Last updated : 2026-04-09

Privacy Policy

Beloha is committed to protecting your personal data with full transparency. This document explains precisely what data is collected, why, how it is protected, and what your rights are.

This policy complies with the GDPR (EU Regulation 2016/679), CCPA (California), and Law 25 (Québec). No personal data is sold, shared for advertising purposes, or used outside the context of the commercial relationship with Beloha.

1 Data controller

Name : Toky RAKOTOARIMANANA

Status : Independent freelancer

Address : Antananarivo, Madagascar

Email : [email protected]

Tax ID / STAT : 3019413358 / 62011 11 226 0 03494

The Beloha website is a portfolio presenting web development services. It offers no registration, no user account creation, and no online payment. The only data collected is what you voluntarily submit through the contact or quote request forms, for the purpose of initiating an external commercial discussion.

2 Data collected

Beloha collects only the data strictly necessary for its operation. No data is collected without your explicit action. There are two sources: your form submissions and technical data automatically generated by your browsing.

Contact & quote forms

Data	Purpose	Legal basis	Retention
First and last name	Identifying the contact, personalising responses	Consent (Art. 6.1.a GDPR)	3 years after last contact
Email address	Primary communication channel to respond to the request	Consent (Art. 6.1.a GDPR)	3 years after last contact
Message, project description	Understanding the requirement, preparing the quote	Consent (Art. 6.1.a GDPR)	3 years after last contact
Consent record	Legal proof of agreement to the Terms of Sale and Privacy Policy	Legal obligation (Art. 7 GDPR)	5 years (statutory limitation period)

Technical data (automatically collected)

Data	Purpose	Legal basis	Retention
IP address	Site security, abuse detection, server logs	Legitimate interest (Art. 6.1.f GDPR)	12 months, then automatic deletion
Estimated country (derived from IP)	Displaying local currency (Ar / € / $) without a visible third-party request	Legitimate interest (Art. 6.1.f GDPR)	7 days in PostgreSQL cache (Solid Cache), not transmitted to third parties
Navigation logs (URL, timestamp, browser)	Technical diagnostics, debugging, uptime monitoring	Legitimate interest (Art. 6.1.f GDPR)	30 rolling days

No user account is created. No password is stored. No payment data passes through this site.

3 What we do not do

No data selling

No data is sold to any third party, under any circumstances

No targeted advertising

No advertising networks, no tracking pixels

No profiling

No automated decisions based on your data

No unsolicited newsletter

No commercial emails without your explicit consent

No user accounts

No registration, no stored passwords

No payment data

No financial transactions processed on this site

4 Cookies and trackers

Beloha uses a minimal number of cookies, all strictly functional. No advertising cookies, no cross-site tracking cookies, and no behavioural analytics tools (Google Analytics, Hotjar, Mixpanel…) are present on this site.

Cookie	Purpose	Duration	Consent required
`_beloha_session`	Rails session management, CSRF protection (anti-forgery)	Browser session	Not required — functional
`_beloha_locale`	Remembering the chosen language (fr / en / mg)	1 year	Not required — functional
`geo_country`	Remembering estimated country for currency display (Ar / € / $)	7 days	Not required — functional

No third-party cookies. No external tracking scripts. No embedded social media widgets that would collect data without your action.

You can disable cookies via your browser settings. Disabling the session cookie will prevent the contact form from working. The geolocation cookie can be overridden manually via the language selector in the navigation bar.

5 Data sharing

Beloha does not share your personal data with any third party for commercial or advertising purposes. The only cases of transmission to external services are:

IP geolocation API : Your IP address may be sent to ipapi.co (a third-party service) to determine your country and display the corresponding currency. This transfer only concerns the IP address, with no other personal data attached. The response (country code only) is cached for 7 days to minimise transmissions. ipapi.co privacy policy: ipapi.co/privacy.

Email delivery provider : Messages you send via the forms are routed to the Service Provider's email inbox via an SMTP server. Message content is not stored by a third-party service and is not indexed.

No personal data is sold, rented, or transferred to third parties. In the event of a lawful request from competent authorities (judicial requisition), the Service Provider is required to comply with applicable law.

6 Data security

✓

HTTPS / TLS 1.3

Encryption of all communications between your browser and the server

✓

Secure hashing

Sensitive data is processed using secure hashing algorithms

✓

Restricted access

Only the Service Provider has access to data — no team, no subcontractors

✓

Automated backups

Regular encrypted backups of the PostgreSQL database

✓

Secure cache (Solid Cache)

Geolocation cache stored in PostgreSQL, not exposed in shared memory

✓

Dedicated server (VPS)

Data hosted on a dedicated VPS, not shared with other tenants

7 International data transfers

The Beloha website is accessible worldwide. Data is hosted on a VPS whose location is specified in the Legal Notice. If this server is located outside the European Union, data from European visitors may be subject to a transfer outside the EU.

In that case, the Service Provider undertakes to put in place appropriate safeguards in accordance with the GDPR — in particular the Standard Contractual Clauses (SCCs) approved by the European Commission — to ensure a level of protection equivalent to that guaranteed in the European Economic Area. For California residents, CCPA rights also apply (see section 8).

8 Your rights

Under the GDPR (Art. 15–22), CCPA, and Law 25 (Québec), you have the following rights regarding your personal data:

Right of access

Obtain a copy of all data about you held by Beloha

Right to rectification

Have inaccurate or incomplete data about you corrected

Right to erasure

Request deletion of your data (right to be forgotten), subject to legal retention obligations

Right to portability

Receive your data in a structured, commonly used, machine-readable format (JSON or CSV)

Right to object

Object to processing of your data based on legitimate interest

Right to restriction

Request temporary suspension of processing in certain cases provided for by the GDPR

To exercise any of these rights, send your request to [email protected] stating your identity and the right you wish to exercise. Response within 30 calendar days. Proof of identity may be requested.

If you believe that the processing of your data does not comply with the GDPR, you have the right to lodge a complaint with the competent supervisory authority: the CNIL in France (www.cnil.fr), or the authority in your country of residence in the EU. For California residents: California Attorney General (oag.ca.gov). For Québec residents: Commission d'accès à l'information (cai.gouv.qc.ca).

9 Retention periods

The Service Provider applies the data minimisation principle: data is kept only as long as necessary for the purposes for which it was collected.

Contact data (name, email, message): retained for 3 years from the last exchange, corresponding to the limitation period for contractual liability claims under French law.

Consent records (IP, timestamp, version of accepted documents): retained for 5 years in accordance with the statutory limitation period for proof of consent (Art. 7 GDPR and CNIL guidelines).

Technical data (logs, IP): maximum 12 months. Geolocation data (estimated country in cache): 7 rolling days.

At the end of these periods, data is automatically deleted or irreversibly anonymised. You may also request early deletion by exercising your right to erasure (see section 8).

10 Policy updates

The Service Provider reserves the right to update this privacy policy at any time, particularly in the event of regulatory changes or modifications to data processing. The last updated date is shown at the top of this page.

In the event of a material change affecting the rights of data subjects, the Service Provider undertakes to inform individuals who submitted a form within the preceding 12 months, by email if their address is still available.

11 Applicable law

This privacy policy is governed by French law and the General Data Protection Regulation (GDPR, EU Regulation 2016/679). It is also designed to meet the requirements of the CCPA (California Consumer Privacy Act) for California residents and Law 25 for Québec residents.

Any dispute relating to the interpretation or application of this policy will be subject to the competent courts as specified in the Legal Notice.

For any questions about your personal data: [email protected]