Stratorama
Privacy policy
Last updated: 29 May 2026
This policy explains what personal data Stratorama processes when you use the service, why, on what legal basis, who has access to it, and what rights you have under the GDPR.
Data controller
The data controller is JULIEN GUEDON CONSEIL, registered at 24 rue René Viviani, 44200 Nantes, France. Full company information is in the Legal notice.
For any privacy-related question or to exercise your rights, contact contact@stratorama.app.
What we collect, and why
Account data
- Email address
- Password (stored hashed by Supabase; we never see it in plain text)
Purpose: create your account and authenticate you. Legal basis: performance of the contract (Art 6(1)(b) GDPR). Providing this data is required - without it, we can't create your account.
Sign in with Google (optional)
If you choose to sign in with Google, Google shares with us:
- Your Google account identifier
- Your email and name
Purpose: authenticate you without a password. Legal basis: performance of the contract. Alternative: use email + password sign-up instead.
Service content
- Floor plans (stages/floors, rooms, walls, doors, windows, lights, outlets, shutters - with positions and labels)
- User settings
- Bindings between your floor elements and your Home Assistant entities (entity identifiers)
- A long-lived token (
agent_token) issued when you pair your Stratorama Agent add-on
Purpose: deliver the service - store your plans and let you control your linked devices through your own Home Assistant. Legal basis: performance of the contract.
We do not store your Home Assistant credentials or the live state of your devices. Device states flow live from your add-on to your browser via our tunnel and are never persisted on our servers.
Technical logs
- IP address, user-agent, request paths, timestamps (in HTTPS access logs at our hosting provider)
- Authentication session tokens (JWT, stored in your browser's localStorage)
- Failed authentication attempts (anti-bruteforce, fail2ban)
Purpose: keep the service running, prevent abuse, investigate incidents. Legal basis: legitimate interest (Art 6(1)(f) GDPR) - operating a secure service.
Service emails
We send transactional emails such as account confirmation and password reset via Supabase. We do not send marketing emails.
How long we keep your data
- Account and content: as long as your account is active. After 3 years of inactivity (no sign-in), the account and its content are deleted or anonymized.
- HA pairing token: until you disconnect the add-on (the
user_agentsrow is deleted on disconnect). - Server access logs: up to 12 months (the maximum recommended by French law for connection logs, LCEN Art 6-II).
- Auth failure logs: rolling window of about one week (fail2ban defaults).
You can delete your account at any time from inside the app: open the settings FAB (top-right gear icon) and choose Account → Delete my account. If you cannot sign in for any reason, you can also email contact@stratorama.app to request deletion.
Who has access to your data (processors)
To operate Stratorama, we rely on a small set of carefully chosen processors:
- Supabase Inc.
- Database and authentication. Project hosted in the EU (region
eu-west-1, Ireland). - OVHcloud SAS
- VPS hosting (the tunnel server and the static site), in Gravelines, France. Daily backups are stored on the same VPS.
- Let's Encrypt
- Automatic issuance of TLS certificates. We share with them only the public domain name - no personal data.
- Google LLC (United States, optional)
- Only if you choose Sign in with Google. Google is part of the EU-US Data Privacy Framework. Google's privacy policy applies to that flow.
Your data is never sold or rented to anyone. We don't use third-party analytics or advertising trackers.
Where your data is stored
All your core data (account, plans, HA bindings, tokens) stays in the European Union: Supabase in Ireland, OVH in France.
The only flow that leaves the EU is the optional Google sign-in, which is covered by the EU-US Data Privacy Framework.
Security
- Traffic between your browser, our tunnel, and the add-on runs over HTTPS / TLS 1.2+.
- Passwords are hashed by Supabase - we never see the plain text.
- The Home Assistant add-on opens an outbound connection to our tunnel; we never connect inbound to your Home Assistant. You don't need to expose Home Assistant on the public Internet.
- Server access is key-only with fail2ban throttling repeated attempts.
- Daily backups of the database and TLS state, retained 30 days.
Your rights
Under the GDPR, you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Request erasure ("right to be forgotten")
- Restrict processing
- Receive your data in a portable format
- Object to processing based on legitimate interest
- Lodge a complaint with the French data protection authority (CNIL) at cnil.fr/en/plaintes
To exercise any of these rights, email contact@stratorama.app. We aim to respond within 30 days.
Cookies and local storage
Stratorama does not use tracking cookies, advertising cookies, or third-party analytics. The only data your browser stores locally is:
- The Supabase authentication session token (in
localStorage) - required to keep you signed in.
This is strictly necessary for the service and doesn't require a consent banner under French and EU rules (CNIL, ePrivacy).
Children
Stratorama is not designed for children under 16. We do not knowingly collect data from minors. If you are a parent or guardian and believe a minor has signed up, contact us and we'll delete the account.
Automated decision-making
We do not perform automated decision-making that produces legal effects on you, including profiling.
Changes to this policy
When this policy changes, we update the "Last updated" date at the top. For material changes that affect your rights, we'll also notify active users by email.
Contact
For any question about your personal data:
- Email: contact@stratorama.app
- Postal: JULIEN GUEDON CONSEIL, 24 rue René Viviani, 44200 Nantes, France