Privacy policy

Last updated : 19 May 2026

The Dark Agency only collects the data needed for business interactions (contact, brief, application, review, newsletter forms) and the site's technical operation (session and language cookies). No advertising or third-party tracking cookies are placed. Contact data is kept for 3 years, applications for 24 months, accounting data for 10 years. Subprocessors are Stripe (EU), Resend (US-SCC), Cloudflare R2 (US-SCC) and Hostinger (EU). GDPR rights are exercised by emailing contact@thedarkagency.fr.

The Dark Agency places particular importance on the protection of the personal data of its users, prospects, clients and candidates. This policy describes, in application of Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and French Act no. 78-17 of 6 January 1978 as amended ("Informatique et Libertés"), the data we collect, the purposes of processing, the legal bases relied upon, the retention periods and the rights you may exercise.

Data controller

The data controller within the meaning of article 4-7 GDPR is The Dark Agency, whose full contact details are listed in our legal notice.

Given the scale and nature of the processing operations performed, The Dark Agency is not required to appoint a Data Protection Officer (art. 37 GDPR). The data controller acts as the reference point for all matters relating to your personal data and can be reached at contact@thedarkagency.fr.

Data we collect

Depending on your interaction with the site, we collect the following categories of data, strictly limited to what is necessary for the purpose pursued:

  • Contact form: first name, last name, email address, phone (optional), offer of interest, free message, IP address, timestamp.
  • Brief form: first name, last name, email, phone, company name, sector, company size, objectives, preferred callback slots, locale, IP address, user agent.
  • Customer review form: first name, last name, email, company, LinkedIn URL (optional), rating, review content, IP address, locale.
  • Application form (Careers page): full identity (first name, last name, city, country), email, phone, LinkedIn (optional), CV in PDF format (stored on private disk), motivation, salary expectations (optional), position-specific answers, IP address, user agent.
  • Newsletter (footer form): email address only, collected on the basis of explicit consent via opt-in.
  • Customer account (subscriber area): email, hashed password (never stored in plain text), billing data and Stripe identifiers.
  • Cookies strictly necessary for the site to function: session token, CSRF token, language preference.

Purposes and legal bases

Each category of data is processed for a specific, explicit purpose, on the basis of one of the legal grounds listed in article 6 GDPR:

Responding to commercial requests

Processing of contact and brief forms. Legal basis: pre-contractual measures taken at the prospect's request (GDPR art. 6-1-b).

Performing the contractual service

Subscription management, editorial deliveries, payments and invoicing. Legal basis: contract performance (GDPR art. 6-1-b).

Reviewing applications

Review of applications submitted through the Careers page, candidate communication, retention for future opportunities. Legal basis: pre-contractual measures (GDPR art. 6-1-b) and explicit consent for extended retention to 24 months (GDPR art. 6-1-a).

Publishing customer reviews

Moderation and publication of publicly submitted testimonials. Legal basis: consent (GDPR art. 6-1-a).

Sending our newsletter

Marketing communications, news and publications from the agency. Legal basis: explicit consent collected through the form's opt-in (GDPR art. 6-1-a). Unsubscription possible at any time by simple request to our contact address.

Complying with our legal obligations

Retention of invoices and accounting data, response to administrative or judicial requests. Legal basis: legal obligation (GDPR art. 6-1-c).

Retention periods

Data is retained for the period strictly necessary for the purpose pursued, then archived or deleted according to the following durations:

  • Contact requests and briefs: 3 years from the last exchange with the prospect, in accordance with CNIL recommendations on commercial prospecting.
  • Job applications: 24 months from submission, with automatic monthly purge (command `applications:purge`) thereafter. CVs are deleted from the private disk together with the record.
  • Published customer reviews: duration of publication on the site, removal on simple request from the contributor.
  • Newsletter: until unsubscription request, and at the latest after 3 years of inactivity in accordance with CNIL recommendation.
  • Active customer accounts: duration of the contractual relationship, extended by applicable limitation periods.
  • Accounting and billing data: 10 years from the end of the fiscal year (art. L.123-22 French Commercial Code).
  • Technical cookies: browser session duration, or maximum thirteen months for the language preference.

Recipients and subprocessors

Your data is accessible only to authorized persons within The Dark Agency within the limits of their duties. In accordance with article 28 GDPR, certain data is transmitted to subprocessors operating under Data Processing Agreements and, where required, the Standard Contractual Clauses adopted by the European Commission:

  • Stripe Payments Europe Ltd (Dublin, Ireland) — payment processing and billing. Data hosted within the EU. Stripe DPA applicable.
  • Resend Inc. (San Francisco, USA) — transactional emails and notification delivery. Resend DPA supplemented by the Standard Contractual Clauses (decision 2021/914).
  • Cloudflare, Inc. (San Francisco, USA) — file storage via Cloudflare R2. Transfer outside the EU framed by the Standard Contractual Clauses and the Cloudflare Data Processing Addendum.
  • Hostinger International Ltd (Larnaca, Cyprus) — hosting of the site and databases. Data retained within the EU.

No data is sold to third parties, used for external targeted advertising, or transferred to data brokers or advertising platforms.

Transfers outside the European Union

Some processing operations involve a transfer of personal data to the United States (Cloudflare, Resend). These transfers are framed by the Standard Contractual Clauses adopted by the European Commission in its decision 2021/914 of 4 June 2021, supplemented by appropriate technical and organizational measures: encryption in transit (TLS 1.2+) and at rest, access control, logging, regular audit of subprocessors.

No transfer is made to a country lacking an adequacy decision from the European Commission or appropriate safeguards within the meaning of articles 45 and 46 GDPR.

Your rights

In accordance with articles 15 to 22 GDPR and the provisions of the French "Informatique et Libertés" Act, you have the following rights over your personal data:

  • right of access: obtain confirmation that your data is being processed and receive a copy;
  • right of rectification: have any inaccurate or incomplete data corrected;
  • right to erasure ("right to be forgotten"): obtain the deletion of your data in the cases provided for in article 17 GDPR;
  • right to restriction of processing: temporarily suspend the processing of your data;
  • right to object: object to processing on grounds relating to your particular situation, or unconditionally with respect to commercial prospecting;
  • right to data portability: receive your data in a structured, commonly used and machine-readable format;
  • right to withdraw your consent at any time, where processing is based on this ground;
  • right to define directives on the fate of your data after your death (art. 85 of Act 78-17).

To exercise these rights, contact us at contact@thedarkagency.fr. We will respond within one month of receipt of your request, in accordance with article 12 GDPR. This period may be extended by two additional months due to complexity or the number of requests, in which case you will be informed.

We may ask you for additional elements to verify your identity, in particular in the event of reasonable doubt about the person making the request.

You also have the right to lodge a complaint with the French data protection authority CNIL (Commission Nationale de l'Informatique et des Libertés): 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — https://www.cnil.fr.

Data security

The Dark Agency implements appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of your data: encryption of communications (HTTPS/TLS), password hashing (bcrypt algorithm), access control, logging of sensitive actions, regular backups, audit of subprocessors. As no measure is infallible, the agency cannot, however, guarantee absolute security.

Cookies

The site only deposits cookies strictly necessary for its operation (session token, CSRF token, language preference). In accordance with article 82 of the French Act 78-17 as amended and CNIL guidelines of 17 September 2020, these cookies are exempt from prior consent.

No advertising, third-party audience measurement or profiling cookies are placed on the site.

In the event that the agency introduces in the future an audience measurement tool or a non-strictly-necessary cookie, a consent banner compliant with CNIL requirements will be implemented prior to any deposit.

Frequently asked questions about your data

Quick answers to the most common questions. For the full regulatory detail, see the complete sections above.

What personal data does The Dark Agency collect when I submit a brief?

The brief form collects your first and last name, email, phone number, your company name and sector, its size, your objectives, your preferred callback slots, your locale, and technically your IP address and user agent. All this data is used solely to prepare our exchange and contact you back — it is never sold.

How long does The Dark Agency keep my data?

Three years for contact requests and briefs (CNIL prospecting recommendation), 24 months for job applications (automatic monthly purge), 10 years for accounting data (legal obligation, art. L.123-22 of the French Commercial Code), the duration of the contractual relationship for active customer accounts. The newsletter is kept until unsubscription or 3 years of inactivity.

How can I delete my data from The Dark Agency?

Email our contact address with your erasure request. We respond within the legal one-month period set by GDPR article 12. We may ask for identity verification in the event of reasonable doubt. Candidate CVs are deleted from the private disk together with the application record.

Does The Dark Agency use Google Analytics or tracking cookies?

No. The site only deposits cookies strictly necessary for its operation (session token, CSRF token, language preference), exempt from prior consent under article 82 of French Act 78-17 and CNIL guidelines of 17 September 2020. No advertising cookies, no Google Analytics, no third-party profiling tool is used.

Is my data transferred outside the European Union?

Some processing involves a transfer to the United States for Cloudflare R2 (file storage) and Resend (transactional email delivery). These transfers are framed by the Standard Contractual Clauses adopted by the European Commission in its decision 2021/914 of 4 June 2021, supplemented by TLS 1.2+ encryption in transit and at rest. Stripe (Dublin) and Hostinger (Cyprus) host your data within the EU.

Which subprocessors access my data at The Dark Agency?

Four subprocessors operating under Data Processing Agreements: Stripe Payments Europe Ltd (Dublin, Ireland) for payments; Resend Inc. (San Francisco, US) for transactional emails; Cloudflare Inc. (San Francisco, US) for file storage via R2; Hostinger International Ltd (Larnaca, Cyprus) for site hosting. No other third party has access to your data.

How do I unsubscribe from The Dark Agency newsletter?

Email our contact address with "newsletter unsubscribe". Your address is immediately removed from the mailing list. Newsletter consent is collected through explicit opt-in and revocable at any time under GDPR article 6-1-a.

Who do I contact to exercise my GDPR rights at The Dark Agency?

Email our contact address to exercise your rights of access, rectification, erasure, restriction, objection, portability, withdrawal of consent and post-mortem directives. The Dark Agency is not required to appoint a formal DPO (GDPR art. 37); the data controller assumes this role. You may also lodge a complaint with the French CNIL (cnil.fr) if needed.

Does The Dark Agency sell my data to third parties?

No. No personal data is sold, transmitted to data brokers, or used for external targeted advertising. The only transmissions concern the technical subprocessors needed to deliver the service, framed by data processing agreements compliant with GDPR article 28.

Does The Dark Agency have a Data Protection Officer (DPO)?

No. Given the scale and nature of the processing operations performed, The Dark Agency is not legally required to appoint a formal DPO under GDPR article 37. The data controller acts as the reference point and remains reachable at the contact address for any question relating to your personal data.

Changes to this policy

This privacy policy may be modified at any time to reflect regulatory, technical or operational changes within the agency. The last updated date indicated at the top of the page prevails. In the event of a substantial modification, the users concerned will be informed by display on the site and, where necessary, by direct notification.