Privacy policy

Last updated: 9 April 2026

This privacy policy describes how Sarah Eyraud (hereafter "we") collects, uses and protects personal data of visitors to sarah-eyraud.com, in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.

1. Data controller

Sarah Eyraud

Contact: via the contact form at /en/contact/

2. Data collected

We collect two categories of personal data:

a. Via the contact form

When you use the contact form, we collect:

• Your name
• Your email address
• The content of your message

This data is necessary to reply to your enquiry and is collected on the basis of your explicit consent when submitting the form.

b. Traffic analytics

We use Cloudflare Web Analytics, a privacy-friendly analytics solution that works without cookies and without individual tracking. The data collected (page views, country, browser) is anonymised and aggregated — it does not allow you to be identified. Legal basis: legitimate interest (improving the website).

No advertising cookies, no third-party trackers (Google Analytics, Meta Pixel, etc.) are used on this website.

3. Purposes of processing

Your data is processed solely to:

• Respond to your professional enquiries (collaboration, information requests)
• Measure website traffic anonymously to improve its content
• Comply with legal obligations regarding retention of communications

4. Recipients and sub-processors

The only people with access to your data are:

• Sarah Eyraud herself (sole user of the back-office)
• The following technical sub-processors, strictly bound by data processing agreements (DPA):
• Cloudflare, Inc. (USA) — hosting, CDN, cookieless analytics, legacy video file storage (R2 bucket). Safeguards: Standard Contractual Clauses (SCC) + GDPR certification.
• Sanity.io (EU / USA) — content management system, access restricted to editor. Safeguards: DPA + SCC.
• Resend, Inc. (USA) — contact form email delivery. Safeguards: DPA + SCC.
• Mux, Inc. (USA) — video hosting and streaming. Safeguards: DPA + SCC.

Your data is never sold, rented or transferred to third parties for commercial purposes.

5. Transfers outside the European Union

Some of our sub-processors are located in the United States. These transfers are governed by the Standard Contractual Clauses adopted by the European Commission, ensuring a level of protection equivalent to that of the GDPR.

6. Retention period

• Messages received via the contact form: 3 years from your last contact with us, in accordance with the French data protection authority (CNIL) recommendations for B2B outreach.
• Technical logs and anonymised analytics: 25 months maximum.

After this period, your data is deleted or irreversibly anonymised.

7. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights over your personal data:

• Right of access: obtain confirmation that your data is being processed and receive a copy
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): request the deletion of your data
• Right to restriction of processing
• Right to object to processing
• Right to data portability
• Right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal

To exercise any of these rights, please use the contact form at /en/contact/. We will reply within one month at most.

8. Complaint to the CNIL

If, after contacting us, you believe that your rights are not being respected, you have the right to lodge a complaint with the French data protection authority (Commission Nationale de l'Informatique et des Libertés — CNIL):

• Online: https://www.cnil.fr/fr/plaintes
• By mail: CNIL — 3 Place de Fontenoy — TSA 80715 — 75334 PARIS CEDEX 07, France

9. Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or disclosure. All communications on the website are encrypted via HTTPS (TLS 1.3).

10. Changes

This policy may be updated at any time to reflect legal or technical changes. The date of the last update is shown at the top of this page. Any substantial changes will be clearly signalled on the website.