Privacy policy

1. Data controller

The controller of your personal data is Alexandre Marotel, publisher of ScorCity.com.

For any question regarding the protection of your data: contact@scorcity.com

2. Data collected and purposes

ScorCity only collects data strictly necessary for the service:

Forms (guide download, investor diagnostic, contact)

• First name, last name, email address (when you provide them) — purpose: send you the requested resource, respond to your request, send you similar content if you have consented.
• Diagnostic questionnaire answers (budget, goal, horizon, risk, area) — purpose: compute your recommended cities and refine the methodology. Answers are associated with an anonymous session UUID and are linked to your email only if you choose to receive the summary.

Browsing and audience measurement

• Pages visited, session duration, device type, browser, country — collected via Matomo (self-hosted in France), Google Analytics 4 and Microsoft Clarity. Purpose: understand how the site is used, detect bugs, improve ergonomics.
• IP address — anonymized before storage in Matomo; processed by Google and Microsoft under their applicable safeguards (standard contractual clauses).

Technical data

• Server logs (IP, date, URL, HTTP status) — purpose: security, abuse prevention, technical diagnostics.

3. Legal basis (GDPR art. 6)

• Consent: follow-up emails after downloading a resource or diagnostic (explicit opt-in); non-essential cookies.
• Legitimate interest: anonymized audience measurement, system security, service improvement.
• Pre-contractual measure: sending the requested resource (PDF guide, diagnostic summary).

4. Recipients

Your data is neither sold nor transferred to third parties for commercial purposes. It may be processed by the following sub-processors, each bound by a GDPR-compliant agreement:

• OVH SAS (France) — hosting.
• Matomo (self-hosted on OVH servers in France) — audience measurement.
• Google Ireland Ltd — Google Analytics 4 (non-EU transfers covered by standard contractual clauses and Data Privacy Framework).
• Microsoft Ireland Operations Ltd — Microsoft Clarity (non-EU transfers covered by standard contractual clauses).
• Mautic (self-hosted on OVH servers in France) — sending follow-up emails and resources.

5. Retention periods

• Server logs: 12 months.
• Audience measurement data (Matomo / GA4 / Clarity): 13 months maximum.
• Emails collected through forms: until your deletion or unsubscribe request, and at most 3 years after the last active contact.
• Investor diagnostic sessions: 24 months.
• Contact exchanges by email: 3 years after the last exchange.

6. Your rights

Under the GDPR and the French Data Protection Act, you have the following rights:

• Right of access to your personal data.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten").
• Right to data portability.
• Right to object to the processing.
• Right to restriction of processing.
• Right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).

To exercise these rights, write to contact@scorcity.com with details of your request. Proof of identity may be requested.

You also have the right to lodge a complaint with the CNIL (French Data Protection Authority), 3 place de Fontenoy, 75007 Paris, France.

7. Cookies

ScorCity only uses cookies for audience measurement and browsing convenience. No third-party advertising cookies are dropped.

• Strictly necessary cookies: session, language preference — exempt from consent.
• Audience measurement cookies (Matomo, Google Analytics 4, Microsoft Clarity) — subject to your consent.

You can configure your browser at any time to refuse or delete these cookies.

8. Security

Data is hosted by OVH in France, accessible only via encrypted connections (HTTPS, SSH). Passwords are stored as irreversible hashes. Database access is restricted by IP and strong authentication.

9. Transfers outside the European Union

Some sub-processors (Google, Microsoft) may process your data outside the EU. These transfers are framed by the European Commission's standard contractual clauses and, where applicable, by the Data Privacy Framework for the United States.

10. Changes

This policy may be updated to reflect legal or technical developments. The last update date is indicated at the top of the page.