SFBX

Privacy Policy

Protecting the personal data and privacy of its users is of great importance to SFBX SAS ("SFBX", "we", "us" or "our"). This includes protecting your privacy by ensuring that you have the access and control necessary to decide how your data is used.

To this end, SFBX undertakes to process personal data in compliance with the applicable data protection laws and regulations in the countries from which its users access and use the AppConsent® solutions ("Solution"), in particular the European General Data Protection Regulation (known as "GDPR").

This privacy policy clarifies how we collect and process your personal data in the context of your use of:

- the SFBX.io website

- AppConsent® Enterprise, Standard, Essential and Free offers

- AppConsent® Xchange offer

Please read it carefully, as it applies every time you use them.

1. What is personal data?

Personal data means any information relating to an identified or identifiable natural person (the "data subject").

In connection with your use of our solution, you are considered a data subject. The personal data covered by this Privacy Policy is therefore any information about you or your users, to the extent that you or your users are identified or identifiable, for example by reference to the IP address and/or IMEI of the device or account identifiers.

The processing of personal data is subject to specific legal and regulatory provisions, in particular GDPR.

2. Why do we collect your personal data?

We only collect personal data that is necessary for purposes such as ensuring that you have the best possible experience with the solution, communicating easily with you, and in the context of the purpose of the solutions and based on your consent and that of the users of your websites or application, sharing your users' personal data with partners that you have chosen through the validation of contracts that will be offered to you.

3. Under what conditions and what personal data is collected

We collect personal data from you and your users in the following situations and for the purposes detailed below. For each case, we detail the information that is stored by our services. Our solutions have been built with Privacy by Design and Privacy by Default in mind, ensuring the highest possible level of data protection.

As a result, very little information is stored by our services; none of it is nominative, and all of it is encrypted and anonymized.

3.1 When logging in to the website (https://sfbx.io/) as a casual visitor

When you log on to the website, we will automatically collect the following personal data for technical purposes so that the website you use is tailored to provide you with the best possible user experience:

  • The truncated IP address of your device,
  • The URL of the site you are currently viewing,
  • The user agent,
  • The timestamp,
  • Technical session cookies,
  • Retargeting cookies,
  • Audience measurement cookies,

The data is kept for 12 months.

3.2 When registering, subscribing to an offer, and using your account on the platform (https://app.appconsent.io)

When you register/use your account on the website, we will collect the following data through the registration form:

  • Your complete IP
  • Your login: Hash email
  • The secure version of your password

We also retain your account information in the interests of the contract between us so that you can use our products:

  • Company name,
  • Siret number,
  • EU VAT number
  • Address of the head office,
  • First and last name of the legal representative,
  • First and last names of account administrators and users, and their roles,
  • URLs of websites and applications.

This data will be collected and processed for the purpose of managing your user account and providing you with the Solutions services. This processing is based on its necessity for the performance of a contract to which you are a party, namely the Terms of Use of the products.

These data are kept for the duration of the contract plus the 5-year commercial prescription.

Bank and billing information is not stored or managed by SFBX but by its partner Stripe: https://stripe.com/fr whose privacy policy and TOS are as follows: https://stripe.com/fr/privacy.

SFBX shall not be liable for any breach or improper handling of the Client Data by the Stripe Partner.

The Client is obliged to inform SFBX in the event of non-compliance or breach by the Stripe Partner of its obligations to manage its Data.

3.3 When using the solutions.

3.3.1 AppConsent® Enterprise, Standard, Essential and Free

AppConsent® is a consent management platform (CMP), a solution for collecting user consent for our clients' websites and apps. It is available in three plans: Enterprise/Premium, Standard, and Essential, plus an older plan, Free, that is still used by some clients but is no longer actively marketed. The rules are the same for all four plans.

The following data is kept for the purpose of product operation and transmission of evidence:

  • User IDs of your websites or applications,
  • Transaction history, i.e., date, time, version of consent notice, consent status, source, and the Global Vendor List (GVL).
  • Positive, negative or mixed consents.

These data are kept for the duration of the contract plus the 5-year commercial prescription.

The Customer's bank and billing details are administered and stored by Stripe's partner: https://stripe.com/fr, whose privacy policy and T&Cs are as follows: https://stripe.com/fr/privacy, and not by SFBX.

3.3.2 AppConsent® Xchange

With AppConsent® Xchange, in exchange for providing the CMP free of charge, SFBX collects basic data from the user’s device. This data is basic and non-intrusive. It enables SFBX and its partners to create high-value-added products focused on the traceability and security of data exchanges. The goal is to build a strong and trustworthy data governance ecosystem.

This product allows our Xchange customers to share the data they hold with Partners and provide traceability and ensure that the user's choice is respected in the use of their data.

No data is shared without its legal basis attached.

The following data is kept for the purpose of product operation and transmission of evidence:

  • User IDs of your websites or applications,
  • Transaction history, i.e., date, time, version of the consent notice, consent status, source, and the Global Vendor List (GVL),
  • Positive or negative consents,
  • CMP XChange customer references,
  • Partner testimonials,
  • Contracts,
  • Shared data types.

Data is transmitted via our platform between the Xchange Client website and our Partners; we store it only temporarily—for a period ranging from 6 hours to 1 month—until it is used by the Partner. 

These data are kept for the duration of the contract plus the 5-year commercial prescription.

The data of the Internet users/mobility collected within the framework of the Xchange service:

The Xchange offer has been designed to only deliver data to advertisers, brands or other actors who are clients of our platform, if we have a positive consent signal beforehand. Under no circumstances will data be delivered without this consent being present.

The legal basis for sharing this data is consent. For the data to be shared, the purposes of processing must align. For example, if a brand is pursuing processing purposes such as Personalization and Measurement, and you have objected to both via the Consent Management Platform (CMP) notice, then the data will not be shared. If you object to the “Measurement” processing purpose, the data will be provided, but our platform will indicate that you have objected to this purpose via the IAB TCF consentString, or via specific metadata for processing activities not covered by the IAB TCF or for specific purposes.

Here is the list of data concerned; this list may be updated regularly. This is organic data, not intrusive for the users.

| Type of data | Example |
| --- | --- |
| MAID (Mobile Advertiser ID) | 22F02CE6-12DB-4E69-B0A3-95CE2B1E4BA3 |
| MaidType | IDFA(Apple) or AAID(Android) |
| AppConsentID (cookie) | 524f957-8126-4bbb-9cb6-f4d59341a50b |
| TimestampCollect | 1572006875 |
| deviceManufacturer | Xiaomi |
| DeviceModel | E A2 |
| DeviceCarrier | Orange |
| IP (Truncated) | 90.50.183.XX |
| AppNameBundle | com.SFBX.appconsenttest.xchange |
| DeviceOS | ANDROID |
| DeviceOSVersion | 28 |
| ConsentString | BOpdxkUOpdxkUACABAFRCo-AAAAq57__f__3_8_v3_9_NuzvOv_j_ef93VW8fvYvcEvzhY9d_u_Uzxc4m_0vRc9ycgx85eprGsoxQ7KSsG-VOgd_7t__3ziX9ohP6wkcprxz3bEw-jo2o8Jg |
| extraConsentSignal | { "GEOLOC_AD" = { id = 359fFyR; state = 1; vendors = { 124 = 1; 368 = 1; 435 = 1; Ironsource = 1; }; }; "GEOLOC_MARKET" = { id = JU7iLdm; state = 1; vendors = { 124 = 1; 368 = 1; 435 = 1; Ironsource = 1; }; }; } |
| Purpose xO7AjTTJ | ( { xO7AjTTJ = 1; }, { 124 = 1; }, { 368 = 1; }, { 435 = 1; }, { Ironsource = 1; } ) |
| deviceCountryCode | EN |
| ExternalId | ABCDA24321 |
| SignalStrenght | 99 |
| NetworkType | UNKNOWN |
| URL (Web) | https://www.awebsite.com |
| Content | Text content of the page or application |
| ID Sync(web) | True/False |

3.4 When using the contact form.

3.4.1 The general contact form (https://sfbx.io/contact/)

By using the contact form on the website, we will collect, through this form, the following data:

  • Subject of your message;
  • Your Name;
  • Company name;
  • Email address;
  • The subject of your message;
  • The message you enter in the "Message" field;
  • Any screenshots you can attach to your message;
  • Data related to your account and technical data related to the context of use to help us understand the problem you may be experiencing.

This data will be collected and processed for the purpose of receiving and processing your message, to be able to respond to it and to resolve any problems you may encounter described in your message. This processing is based on your consent, expressed by clicking on the "Send" button on the "Contact Us" form.

In the event that your message contains personal data classified as "sensitive data" under applicable data protection laws and regulations, for example data relating to your state of health, you explicitly consent to SFBX, by clicking on the send button on the contact form, receiving and processing such data in order to respond to your message.

It is understood that SFBX does not require or encourage its users to provide sensitive data through the "Contact Us" form.

This information is destroyed after processing your request made in this contact form.

We do not keep a history of these exchanges.

3.4.2 The contact form for using the AppConsent® Xchange solution (https://sfbx.io/inscription-xchange-cmp-gratuite/)

When you use the contact form on the website to access the AppConsent® XChange Platform, we will collect the following information through that form:

  • Full name,
  • Company name,
  • Email,
  • Name of the website or app,
  • Platform type: Web & Mobile Web, Mobile App, Other,
  • Data related to your account and technical data related to the context of use to help us understand the problem you may be experiencing.

This information will be collected and processed for the purpose of receiving and processing your message, responding to it, and creating an account for you to access the AppConsent® XChange product.

This processing is based on your consent, which you provide by clicking the "Submit" button on the "Contact Us" form.

This information is destroyed after processing your request made in this contact form. 

We do not keep a history of these exchanges.

4. How is your personal data protected?

We apply the necessary internal and technological security measures to ensure that your data is not lost, misappropriated, accessed or disclosed to third parties except:

  • Within the framework of the contracts and uses of the products,
  • At the request of a judicial or police authority or any authority empowered by law.

Your information is encrypted and stored on servers located in Belgium, the Netherlands, and France. Access to your user account is protected by your password. You are responsible for keeping the password you chose when registering on our platform confidential, and you agree not to disclose it to anyone.

If you request deletion of your account, deletion will take effect immediately, unless your account has been suspended or blocked. In this case, we will keep your data for a period of 2 years in order to prevent you from circumventing the rules in force on our platform.

Deleting your account does not result in the deletion of the data retained and listed in Section 3. To delete your information, you must follow the procedure to exercise your right to erasure as described in Section 8.

5. Who is the data controller and can I contact them?

The controller is SFBX, which provides the solutions.

If you have any questions or concerns about this privacy policy, SFBX's processing of personal data on the Solutions, or SFBX's data protection and privacy commitments more generally, you can contact the privacy policy administrator by sending an email via dataprotection@SFBX.io or by writing to

SFBX SAS, Attention: Privacy Policy Administrator, 15 Place Canteloup, 33800 Bordeaux.

6. With whom is my personal data shared?

The data will only be shared with third parties/partners in the context of the contracts that you have validated in the solutions.

These partners may use subcontractors, in accordance with GDPR, for the processing of this personal data. In such cases, the data controller will always remain the third party/partner with whom you have entered into the contract and with whom you may exercise your rights (see Article 8).

Apart from this case, the personal data collected and processed in accordance with Article 3 above will be shared with SFBX people and departments, in particular our staff dedicated to technical issues and user experience studies.

Only in specific cases, your personal data may be shared to respond to requests from the relevant authorities and in legal proceedings if necessary.

7. Where is my data hosted?

The database and backups are hosted by Google Cloud in France, Belgium, and the Netherlands.

The safeguards put in place to ensure the security of data transfers outside the European Union, in the event that Google Cloud is subject to the Cloud Act due to force majeure, are as follows:

| Actor | Country | Selected protective measure (European Commission Standard Contractual Clauses, CNIL Standard Contractual Clauses, Binding Corporate Rules, Clauses other than standard clauses with CNIL authorization, PIA) |
| --- | --- | --- |
| Google Cloud | United States | CCT – pseudonymized + blockchain + encryption |

8. What are your rights regarding your personal data?

In accordance with the applicable data protection laws and regulations, you have the following rights regarding the processing of your personal data: right of access, right of data portability, right of rectification, right of erasure, right to object to processing and right to restrict processing.

  • Right of access: you can access your data to modify it, or request a copy of your personal information.
  • Right of rectification: you can ask SFBX to correct inaccurate information on its database.
  • Right of deletion: you can request the deletion of your Personal Data.
  • Right to object: You may object at any time to the processing of your personal data on AppConsent® Xchange by clicking on this link.
  • Right to limit processing: you can request the suspension of processing concerning you for the time of an audit.
  • Right to portability: you can have the personal data you have provided transmitted in a structured, commonly used and computer-readable format to us or to another data controller, where technically possible.

You may exercise these rights by contacting the Privacy Policy Administrator at dataprotection@SFBX.io or by writing to SFBX.com SAS, Attention: Privacy Policy Administrator, 15 Place Canteloup 33800 Bordeaux, France.

These rights are purely personal and can only be exercised by the individual concerned. Therefore, you may be asked to provide a copy of a valid form of identification; we will only keep this copy for the time necessary to verify your identity.

In this case, SFBX will cease processing the personal data concerned and will retain it for the appropriate period of time.

For those processing activities described in sections 2 and 3 above that are based on your consent, you have the right to withdraw that consent at any time, without justification.

Finally, you have the right to lodge a complaint about the processing of your personal data by SFBX with the competent supervisory authority in your country.

SFBX has appointed a DPO in charge of personal data protection whose contact details are as follows:

  • juridique@dipeeo.com
  • Tel: 09.50.39.07.50
  • Postal address: Dipeeo, 95 avenue du Président Wilson, 93100 Montreuil, France

9. Changes to this Privacy Policy

This Privacy Policy was last updated on April 4, 2026. Please note that we may revise it from time to time and reserve the right to update or modify it.

We will post the revised privacy policy on the website https://sfbx.io/ and the platform https://app.appconsent.io so that users can always see what personal data we collect and how we collect it. Additionally, if you have registered via the registration form, you will also receive an email notifying you of any changes or updates to the Privacy Policy at the email address associated with your user account.

By clicking on this link, you can view our Cookie Policy 

By clicking on this link, you can view the Data Protection Agreement (DPA) for the AppConsent Premium/Enterprise, Standard, Essential, and Free plans.

By clicking on this link, you can view the Xchange Data Protection Agreement (DPA) for the AppConsent Xchange solution.

 

What is Ad4good?

Ad4good is the first solidarity advertising network. If you accept personalised advertising on our site, you will be helping to finance some forty associations in need.

See the full list of associations on the Ad4good website

The Ad4good network is implementing 3 actions to ensure its mission:

  • Partnership between publishers and Ad4Good: part of the publisher's inventory is reserved for the distribution of solidarity ads. These ads are monetised by Ad4good, which then donates 50% of its margin to associations.
  • Partnership between advertisers and associations: each advertisement broadcast by the advertiser during an "Ad4Good" labelled campaign generates a donation for the partner association of the campaign.
  • Partnership between publishers and associations: Ad4good offers publishers the opportunity to provide visibility to partner associations by reserving unused advertising space.

To allow the associations to continue their actions, you can accept in general or set the details by allowing "Store and/or access information on a terminal" and "Personalised advertising".

Ad4good, partner of the CMP AppConsent® for responsible and ethical advertising

We are partners with the Ad4good network, the first solidarity-based advertising network that brings together some forty associations.

See the full list of associations on the Ad4good website

The Ad4good network is implementing 3 actions to ensure its mission:

  • Partnership between publishers and Ad4Good: part of the publisher's inventory is reserved for the distribution of solidarity ads. These ads are monetised by Ad4good, which then donates 50% of its margin to associations.
  • Partnership between advertisers and associations: each advertisement broadcast by the advertiser during a campaign labelled "Ad4Good" generates a donation for the partner association of the campaign.
  • Partnership between publishers and associations: Ad4good offers publishers the opportunity to provide visibility to partner associations by reserving unused advertising space.

What does this mean for your audience?

By opting in to the AppConsent® Xchange Solidaire offer, your participation will be mentioned on the first screen of your consent form.
If a user refuses collection for advertising purposes, a reminder screen will be displayed so that they can change their choices if they wish to be an actor of change towards more ethical advertising.

What are the eligibility criteria?

As a pre-requisite, your website must carry advertising. Once you have registered with AppConsent® Xchange Solidaire, you must have a significant amount of responsible advertising on your website (at least 20%).

The AppConsent® Xchange Solidaire offer allows you to take part in a more responsible advertising ecosystem focused on solidarity and environmental preservation.