Mr Automate ensures that an appropriate legal framework governs the transfer:

the processor's adherence to the Data Privacy Framework(DPF), recognised by the European Commission's adequacy decision of 10 July 2023;
failing that, the signing of the European Commission's Standard Contractual Clauses (SCCs);
the implementation of additional measures (encryption, pseudonymisation) where necessary.

To reduce exposure to transfers outside the EU, Mr Automate favours, wherever possible, the European configurations of the services it uses (in particular Supabase's EU region for the storage of application data).

7. Retention periods

Data	Period
Active client account	Term of the contract
Inactive client account	3 years after the last activity
Accounting data and invoices	10 years (Article L. 123-22 of the French Commercial Code)
Technical data / connection logs	12 months (French LCEN digital economy law)
Cookies (other than essential)	13 months maximum, in line with the CNIL recommendation
Candidate data	Retained for the period defined by the Client as data controller, with a recommended maximum of 2 years after the last contact
Prospecting data	3 years after the last contact
Support tickets	3 years after closure

8. Security

Mr Automate implements appropriate technical and organisational measures to protect the data:

encryption of communications (TLS) and of sensitive data at rest;
strong authentication and password hashing;
environment segregation and role-based access control;
logging, monitoring and alerting of sensitive accesses and operations;
regular, encrypted backups;
confidentiality commitment from all staff;
documented security-incident management procedure.

In the event of a data breach posing a risk to the rights and freedoms of individuals, Mr Automate notifies the CNIL (the French data protection authority) within 72 hours and informs the affected individuals where required by law.

9. Your rights

In accordance with the GDPR, you have the following rights over your personal data at any time:

Access (Article 15): obtain confirmation that data concerning you is being processed and receive a copy of it;
Rectification (Article 16): correct inaccurate data or complete it;
Erasure (Article 17), under the conditions provided for by the GDPR;
Restriction of processing (Article 18);
Objection (Article 21), in particular to marketing;
Portability (Article 20);
Set instructions regarding the fate of your data after your death;
Withdraw your consent at any time, without this affecting the lawfulness of prior processing.

To exercise these rights, contact us at legal@smarterthanai.app. Proof of identity may be requested in the event of reasonable doubt. A response will be provided within one month, extendable by two months for complex requests.

Assessed candidates: requests to exercise rights relating to data collected during an assessment should, as a priority, be addressed to the Client (the employer or recruiter) who invited you to take the assessment, as it is the data controller. Mr Automate will assist the Client in responding to your request.

If you consider that your rights are not being respected, you may lodge a complaint with the CNIL (the French data protection authority): 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — www.cnil.fr.

10. Automated decisions and artificial intelligence

The Smarter Than AI Platform relies on artificial intelligence algorithms to analyse candidates' responses and produce recommendations.

Key commitment: the results produced by the Platform constitute decision-support. No decision producing legal or similarly significant effects for a candidate (in particular a recruitment decision) should be taken solely on the basis of automated processing, in accordance with Article 22 of the GDPR. Human intervention by the Client is required.

Under Regulation (EU) 2024/1689 (the “AI Act”), AI systems used for assessment purposes in recruitment are classified as high-risk systems (Annex III). On this basis, Mr Automate undertakes to comply with the associated obligations: risk management, technical documentation, human oversight, transparency, logging, robustness and cybersecurity.

Candidates are informed of the use of an AI system as part of their assessment and may request to exercise their rights, in particular by requesting a human review of any decision concerning them.

11. Use of data for model training

Mr Automate does not use the identifiable personal data of Clients and Candidates to train or improve general-purpose AI models.

Mr Automate may, however, use anonymised and aggregated data (statistics, sector benchmarks) that no longer allows an individual to be identified, in order to improve the quality of the assessments and the relevance of the recommendations.

Where third-party AI models are used (for example via an API), Mr Automate selects providers offering contractual guarantees that exclude the reuse of the transmitted data for training their models.

12. Cookies and trackers

The site uses cookies that are strictly necessary for its operation, preference cookies, and — subject to your consent — audience- measurement cookies.

Type	Purpose	Consent
Strictly necessary cookies	Authentication, security, site operation	Not required
Preference cookies	Remembering user choices (language, analytics-cookie consent choice)	Not required
Analytics cookies (PostHog, EU region)	Traffic measurement, user-journey analysis, product improvement. Placed only if you click “Accept” in the banner.	Required

A consent banner is displayed on your first visit and lets you accept or refuse analytics cookies. Your choice is kept for 13 months, in line with the CNIL recommendation, and you can change it at any time via the “Cookie preferences” link in the footer.

Before you make a choice, and also if you refuse analytics cookies, we measure the site's traffic in an anonymised and entirely cookie-freeway (PostHog cookieless mode), on the basis of our legitimate interest in understanding the use of our Platform. This measurement places no cookie and allows no individual identification or cross-session tracking. Analytics cookies are only placed after you click “Accept”.

13. Changes to the policy

This policy may change. Any substantial change is brought to your attention via the site or by email. The applicable version is the one in force on the date of your consultation, indicated at the top of the document.

14. Contact

For any question regarding this policy or your personal data:

legal@smarterthanai.app
Mr Automate — 40 rue la Tour d'Auvergne, 44200 Nantes, France

Mr Automate · SASU · RCS Nantes 104 920 426