voxquel

Data protection

GDPR & DPA

Voxquel is built for compliance by design: hosting in France, strict per-account isolation and Odoo access restricted to the model layer. This page summarises our practices. It is informational and does not replace our terms of service or our data processing agreement (DPA).

Last updated : June 27, 2026

Who does what: controller and processor

Data controller

For your Voxquel account data (identity, email, billing, usage logs), IdPact, the publisher of Voxquel, acts as data controller.

Data processor

For the Odoo ERP data Voxquel accesses on your behalf, you remain the data controller and Voxquel acts as a data processor (GDPR art. 28), strictly on your instructions.

Data we process

Depending on your usage, Voxquel may process the following categories:

  • Account data — name, email, password (hashed), preferences (language, time zone, notifications).
  • Billing data — plan, PayPal subscription identifier, invoice history. No card data ever passes through or is stored by Voxquel: payment is handled by PayPal.
  • Odoo connection credentials — URL, database, user and API key, encrypted at rest.
  • Odoo business data — records read or written through Odoo's model layer (customers, quotes, invoices…), according to the permissions you grant. A per-connection local cache may keep a working copy, isolated per account, to speed up queries.
  • Logs — audit of MCP actions (who, what, when), technical metadata and error logs.

Location & hosting

Infrastructure and databases are hosted by OVHcloud in France (European Union). Your data at rest is stored in the EU.

Exception: when you query your ERP through Claude, the content of your requests and the matching Odoo data are sent to Anthropic to produce the answer (see sub-processors and international transfers).

Sub-processors

Voxquel relies on a limited set of sub-processors, selected for their safeguards:

Sub-processor Role Location
OVHcloud Hosting of infrastructure and databases France (EU)
Anthropic, PBC AI processing (Claude) of requests via MCP United States (SCCs)
PayPal (Europe) Payment of subscriptions and credit packs EU / international
Cloudflare Anti-spam captcha (Turnstile) on the contact form International
SMTP provider Sending of transactional emails EU

We notify you in advance of any addition or replacement of a sub-processor; you may object on legitimate grounds.

Security measures

  • Encryption in transit (TLS) and at rest for secrets (Odoo credentials, OAuth and PayPal keys).
  • Strict multi-tenant isolation: the account is the root of isolation; no data is shared between accounts.
  • Odoo access limited to the model layer (search, read, create, write, unlink, aggregate): no raw SQL, no server-side code execution, no view modification.
  • Granular permissions: you define the models and actions each connection allows; reads and writes are never mixed in a single tool.
  • Time-stamped audit log of every MCP action.
  • Hashed passwords; secrets are never logged or committed.

Retention periods

  • Account data — for the life of the account, then deleted within 30 days of closure (unless legally required otherwise).
  • Invoices — kept for 10 years (French accounting obligation).
  • Odoo cache — purged when a connection is deleted or at your request; you can clear it at any time.
  • Audit logs — 12 months.

Your rights

Under the GDPR, you have the following rights over your personal data:

Access

Obtain a copy of the data concerning you.

Rectification

Correct inaccurate or incomplete data.

Erasure

Request the deletion of your data.

Restriction

Restrict certain processing.

Portability

Receive your data in a structured, readable format.

Objection

Object to processing on legitimate grounds.

International transfers

Your data is processed within the European Union by default. Transfers outside the EU — notably to Anthropic, in the United States, when using Claude — are governed by the European Commission's standard contractual clauses (SCCs) and appropriate safeguards.

Data processing agreement (DPA)

If you process personal data through Voxquel, we enter into a data processing agreement with you that complies with GDPR article 28, embedded in our terms of service. It sets out the subject matter, duration, nature and purpose of the processing, the categories of data and data subjects, and our obligations as a processor.

To receive our signed DPA or a version tailored to your organisation, email [email protected].

Breach notification

In the event of a data breach likely to result in a risk to your rights and freedoms, we inform you without undue delay. As a processor, we assist the controller in meeting its notification obligations (GDPR art. 33 and 34).

A question about your data?

For any data protection question, to exercise your rights or to request our DPA, write to us — we reply within 30 days. You may also lodge a complaint with the CNIL, the French supervisory authority.

[email protected]