Version 1.0 — 2026
This Privacy Policy covers the DEESCO corporate website, the Deesco Pass platform, and all associated services and platforms within the DEESCO ecosystem, including notably Deesco Very.
| Version |
v1.0 |
| Effective Date |
June 01, 2026 |
| Applicable Law |
French Law |
| Company |
DEESCO SAS |
| SIREN |
987 685 559 |
| Address |
19 rue de Miromesnil, 75008 Paris, France |
| Personal Data |
dpo@deesco.com |
| Contact |
contact@deesco.com | support@deesco.com |
| Hosting |
OVH cloud France |
| Payment |
Stripe, Inc. |
1. Preamble and Scope of Application
This Privacy Policy (hereinafter the "Policy") describes how DEESCO SAS (hereinafter "DEESCO", "we", or the "Company") collects, processes, stores, and protects users' personal data when operating the following platforms and services:
- DEESCO (www.deesco.com/fr) - the group's corporate website;
- Deesco Pass® (deescopass.deesco.com/fr) - B2C/B2B2C SaaS platform for home energy management;
- Deesco Very® (deescovery.deesco.com/fr) - B2B professional platform dedicated to partners and professionals.
This Privacy Policy applies to all services operated by DEESCO SAS, specifically Deesco Pass® and Deesco Very®. It details the conditions under which users' personal data are collected, used, retained, secured, and, if applicable, deleted.
It is established in accordance with the General Data Protection Regulation (GDPR), the amended French Data Protection Act (Loi Informatique et Libertés), and applicable recommendations and guidelines from competent data protection authorities.
This Privacy Policy must be read in conjunction with the DEESCO Legal Notice accessible from the Services. The Legal Notice provides details regarding the publisher of the Services, hosting, intellectual property, and provisions applicable to cookies and trackers used within the Services.
The use of the Services implies the unreserved acceptance of this Policy. DEESCO reserves the right to modify this Policy at any time; the version in effect is the one accessible on the relevant platforms at the date of consultation. In the event of a material change, DEESCO will notify users via email or an alert on the platform.
The terms of use for the Services are described in the General Terms and Conditions of Sale and Use (CGVU) applicable to Deesco Pass®. Information regarding the publisher of the Services, hosting, and mandatory legal declarations can be found in the DEESCO Legal Notice. This Policy supplements those documents and must be read in conjunction with them.
The Services are strictly reserved for individuals of legal age (18 years or older). DEESCO does not knowingly collect data from minors.
2. Data Controller
The data controller for personal data collected within the scope of the Services is:
DEESCO SAS
A Simplified Joint-Stock Company incorporated under French law
Share capital: 100 000 €
Head office: 19 rue de Miromesnil, 75008 Paris, France
RCS Paris (Registration Date: 28/03/2024)
Contact: contact@deesco.com
DPO: dpo@deesco.com
For any questions regarding the processing of your personal data, you may contact our DPO at dpo@deesco.com. DEESCO undertakes to respond to any request within a reasonable timeframe and no later than the one-month period required under the GDPR.
3. Definitions
| Term |
Definition |
| Personal Data |
Any information relating to an identified or identifiable natural person. |
| Processing |
Any operation performed on personal data (collection, storage, use, transmission, deletion, etc.). |
| Data Controller |
The entity that determines the purposes and means of the processing - DEESCO SAS. |
| Data Processor |
Any technical or functional provider processing data on behalf of DEESCO. |
| User |
Any natural person accessing DEESCO Services, Deesco Pass®, or Deesco Very®. |
| Services |
All the functionalities accessible on the DEESCO group platforms. |
| Partner |
A company selected by DEESCO that can receive certain structured data from the user following the user's explicit consent. |
| eDPE by DEESCO® |
Proprietary informative energy estimation, with no regulatory or legally binding value. |
| Housing Safe |
Personal secure document storage space within Deesco Pass®. |
4. Personal Data Collected
DEESCO collects and processes several categories of personal data depending on the functionalities used. The following table breaks down all the categories involved.
4.1 Data Categories
| Category |
Collected Data |
Source |
| Identification |
Last name, first name, email address, phone number (optional). |
Direct entry |
| Housing |
Property address, type of housing, surface area, year of construction, EPC/DPE level, occupancy status (owner/tenant). |
Direct entry / Onboarding |
| Equipment |
Heating system, domestic hot water, insulation, ventilation, doors/windows, photovoltaic panels, charging station, electric vehicle. |
Direct entry / OCR |
| Energy Consumption |
Electricity consumption data (ENEDIS), gas consumption data (GRDF/Gazpar), invoice history. |
API / Import / OCR |
| EPC/DPE & eDPE |
ADEME DPE reference, retrieved DPE label, calculated eDPE by DEESCO® data, proprietary energy scoring. |
ADEME / Internal calculation |
| Documents & Safe |
Any document uploaded by the user: invoices, certificates, quotes, diagnostics, intervention reports. |
User import |
| Simulation & Projections |
Simulated works data, estimated aid, projected savings, simulated financing, solar panel sizing, electric mobility simulation. |
Internal calculation |
| Preferences & Objectives |
Declared objectives (reduce bills, improve DPE, comfort, etc.), notification preferences, partner preferences. |
Direct entry |
| Technical Data |
IP address, browser type, operating system, session identifiers, activity logs, browsing data. |
Automatic collection |
| Consents |
History of consents granted, withdrawn, or refused, with timestamp and version. |
Internal logging |
| Billing Data |
Subscription information (plan, period, amount). Payment data is handled exclusively by Stripe. |
Stripe |
| Household Composition |
Number of occupants and use of the property for energy estimation purposes. |
Direct entry / Onboarding |
4.2 Data Not Collected
DEESCO does not collect special categories of data as outlined in Article 9 of the GDPR (health data, biometric data, political opinions, religious beliefs, racial or ethnic origin). Energy and property data, although potentially reflecting certain usage or consumption habits, do not constitute sensitive data under Article 9 of the GDPR.
The Services do not offer any public space, forum, comment system, user-to-user messaging, or community feature that allows users to access other users' information. Therefore, identification data (name, email, account details) is never made accessible to other users of the Services.
However, certain data may be accessible to authorized personnel of DEESCO SAS as well as to duly authorized technical processors operating for the purposes of managing, developing, maintaining, hosting, securing, or supporting the Services. This access is strictly limited to the scope of their assigned missions and is framed by contractual obligations of confidentiality, security, and personal data protection.
5. Purposes of Processing, Legal Bases, and Retention Periods
The following table lists all processing activities carried out by DEESCO, their purpose, applicable legal basis, retention period, and potential recipients.
| Purpose |
Concerned Data |
Legal Basis |
Duration |
Nature |
| Account Creation and Management |
Identity, email, telephone |
Performance of a contract |
Duration of active account, then irreversible anonymization within a maximum of 30 days after account deletion. |
Mandatory |
| Onboarding and Property Personalization |
Property, equipment, household composition, objectives |
Performance of a contract |
Duration of active account |
Mandatory |
| eDPE by DEESCO® Calculation |
Property details, equipment, declared consumption |
Performance of a contract |
Duration of active account |
Mandatory for the Service |
| ADEME DPE Automatic Retrieval |
Property address, DPE reference number |
Performance of a contract |
Duration of active account |
Optional |
| ENEDIS API Connection (electricity) & GRDF/Gazpar API Connection (gas) |
Electricity consumption data / Gas consumption data |
Explicit consent |
Duration of the consented connection (18 months max) |
Optional |
| Invoice Import and OCR Processing |
Imported documents, extracted data |
Performance of a contract |
Duration of active account |
Optional |
| Housing Safe |
Imported and stored documents |
Performance of a contract |
Duration of active account, then deletion or anonymization within a maximum of 30 days after account deletion. |
Optional |
| Simulations of Works, Aid, and Financing |
Property data, equipment, simulated projects |
Performance of a contract |
Duration of active account |
Optional |
| Smart Energy Photovoltaic, Mobility |
Property data, specific equipment, vehicle usage |
Performance of a contract |
Duration of active account |
Optional |
| Recommendations and Scoring |
All property and consumption data |
Performance of a contract / Legitimate interest |
Duration of active account |
Inherent to the Services |
| Notifications and Alerts |
Email, notification preferences |
Performance of a contract / Consent |
Duration of active account |
Configurable |
| Connecting with Selected Partners |
Structured property and project data (based on accepted scope) |
Explicit consent |
One-off action at transmission date |
Optional |
| Subscription and Billing Management |
Plan, email, payment history |
Performance of a contract / Legal obligation |
Subscription duration + 10 years (accounting rules) |
Mandatory for paid subscriptions |
| System Security and Logging |
IP, logs, session identifiers |
Legitimate interest |
13 rolling months |
Automatic |
| R&D, Product Improvement, Statistics |
Anonymized and aggregated data |
Legitimate interest |
Indefinite duration (non-re-identifiable) |
Automatic post-anonymization |
| User Support |
Support history, identity, flagged data |
Performance of a contract |
3 years after ticket resolution |
Upon user request |
| GDPR Rights and Consent Management |
Identity, timestamped consents |
Legal obligation |
5 years after exercise of right |
Mandatory |
| Cookies and Audience Measurement (analytics) |
Browsing data, anonymous identifiers |
Consent / Technical necessity |
13 months (analytics cookies) |
Based on consent |
5.1 Additional Details on Legal Bases
Performance of a Contract: Most processing operations are based on the execution of the contract established between the user and DEESCO upon creating an account and accepting the General Terms and Conditions of Sale and Use (CGVU). These operations are necessary to deliver the primary features of the Services.
Consent: Certain operations require the user's explicit, free, specific, informed, and unambiguous consent. This applies to ENEDIS and GRDF API connections, introductory matches with selected partners, analytics cookies, and any processing not strictly required for the core Service. Consents are opt-in only (no pre-checked boxes), timestamped, logged, and version-tracked. The user can withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Legitimate Interest: DEESCO processes specific data based on its legitimate interest, particularly for system security, fraud prevention, technical logging, and product performance analysis using aggregated and anonymized data. These processing operations are systematically balanced against the fundamental rights and interests of the users, and never override them.
Legal Obligations: Certain data are retained to comply with DEESCO's legal obligations, notably concerning accounting regulations, handling GDPR rights, and maintaining contractual proof.
6. Automated Processing, OCR, and Data Extraction
6.1 Automated OCR Extraction
Any document uploaded by the user to Deesco Pass® (energy bills, quotes, certificates, diagnostics, etc.) may be processed by an automated Optical Character Recognition (OCR) system to extract structured data. The purpose of this extraction is to:
- automatically pre-fill relevant fields (consumption metrics, provider details, amounts, dates, hardware);
- feed into consumption tracking and energy scoring features;
- improve the accuracy of simulations, recommendations, and eDPE estimations;
- trigger relevant alerts and notifications.
OCR extraction does not constitute automated decision-making that produces legal effects or significantly affects the user under Article 22 of the GDPR. It is part of the execution of the service contract and does not require separate consent.
Raw documents uploaded by the user are never shared with third-party partners. Only structured, contextualized data may be shared for commercial matchmaking purposes, and only with the explicit consent of the user.
6.2 Recommendations, Scoring, and Algorithmic Processing
Deesco Pass® Services automatically generate recommendations, estimations, savings projections, works simulations, energy scoring, and optimization advice using proprietary algorithms, statistical models, and calculation engines built by DEESCO.
These automated workflows:
- rely on data declared and collected under the user's account profile;
- may deploy baseline statistical assumptions when certain specific points of data are missing;
- do not lead to any legal, financial, administrative, or regulatory decisions;
- do not qualify as automated decision-making under Article 22 GDPR producing legal effects on the user;
- are provided solely for informational and indicative purposes, without binding status.
The eDPE by DEESCO® is a proprietary and informative energy estimate. It is not a substitute for a regulatory Energy Performance Certificate (DPE) performed by a certified professional, holds no legal or opposable weight, and cannot be used for property sales, rentals, or administrative procedures.
7. Consent Management
7.1 Collection and Requirements for Validity
DEESCO collects consents in strict compliance with the conditions set out in Article 7 of the GDPR. Every consent is:
- freely given: no service is conditioned on granting consent for data processing that is not necessary for the core execution of the Service;
- informed: the user is provided clear and accessible details regarding the purpose of processing prior to consenting;
- specific: distinct consent is requested for each separate purpose;
- unambiguous: consent is given through a clear affirmative action (checkbox, manually clicking a confirmation button);
- not pre-checked: checkboxes are never pre-selected by default.
7.2 Logging and Traceability
Each consent granted, modified, or withdrawn is recorded along with the date and time (timestamp), the active version of the policy or form at the time of submission, the purpose targeted, and the action taken (grant, refusal, withdrawal). These records serve as proof of consent, which DEESCO is legally required to maintain under the GDPR.
7.3 Scope of Consents
| Subject of Consent |
Collection Point |
Effect of Withdrawal |
| Acceptance of CGVU and Privacy Policy |
Upon account creation |
Account termination and cessation of access to Services |
| ENEDIS API Connection (electricity consumption data) |
When enabling the feature |
Immediate disconnection and stoppage of data synchronization |
| GRDF / Gazpar API Connection (gas consumption data) |
When enabling the feature |
Immediate disconnection and stoppage of data synchronization |
| Connecting with Selected Partners |
With each specific connection request |
Does not impact data transfers that have already occurred |
| Receiving Commercial & Partner Communications |
Upon account creation / in preferences |
Immediate unsubscription from the relevant communication streams |
| Analytics Cookies and Audience Measurement |
Upon initial visit (cookie banner) |
Deletion of non-essential cookies and stoppage of tracking metrics |
7.4 Withdrawal of Consent
Users can withdraw their consent at any time through their account dashboard (Settings > Privacy section), by emailing dpo@deesco.com, or via the cookie management platform found in the footer. Withdrawing consent does not affect the lawfulness of processing carried out prior to that withdrawal.
8. Recipients, Data Processors, and Partners
8.1 Principles of Transmission
DEESCO does not sell or lease its users' personal data to third parties. Data may be shared in three distinct types of situations, following the rules detailed below.
8.2 Technical Processors
DEESCO works with authorized processors for the technical delivery of the Services. These processors act solely under instructions from DEESCO and are contractually bound to comply with the GDPR and this Policy.
Personal data may be shared, strictly within the scope of their respective assignments, with the following categories of recipients:
- DEESCO group corporate entities handling development, maintenance, support, or technical assistance (including DEESCO SA, Switzerland, acting as a sub-processor for DEESCO SAS);
- hosting and technical infrastructure providers;
- development, maintenance, and technical support service providers;
- secure payment gateways;
- energy data providers and public utilities;
- audience measurement, statistical analysis, and performance tracking services;
- legally authorized administrative or judicial bodies.
Certain technical sub-processors appointed by DEESCO SAS (including DEESCO SA as a processor) may access user data when strictly necessary to execute their duties. This access is restricted to authorized personnel. DEESCO SAS ensures that data transfers outside the EU are structured around appropriate legal safeguards (Standard Contractual Clauses, adequacy decisions).
8.3 Commercial Partners
Deesco Pass® can, subject to the explicit prior consent of the user, transfer specific structured data to selected partners operating in the fields of energy renovation, hardware equipment, financing, insurance, real estate, energy utility, and low-carbon transition.
These transfers are governed by the following core principles:
- Mandatory prior consent, specific to each partner or partner group category;
- One-off, proportionate data transfer limited only to what is needed for the match introduction;
- Partners act as independent data controllers governed by their own privacy terms;
- Raw documents from the digital safe are never shared with commercial partners;
- DEESCO may receive commissions or commercial fees within the framework of these partner introductions.
8.4 Competent Authorities
DEESCO may be required to share personal data with competent judicial, administrative, or regulatory authorities (notably the CNIL, Europol, or courts of law) when mandated by applicable statutes, strictly within the boundaries of such legal obligations.
9. Aggregated, Anonymized Data and Statistics
Following the expiration of personal data retention windows or following an account deletion, DEESCO may preserve and process data that has undergone irreversible anonymization. This data can include: aggregated consumption metrics, usage behavior tracking, geo-localized energy trends, and baseline metrics for improving eDPE calculation algorithms. This data is leveraged for Service enhancement, R&D, and product innovation.
10. Retention Periods
| Data Category |
Retention Period |
Triggering Event |
| Account Data (identity, contact info) |
Duration of active account, then irreversible anonymization within a maximum of 30 days following account deletion. |
Account deletion |
| Property & Energy Data |
Duration of active account, then irreversible anonymization within a maximum of 30 days following account deletion. |
Account deletion |
| ENEDIS / GRDF Data |
Duration of active connection + 18 months maximum |
Withdrawal of consent or account deletion |
| Safe Documents |
Duration of active account, then irreversible anonymization within a maximum of 30 days following account deletion. |
Deletion request or account closure |
| Logs and Security Events |
13 rolling months |
Automatic workflow |
| Consent Records & History |
5 years after exercise or withdrawal |
Withdrawal or exercise of right |
| Billing Data |
10 years starting from fiscal year closure |
Legal accounting obligation |
| Support Exchanges |
3 years following ticket resolution |
Ticket resolution closure |
| Anonymized Data |
Indefinite duration |
Not applicable (non-personal data) |
| Account Deletion Execution |
Effective deletion executed within a maximum of 30 days post-request |
User deletion request |
11. Data Security
11.1 Technical and Organizational Measures
DEESCO deploys appropriate security frameworks (TLS/HTTPS in-transit encryption, at-rest encryption for sensitive records, strict role-based access control, MFA for administrators, comprehensive access logging, hosting on certified OVHcloud infrastructure located in France).
11.2 Limitations and Responsibilities
DEESCO cannot guarantee absolute safety over web ecosystems. In the event of a security breach implying a high risk for user rights and freedoms, DEESCO will notify the CNIL and inform affected users in line with GDPR requirements.
11.3 User Responsibility
The user is responsible for keeping login passwords strictly private. Any unauthorized access suspicion must be sent immediately to support@deesco.com.
12. Cookies and Trackers Policy
12.1 Definition and Usage
Cookies identify a user profile across active sessions to streamline browser settings and optimize response speed.
12.2 Categories of Cookies Used
| Category |
Description |
Legal Basis |
Duration |
| Strictly Necessary Cookies |
Essential for platform operation (sessions, security settings, language, cart). |
Technical necessity (no consent required) |
Session / 13 months max. |
| Analytics and Audience Cookies |
Traffic metrics, navigation behavior. Aggregated and anonymized data format. |
Consent |
13 months |
| Preference Cookies |
Saves local settings chosen by the user (display themes, notification types). |
Consent |
12 months |
| Third-Party Cookies (if applicable) |
Third-party analytical or functional tools governed by their own privacy terms. |
Consent |
Varies by third party |
12.3 Cookie Settings Management
Choices can be adjusted at any time through the cookie preference panel located in the platform footer. Refusing analytics cookies does not block access to core features of the Services.
13. Rights of the Data Subjects
13.1 Directory of Rights
| Right |
Scope |
How to Exercise |
| Access (Art. 15) |
Obtain confirmation and copy of personal data processed. |
Account dashboard or dpo@deesco.com |
| Rectification (Art. 16) |
Correct or complete inaccurate records. |
Account dashboard or dpo@deesco.com |
| Erasure (Art. 17) |
Request deletion of personal records. |
Email dpo@deesco.com (Executed within 30 days) |
| Restriction (Art. 18) |
Temporarily freeze processing operations. |
Email dpo@deesco.com |
| Objection (Art. 21) |
Object to processing based on legitimate interest or marketing. |
Account dashboard or dpo@deesco.com |
| Portability (Art. 20) |
Receive data in a structured, machine-readable format. |
Email dpo@deesco.com (JSON or CSV format) |
| Withdrawal of Consent (Art. 7) |
Revoke previously granted processing authorizations. |
Dashboard > Settings > Privacy section |
| Post-Mortem Directives |
Set instructions regarding data management after death. |
Email dpo@deesco.com |
13.2 Response Timescale
Requests are processed within a maximum timeframe of one month. Identity validation checks may be deployed for sensitive accounts.
13.3 Right to Lodge a Complaint with the CNIL
Users maintain the legal right to lodge complaints directly with the CNIL (3 Place de Fontenoy, 75334 Paris, www.cnil.fr).
14. International Data Transfers
DEESCO primarily handles data processing and hosting within the EU (OVH cloud in France). On an exceptional basis, data may be transferred to DEESCO SA in Switzerland for processor support, covered under the European Commission's adequacy decision. Any other out-of-EEA transfer relies on Standard Contractual Clauses.
15. Changes to this Policy
DEESCO reserves the right to update this Policy at any time. If changes are material, users will receive a notice via email or platform alerts with a reasonable preview window before enforcement.
16. Contact and DPO
| Channel |
Contact Details |
| Data Protection Officer (DPO) |
dpo@deesco.com |
| General Support |
support@deesco.com |
| Corporate Contact |
contact@deesco.com |
| Postal Address |
DEESCO SAS - Attn: DPO - 19 rue de Miromesnil, 75008 Paris, France |
Acknowledge of receipt within 72 business hours. All rights reserved DEESCO SAS.