DashlyBoard
Accueil

Privacy Policy

v1·Publiée le May 15, 2026·Effective le June 14, 2026
ℹ️ Cette langue n'a pas encore de traduction dédiée. Affichage en français (version faisant foi).

Privacy Policy — DashlyBoard

Last updated: [15/05/2026]
Version: 1

In force since: [15/05/2026]

> ⚠️ The French version of these Privacy Policy prevails over this English translation. The English version is provided for convenience only; in the event of any discrepancy in interpretation, the French version shall prevail.

---

Preamble

The purpose of this Privacy Policy is to inform users of the DashlyBoard platform (accessible at `https://dashlyboard.com` and its subdomains, hereinafter "the Platform") of the manner in which their personal data is collected, processed and retained.

It is drafted in accordance with:
- Regulation (EU) 2016/679 of 27 April 2016 ("GDPR");
- French Law No. 78-17 of 6 January 1978 as amended ("loi Informatique et Libertés");
- French Law No. 2004-575 of 21 June 2004 on confidence in the digital economy ("LCEN");
- Regulation (EU) 2022/2065 of 19 October 2022 ("Digital Services Act" / DSA);
- Directive (EU) 2021/514 of 22 March 2021 ("DAC7"), transposed into French law in article 242 bis of the General Tax Code.

DashlyBoard has the status of online platform operator within the meaning of DAC7 and must, as such, declare annually to the French tax administration the information relating to reportable sellers (see § 4.7 below).

---

1. Data controller

The controller of the data collected on the Platform is:

Alexandre Biral — DashlyBoard
- Legal form: Sole trader — micro-enterprise regime
- Professional address: 2 place des Vergers, 78320 Le Mesnil-Saint-Denis, France
- RNE registration number: 104122668
- SIRET: 10412266800015
- Intra-Community VAT number: FR80104122668
- Email: `contact@dashlyboard.com`
- Legal representative / Publication director: Alexandre Biral

2. Data Protection Officer (DPO)

DashlyBoard is not legally required to appoint a Data Protection Officer within the meaning of article 37 GDPR. However, a single point of contact for data protection matters is made available to users:

- Email: `privacy@dashlyboard.com`
- Mail: at the head office address indicated in § 1.

3. Data collected

3.1 Data provided directly by the user

At registration:
- First and last name (or pseudonym);
- Email address;
- Password (stored in hashed form — bcrypt algorithm, never in clear text);
- Marketing opt-in choice (explicit, timestamped consent);
- Country of residence (used for the language of emails — FR for French residents, English for others — and for tax obligations).

When creating a store / dashboard:
- Chosen subdomain;
- Trade name, description, visual identity;
- Public contact details.

When activating the store system (DAC7 collection — Merchants only):

The data in this section is only collected when the User opens a store on the Platform. A User who does not sell (forum, internal dashboard, showcase site) is never asked for this information.

- Status: Individual or Professional;
- Country of tax residence (ISO 3166-1 code);
- For individuals:
- Date of birth (mandatory for the DGFiP DPI v1.6 schema — French variant of the OECD DPI schema required by DAC7);
- Place of birth (city and country);
- Tax number (NIF / TIN) — for France: 13-digit tax number appearing on the tax notice; local equivalents for other EU countries.
- For professionals:
- Company name and legal form;
- Registration number (SIREN/SIRET in France, international equivalents);
- Intra-Community VAT number (where applicable).
- Full address (number, street, postal code, city).

When subscribing to a paid subscription or making a sale:
- Billing address;
- Bank details: DashlyBoard does not store full bank card numbers. Payments are delegated to the Stripe provider (see § 5.2). Only a payment method identifier (`pi_…`, `pm_…`) is retained for accounting reconciliation.
- Merchant IBAN: retained exclusively by Stripe (Connect account); retrieved read-only by DashlyBoard at the time of the annual DAC7 declaration for transmission to the DGFiP. No persistent local storage of the IBAN is performed.

When using the Platform:
- Published content (pages, blocks, products, images, uploaded files);
- Messages, support tickets, DSA reports, submitted ideas;
- Attachments exchanged via service chats (between Buyer and Merchant, or Merchant and their team). Attachments from delivery chats are automatically deleted at D+7 after delivery in order to limit retention to what is strictly necessary for the performance of the service;
- Plan change proposals (`PlanChangeProposal`) issued by the Publisher to a User (target plan, price, status, issue date) as well as the User's decision (acceptance, refusal, pending payment);
- Administrator dashboard notifications (`DashNotif`) generated during use (new order, revision payment, member membership request, new chat message, plan change proposal, etc.) as well as user notifications (`UserNotif`) on the personal area;
- Interface preferences (theme, language, notifications).

Automatic Merchant activity tracking (for legal purposes):
- Counter of transactions and turnover over the calendar year (cumulative commission invoices issued);
- Date of automatic switch Individual → Professional and end of grace period, where applicable;
- Date of dispatch of the €1,500 threshold warning email (at most once per calendar year);
- Date of completion of the DAC7 form and associated status (`empty` / `complete` / `exempt_non_eu`).

Account type changes (Individual ↔ Professional):
- Current account type (`accountType`: `individual` or `business`);
- Counter of the number of manual changes carried out (`accountTypeChangesUsed`), capped at 3 over the lifetime of the account (T&Cs § 11.ter.1);
- Timestamp of the last change (`accountTypeUpdatedAt`);
- History of Stripe prorations issued on the occasion of each change with an active Subscription (amount, currency, invoice identifier).

Identity verifications and "Verified" status:
To display the public "Verified" badge on a Merchant's store, the Platform automatically verifies:
- Individuals: convergence on 3 points (registered name + date of birth + country of residence) between the DashlyBoard profile and the KYC data transmitted by Stripe Connect;
- Professionals: presence of a company name, SIRET (or international equivalent) and Stripe status `charges_enabled = true`.

The data used comes exclusively from the fields already collected for DAC7 (see above) and from Stripe Connect onboarding. No additional data is requested for the issuance of the badge.

Moderation audit log (`ModerationAction`):
Each action carried out by the DashlyBoard moderation team (forced refund, product blocking, store blocking, user warning) generates an entry in the audit log including:
- Identity of the moderating agent (email and user identifier of the super-administrator);
- Type of action and type of target (`user` / `product` / `dashboard` / `order`);
- Identifier of the target and mandatory reason;
- Payload specific to the action (for example: Stripe refund identifier, amount refunded, blocking code);
- UTC timestamp.

This log is internal and is not accessible to the public or to the Merchants/Users concerned through direct access, but a motivated copy may be communicated to them within the framework of an internal appeal or a request under the GDPR right of access (art. 15).

When a withdrawal request is made (14-day right of withdrawal — art. L.221-18 of the Consumer Code):

Data collected only when the Consumer User exercises their right of withdrawal on a paid subscription taken out online, within the 14-day period.

- User identity (name, email — already present in the account);
- Plan subscribed, Stripe subscription identifier, subscription date;
- Interface language (used for the language of the acknowledgement, validation or refusal emails);
- Reason for withdrawal (free text field, optional);
- Status of the request (`pending` / `approved` / `rejected` / `withdrawn`);
- Request date and processing date by the super-administrator;
- Internal administrative notes (field reserved for processing the request);
- Where applicable: amount refunded and Stripe refund identifier; or grounds for rejection (mandatory in the event of a motivated refusal).

This data is necessary to fulfil DashlyBoard's legal obligations as a platform operator (article 242 bis CGI, URSSAF case law) and to inform you in good time when your activity reaches a regulatory threshold.

3.2 Data collected automatically

Technical connection data:
- IP address;
- User-agent (browser, OS, version);
- Timestamp of connections and sensitive actions (login, password change, payments).

Security logs:
- Failed login attempts (anti-bruteforce);
- Moderation and banning events;
- Stripe webhooks received (idempotency anti-double-debit).

Cookies and trackers: see § 9.

3.3 Data from third parties

- Google (if connection via OAuth): email address, name, public profile picture, Google Account identifier;
- Stripe: payment confirmations, subscription statuses, refund events;
- VIES (European Commission): validation of intra-Community VAT numbers provided by sellers.

4. Purposes, legal bases and retention periods

For each processing purpose, you will find below the GDPR legal basis invoked and the period during which we retain the data concerned.

4.1 — Creation and management of the user account. Legal basis: performance of the contract (art. 6.1.b GDPR). Duration: duration of the account + 3 years after closure (alignment with the CNIL recommendation on prospection).

4.2 — Provision of subscribed services (dashboards, stores, builder). Legal basis: performance of the contract. Duration: duration of the subscription.

4.3 — Billing, accounting, commission invoices. Legal basis: legal obligation (art. 6.1.c GDPR, art. L.123-22 of the Commercial Code, art. 286 CGI). Duration: 10 years from the closure of the financial year.

4.4 — Payment management and fraud prevention (via Stripe). Legal basis: legitimate interest and legal obligation. Duration: 13 months for non-accounting transaction data; 10 years for accounting documents.

4.5 — Sending of transactional emails (confirmation, invoice, password). Legal basis: performance of the contract. Duration: duration of the account.

4.6 — Sending of newsletters and marketing emails ("Pro Emails", marketing audience). Legal basis: consent (art. 6.1.a GDPR) — explicit and timestamped opt-in. Duration: until withdrawal of consent, and at the latest 3 years after the last active contact.

4.7 — Annual DAC7 declaration (EU marketplace sellers). Legal basis: legal obligation (art. 242 bis CGI). Duration: documents retained for 10 years from the end of the year concerned.

4.7-bis — Merchant tax identification (NIF, date and place of birth, company name, SIREN, IBAN). Legal basis: legal obligation (art. 242 bis CGI). Duration: deletion 10 years after the Merchant's last sale.

4.7-ter — Monitoring of regularity thresholds (automatic transition Individual → Pro at 30 transactions or €3,000). Legal basis: legal obligation and legitimate interest (T&Cs § 19). Duration: duration of the account + 5 years after switching.

4.7-quater — €1,500 threshold warning (information email on auto-entrepreneur status). Legal basis: legitimate interest (Merchant information obligation). Duration: sending limited to once per calendar year; timestamp retained for 3 years.

4.7-quinquies — Export of transactions outside the EU (CSV for foreign tax authorities, where applicable). Legal basis: legitimate interest and legal obligation in the Merchant's jurisdiction. Duration: 10 years, in parallel with EU DAC7.

4.7-sexies — Management of the 14-day right of withdrawal (request form, super-admin processing, refund, archiving of the decision and reason). Legal basis: legal obligation (art. L.221-18 et seq. of the Consumer Code) and performance of the contract. Duration: 5 years from the decision, in alignment with the civil limitation period applicable to consumer disputes.

4.7-septies — Plan change proposals (PlanChangeProposal) — proof of issuance and of the User's decision. Legal basis: performance of the contract and legitimate interest (support, anti-dispute). Duration: 24 months from the last change of status.

4.7-octies — Dashboard notifications (DashNotif) and user notifications (UserNotif). Legal basis: performance of the contract. Duration: 12 months rolling; read notifications are never purged as long as the account or dashboard is active.

4.7-nonies — Service chat and delivery chat attachments. Legal basis: performance of the contract. Duration: automatic deletion at D+7 after delivery, except in the event of an open dispute (retention until closure).

4.7-decies — History of account type changes (Individual ↔ Pro) — change counter, timestamp of the last change, associated Stripe prorations. Legal basis: performance of the contract and legitimate interest (anti-abuse). Duration: duration of the account + 5 years after closure (civil limitation period).

4.7-undecies — Merchant identity verifications (status of the "Verified" badge, results of the 3-point checks for individuals and SIRET + charges_enabled for professionals). Legal basis: performance of the contract and legitimate interest (anti-identity theft). Duration: duration of the account.

4.7-duodecies — Moderation audit log (ModerationAction) — moderation team actions on accounts, products, stores and orders. Legal basis: legal obligation (DSA, LCEN, accounting traceability) and legitimate interest (anti-dispute). Duration: 10 years from the action, in alignment with accounting obligations and the limitation period for merchant-buyer disputes.

4.8 — Moderation, fight against illegal content, processing of DSA reports. Legal basis: legal obligation (LCEN, DSA) and legitimate interest. Duration: duration of the relationship + 5 years (civil limitation period).

4.9 — Platform security (IP logs, attack detection, super-admin IP-log). Legal basis: legitimate interest and legal obligation (LCEN art. 6 II). Duration: 1 year maximum.

4.10 — Audience measurement cookies (where applicable). Legal basis: consent. Duration: 13 months maximum, in accordance with CNIL recommendations.

4.11 — Response to contact and support requests. Legal basis: legitimate interest. Duration: 3 years after the last exchange.

4.12 — Management of disputes, pre-litigation and litigation. Legal basis: legitimate interest. Duration: duration of the applicable limitation period.

4.13 — Anonymised internal statistics. Legal basis: legitimate interest. Duration: re-identifying data purged within 25 months.

4.14 — Legally founded judicial and administrative requisitions. Legal basis: legal obligation. Duration: according to applicable obligations on a case-by-case basis.

Upon expiry of these periods, the data is either permanently deleted, irreversibly anonymised, or archived in an intermediate archive with restricted access where a retention obligation requires it.

5. Recipients of the data

5.1 DashlyBoard authorised personnel

Only authorised persons (Platform administrator and, where applicable, support / accounting team) access personal data, strictly within the limits of their tasks. Access to the super-administration panel is logged (IP-log, action traces).

5.2 GDPR sub-processors

The following sub-processors process data on behalf of DashlyBoard, under a contract compliant with article 28 GDPR:

- Stripe Payments Europe Ltd. — collection, Stripe Connect, subscriptions and refunds. Data hosted in Ireland (EU), with possible backups in the United States. Guarantees: signed DPA and standard contractual clauses for transfers outside the EU.
- Google Ireland Ltd. — OAuth authentication ("Sign in with Google") and, upon explicit user opt-in, access to the Google Sheets API. Data hosted in Ireland (EU). Guarantees: Google DPA and standard contractual clauses.
- OVH SAS — VPS hosting and sending of transactional SMTP emails. Data hosted in France. Guarantees: EU hosting, ISO 27001 certified.
- DNS and anti-DDoS provider (to be completed if different from OVH) — DNS resolution and anti-DDoS protection.

No other sub-processor is used outside this list. Any change will be notified via an update of this policy.

5.3 Sellers and buyers (merchant-customer relationships)

DashlyBoard has the status of marketplace operator: when a buyer places an order on a store hosted by the Platform, certain buyer data (name, delivery address, email, order details) is transmitted to the seller concerned. The latter then becomes an autonomous controller for the purposes of sale execution, after-sales service and compliance with its own legal obligations.

Symmetrically, the seller's commercial identity (company name, SIRET, VAT, address) is communicated to the buyer under the conditions provided for by the Consumer Code.

Stripe Direct Charges (since V1.1) — Since the migration to the Stripe "Direct Charges" model of Stripe Connect, the Merchant is the official seller (merchant of record) for the sale; as such, Stripe transmits to them directly the PaymentIntent data (Buyer identity, email, billing address, last 4 digits of the card) at the time of payment. DashlyBoard then acts only as a technical intermediary (connected platform collecting a commission via `application_fee_amount`). The Merchant therefore becomes the principal controller vis-à-vis this data, in accordance with the Stripe Connect Terms of Service.

5.4 Public authorities

Your data may be communicated to the competent authorities:
- In response to a legally founded judicial or administrative requisition;
- Within the framework of the annual DAC7 declaration transmitted by XML file compliant with the DGFiP DPI v1.6 schema (French variant of the OECD DPI v1.0 schema, updated by the DGFiP in November 2025 for the 2026 campaign) to the Direction Générale des Finances Publiques (DGFiP), via the impots.gouv.fr pro space (Tiers déclarants — Télé-TD service). Concerns only reportable EU-resident Merchants (above the cumulative threshold of 30 transactions AND €2,000 of net annual consideration — exemption below both). The DGFiP then transmits this information, by automatic exchange, to the tax authorities of the other Member States concerned;
- For Merchants resident outside the EU: a CSV export may be communicated upon motivated request from a competent foreign tax authority (1099-K USA, UK/CA/AU equivalents, etc.). No automatic filing outside the EU is performed by the Platform;
- In the event of a mandatory report (PHAROS, TRACFIN where applicable).

5.5 Commercial third parties

No data is transferred, rented or sold to commercial third parties. No sharing with marketing partners is performed without your explicit and prior consent.

6. Transfers of data outside the European Union

The data is mainly hosted in France (OVH). However, certain sub-processors may carry out transfers to third countries, within the limits authorised by the GDPR:

- Stripe: possible backups in the United States. Framed by the Standard Contractual Clauses (SCC) adopted by decision of the European Commission of 4 June 2021, supplemented by additional technical measures (encryption in transit and at rest).
- Google: possible backups / replication outside the EU. Framed by the SCC and the Data Privacy Framework (DPF — adequacy decision of 10 July 2023, subject to pending appeals).

No transfer to a country without appropriate guarantee is performed.

7. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights:

7.1 Right of access (art. 15 GDPR)
Obtain confirmation that your data is processed and receive a copy thereof.

7.2 Right of rectification (art. 16 GDPR)
Have inaccurate or incomplete data rectified — most profile information can be modified directly from your personal area.

7.3 Right to erasure (art. 17 GDPR)
Request the deletion of your data, subject to legal retention obligations (notably the 10 years applicable to accounting documents and DAC7 commission invoices).

7.4 Right to restriction of processing (art. 18 GDPR)
Request the suspension of processing in certain cases (contestation of accuracy, unlawful processing, etc.).

7.5 Right to portability (art. 20 GDPR)
Receive, in a structured and machine-readable format (JSON), the data you have provided to us, and transmit it to another controller.

7.6 Right to object (art. 21 GDPR)
Object at any time:
- To processing based on legitimate interest;
- Without condition to processing for commercial prospection purposes (unsubscribe link present in each marketing email).

7.7 Right to withdraw consent
Where processing is based on your consent (marketing, non-essential cookies, Google Sheets access), you may withdraw it at any time from your personal area, without affecting the lawfulness of previous processing.

7.8 Right to define post-mortem directives
In accordance with article 85 of the loi Informatique et Libertés.

7.9 Exercise procedures
- Online: from your personal area for rectification, account deletion and data export;
- Email: `privacy@dashlyboard.com`;
- Mail: at the head office address (§ 1).

A response will be sent to you within a maximum period of one month from receipt of your request, extendable by two months for complex requests (art. 12.3 GDPR). Proof of identity may be requested in the event of reasonable doubt.

7.10 Right to lodge a complaint with the CNIL

Commission Nationale de l'Informatique et des Libertés (CNIL)
- 3 Place de Fontenoy — TSA 80715 — 75334 PARIS CEDEX 07
- Telephone: +33 (0)1 53 73 22 22
- Website: `www.cnil.fr`

If you reside in another EU Member State, you may refer the matter to the supervisory authority of your country of residence.

8. Data security

DashlyBoard implements appropriate technical and organisational measures with regard to the level of risk, in accordance with article 32 GDPR:

- Encryption in transit: HTTPS / TLS 1.3 across the entire Platform;
- Encryption at rest: Google OAuth tokens encrypted (AES-256-GCM) before insertion into the database;
- Passwords: hashed with bcrypt (never kept in clear text);
- Sessions: HttpOnly + Secure + SameSite signed cookies;
- Anti-CSRF: NextAuth protection;
- Rate-limiting: protection against bruteforce and application-level denial of service attacks;
- Multi-tenant partitioning: each store / dashboard is isolated by subdomain and its own identifier;
- Idempotency: Stripe webhooks are deduplicated to prevent any double-debit;
- Logging: connections, super-admin actions, security events, retained for 1 year;
- Backups: regular encrypted database backups;
- Updates: application and system maintenance (security patches);
- Privilege partitioning: super-admin access by granular roles.

In the event of a data breach likely to result in a risk to your rights and freedoms, DashlyBoard will notify the CNIL within 72 hours (art. 33 GDPR) and will directly inform the persons concerned if the risk is high (art. 34 GDPR).

8.bis Specific security for DAC7 tax data

The data collected for DAC7 (NIF, date of birth, place of birth, IBAN) benefits from reinforced treatment.

8.bis.1 IBAN life cycle — details

The Merchant's IBAN is subject to particular treatment due to its banking sensitivity:

1. Collection: the IBAN is never entered on DashlyBoard. It is collected exclusively by our payment provider Stripe during the Merchant's Stripe Connect onboarding, via a form hosted by Stripe (PCI-DSS level 1).
2. Storage: Stripe retains the IBAN in its infrastructure (EU datacenters — Ireland). DashlyBoard does not store any copy of the IBAN in its local databases, neither in the database, nor in the cache, nor in the backups.
3. Point-in-time read: DashlyBoard retrieves the IBAN from Stripe only at the time of generation of the annual DAC7 XML file (typically once a year, in January), via the Stripe Connect API (`accounts.listExternalAccounts`).
4. Transmission: the IBAN only appears in the XML file transmitted to the DGFiP via the impots.gouv.fr pro space. No other transmission is performed.
5. Erasure: at the end of the XML generation process, the memory buffer containing the IBANs is freed. The XML file itself is retained for 10 years (legal obligation) on encrypted storage with restricted access to the "accounting" super-administrator.
6. Outside DAC7: the IBAN is not used for any other processing (no analytics, no on-screen display, no tracking).

8.bis.2 Other tax data

- Tax number (NIF/TIN): stored encrypted at rest in the database, access restricted to the DAC7 flow only and the "accounting" super-administrator.
- Date of birth and place of birth: stored encrypted at rest, access restricted to the DAC7 flows and the "accounting" super-administrator.
- No transmission of this data to a commercial third party, ever and under no circumstances.
- Automatic deletion 10 years after the Merchant's last sale (legal retention period for tax documents).

9. Language of communications

Transactional emails (payment confirmation, invoices, credit notes, passwords, DSA reports, T&Cs updates, etc.) are sent:
- In French for Users residing in France (`country = FR`);
- In English for all other Users.

Emails relating to the automatic Individual → Professional switch are an exception and are sent in the interface language chosen by the User (8 languages supported) — the critical nature of this notification justifies the additional translation effort.

Emails relating to the processing of a 14-day withdrawal request (acknowledgement, validation and refund, motivated refusal) are also sent in the 8 supported interface languages, due to the contractual and financial nature of the communicated decision.

The user interface (UI) remains available in 8 languages: French, English, German, Spanish, Italian, Russian, Chinese, Japanese.

10. Cookies and trackers

DashlyBoard uses the following cookies:

- Session cookie (next-auth.session-token) — used for the authentication and the maintenance of the connected user's session. Strictly necessary for the performance of the contract. Duration: the session, or 30 days if the user has ticked "Stay connected".
- Anti-CSRF cookie (next-auth.csrf-token) — protects against cross-site request forgery attacks. Strictly necessary on the basis of the Platform's legitimate interest. Duration: the session.
- Interface language cookie (dashly_lang) — stores the language chosen by the user among the 8 supported languages, and prevents each visit from falling back to automatic detection. Functional cookie on the basis of legitimate interest. Duration: 1 year.
- Interface preferences cookie — stores the user's other choices (theme, time zone). Functional cookie on the basis of legitimate interest. Duration: 1 year.

DashlyBoard does not currently use third-party audience measurement cookies or advertising cookies. Should this become the case, a consent banner compliant with CNIL recommendations will be put in place and this section updated.

11. Data of minors

The Platform is not intended for minors under the age of 15. In accordance with article 7-1 of the loi Informatique et Libertés, account creation requires being 15 years of age or older, or the joint consent of the minor and the holder of parental authority.

If you find that data concerning a minor has been collected without valid consent, please write to us at `privacy@dashlyboard.com` so that we can proceed with its deletion without delay.

12. Automated decisions and profiling

No profiling for commercial purposes is performed. DashlyBoard nevertheless takes certain automated decisions framed within the meaning of article 22 GDPR:

12.1 Automatic Individual → Professional switch
When an Individual Seller crosses, over the rolling calendar year, one of the objective thresholds defined in article 19 of the T&Cs (30 transactions, €3,000 of turnover, or manifest purchase for resale), an automatic switch to Professional status is triggered. This decision produces legal effects (de facto change of tax status, termination of the Individual Subscription, temporary blocking of the store during the grace period) and therefore falls within the scope of article 22 GDPR.

As such:
- The criteria are objective, measurable and previously brought to the attention of the Seller in the T&Cs;
- An intermediate warning at €1,500 is sent to give the Seller the opportunity to anticipate;
- The Seller has a right of challenge (human review) which they may exercise during the 3-month grace period (T&Cs § 19.4), with the guarantee of an examination within 15 days;
- No sensitive data within the meaning of article 9 GDPR is used in the decision.

12.2 Automatic re-pricing on account type change
When the User manually changes their account type while a paid Subscription is active, Stripe automatically issues a pro rata invoice (see § 4.7-decies and T&Cs § 11.ter). The exact amount is displayed in a confirmation dialog before validation: the User therefore retains control over the final decision.

12.3 Automated security decisions
Automated security rules (anti-bruteforce, abuse detection, temporary IP blocking) may temporarily suspend an account or session. These decisions are:
- Always provisional (never definitive without human intervention);
- Systematically re-examinable upon human request via `privacy@dashlyboard.com` or a support ticket.

12.4 Non-punitive moderation
Moderation actions (forced refund, temporary product/store blocking, warning) are always initiated by an authorised human agent (super-administrator or moderation team), never triggered by an algorithm. They are recorded in the audit log described in § 3.1.

13. Modifications of this policy

DashlyBoard reserves the right to modify this Privacy Policy to take account of legislative, regulatory, technical or editorial developments.

Any substantial modification will be notified to users with 30 days' notice before its entry into force, by email and/or via a banner on the Platform.

The version history is retained and accessible upon request.

14. Contact

For any question, request to exercise rights or complaint:

- General email: `contact@dashlyboard.com`
- Privacy email: `privacy@dashlyboard.com`
- Mail: 2 place des Vergers, 78320 Le Mesnil-Saint-Denis, France


For a complaint as a last resort:
Commission Nationale de l'Informatique et des Libertés (CNIL) — `www.cnil.fr`