Your data, protected. Our commitment.
At Staros Cyber Ops, protecting your data is not a legal obligation — it is a core value. This policy explains precisely how we handle your data, your clients' data, and how our AI agents operate in full respect of your privacy and digital sovereignty.
Introduction
Staros Cyber Ops ('we', 'us', or 'our') is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you visit our website staros-cyber-ops.fr or use our AI agent services.
Staros Cyber Ops
AI Agent Development & Deployment — SaaS & Custom Solutions
Email: [email protected]
Phone: +33 7 83 68 02 78
Country: France, European Union
This policy applies to all individuals whose personal data we process, including website visitors, clients, and end-users of our AI-powered solutions. We act as a data controller for data collected through our website, and as a data processor when handling data on behalf of our clients through deployed AI agents.
Data Processed by Our AI Agents
Our AI agents are the core of our offering. When deployed for a client, they process data strictly as a data processor under Article 28 of the GDPR. The following principles govern all AI agent data processing:
Strict Data Isolation
Each client's data is processed in a fully isolated environment. No data from one client can be accessed, shared, or used to train models for another client.
No Third-Party Model Training
Your data is never used to train, fine-tune, or improve any third-party AI models. Your data remains exclusively yours.
Data Minimisation
Our agents collect and process only the data strictly necessary to perform the defined task. No excess data is retained beyond operational needs.
Full Auditability
Every action performed by an AI agent is logged and traceable. You may request a complete activity report for your agent at any time.
Categories of data that may be processed by our agents include: professional identification data, financial and accounting data, communication data (emails, messages), operational business data, and performance metrics. Processing of special category data (Article 9 GDPR) is subject to a specific contractual agreement and enhanced security measures.
Data We Collect on This Website
When you visit our website or use our contact form, we may collect the following categories of personal data:
| Category | Data | Legal Basis | Retention |
|---|---|---|---|
| Contact Form | Name, email, phone, company (optional), message | Legitimate interest / Consent | 3 years |
| Analytics | Anonymised IP, pages visited, session duration | Legitimate interest | 13 months |
| Technical Logs | Server logs, error reports | Legitimate interest | 90 days |
We do not use any advertising or third-party tracking cookies. Our analytics tool (Umami) is self-hosted and does not transfer any data to third parties. We do not sell, rent, or share your personal data with any third party for commercial purposes.
Legal Basis for Processing
We process your personal data only when we have a valid legal basis under the GDPR (Article 6). The legal bases we rely on are:
Consent (Art. 6(1)(a))
Where you have given clear, informed consent to processing for a specific purpose (e.g., newsletter subscription).
Contract (Art. 6(1)(b))
Where processing is necessary to perform a contract with you or to take pre-contractual steps at your request.
Legal Obligation (Art. 6(1)(c))
Where processing is required to comply with a legal obligation applicable to Staros Cyber Ops.
Legitimate Interests (Art. 6(1)(f))
Where processing is necessary for our legitimate business interests, provided these are not overridden by your rights.
Security Measures
Security is a foundational principle at Staros Cyber Ops, not an afterthought. Our infrastructure is built on privacy-by-design and security-by-default principles:
AES-256 Encryption at Rest
All stored data is encrypted using AES-256, the same standard used by banks and government agencies.
TLS 1.3 in Transit
All communications between your systems and our agents are encrypted via TLS 1.3.
Zero-Trust Architecture
Every access request is authenticated, authorised, and logged — even internal ones.
EU-Only Hosting
All data is hosted exclusively on servers located within the European Union.
Encrypted Backups
Automated daily backups, encrypted and stored across geographically distinct data centres.
Penetration Testing
Regular security audits and penetration tests conducted by independent cybersecurity experts.
In the event of a personal data breach, Staros Cyber Ops commits to notifying the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with Articles 33 and 34 of the GDPR.
Regulatory Compliance
Staros Cyber Ops operates within a strict regulatory framework and is committed to maintaining full compliance with all applicable regulations governing artificial intelligence and data protection:
General Data Protection Regulation (EU 2016/679)
Compliant. Full compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
EU Artificial Intelligence Act (EU 2024/1689)
Compliant. Our AI agents are developed in accordance with the transparency, human oversight, and robustness requirements of the EU AI Act. All systems are classified and documented per regulatory obligations.
NIS2 Directive on Cybersecurity (EU 2022/2555)
Compliant. Cybersecurity risk management measures, incident reporting, and business continuity procedures aligned with NIS2 requirements.
California Consumer Privacy Act (for US-based clients)
Compliant. Where applicable, we honour CCPA rights including the right to know, delete, and opt-out of sale of personal information.
Your Rights
Under the GDPR and applicable data protection law, you have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected] with a copy of your identity document.
Right of Access
Obtain a copy of all personal data we hold about you.
Deadline: 30 days
Right to Rectification
Correct any inaccurate or incomplete data we hold about you.
Deadline: 30 days
Right to Erasure
Request deletion of your personal data ('right to be forgotten').
Deadline: 30 days
Right to Portability
Receive your data in a structured, machine-readable format.
Deadline: 30 days
Right to Object
Object to the processing of your data on legitimate grounds.
Deadline: Immediate
Right to Restriction
Request the temporary suspension of processing of your data.
Deadline: Immediate
If you believe your rights have not been respected, you have the right to lodge a complaint with the relevant supervisory authority. In France: CNIL (Commission Nationale de l'Informatique et des Libertés) — www.cnil.fr. In the EU, you may also contact your local data protection authority.
Third Parties & Data Transfers
We engage carefully selected sub-processors to deliver our services. Each sub-processor is bound by a Data Processing Agreement (DPA) compliant with Article 28 of the GDPR:
| Sub-processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Cloud Hosting | European Union | Server infrastructure and data storage | DPA signed |
| LLM Providers | EU / USA (Standard Contractual Clauses) | Natural language processing for AI agents | DPA signed |
| Web3Forms | USA (Standard Contractual Clauses) | Contact form submission processing only | DPA signed |
No data transfers to third countries are made without appropriate safeguards (EU Standard Contractual Clauses or adequacy decision). We never sell, rent, or share your data with third parties for commercial purposes.
Contact & Data Protection Officer
For any questions regarding this Privacy Policy, to exercise your rights, or to report a security incident, please contact us:
Phone
+33 7 83 68 02 78
Address
France, European Union
Response Time
Response guaranteed within 72 hours
This Privacy Policy may be updated to reflect legal, regulatory, or technical changes. Material changes will be notified to clients by email and indicated on this page with an updated date. Last updated: March 28, 2026.
Our commitment is unconditional
The trust of our clients is our most valuable asset. We will never compromise the security or confidentiality of your data for commercial reasons. If you have any questions or concerns, our team is available 24/7 to respond.