RelocDesk
GuidesPricing

Privacy Policy

Last updated: June 26, 2026

Table of contents

  1. Introduction and data controller
  2. Data collected
  3. Legal basis for processing
  4. Third-party services
  5. Cookies and tracking
  6. Your rights
  7. Data retention
  8. International data transfers
  9. AI and automated processing
  10. "Where Should I Move?" quiz and partner matching
  11. Data security
  12. Children's data
  13. Changes to this policy
  14. Contact and DPO

Introduction and data controller

RelocDesk ("we", "us", "our") is a SaaS platform designed to help expatriates organize their relocation abroad. This privacy policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and applicable French and European data protection laws. The data controller responsible for your personal data is: GAMECELSIOR, a French simplified joint-stock company (SAS) with a share capital of €10,000, registered with the Paris Trade and Companies Register under number 934 661 463. EU VAT number: FR66934661463 Registered office: 13B Avenue de la Motte-Picquet, 75007 Paris, France RelocDesk is a service operated by GAMECELSIOR. Email: [email protected] Website: https://relocdesk.com

Data collected

We collect and process the following categories of personal data: Account data: email address, hashed password (we never store plain-text passwords). Project data: relocation projects you create (destination city, country, planned dates, notes). Places data: places you add to your projects (names, addresses, coordinates, status, ratings, phone numbers, URLs, custom fields). Photos: images you upload to document places (compressed and stored in Supabase Storage). Task data: tasks and to-do items you create. Budget data: expenses, budget categories, expense groups and payment information you enter. Price tracker data: products, shops and price entries you record. Comparator data: comparison tables and offers you create. Technical data: IP address, browser type, device information, pages visited (collected via PostHog analytics, only with your consent). AI interaction data: search queries you submit to our AI features (processed by Google Gemini).

Legal basis for processing

We process your personal data on the following legal bases under Article 6 of the GDPR: Contract performance (Art. 6(1)(b)): Processing your account, project, places, tasks, budget and comparator data is necessary to provide the RelocDesk service you signed up for. Consent (Art. 6(1)(a)): Analytics tracking via PostHog is only activated after you give explicit consent through our cookie consent banner. Legitimate interest (Art. 6(1)(f)): We may process limited technical data to ensure the security, availability and proper functioning of our platform. Legal obligation (Art. 6(1)(c)): We may process data to comply with applicable legal obligations (e.g., tax, accounting).

Third-party services

We use the following third-party services to operate RelocDesk. Each service processes your data as described below: Service | Purpose | Location Supabase Cloud | Database, authentication, file storage | EU (Frankfurt, Germany) Cloudflare Pages | Website hosting, CDN, SSL/TLS | Global (edge network) PostHog | Analytics (with consent only) | EU (eu.i.posthog.com) Google Gemini API | AI-powered search and task generation | United States Google Places API | Location search and place photos | United States MapTiler | Map tiles (client-side) | EU Nominatim / Komoot Photon | Address geocoding (client-side) | EU Resend | Transactional emails ([email protected]) | United States All API calls to Google services (Gemini, Places) are routed through our server-side proxy. Your API keys are never exposed to the browser.

Cookies and tracking

RelocDesk uses the following types of cookies and tracking technologies: Essential cookies: Authentication session tokens managed by Supabase. These are strictly necessary for the service to function and do not require consent. Analytics cookies (consent required): PostHog analytics (EU cloud instance at eu.i.posthog.com) is only activated after you give explicit consent via our cookie banner. You can withdraw your consent at any time through your browser settings or by contacting us. We do not use advertising cookies or third-party tracking pixels.

Your rights

Under the GDPR, you have the following rights regarding your personal data: Right of access (Art. 15): You can request a copy of all personal data we hold about you. Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete personal data. Right to erasure (Art. 17): You can request deletion of your personal data. You can delete your account from the settings page, which will remove all your data. Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format. Right to restriction (Art. 18): You can ask us to restrict the processing of your data in certain circumstances. Right to object (Art. 21): You can object to the processing of your data based on legitimate interest. Right to withdraw consent: Where processing is based on consent (e.g., analytics), you can withdraw consent at any time without affecting the lawfulness of prior processing. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority, in particular the CNIL (Commission Nationale de l'Informatique et des Libertés) in France.

Data retention

We retain your personal data as follows: Account data: Retained for as long as your account is active. Deleted within 30 days after account deletion. Project and associated data: Retained for as long as your account is active. Deleted when you delete a project or your account. Photos: Deleted from Supabase Storage when you delete them or when your account is deleted. Analytics data: Retained by PostHog for a maximum of 12 months, then automatically deleted. Server logs: Retained for a maximum of 90 days for security and debugging purposes. After deletion, data may persist in encrypted backups for up to 30 additional days before being permanently purged.

International data transfers

Your primary data (account, projects, places, photos, budget) is stored in the EU (Supabase Cloud, Frankfurt, Germany). Some data may be transferred outside the EU/EEA when you use certain features: Google Gemini API (US): When you use AI search features, your search queries are sent to Google servers in the United States via our server-side proxy. This transfer is covered by the EU-US Data Privacy Framework. Google Places API (US): When you search for places or import from Google Maps, location queries are sent to Google servers. This transfer is covered by the EU-US Data Privacy Framework. Cloudflare (Global): Website content may be cached and served from Cloudflare edge nodes worldwide. Cloudflare is certified under the EU-US Data Privacy Framework. Resend (US): Transactional emails are sent via Resend servers in the United States. We ensure that all international transfers comply with GDPR requirements through appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

AI and automated processing

RelocDesk uses artificial intelligence features powered by Google Gemini. Here is how AI is used: AI place search: When you use the AI search feature, your query is sent to Google Gemini to generate relevant place suggestions for your destination. The AI does not have access to your full account data, only the specific query you submit and contextual information about your project's city and country. AI task generation: You can ask the AI to generate task checklists. Only your query text is sent to the AI service. AI comparator generation: The AI can generate comparison tables based on your description. Only your query text is sent. Receipt scanning: When you scan a receipt with AI, the image content is processed by Google Gemini to extract item and price information. No automated decision-making: We do not use AI or automated processing to make decisions that produce legal or similarly significant effects on you. AI features are tools to assist your research, and all final decisions remain yours. AI features consume credits from your account. You can choose not to use AI features at any time.

"Where Should I Move?" quiz and partner matching

Our "Where Should I Move?" quiz is publicly accessible and does not require creating an account. Your answers (personal and family situation, income sources and level, assets, climate and lifestyle preferences, priorities, languages spoken, relocation timeline, preferred or excluded countries) are processed solely to generate personalised destination recommendations. Transfer to AI: to produce these recommendations, your answer profile is sent to Google Gemini (United States) through our server-side proxy. This transfer is covered by the EU-US Data Privacy Framework. If you are not logged in to an account, these answers are not linked to your identity and are not retained on our servers after the recommendations are generated. Partner matching (optional consent): a checkbox, unticked by default, lets you agree to have your information shared with partner relocation providers (movers, agencies, schools, etc.). This is explicit, optional consent within the meaning of Article 6(1)(a) GDPR. This matching feature is not yet active: for as long as it is not, no data is shared with any partner. When it becomes active, no transmission will take place without your explicit consent, which you may withdraw at any time.

Data security

We implement appropriate technical and organizational measures to protect your personal data: - All data in transit is encrypted using TLS/SSL (HTTPS enforced via Cloudflare). - Passwords are hashed using bcrypt before storage (we never store plain-text passwords). - Database access is protected by Row Level Security (RLS), ensuring each user can only access their own data. - API keys and secrets are stored server-side only and are never exposed to the browser. - Server-side API routes implement rate limiting to prevent abuse. - All server routes are protected by authentication checks. - Photos are compressed before upload to minimize data exposure. - Supabase Cloud provides automatic encrypted backups and enterprise-grade infrastructure.

Children's data

RelocDesk is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected data from a child under 16 without proper parental consent, we will take immediate steps to delete that data. If you believe a child has provided us with personal data, please contact us at [email protected].

Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify you by email or by displaying a prominent notice on the platform. We encourage you to review this policy periodically. The date of the latest revision is indicated at the top of this page.

Contact and DPO

For any questions regarding this privacy policy or to exercise your data protection rights, you can contact us at: RelocDesk - Data Protection Email: [email protected] You also have the right to lodge a complaint with the French data protection authority: CNIL (Commission Nationale de l'Informatique et des Libertés) 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 Website: www.cnil.fr

← BackTerms of Service →
© 2026 GAMECELSIOR SAS — RelocDesk