Privacy Policy
Last updated: January 19, 2025
BnC Consulting SAS ("Onyria", "we", "our") operates the Onyria mobile application and related services. This Privacy Policy describes how we collect, use, share, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and French law.
By using our Services, you agree to the practices described in this Policy.
1. Data Controller
The data controller for your personal data is:
BnC Consulting SAS
Simplified Joint-Stock Company
Registered office: Lille, France
Email: privacy@onyria.app
2. Our Privacy Commitment
At Onyria, we believe your creativity belongs to you:
- Your images stay yours — AI-generated creations are processed via Reve AI's API and delivered directly to your device. If you choose to share a link, the image will be temporarily hosted on our servers.
- No training on your content — Your generated images are never used to train AI models. Prompts may be transmitted to Reve AI only if you rate an image, to help improve the service.
- Minimal data — We only collect information strictly necessary for the service to function.
3. Data We Collect
3.1 Data You Provide
| Data Type | Description | Legal Basis |
|---|---|---|
| Account data | Email address, identifier, authentication data (via Apple or Google) | Contract performance |
| Profile data | Username, preferences | Contract performance |
| Communications | Support messages, user feedback | Legitimate interest |
3.2 Data Collected Automatically
| Data Type | Description | Legal Basis |
|---|---|---|
| Technical data | Device type, iOS version, app version, device identifiers | Legitimate interest |
| Usage data | Features used, number of generations, timestamps | Legitimate interest |
| Performance data | Crash reports, technical diagnostics | Legitimate interest |
3.3 Payment Data
Payments are processed exclusively by Apple's App Store. We never receive or store your banking details or card numbers.
3.4 Data Stored Only at Your Initiative
- Your generated images — Stored only on your device, unless you choose to share a link to an image (it will then be temporarily hosted on our servers)
- Your prompts — Sent directly to Reve AI's API. If you rate an image (thumbs up/down), the associated prompt may be stored and transmitted to Reve AI to improve the service
- Your location — We don't access your geolocation data
- Your contacts — We don't access your address book, except when sharing a referral code (to prevent abuse)
- Your photos — We don't access your photo library except for images you explicitly import
4. Purposes of Processing
We use your data for:
| Purpose | Legal Basis |
|---|---|
| Provide and maintain the Services | Contract performance |
| Manage your account and credits | Contract performance |
| Process your purchases via the App Store | Contract performance |
| Send essential service notifications | Contract performance |
| Improve performance and fix bugs | Legitimate interest |
| Analyze service usage (aggregated statistics) | Legitimate interest |
| Respond to your support requests | Contract performance |
| Prevent fraud and abuse | Legitimate interest |
| Comply with our legal obligations | Legal obligation |
5. Image Generation
When you generate an image:
- Your prompt is sent directly to Reve AI's servers via their API
- Reve AI processes the request and generates the image
- The image is returned directly to your device
Image rating: If you rate an image (thumbs up/down), the associated prompt may be stored and transmitted to Reve AI to improve service quality.
Image sharing: If you choose to share a link to a generated image, it will be hosted on our servers to enable viewing.
Using the Reve AI API ensures that your images are not used to train their AI models.
6. Data Sharing
6.1 Service Providers
We share your data with the following providers, all located in the EU or offering adequate safeguards:
| Provider | Service | Location |
|---|---|---|
| Reve AI | Image generation (via API) | United States (Standard Contractual Clauses) |
| Clerk | Authentication | United States (Standard Contractual Clauses) |
| Apple | Authentication, payments (App Store) | United States (Standard Contractual Clauses) |
| Amplitude | Anonymized usage statistics | European Union |
| Clever Cloud | Server infrastructure | European Union (France) |
6.2 Other Sharing
We may share your data:
- With authorities: In response to a valid legal request
- To protect our rights: In case of fraud or Terms of Service violation
- In case of restructuring: As part of a merger or acquisition (you will be informed)
6.3 No Sale of Data
We never sell your personal data to third parties.
7. International Transfers
Some of our providers are located outside the European Economic Area (EEA). For these transfers, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Supplementary measures if necessary
8. Data Security
We implement technical and organizational security measures:
- Encryption: All communications use TLS 1.3
- Authentication: Managed by Clerk and Apple, certified providers
- Access: Principle of least privilege for our teams
- Audits: Regular review of our security practices
No system is perfectly secure. In case of a data breach affecting you, we will inform you as soon as possible.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of your account + 6 months after deletion |
| Usage data | 12 months (then anonymized) |
| Billing data | 10 years (French legal requirement) |
| Support communications | 3 years |
| Security data | 6 months maximum (anonymized, in case of legal proceedings) |
| Generated images | Not retained by us |
10. Your Rights
Under the GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access | Obtain a copy of your personal data |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion of your data ("right to be forgotten") |
| Restriction | Restrict the processing of your data |
| Portability | Receive your data in a structured, readable format |
| Objection | Object to certain processing based on legitimate interest |
| Withdraw consent | Withdraw your consent at any time (without affecting the lawfulness of prior processing) |
How to Exercise Your Rights
- In the app: Settings > Account > Privacy
- By email: privacy@onyria.app
- Account deletion: Available in app settings
We will respond to your request within one month. This period may be extended by two months for complex requests.
Complaint
You have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés):
- Website: www.cnil.fr
- Address: 3 Place de Fontenoy, 75007 Paris, France
11. Protection of Minors
Onyria is not intended for persons under 18 years of age. We do not knowingly collect data from minors. If we learn that a minor has created an account, we will delete it.
If you are a parent or guardian and believe your child has provided us with data, contact us at privacy@onyria.app.
12. Cookies and Similar Technologies
Our mobile application does not use traditional cookies. However, we use:
- Device identifiers: For technical app functionality
- Local storage: For your preferences and session data
You can reset your advertising identifier in iOS settings.
13. Changes to This Policy
We may update this Privacy Policy periodically. In case of substantial changes:
- We will inform you via the application or by email
- The new update date will be shown at the top of this document
- For major changes, we will request your consent if necessary
Your continued use of the Services after changes constitutes acceptance of the new Policy.
14. Contact
For any questions regarding this Policy or your personal data:
Email: privacy@onyria.app
General support: support@onyria.app
Postal address: BnC Consulting SAS, Lille, France
We are committed to responding to all requests as quickly as possible.