SuperPagr

Privacy Policy

Version 2.0 — Last updated: December 12, 2025

1. Introduction

This Privacy Policy describes how KARUKERA (hereinafter "we", "our" or "the Publisher") collects, uses, stores and protects the personal data of users of the SuperPagr application (hereinafter "PAGR" or "the Application").

We are committed to respecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable French data protection law (loi Informatique et Libertés).

2. Data controller

KARUKERA
Single-shareholder SARL with capital of €1,000
24 Rue du Puits Picard, 14000 Caen – France
RCS Caen: 930 785 530
SIRET: 930 785 530 00013
Email: julien@superpagr.com

3. Nature of the data processed

Important: No health data

The Application does not collect or process health data within the meaning of Article 9 of the GDPR. We only manage accounts for doctors and healthcare professionals (professional identification data and schedules). No patient-related data is collected or stored.

3.1 Identification data

  • First and last name
  • Professional email address
  • Medical specialty (optional)
  • Profile picture (optional)
  • Phone number (optional)

3.2 Usage data

  • Scheduling preferences and availability
  • History of on-call duties, standby and locum shifts
  • Connection logs (date, time, IP address)
  • Usage and interaction statistics
  • Mobile advertising identifier (if applicable)

3.3 Imported data (optional)

  • Personal calendar events if you enable synchronization (Google Calendar, Outlook, iCloud)

3.4 Cookies and trackers

For more information about cookies, see our Cookie Policy.

4. Purposes of processing

PurposeLegal basis
Provision of the service (account creation, schedule management, shift exchanges)Performance of the contract (Terms of Service)
Improving usability and developing new featuresLegitimate interest
Securing the Application (abuse and fraud detection)Legitimate interest
Aggregated and anonymized statistics for our sponsorsLegitimate interest
Display of advertisements and sponsored contentConsent
Sending notifications and marketing communicationsConsent
Compliance with legal obligationsLegal obligation

5. Hosting and processors

Your data is hosted by the following providers:

Database — Supabase Inc.

Address: 548 Market St, San Francisco, CA 94104, United States
Contact: legal@supabase.io
Function: PostgreSQL database hosting

Application server — Render Services, Inc.

Address: 525 Brannan Street Ste 300, San Francisco, CA 94107, United States
Phone: +1 415 881 5869
Function: Backend and API hosting

Frontend and website — Vercel Inc.

Address: 440 N Barranca Ave #4133, Covina, CA 91723, United States
Phone: +1 559 288 7060
Function: Hosting of the website and front-end application

Other processors

  • Analytics services: to measure audience and improve the user experience
  • Email services: for sending notifications and communications
  • Advertising networks: for displaying advertisements (with your consent)

All our processors are bound by contracts compliant with Article 28 of the GDPR guaranteeing the protection of your data.

6. Data transfers outside the European Union

Some of our providers are located in the United States. These transfers are governed by:

  • The Standard Contractual Clauses (SCCs) of the European Commission (decision 2021/914)
  • The EU-US Data Privacy Framework for certified providers
  • Additional technical measures (encryption, pseudonymization) in accordance with the recommendations of the EDPB following Schrems II

You can obtain a copy of the appropriate safeguards by contacting us at julien@superpagr.com.

7. Data retention period

Type of dataRetention period
User account dataDuration of account activity + 3 years after deletion or inactivity
Connection logs12 months (legal obligation under the LCEN)
Cookies13 months maximum (CNIL recommendation)
Aggregated and anonymized statistical dataUp to 5 years
Billing data (if applicable)10 years (accounting obligation)

8. Data security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption at rest: AES-256 for stored data
  • Encryption in transit: TLS 1.3 for all communications
  • Strong authentication: mandatory MFA for administrators
  • Access control: principle of least privilege
  • Backups: regular and encrypted backups
  • Monitoring: continuous monitoring of access and anomalies

9. Data breach

In the event of a data breach likely to result in a risk to your rights and freedoms, we commit to:

  • Notify the CNIL within 72 hours in accordance with Article 33 of the GDPR
  • Inform you as soon as possible if the breach is likely to result in a high risk to your rights (Article 34 of the GDPR)
  • Document the incident and the corrective measures taken

10. Your rights

In accordance with the GDPR and applicable French data protection law, you have the following rights:

  • Right of access: obtain confirmation of the processing and a copy of your data
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure: request deletion of your data
  • Right to restriction of processing: restrict processing in certain cases
  • Right to object: object to processing on legitimate grounds
  • Right to data portability: receive your data in a structured format
  • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing
  • Post-mortem directives: define directives on the fate of your data after your death

How to exercise your rights

Send your request by email to julien@superpagr.com or by postal mail to:

KARUKERA — Data Protection
24 Rue du Puits Picard
14000 Caen – France

Please include a copy of an identity document. We will respond within one month (extendable by two months for complex requests).

11. Minors

The Application is intended for healthcare professionals and is not designed for persons under 18 years of age. We do not knowingly collect personal data from minors.

12. Sharing with third parties

We never sell or rent your personal data.

Your data may only be shared in the following cases:

  • Technical processors: for hosting, emailing, and analytics (bound by GDPR contracts)
  • Sponsors and partners: only aggregated and anonymized statistical data (no nominative data)
  • Authorities: in case of legal obligation or judicial requisition

13. Changes to this policy

We may update this policy to reflect changes in our practices or in the regulations. In the event of a substantial modification, you will be informed by email or notification in the Application at least 15 days before it takes effect.

The date of the last update appears at the top of this document.

14. Complaint

If you believe that the processing of your data constitutes a violation of the GDPR, you have the right to lodge a complaint with the CNIL:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07
Website: www.cnil.fr

Contact — Data Protection

Julien LELANDAIS
Email: julien@superpagr.com
Phone: +33 6 14 91 72 12