Legal & Policies

Thomas LEQUEUX Consulting

📄 Privacy Policy

This Privacy Policy describes how Thomas LEQUEUX Consulting collects, uses, processes, and protects the personal data of users of the Excel add-in Opti', accessible from the website https://lequeux-thomas.com/addin/


1. Data Controller

The data controller is:

Thomas LEQUEUX Consulting
French micro-enterprise — SIRET: 94071918000017
Address: 5 Allée de l'Autan, 31850 Montrabé, France
Contact email: thomas.lequeux.consulting@gmail.com


2. Data Collected

We only collect data strictly necessary for the proper functioning of the add-in:

  • Email address
  • Subscription and payment history (via Stripe)
  • History of API requests made to the server
  • Number of tokens used for AI calls
  • History of conversations with the OptiBot assistant, if and only if the user activates the "Cloud sync" mode (see section 4.8).

We do not collect or store Excel files, databases, or user data processed by the add-in.


3. Purpose of Processing

The collected data is used solely for:

  • Managing access to the service (plans, authorizations)
  • Validating the user's license
  • Managing usage limits
  • Providing customer support when needed
  • Occasionally informing the user about updates or product-related offers

No data is sold, rented, or transferred to third parties for commercial purposes.


4. Analysis by Artificial Intelligence — Available Engines

The add-in offers three artificial intelligence analysis engines, each providing a different level of confidentiality and power. The choice of engine is made via a single "Private AI" button that the user can activate or deactivate at any time:

  • Standard mode (Private AI disabled): analyses are performed by the Mistral AI engine, a French artificial intelligence hosted in the European Union.
  • Private AI mode enabled: analyses are performed by the OptIA Online engine, an AI model operated exclusively by Thomas LEQUEUX Consulting on a private infrastructure, without any third-party AI provider involvement.
  • OptIA Offline (100% local): available for users who want entirely offline processing, with no data transmission.

The user is free to switch modes at any time, depending on the desired level of confidentiality and power.

4.1 Mistral AI (standard mode — Private AI disabled)

When Private AI mode is disabled, all analyses and conversations with OptiBot are processed by the Mistral AI engine:

  • The table selected by the user is converted into text and sent via the secure backend server of Thomas LEQUEUX Consulting to Mistral AI's API.
  • The backend server does not retain or log the content of requests or responses.
  • The data sent to Mistral AI is limited to the content of the selected table, in a voluntary and explicit action by the user.
  • Mistral AI is a French company (SAS, registered office: 15 rue des Halles, 75001 Paris — SIREN: 952418325), natively subject to the General Data Protection Regulation (GDPR).
  • By default, data is hosted in the European Union.
  • Thomas LEQUEUX Consulting uses Mistral AI's Scale plan. On this plan, user data (inputs and outputs) is not used for training Mistral AI's artificial intelligence models. No user action is required to benefit from this protection.
  • Mistral AI retains API request inputs and outputs for 30 rolling days for abuse monitoring purposes, after which the data is deleted.
  • Processing by Mistral AI is subject to their Data Processing Addendum (DPA), available at legal.mistral.ai.
  • The Zero Data Retention (ZDR) option is available upon request from Mistral AI, eliminating any retention of inputs and outputs beyond the request processing time.

Confidentiality level: Good. Data is hosted in the European Union by default, by a French company natively subject to GDPR. It is not used for model training (Scale plan). Mistral AI retains requests for 30 days for abuse monitoring, then deletes them. This level is between OpenAI (data transferred to the United States) and OptIA Online (no retention, private infrastructure).

4.2 OptIA Online (Private AI mode enabled — private server)

When the user enables Private AI mode, all analyses and conversations with OptiBot are processed by the OptIA Online engine:

  • The selected table is converted into text and sent via the secure backend server of Thomas LEQUEUX Consulting to a private GPU container, operated exclusively by Thomas LEQUEUX Consulting.
  • The artificial intelligence model (Qwen 2.5 72B) is executed in this private container; no third-party AI provider is involved in the processing.
  • The GPU container is hosted by the Modal platform (Modal Labs, Inc.), certified SOC 2 Type II and HIPAA-compliant.
  • The backend server (Render) does not retain or log the content of requests or AI responses.
  • The GPU container does not retain any user data on disk: the model runs entirely in GPU RAM, and data is purged at the end of processing.
  • The GPU container automatically shuts down after a period of inactivity (scale-to-zero), reducing the exposure surface.
  • Communications between the backend server and the GPU container are protected by a dedicated authentication key and encrypted via HTTPS (TLS 1.3).

Modal's confidentiality guarantees:

  • Modal contractually commits to never accessing, reading, or using the source code, function inputs and outputs, or any data stored in its clients' images and volumes (documented least-privilege policy).
  • Modal deletes all function inputs and outputs as soon as the results have been retrieved by the client.
  • Containers are isolated by gVisor technology (sandboxing developed by Google and used in Google Cloud Run), ensuring reinforced isolation between workloads.
  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • The client (Thomas LEQUEUX Consulting) retains full ownership rights over their data. Modal can only use aggregated and de-identified data for internal purposes.
  • Modal is certified SOC 2 Type II, attesting to the implementation and effective maintenance of security controls over an extended period, and offers the signing of Business Associate Agreements (BAA) for health data (HIPAA compliance).

Confidentiality level: High. Data remains within the infrastructure controlled exclusively by Thomas LEQUEUX Consulting and is never transmitted to a third-party AI provider. Thomas LEQUEUX Consulting commits to never accessing, reading, copying, exploiting, or commercializing user data processed by this engine. No request or response content is recorded, logged, or retained, either on the backend server or on the GPU container. Processing is done entirely in RAM, and data is purged at the end of each request. The host Modal contractually commits to never accessing its clients' function inputs and outputs and to deleting them after retrieval. Containers are isolated by gVisor, all communications are encrypted in TLS 1.3, and the platform is SOC 2 Type II certified.

4.3 OptIA Offline (100% local)

When the user selects the OptIA Offline engine:

  • The artificial intelligence model runs entirely on the user's computer.
  • No data leaves the user's machine: neither the table content nor the generated response is transmitted to a remote server.
  • No network connection is required for processing the analysis.
  • Thomas LEQUEUX Consulting has no visibility or access to data processed in this mode.

Confidentiality level: Maximum. Processing is done entirely offline. No data is exposed to a network or third party.

4.4 Comparative table of analysis engines

| Criterion | Mistral AI (standard mode) | OptIA Online (Private AI ON) | OptIA Offline (100% local) |
|---|---|---|---|
| Confidentiality | Good | High | Maximum |
| AI Power | Good | High | Basic |
| Data leaves PC | Yes | Yes | No |
| Third party involved | Mistral AI (France) | No AI provider | None |
| Infrastructure host | Mistral AI (EU, France) | Modal (USA, SOC 2 Type II) | Local machine |
| Data residency | European Union (by default) | United States (Modal) | Local machine |
| Provider access to data | 30 days (abuse monitoring) | None (contractual commitment) | None |
| Use for training | No (Scale plan, opt-out by default) | Not applicable | Not applicable |
| Data storage | 30 days, then deletion | None (deleted after processing) | None |
| Zero Data Retention (ZDR) | Available upon request | Not applicable (no storage) | Not applicable |
| GDPR compliance | Native (French company) | Via Modal DPA | Not applicable |
| Encryption | TLS in transit | TLS 1.3 + AES-256 at rest | Not applicable |
| Connection required | Yes | Yes | No |

The user can switch between modes at any time via the "Private AI" button.

4.5 OptiBot — Conversational Assistant

The add-in includes a conversational assistant called OptiBot. When a user asks a question about their data:

  • OptiBot analyzes only the column headers (field names) of the active worksheet to determine which columns are relevant to answer the question.
  • If OptiBot detects that a column may contain personally identifiable information (e.g., respondent names, email addresses, phone numbers), it explicitly asks the user whether they want to include or exclude this column from the analysis before accessing any data content.
  • If the user chooses to exclude a column, it becomes entirely invisible to the AI engine: neither the header nor the column data is read or transmitted.
  • This prior consent mechanism applies regardless of the AI engine selected (Mistral AI, OptIA Online, or OptIA Offline) and regardless of the mode (Private AI enabled or disabled).

4.6 Manual Column Exclusion

Independently of OptiBot's automatic detection, the user can at any time manually exclude any column from the analysis by clicking the exclusion button (a "no entry" icon) present on each line of the column headers list.

Any excluded column — whether by user decision via OptiBot or via manual exclusion — is entirely ignored by all AI processing, including analysis, cleaning, and report generation.

4.7 Data Cleaning (Clean Data)

The add-in offers an automated data cleaning feature. When the user activates this function:

  • The AI engine receives the headers of non-excluded columns and a representative sample of the data in these columns.
  • The AI identifies data requiring cleaning, particularly free-text responses (e.g., "Other, specify..." fields) where formulations vary between respondents.
  • The AI proposes groupings and standardizations of these responses to reduce the number of distinct occurrences and enable reliable statistical analysis.
  • The proposed modifications are presented to the user as a preview. No modification is applied without the user's explicit confirmation.
  • Columns previously excluded by the user are never included in the cleaning process.

Cleaning is subject to the same confidentiality rules as analysis: data is processed by the AI engine corresponding to the mode selected by the user (Private AI ON or OFF), according to the modalities described in sections 4.1 to 4.3.

4.8 OptiBot Conversation History — Local Mode and Cloud Mode

The OptiBot assistant maintains a history of conversations exchanged with the user to allow them to find past analyses, resume an interrupted conversation, and consult previous results. The user has two storage modes to choose from:

Local Mode (default):

  • Conversations are stored exclusively in the user's browser (Excel add-in localStorage).
  • No conversation is transmitted to a remote server.
  • Conversations are limited to 10 maximum and are not synchronized between devices.
  • If the user clears their browser cache, updates, or uninstalls the add-in, local conversations are permanently lost.
  • Thomas LEQUEUX Consulting has no access to conversations stored in Local mode.

Cloud sync mode (upon explicit user activation):

  • The user can, if they wish, activate Cloud synchronization to keep their conversations indefinitely and access them from multiple devices.
  • Conversations (titles, messages, session metadata) are then stored on Supabase servers located in the European Union. They are transmitted via an encrypted connection (HTTPS/TLS) and stored on servers with disks encrypted at rest (AES-256). However, the data remains readable by the technical administrator of Thomas LEQUEUX Consulting via the Supabase interface. They are neither end-to-end encrypted nor anonymized.
  • Conversations are linked to the user ID and protected by database-level security rules (Row Level Security), ensuring that only the authenticated user can access their own conversations.
  • The user can at any time return to Local mode, delete an individual conversation, or export their conversations in Markdown format.

Special case — Private AI mode:

  • Conversations created while Private AI mode is enabled are always stored locally only, even if Cloud sync mode is activated.
  • Conversations marked as "private" are never transmitted to Supabase servers, to ensure that exchanges made in private mode never leave the user's local environment.
  • These conversations are only visible from the device on which they were created and are not synchronized between devices.

Summary: by default, OptiBot conversations remain on the local machine. The explicit activation of Cloud sync mode by the user is the only circumstance in which conversations may be transmitted to a remote server (Supabase, EU). Conversations created in Private AI mode always remain local.

5. Security

  • The add-in operates largely locally for table generation.
  • Exchanges with the backend server are via secure HTTPS connection.
  • Communications between the backend server and the private GPU container (OptIA Online) are protected by a dedicated authentication key and encrypted in TLS 1.3.
  • Passwords are never stored in plain text.
  • Authentication and password storage are managed by Supabase, via secure encryption.
  • Thomas LEQUEUX Consulting never has access to passwords.
  • Authentication tokens are managed securely and linked to the user ID.
  • The private GPU container automatically shuts down after a period of inactivity (scale-to-zero), limiting the data exposure surface.
  • GPU containers are isolated by gVisor technology, preventing any cross-access between workloads.

6. Retention Period

  • Subscription and payment data is retained for the duration of the subscription, then archived for the legal tax period (5 years).
  • Technical data (number of API calls, logs) is retained only for the time necessary to manage the service.
  • Support exchanges may be retained for service improvement or technical archiving purposes.
  • User data processed by AI engines is not retained beyond the request processing time, except for Mistral AI which may retain it for 30 days for abuse monitoring (see section 4.1). For the OptIA Online engine, Modal deletes all function inputs and outputs as soon as the results have been retrieved. The Zero Data Retention (ZDR) option is available upon request from Mistral AI to eliminate this 30-day retention.
  • OptiBot conversations in Local mode remain on the user's machine until they delete them or clear the browser cache.
  • OptiBot conversations in Cloud sync mode are retained on Supabase servers as long as the user does not delete them (via soft delete). Deleted conversations are marked as deleted in the database but may be technically retained for limited recovery purposes.

7. User Rights (GDPR)

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access to your data
  • Right to rectification
  • Right to object and erasure
  • Right to restriction of processing
  • Right to data portability

To exercise your rights: 📧 thomas.lequeux.consulting@gmail.com


8. Hosting and Sub-processors

8.1 Supabase — Database Management

  • Used for authentication and secure storage of user data (email address, ID, subscriptions).
  • Also used for storing OptiBot conversations when the user explicitly activates Cloud sync mode (see section 4.8).
  • Passwords are encrypted and managed exclusively by Supabase, with no plaintext access by Thomas LEQUEUX Consulting.
  • Conversations stored in Cloud sync mode are protected by row-level security rules (Row Level Security): each conversation is linked to a unique user ID and is only accessible to the authenticated user.
  • Servers located in the European Union, GDPR-compliant.

8.2 Stripe — Payments and Subscriptions

  • Used for payment and subscription management.
  • Stripe processes payment data according to PCI-DSS standards.
  • Thomas LEQUEUX Consulting never has access to users' banking data.
  • Stripe is based in Ireland for European customers (GDPR-compliant).

8.3 Render — Backend Hosting

  • Backend server hosted via Render, located in Frankfurt (EU).
  • Manages API calls, license validation, and routing of requests to the selected AI engine.
  • The backend server does not retain or log the content of AI requests or responses.
  • All communications are via secure HTTPS.

8.4 Mistral AI — Artificial Intelligence Analysis (standard mode)

  • Used when the user disables Private AI mode, for data analysis and conversations with OptiBot.
  • The transmitted data is limited to the Excel selection made by the user.
  • Mistral AI is a French company (SAS, registered office: 15 rue des Halles, 75001 Paris — SIREN: 952418325), natively subject to GDPR.
  • By default, data is hosted in the European Union.
  • Thomas LEQUEUX Consulting uses Mistral AI's Scale plan, on which user data is not used for model training.
  • Mistral AI retains API request inputs and outputs for 30 rolling days for abuse monitoring purposes, after which the data is deleted.
  • Mistral AI acts as a sub-processor and provides a GDPR-compliant Data Processing Addendum (DPA).
  • No data transfer outside the European Union is necessary by default with this engine.
  • The Zero Data Retention (ZDR) option is available upon request, allowing for the elimination of the 30-day retention for abuse monitoring.
  • Mistral AI's data processing terms are available at legal.mistral.ai/terms/data-processing-addendum and legal.mistral.ai/terms/privacy-policy.

8.5 Modal — GPU Hosting (OptIA Online engine)

  • Used when Private AI mode is enabled, for data analysis and conversations with OptiBot.
  • Modal (Modal Labs, Inc.) is a serverless cloud infrastructure platform. Thomas LEQUEUX Consulting exclusively deploys and operates its own AI model in an isolated container.
  • Modal is SOC 2 Type II certified, attesting to the implementation and effective maintenance of security, availability, confidentiality, and data protection controls over an extended period, verified by an independent auditor.
  • Modal is HIPAA-compliant and offers the signing of Business Associate Agreements (BAA) for health data.
  • Modal contractually commits to a least-privilege approach: it never accesses, uses, or consults the source code, function inputs and outputs, or data stored in its clients' images and volumes.
  • Modal deletes all function inputs and outputs as soon as the results have been retrieved by the client.
  • Containers are isolated by gVisor technology (open-source sandboxing developed by Google, used in Google Cloud Run and Google Kubernetes Engine), ensuring defense in depth at the lowest level of the operating system.
  • All data is encrypted in transit via TLS 1.3 and at rest via AES-256.
  • The client (Thomas LEQUEUX Consulting) retains full intellectual property rights over their data. Modal can only use aggregated and de-identified data for internal purposes (platform improvement).
  • No user data is written to the GPU container's disk; processing is done entirely in RAM.
  • The container automatically shuts down after a period of inactivity (scale-to-zero).
  • Modal's terms of use and data processing policy are available at modal.com/legal/terms and modal.com/legal/dpa.

8.6 Hostinger — Website

  • Hosts the showcase website https://lequeux-thomas.com (WordPress).
  • Manages cookies and CNIL compliance.
  • No sensitive add-in-related data is stored via Hostinger.

9. Cookies and Website

The website https://lequeux-thomas.com may use cookies for audience measurement (Google Analytics) or functionality. An information banner and consent system are in place in accordance with CNIL requirements.


10. International Data Transfers

Personal data processed in the context of the add-in may be subject to transfers outside the European Union in the following cases:

  • Standard mode (Mistral AI): data is hosted in the European Union by default. Mistral AI is a French company natively subject to GDPR. No transfer outside the EU is necessary by default.
  • Private AI mode (OptIA Online): inference data transits through Modal's infrastructure (United States). Modal contractually commits to never accessing the content of function inputs and outputs and to deleting them after retrieval. The AI model is operated exclusively by Thomas LEQUEUX Consulting in an isolated container. Modal's data processing terms are governed by their Data Processing Addendum (DPA).
  • OptiBot conversation Cloud sync: if the user explicitly activates this option, conversations are stored on Supabase, in the European Union. No transfer outside the EU is necessary for this functionality.

When the user chooses the OptIA Offline engine, no data transfer occurs.


11. Updates to this Policy

This policy may be updated at any time based on product feature developments or regulatory changes.

Last revision: April 2026

✨ Ethical Commitment Charter

Thomas LEQUEUX Consulting

Opti' - Excel Add-in

French version: https://lequeux-thomas.com/addin/site/legal/fr/
English version: https://lequeux-thomas.com/addin/site/legal/en/

📧 thomas.lequeux.consulting@gmail.com
🌐 https://lequeux-thomas.com/contact-us/

📅 Version dated August 14, 2025


🧭 1. Our Vision

Opti' is a service developed by Thomas LEQUEUX Consulting, a French micro-enterprise specializing in supporting humanitarian and development actors.

Aware of our ethical responsibility as a provider of technical solutions serving humanitarian action, we commit to respecting the fundamental principles guiding the humanitarian sector.


🤝 2. Fundamental Humanitarian Principles

We adhere to universal humanitarian principles:

  • Humanity: to alleviate human suffering wherever it is found.
  • Neutrality: to take no side in any conflict.
  • Impartiality: to provide services without discrimination.
  • Independence: to guarantee the autonomy of our technical decisions.

🚫 3. Prevention of Sexual Exploitation and Abuse (PSEA)

We adopt zero tolerance towards any form of:

  • Abuse of power
  • Sexual exploitation or harassment
  • Discriminatory or oppressive behavior

We commit to working only with partners and users who adhere to these same principles.


βš–οΈ 4. Data and AI Ethics

Our tool uses AI to assist with data analysis. As such:

  • No sensitive personal data is collected or retained.
  • Data sent to the AI is exclusively that explicitly chosen by the user during the analysis setup phase.
  • Requests sent to the AI are solely intended to provide data interpretation for the user, and are never used for commercial purposes.

We encourage our users to anonymize data before any analysis.


πŸ•ŠοΈ 5. Commitment Against Violence, Terrorism and Corruption

We commit to providing our services only to actors who respect international humanitarian law.

We refuse any collaboration with persons or entities involved in:

  • Financing or supporting terrorism
  • Serious human rights violations
  • Acts of corruption, abuse or oppression

We regularly verify our compliance with European and international regulations regarding sanctions and security.


🧪 6. Accountability and Transparency

We make every effort to offer a service that is:

  • Transparent in its operation
  • Respectful of data confidentiality
  • GDPR-compliant

Any legitimate ethical concern or report can be addressed directly to: 📧 thomas.lequeux.consulting@gmail.com


πŸ“ 7. Review and Improvement

This charter may be updated to remain aligned with the evolution of ethical practices and humanitarian sector standards.

Last revision: August 14, 2025
