TARMAGO

Privacy policy

Last updated: 3 April 2026

JOH Consulting (hereafter Β« Tarmago Β») is committed to protecting users' privacy in accordance with the General Data Protection Regulation (GDPR β€” EU Regulation 2016/679) and the French Data Protection Act of 6 January 1978 as amended.

1. Data controller

The data controller is JOH Consulting, EURL with €1,000 share capital, SIRET 949 441 257 00019, represented by Joevin Hermant. Contact: contact@tarmago.com.

2. Data collected

Tarmago collects the following data, necessary for the service:

  • First and last name β€” account creation, identification on bookings
  • Email address β€” account, confirmations, reminders
  • Phone β€” organisers only, contact in case of an issue
  • Booking data β€” history, credits, invoices
  • Payment data β€” processed exclusively by Stripe (Tarmago stores no card data)
  • Organiser KYC documents β€” ID and business proof, required to verify organiser accounts
  • Organiser IBAN β€” transmitted to Stripe Connect for payouts, never stored permanently in clear text

Navigation data

Tarmago uses Vercel Analytics and Speed Insights, privacy-friendly audience measurement tools that drop no cookies, collect no personal data and do not track users across sites. These tools are exempt from consent under CNIL recommendations.

3. Legal bases for processing

Data processing is based on the following legal grounds:

  • Performance of the contract (art. 6.1.b GDPR) β€” managing bookings, payments, credits, invoicing, transactional communication
  • Legitimate interest (art. 6.1.f GDPR) β€” fraud prevention, platform security, organiser identity verification (KYC), service improvement
  • Legal obligation (art. 6.1.c GDPR) β€” keeping invoices and accounting data (Commercial Code), verifying professional identities
  • Consent (art. 6.1.a GDPR) β€” newsletter (opt-in at registration, revocable at any time from account preferences)

4. Use of data

Your data is used exclusively for:

  • Managing your bookings, credits and invoices
  • Sending transactional emails (confirmation, D-7 reminder, cancellation, invoice)
  • Sending the Tarmago newsletter (only if you consented)
  • Verifying organiser identity and activity (KYC process)
  • Processing payments and payouts to organisers via Stripe Connect
  • Improving the Tarmago service and anonymously analysing usage

5. Retention periods

Data is kept for the following durations:

  • Account data (name, email) β€” account lifetime + 30 days after deletion
  • Booking data and invoices β€” 10 years (accounting obligation, Commercial Code art. L123-22)
  • Organiser KYC documents β€” duration of the contractual relationship + 5 years (vigilance obligation)
  • Organiser IBAN β€” removed from our servers as soon as transmitted to Stripe Connect
  • Credits β€” 12 months from creation, then archived
  • Newsletter consent β€” until consent is withdrawn

Upon account deletion, booking data is anonymised (name replaced by Β« Deleted user Β») but kept for accounting purposes.

6. Sub-processors and recipients

Your data may be transmitted to the following sub-processors, strictly within the purposes described:

  • Stripe Payments Europe, Ltd. (Dublin, Ireland) β€” payment and payout processing
  • Supabase Inc. (Singapore, EU Frankfurt hosting) β€” database and authentication hosting
  • Vercel Inc. (USA) β€” website and API hosting
  • Resend Inc. (USA) β€” transactional email sending
  • Vercel Inc. (USA) β€” anonymous audience measurement (Vercel Analytics + Speed Insights), cookie-free

7. Transfers outside the EU

Some sub-processors (Vercel, Resend) are located in the United States. These transfers are governed by the European Commission's Standard Contractual Clauses (SCC) and/or the EU-US Data Privacy Framework, in line with GDPR articles 44 to 49.

8. Data security

Your data is protected by the following measures: encryption in transit (TLS/SSL) and at rest, secure authentication (password hashing, 3D Secure for payments), restricted data access (Row Level Security on all tables), KYC documents stored in a private bucket with temporary signed URLs (1h). Tarmago does not store any card data β€” all payments are handled by Stripe (PCI DSS Level 1 certified).

9. Cookies

Tarmago only uses strictly necessary technical cookies (Supabase authentication session). These cookies are exempt from consent under article 82 of the French Data Protection Act. Tarmago uses no tracking, advertising or profiling cookies.

10. Your rights (GDPR)

Under articles 15 to 22 of GDPR, you have the following rights:

  • Right of access β€” obtain a copy of your personal data
  • Right of rectification β€” correct your data from your profile or by contacting us
  • Right to erasure β€” delete your account from Account > Profile (accounting data is anonymised but kept)
  • Right to portability β€” receive your data in a structured format (JSON)
  • Right to object β€” object to your data processing for legitimate reasons
  • Right to restriction β€” request a temporary suspension of processing
  • Right to withdraw consent β€” withdraw your newsletter consent at any time from Account > Preferences

To exercise these rights, contact us at contact@tarmago.com. We respond within 30 days under GDPR.

11. Complaint to the CNIL

If you consider that the processing of your data does not comply with regulations, you have the right to file a complaint with the CNIL (French Data Protection Authority): cnil.fr or by post at CNIL β€” 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.

12. Minors

Tarmago does not knowingly collect data from people under 18. Registration and booking are reserved for adults. If a minor provided personal data without parental consent, the legal guardian can request deletion at contact@tarmago.com.

13. Contact

For any question about your personal data or this privacy policy: contact@tarmago.com