← BACK TO 7BOOST.
This is an English translation provided for convenience. The legally binding version of this document is in French —
view the French version.
7BOOST. — Privacy Policy
Last updated: June 16, 2026
This privacy policy is intended to inform users of the 7BOOST. extension and website (hereinafter the "Service") about how their personal data is collected, used, retained, and protected, in accordance with the General Data Protection Regulation (GDPR), and in particular its Article 13.
1. Identity and contact details of the data controller
The Service is published on a non-professional basis by an individual, who acts as data controller within the meaning of the GDPR.
In accordance with Article 6-III of French Law No. 2004-575 of June 21, 2004 on confidence in the digital economy ("LCEN"), the publisher of the Service, an individual acting on a non-professional basis, exercises their right to preserve anonymity. Their identifying information has been provided to their hosting provider, who is bound by professional confidentiality.
Contact: contact@7boost.io
Website hosting: GitHub Pages (GitHub, Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA)
No Data Protection Officer (DPO) has been appointed. Under Article 37 of the GDPR, this appointment is only mandatory for public authorities, or for organizations whose core activities involve regular and systematic large-scale monitoring of data subjects, or large-scale processing of special category data (Article 9) or data relating to criminal convictions. The Service, published by an individual on a non-professional basis and not processing such data on a large scale, does not fall into any of these categories. Any question regarding personal data may be sent to the contact address above.
2. Personal data collected
As part of the use of the Service, the following categories of data are collected:
- Account data: username, email address, and password (encrypted), via the Supabase Auth authentication system, when creating an account.
- Usage data: number of "boost" requests made per day, associated with the account identifier and a date (the "usage" table), in order to apply the free daily usage limit.
- Prompt content: the text entered by the user (the "raw prompt"), as well as any optional style keywords, is transmitted on a one-off basis to the AI provider for processing, and is not permanently stored by the Service.
- Local preferences: display preferences, selected output language, local counters, and default tags, stored locally on the user's device via chrome.storage.local and not transmitted to the Service.
- Technical connection data: information strictly necessary for authentication to function (Supabase session token).
The Service does not collect any banking data, health data, geolocation data, and does not carry out any profiling of users.
3. Purposes of the collection
The personal data described above is processed for the following purposes:
- To enable the creation, authentication, and management of the user account (username, email, password).
- To provide the core functionality of the Service, namely the optimized rewriting of prompts submitted by the user (prompt content).
- To apply the free daily usage limit and prevent abuse (usage data).
- To remember user preferences in order to improve their experience (local preferences).
4. Legal basis for processing
- Performance of a contract: account creation, authentication, the provision of the prompt rewriting service, and the enforcement of usage limits are necessary for the performance of the contract entered into with the user upon registration (Article 6(1)(b) GDPR).
- Legitimate interest: the retention of usage counters and quota verification serve the data controller's legitimate interest in ensuring the proper functioning, security, and economic viability of the Service (Article 6(1)(f) GDPR).
5. Recipients and data sharing
Personal data is neither sold, rented, nor exchanged with third parties for commercial purposes. It may be transmitted to the following recipients, strictly to the extent necessary for the operation of the Service:
- Supabase Inc.: database hosting and authentication management, storage of the "usage" table. The Supabase instance used for the Service is hosted within the European Union. Supabase acts as a data processor within the meaning of the GDPR.
- Mistral AI (AI provider): receives the content of the user's raw prompt (and, where applicable, style keywords and the desired output language) for the purpose of generating the optimized prompt. This content is transmitted on a one-off basis, for each request, via a secure Edge function, and is not retained by the Service beyond the processing of the request.
No personal data linked to the user's account (username, email, account identifier) is transmitted to Mistral AI. Only the text content of the prompt submitted by the user (and any associated style keywords) is sent, for the sole technical purpose of prompt optimization.
Mistral AI is a company incorporated under French law, headquartered within the European Union (Paris, France). The processing of prompt content by Mistral AI therefore takes place within the European Union, with no transfer to a third country, and in compliance with the GDPR obligations applicable to processors established in the European Union.
- GitHub Pages: hosting of the Service's showcase website.
Account and usage data, hosted by Supabase, and prompt content, processed by Mistral AI, therefore remain located within the European Union. The Service's showcase website (hosted on GitHub Pages, whose operator is located in the United States) does not collect personal data: visiting it therefore does not result in any transfer of personal data to this provider within the scope of the processing described in this policy.
6. Data retention periods
- Account data (username, email, password): retained for the entire lifetime of the account. If the account is deleted by the user or upon their request, this data is deleted within a maximum of 30 days, corresponding to the technical time required for effective purging of systems (main database and backups).
- Usage data (daily counters): each daily record (account associated with a date and a number of requests) is retained for 90 days from its creation, after which it is automatically deleted. This period corresponds to the time necessary to apply the daily limit and to detect any abnormal usage.
- Prompt content transmitted to the AI provider: not permanently retained by the Service after the request has been processed. The AI provider may apply its own retention policy, as described in its terms of use.
- Local preferences (chrome.storage.local): retained on the user's device until manually deleted or until the extension is uninstalled.
7. Data security
The data controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure, including:
- The API key for the AI provider is stored exclusively in the server-side Edge function secrets and is never exposed in the extension's code or accessible client-side.
- Every request to the prompt-processing function is subject to authentication verification (JWT token); any unauthenticated request is rejected.
- Passwords are managed in encrypted form by the authentication provider (Supabase Auth) and are never stored in plain text.
- The table containing usage data is protected by Row Level Security rules.
8. User rights
In accordance with the GDPR, every user has the following rights over their personal data:
- Right of access: obtain confirmation that data concerning them is being processed and obtain a copy of it (Article 15 GDPR).
- Right to rectification: request correction of inaccurate or incomplete data (Article 16 GDPR).
- Right to erasure: request deletion of their personal data, including by deleting their account (Article 17 GDPR).
- Right to object: object, on legitimate grounds, to processing based on the data controller's legitimate interest (Article 21 GDPR).
- Right to data portability: receive the data provided in a structured, commonly used, machine-readable format (Article 20 GDPR).
- Right to restriction of processing: request restriction of the processing of their data in certain cases provided for by the GDPR.
These rights may be exercised by writing to contact@7boost.io. A response will be provided within one month of receipt of the request, a period which may be extended by a further two months in the case of complex requests or a high volume of requests, in accordance with Article 12(3) of the GDPR.
9. Right to lodge a complaint
If, after contacting the data controller, the user considers that their rights are not being respected, they may lodge a complaint with the French Data Protection Authority (CNIL):
- Online: www.cnil.fr
- By post: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
10. Cookies and trackers
The 7BOOST. website does not currently use any analytics, advertising, or personalization cookies requiring prior consent. Only cookies strictly necessary for the Service to function (notably those related to authentication within the extension) may be used, and these do not require consent under the ePrivacy Directive and CNIL guidelines.
Should future developments introduce cookies subject to consent (for example, audience measurement tools), this policy will be updated and a consent collection mechanism will be put in place prior to the deployment of such cookies.
11. Changes to this privacy policy
The data controller reserves the right to modify this privacy policy at any time, in particular to comply with any regulatory, technical, or case-law developments. The applicable version is the one published on the website and extension at the date of consultation, with the date of last update indicated at the top of this document.