Deesco Pass
FREN

Privacy policy

Version 1.0 — 2026 This Privacy Policy covers the DEESCO corporate website, the Deesco Pass platform, and all associated services and platforms within the DEESCO ecosystem, including notably Deesco Very.
Version v1.0
Effective Date June 01, 2026
Applicable Law French Law
Company DEESCO SAS
SIREN 987 685 559
Address 19 rue de Miromesnil, 75008 Paris, France
Personal Data dpo@deesco.com
Contact contact@deesco.com | support@deesco.com
Hosting OVH cloud France
Payment Stripe, Inc.

1. Preamble and Scope of Application

This Privacy Policy (hereinafter the "Policy") describes how DEESCO SAS (hereinafter "DEESCO", "we", or the "Company") collects, processes, stores, and protects users' personal data when operating the following platforms and services:
  • DEESCO (www.deesco.com/fr) - the group's corporate website;
  • Deesco Pass® (deescopass.deesco.com/fr) - B2C/B2B2C SaaS platform for home energy management;
  • Deesco Very® (deescovery.deesco.com/fr) - B2B professional platform dedicated to partners and professionals.
This Privacy Policy applies to all services operated by DEESCO SAS, specifically Deesco Pass® and Deesco Very®. It details the conditions under which users' personal data are collected, used, retained, secured, and, if applicable, deleted. It is established in accordance with the General Data Protection Regulation (GDPR), the amended French Data Protection Act (Loi Informatique et Libertés), and applicable recommendations and guidelines from competent data protection authorities. This Privacy Policy must be read in conjunction with the DEESCO Legal Notice accessible from the Services. The Legal Notice provides details regarding the publisher of the Services, hosting, intellectual property, and provisions applicable to cookies and trackers used within the Services. The use of the Services implies the unreserved acceptance of this Policy. DEESCO reserves the right to modify this Policy at any time; the version in effect is the one accessible on the relevant platforms at the date of consultation. In the event of a material change, DEESCO will notify users via email or an alert on the platform. The terms of use for the Services are described in the General Terms and Conditions of Sale and Use (CGVU) applicable to Deesco Pass®. Information regarding the publisher of the Services, hosting, and mandatory legal declarations can be found in the DEESCO Legal Notice. This Policy supplements those documents and must be read in conjunction with them. The Services are strictly reserved for individuals of legal age (18 years or older). DEESCO does not knowingly collect data from minors.

2. Data Controller

The data controller for personal data collected within the scope of the Services is: DEESCO SAS A Simplified Joint-Stock Company incorporated under French law Share capital: 100 000 € Head office: 19 rue de Miromesnil, 75008 Paris, France RCS Paris (Registration Date: 28/03/2024) Contact: contact@deesco.com DPO: dpo@deesco.com For any questions regarding the processing of your personal data, you may contact our DPO at dpo@deesco.com. DEESCO undertakes to respond to any request within a reasonable timeframe and no later than the one-month period required under the GDPR.

3. Definitions

Term Definition
Personal Data Any information relating to an identified or identifiable natural person.
Processing Any operation performed on personal data (collection, storage, use, transmission, deletion, etc.).
Data Controller The entity that determines the purposes and means of the processing - DEESCO SAS.
Data Processor Any technical or functional provider processing data on behalf of DEESCO.
User Any natural person accessing DEESCO Services, Deesco Pass®, or Deesco Very®.
Services All the functionalities accessible on the DEESCO group platforms.
Partner A company selected by DEESCO that can receive certain structured data from the user following the user's explicit consent.
eDPE by DEESCO® Proprietary informative energy estimation, with no regulatory or legally binding value.
Housing Safe Personal secure document storage space within Deesco Pass®.

4. Personal Data Collected

DEESCO collects and processes several categories of personal data depending on the functionalities used. The following table breaks down all the categories involved.

4.1 Data Categories

Category Collected Data Source
Identification Last name, first name, email address, phone number (optional). Direct entry
Housing Property address, type of housing, surface area, year of construction, EPC/DPE level, occupancy status (owner/tenant). Direct entry / Onboarding
Equipment Heating system, domestic hot water, insulation, ventilation, doors/windows, photovoltaic panels, charging station, electric vehicle. Direct entry / OCR
Energy Consumption Electricity consumption data (ENEDIS), gas consumption data (GRDF/Gazpar), invoice history. API / Import / OCR
EPC/DPE & eDPE ADEME DPE reference, retrieved DPE label, calculated eDPE by DEESCO® data, proprietary energy scoring. ADEME / Internal calculation
Documents & Safe Any document uploaded by the user: invoices, certificates, quotes, diagnostics, intervention reports. User import
Simulation & Projections Simulated works data, estimated aid, projected savings, simulated financing, solar panel sizing, electric mobility simulation. Internal calculation
Preferences & Objectives Declared objectives (reduce bills, improve DPE, comfort, etc.), notification preferences, partner preferences. Direct entry
Technical Data IP address, browser type, operating system, session identifiers, activity logs, browsing data. Automatic collection
Consents History of consents granted, withdrawn, or refused, with timestamp and version. Internal logging
Billing Data Subscription information (plan, period, amount). Payment data is handled exclusively by Stripe. Stripe
Household Composition Number of occupants and use of the property for energy estimation purposes. Direct entry / Onboarding

4.2 Data Not Collected

DEESCO does not collect special categories of data as outlined in Article 9 of the GDPR (health data, biometric data, political opinions, religious beliefs, racial or ethnic origin). Energy and property data, although potentially reflecting certain usage or consumption habits, do not constitute sensitive data under Article 9 of the GDPR. The Services do not offer any public space, forum, comment system, user-to-user messaging, or community feature that allows users to access other users' information. Therefore, identification data (name, email, account details) is never made accessible to other users of the Services. However, certain data may be accessible to authorized personnel of DEESCO SAS as well as to duly authorized technical processors operating for the purposes of managing, developing, maintaining, hosting, securing, or supporting the Services. This access is strictly limited to the scope of their assigned missions and is framed by contractual obligations of confidentiality, security, and personal data protection.

5. Purposes of Processing, Legal Bases, and Retention Periods

The following table lists all processing activities carried out by DEESCO, their purpose, applicable legal basis, retention period, and potential recipients.
Purpose Concerned Data Legal Basis Duration Nature
Account Creation and Management Identity, email, telephone Performance of a contract Duration of active account, then irreversible anonymization within a maximum of 30 days after account deletion. Mandatory
Onboarding and Property Personalization Property, equipment, household composition, objectives Performance of a contract Duration of active account Mandatory
eDPE by DEESCO® Calculation Property details, equipment, declared consumption Performance of a contract Duration of active account Mandatory for the Service
ADEME DPE Automatic Retrieval Property address, DPE reference number Performance of a contract Duration of active account Optional
ENEDIS API Connection (electricity) & GRDF/Gazpar API Connection (gas) Electricity consumption data / Gas consumption data Explicit consent Duration of the consented connection (18 months max) Optional
Invoice Import and OCR Processing Imported documents, extracted data Performance of a contract Duration of active account Optional
Housing Safe Imported and stored documents Performance of a contract Duration of active account, then deletion or anonymization within a maximum of 30 days after account deletion. Optional
Simulations of Works, Aid, and Financing Property data, equipment, simulated projects Performance of a contract Duration of active account Optional
Smart Energy Photovoltaic, Mobility Property data, specific equipment, vehicle usage Performance of a contract Duration of active account Optional
Recommendations and Scoring All property and consumption data Performance of a contract / Legitimate interest Duration of active account Inherent to the Services
Notifications and Alerts Email, notification preferences Performance of a contract / Consent Duration of active account Configurable
Connecting with Selected Partners Structured property and project data (based on accepted scope) Explicit consent One-off action at transmission date Optional
Subscription and Billing Management Plan, email, payment history Performance of a contract / Legal obligation Subscription duration + 10 years (accounting rules) Mandatory for paid subscriptions
System Security and Logging IP, logs, session identifiers Legitimate interest 13 rolling months Automatic
R&D, Product Improvement, Statistics Anonymized and aggregated data Legitimate interest Indefinite duration (non-re-identifiable) Automatic post-anonymization
User Support Support history, identity, flagged data Performance of a contract 3 years after ticket resolution Upon user request
GDPR Rights and Consent Management Identity, timestamped consents Legal obligation 5 years after exercise of right Mandatory
Cookies and Audience Measurement (analytics) Browsing data, anonymous identifiers Consent / Technical necessity 13 months (analytics cookies) Based on consent

5.1 Additional Details on Legal Bases

Performance of a Contract: Most processing operations are based on the execution of the contract established between the user and DEESCO upon creating an account and accepting the General Terms and Conditions of Sale and Use (CGVU). These operations are necessary to deliver the primary features of the Services. Consent: Certain operations require the user's explicit, free, specific, informed, and unambiguous consent. This applies to ENEDIS and GRDF API connections, introductory matches with selected partners, analytics cookies, and any processing not strictly required for the core Service. Consents are opt-in only (no pre-checked boxes), timestamped, logged, and version-tracked. The user can withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. Legitimate Interest: DEESCO processes specific data based on its legitimate interest, particularly for system security, fraud prevention, technical logging, and product performance analysis using aggregated and anonymized data. These processing operations are systematically balanced against the fundamental rights and interests of the users, and never override them. Legal Obligations: Certain data are retained to comply with DEESCO's legal obligations, notably concerning accounting regulations, handling GDPR rights, and maintaining contractual proof.

6. Automated Processing, OCR, and Data Extraction

6.1 Automated OCR Extraction

Any document uploaded by the user to Deesco Pass® (energy bills, quotes, certificates, diagnostics, etc.) may be processed by an automated Optical Character Recognition (OCR) system to extract structured data. The purpose of this extraction is to:
  • automatically pre-fill relevant fields (consumption metrics, provider details, amounts, dates, hardware);
  • feed into consumption tracking and energy scoring features;
  • improve the accuracy of simulations, recommendations, and eDPE estimations;
  • trigger relevant alerts and notifications.
OCR extraction does not constitute automated decision-making that produces legal effects or significantly affects the user under Article 22 of the GDPR. It is part of the execution of the service contract and does not require separate consent. Raw documents uploaded by the user are never shared with third-party partners. Only structured, contextualized data may be shared for commercial matchmaking purposes, and only with the explicit consent of the user.

6.2 Recommendations, Scoring, and Algorithmic Processing

Deesco Pass® Services automatically generate recommendations, estimations, savings projections, works simulations, energy scoring, and optimization advice using proprietary algorithms, statistical models, and calculation engines built by DEESCO. These automated workflows:
  • rely on data declared and collected under the user's account profile;
  • may deploy baseline statistical assumptions when certain specific points of data are missing;
  • do not lead to any legal, financial, administrative, or regulatory decisions;
  • do not qualify as automated decision-making under Article 22 GDPR producing legal effects on the user;
  • are provided solely for informational and indicative purposes, without binding status.
The eDPE by DEESCO® is a proprietary and informative energy estimate. It is not a substitute for a regulatory Energy Performance Certificate (DPE) performed by a certified professional, holds no legal or opposable weight, and cannot be used for property sales, rentals, or administrative procedures.

7. Consent Management

7.1 Collection and Requirements for Validity

DEESCO collects consents in strict compliance with the conditions set out in Article 7 of the GDPR. Every consent is:
  • freely given: no service is conditioned on granting consent for data processing that is not necessary for the core execution of the Service;
  • informed: the user is provided clear and accessible details regarding the purpose of processing prior to consenting;
  • specific: distinct consent is requested for each separate purpose;
  • unambiguous: consent is given through a clear affirmative action (checkbox, manually clicking a confirmation button);
  • not pre-checked: checkboxes are never pre-selected by default.

7.2 Logging and Traceability

Each consent granted, modified, or withdrawn is recorded along with the date and time (timestamp), the active version of the policy or form at the time of submission, the purpose targeted, and the action taken (grant, refusal, withdrawal). These records serve as proof of consent, which DEESCO is legally required to maintain under the GDPR.

7.3 Scope of Consents

Subject of Consent Collection Point Effect of Withdrawal
Acceptance of CGVU and Privacy Policy Upon account creation Account termination and cessation of access to Services
ENEDIS API Connection (electricity consumption data) When enabling the feature Immediate disconnection and stoppage of data synchronization
GRDF / Gazpar API Connection (gas consumption data) When enabling the feature Immediate disconnection and stoppage of data synchronization
Connecting with Selected Partners With each specific connection request Does not impact data transfers that have already occurred
Receiving Commercial & Partner Communications Upon account creation / in preferences Immediate unsubscription from the relevant communication streams
Analytics Cookies and Audience Measurement Upon initial visit (cookie banner) Deletion of non-essential cookies and stoppage of tracking metrics

7.4 Withdrawal of Consent

Users can withdraw their consent at any time through their account dashboard (Settings > Privacy section), by emailing dpo@deesco.com, or via the cookie management platform found in the footer. Withdrawing consent does not affect the lawfulness of processing carried out prior to that withdrawal.

8. Recipients, Data Processors, and Partners

8.1 Principles of Transmission

DEESCO does not sell or lease its users' personal data to third parties. Data may be shared in three distinct types of situations, following the rules detailed below.

8.2 Technical Processors

DEESCO works with authorized processors for the technical delivery of the Services. These processors act solely under instructions from DEESCO and are contractually bound to comply with the GDPR and this Policy. Personal data may be shared, strictly within the scope of their respective assignments, with the following categories of recipients:
  • DEESCO group corporate entities handling development, maintenance, support, or technical assistance (including DEESCO SA, Switzerland, acting as a sub-processor for DEESCO SAS);
  • hosting and technical infrastructure providers;
  • development, maintenance, and technical support service providers;
  • secure payment gateways;
  • energy data providers and public utilities;
  • audience measurement, statistical analysis, and performance tracking services;
  • legally authorized administrative or judicial bodies.
Certain technical sub-processors appointed by DEESCO SAS (including DEESCO SA as a processor) may access user data when strictly necessary to execute their duties. This access is restricted to authorized personnel. DEESCO SAS ensures that data transfers outside the EU are structured around appropriate legal safeguards (Standard Contractual Clauses, adequacy decisions).

8.3 Commercial Partners

Deesco Pass® can, subject to the explicit prior consent of the user, transfer specific structured data to selected partners operating in the fields of energy renovation, hardware equipment, financing, insurance, real estate, energy utility, and low-carbon transition. These transfers are governed by the following core principles:
  • Mandatory prior consent, specific to each partner or partner group category;
  • One-off, proportionate data transfer limited only to what is needed for the match introduction;
  • Partners act as independent data controllers governed by their own privacy terms;
  • Raw documents from the digital safe are never shared with commercial partners;
  • DEESCO may receive commissions or commercial fees within the framework of these partner introductions.

8.4 Competent Authorities

DEESCO may be required to share personal data with competent judicial, administrative, or regulatory authorities (notably the CNIL, Europol, or courts of law) when mandated by applicable statutes, strictly within the boundaries of such legal obligations.

9. Aggregated, Anonymized Data and Statistics

Following the expiration of personal data retention windows or following an account deletion, DEESCO may preserve and process data that has undergone irreversible anonymization. This data can include: aggregated consumption metrics, usage behavior tracking, geo-localized energy trends, and baseline metrics for improving eDPE calculation algorithms. This data is leveraged for Service enhancement, R&D, and product innovation.

10. Retention Periods

Data Category Retention Period Triggering Event
Account Data (identity, contact info) Duration of active account, then irreversible anonymization within a maximum of 30 days following account deletion. Account deletion
Property & Energy Data Duration of active account, then irreversible anonymization within a maximum of 30 days following account deletion. Account deletion
ENEDIS / GRDF Data Duration of active connection + 18 months maximum Withdrawal of consent or account deletion
Safe Documents Duration of active account, then irreversible anonymization within a maximum of 30 days following account deletion. Deletion request or account closure
Logs and Security Events 13 rolling months Automatic workflow
Consent Records & History 5 years after exercise or withdrawal Withdrawal or exercise of right
Billing Data 10 years starting from fiscal year closure Legal accounting obligation
Support Exchanges 3 years following ticket resolution Ticket resolution closure
Anonymized Data Indefinite duration Not applicable (non-personal data)
Account Deletion Execution Effective deletion executed within a maximum of 30 days post-request User deletion request

11. Data Security

11.1 Technical and Organizational Measures

DEESCO deploys appropriate security frameworks (TLS/HTTPS in-transit encryption, at-rest encryption for sensitive records, strict role-based access control, MFA for administrators, comprehensive access logging, hosting on certified OVHcloud infrastructure located in France).

11.2 Limitations and Responsibilities

DEESCO cannot guarantee absolute safety over web ecosystems. In the event of a security breach implying a high risk for user rights and freedoms, DEESCO will notify the CNIL and inform affected users in line with GDPR requirements.

11.3 User Responsibility

The user is responsible for keeping login passwords strictly private. Any unauthorized access suspicion must be sent immediately to support@deesco.com.

12. Cookies and Trackers Policy

12.1 Definition and Usage

Cookies identify a user profile across active sessions to streamline browser settings and optimize response speed.

12.2 Categories of Cookies Used

Category Description Legal Basis Duration
Strictly Necessary Cookies Essential for platform operation (sessions, security settings, language, cart). Technical necessity (no consent required) Session / 13 months max.
Analytics and Audience Cookies Traffic metrics, navigation behavior. Aggregated and anonymized data format. Consent 13 months
Preference Cookies Saves local settings chosen by the user (display themes, notification types). Consent 12 months
Third-Party Cookies (if applicable) Third-party analytical or functional tools governed by their own privacy terms. Consent Varies by third party

12.3 Cookie Settings Management

Choices can be adjusted at any time through the cookie preference panel located in the platform footer. Refusing analytics cookies does not block access to core features of the Services.

13. Rights of the Data Subjects

13.1 Directory of Rights

Right Scope How to Exercise
Access (Art. 15) Obtain confirmation and copy of personal data processed. Account dashboard or dpo@deesco.com
Rectification (Art. 16) Correct or complete inaccurate records. Account dashboard or dpo@deesco.com
Erasure (Art. 17) Request deletion of personal records. Email dpo@deesco.com (Executed within 30 days)
Restriction (Art. 18) Temporarily freeze processing operations. Email dpo@deesco.com
Objection (Art. 21) Object to processing based on legitimate interest or marketing. Account dashboard or dpo@deesco.com
Portability (Art. 20) Receive data in a structured, machine-readable format. Email dpo@deesco.com (JSON or CSV format)
Withdrawal of Consent (Art. 7) Revoke previously granted processing authorizations. Dashboard > Settings > Privacy section
Post-Mortem Directives Set instructions regarding data management after death. Email dpo@deesco.com

13.2 Response Timescale

Requests are processed within a maximum timeframe of one month. Identity validation checks may be deployed for sensitive accounts.

13.3 Right to Lodge a Complaint with the CNIL

Users maintain the legal right to lodge complaints directly with the CNIL (3 Place de Fontenoy, 75334 Paris, www.cnil.fr).

14. International Data Transfers

DEESCO primarily handles data processing and hosting within the EU (OVH cloud in France). On an exceptional basis, data may be transferred to DEESCO SA in Switzerland for processor support, covered under the European Commission's adequacy decision. Any other out-of-EEA transfer relies on Standard Contractual Clauses.

15. Changes to this Policy

DEESCO reserves the right to update this Policy at any time. If changes are material, users will receive a notice via email or platform alerts with a reasonable preview window before enforcement.

16. Contact and DPO

Channel Contact Details
Data Protection Officer (DPO) dpo@deesco.com
General Support support@deesco.com
Corporate Contact contact@deesco.com
Postal Address DEESCO SAS - Attn: DPO - 19 rue de Miromesnil, 75008 Paris, France
Acknowledge of receipt within 72 business hours. All rights reserved DEESCO SAS.