Orion
OrionBack to home
Last updated: April 6, 2026

Privacy Policy

We take your privacy seriously. This policy explains what data we collect, how we use it, and the controls you have over it.

Data Controller

The data controller responsible for your personal data is:

Célyan Mellinger, auto-entrepreneur registered in France — operating Orion Monitoring at orion.fuxlor.dev.
Contact: celyan.mellinger@hotmail.fr

This policy applies to all personal data processed in connection with your use of the Orion platform, including the web dashboard, SDK, and Orion Agent.

Information We Collect

We collect information you provide directly and information generated by your use of the Service.

Account Data

  • Email address provided at registration
  • Username and display name
  • Authentication credentials (stored as hashed values — never in plaintext)
  • Passkey / WebAuthn device credentials, if used
  • Billing information (handled directly by Stripe — we never store raw card data)

Log and Monitoring Data

  • Log messages and metadata submitted via the Orion SDK or Orion Agent
  • System metrics (CPU, memory, disk, network) collected by the Linux agent
  • Timestamps, log levels, source identifiers, and tags you attach to logs
  • Alert configurations and trigger history

Usage Data

  • IP address at login and during active sessions
  • Pages visited and features used within the dashboard
  • Session duration and interaction patterns

Cookies

  • Session cookies for authentication (see the Cookies section for details)

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service
  • Process payments and manage your subscription via Stripe
  • Send transactional emails — account confirmations, password resets, quota alerts, plan changes (via Resend)
  • Respond to support requests and communicate about your account
  • Detect, investigate, and prevent fraud, abuse, and security incidents
  • Comply with our legal obligations under French and EU law
  • Analyze aggregate, anonymized usage trends to improve features and performance
We do not sell your personal data or log data to third parties. We do not use your log data to train AI models or for any purpose beyond providing the Service to you.

Data Storage and Security

Your data is stored on servers located in Paris, France, within the European Union. No personal data is transferred outside the EU, except through the sub-processors listed in the Third-Party Services section, which provide appropriate safeguards.

We implement the following technical and organisational security measures:

  • All communications encrypted in transit via TLS/HTTPS
  • JWT authentication with asymmetric signing (RS256)
  • Passwords stored using bcrypt hashing — never stored in plaintext
  • API tokens hashed with SHA-256 before storage
  • Access to production systems restricted to the operator
  • Regular database backups

Despite these measures, no system is completely secure. In the event of a personal data breach affecting your rights, we will notify you and the relevant supervisory authority as required by GDPR.

Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Account data: retained for the duration of your subscription, then deleted within 30 days of account termination
  • Application logs: automatically deleted according to your plan's retention period (30, 90, or 180 days from the log timestamp)
  • Billing records: retained for 10 years in accordance with French accounting obligations (Code de commerce)
  • Connection and security logs: retained for 12 months

You may request earlier deletion of your personal data by exercising your right to erasure (see Your Rights section), subject to our legal retention obligations.

Third-Party Services

We use the following sub-processors to operate the Service. Each processes your data only on our instructions and is contractually bound to protect it:

Stripe

Payment processing. Stripe collects and processes your payment card information directly. We receive only a customer ID and subscription metadata. Stripe is headquartered in the US and covered by the EU-US Data Privacy Framework and standard contractual clauses. See stripe.com/privacy.

Resend

Transactional email delivery. Your email address and the content of service emails (confirmations, alerts, billing notices) transit through Resend’s servers. See resend.com/legal/privacy-policy.

Server infrastructure

Physical infrastructure hosting the API, database, and web application. All servers are located in Paris, France (EU).

We do not use any advertising networks, behavioral tracking services, or analytics platforms that share your data with third parties.

Your Rights (GDPR)

As a user located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR — Regulation EU 2016/679):

  • Right of Access — request a copy of the personal data we hold about you
  • Right to Rectification — request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten") — request deletion of your personal data
  • Right to Data Portability — receive your data in a structured, machine-readable format
  • Right to Object — object to processing based on our legitimate interests
  • Right to Restrict Processing — request that we limit how we use your data
  • Right to Withdraw Consent — where processing is based on consent, withdraw it at any time

Our legal bases for processing your data are: performance of contract (Art. 6.1.b — providing the Service), legal obligation (Art. 6.1.c — accounting and fraud prevention), and legitimate interest (Art. 6.1.f — security and abuse prevention).

To exercise any of these rights, contact us at celyan.mellinger@hotmail.fr. We will respond within 30 days. You also have the right to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés) at cnil.fr.

You can manage most data preferences directly from your account settings, including deleting your account.

Cookies

We use only the cookies strictly necessary for the Service to function. We do not use advertising cookies, third-party analytics cookies, or behavioral tracking technologies.

Authentication (session)

A session token stored in your browser to keep you logged in. This cookie is required for the Service to function and cannot be disabled. It expires when you log out or after a period of inactivity.

Preferences

Theme selection (dark/light mode) stored locally. This cookie is functional and does not leave your device.

No cookie consent banner is required as we only use strictly necessary and functional cookies that do not require prior consent under the ePrivacy Directive.

Children's Privacy

Orion is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such information, please contact us at celyan.mellinger@hotmail.fr and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via a prominent notice within the Service at least 15 days before the changes take effect.

The “Last updated” date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

Contact Information

For any privacy-related questions, requests, or concerns:

  • Name: Célyan Mellinger
  • Email: celyan.mellinger@hotmail.fr
  • Subject: "Privacy Request — [your request type]"
  • Supervisory authority: CNIL — www.cnil.fr
For GDPR-related requests, we aim to respond within 30 days as required by law.