Edgee Privacy Policy

At Edgee, protecting personal data and ensuring transparency in our processing practices is central to our mission of building a more privacy-aligned Internet. This Privacy Policy outlines how Edgee Cloud SAS ("Edgee", "we", "us", or "our") collects, processes, and protects personal information in connection with our services.

1. Scope of this Policy

This policy applies to the processing of personal information in the following contexts:

• Customers and Administrative Users: Individuals and organizations who use Edgee's Edge Component Platform and manage services or projects via the Edgee dashboard.
• Website Visitors: Individuals who visit our public-facing websites (e.g. edgee.cloud).
• End Users: Individuals who interact with our customers' websites or applications where Edgee is deployed.

This policy does not apply to our customers' websites, applications, APIs, or networks—even when Edgee's infrastructure intermediates the delivery of their content. Customers are solely responsible for implementing their own privacy policies and ensuring compliance with applicable laws when using Edgee's services in connection with their end users.

Edgee's platform and services are not intended for, nor directed toward, individuals under the age of eighteen. We do not knowingly collect or process personal data from minors. If we become aware that such information has been collected, we will delete it without delay.

As Edgee functions as a proxy layer between end users and third-party or customer services, certain network records (such as IP addresses) may reflect Edgee infrastructure. Edgee acts solely as a conduit for content and requests controlled by our customers, who remain responsible for the nature and legality of any data transmitted through our platform.

2. What Information We Process

We distinguish between data Edgee processes on behalf of customers (as a processor) and data processed for our own operational purposes (as a controller).

2.1. Data Processed on Behalf of Our Customers

Edgee processes End Users' interactions with Customer's websites, APIs, applications, and other digital services where Edgee is deployed. The data processed can include:

• Network and event data (e.g., pageviews, interactions, TCP/IP and HTTP(S) request metadata)
• Pseudonymized or ephemeral identifiers (e.g., session hashes, cookie-based IDs)
• IP addresses (with optional truncation based on customer-configured anonymization settings)
• Device/browser metadata (e.g., language, user-agent, screen size)
• Consent signals from integrated CMPs (e.g., Axeptio, Didomi, OneTrust)

When customers activate specific components (e.g., integrations with third-party analytics platforms), Edgee may act as a data proxy to forward collected events. If user consent has been provided, these events may include personal identifiers (PII) such as full IP addresses or user IDs.

Edgee offers an anonymization feature that removes or masks common PII before data leaves the Edgee infrastructure. However, if a customer chooses to disable anonymization or misconfigures consent enforcement, Edgee cannot technically prevent the transmission of personal data—even in the absence of valid user consent. Customers are fully responsible for ensuring their configuration aligns with applicable laws and consent frameworks.

End User Identification Options

Edgee supports two distinct identification mechanisms for end users, which customers may configure based on their legal obligations and privacy posture:

• Cookieless Identification: For users who have not given consent, Edgee can generate a temporary hash using non-unique attributes (e.g., client IP, user-agent, device language) without setting any cookies. These hashes are valid for 24 hours, reset daily, and are stored only in Edgee's edge cache. This approach avoids persistent tracking and aligns with stricter interpretations of privacy regulations like the GDPR and CNIL guidance.
• Encrypted First-Party Cookie: For use cases that require persistent analytics identifiers, Edgee offers a privacy-compliant first-party cookie. This cookie, placed by Edgee on behalf of the customer, contains an encrypted and anonymized user ID, regenerated dynamically and never exposed to third-party tools. In many jurisdictions, including under CNIL and ICO guidance, such cookies may qualify for consent exemption when strictly limited to first-party audience measurement.

Customers must choose the identification mode that best aligns with their compliance needs and are responsible for ensuring appropriate consent is obtained where required.

2.2. Data Processed for Our Own Operations

We may process the following limited personal data:

• Account registration data (e.g., name, email, company)
• Service usage logs (for support, billing, and security)
• Communication data (e.g., email correspondence)

3. Legal Basis for Processing

Our processing of personal information is based on the following legal grounds:

• Consent – when required, such as for the placement of optional cookies or forwarding data to third-party analytics providers, based on end user choices.
• Legitimate interest – for purposes like anonymized audience measurement, fraud prevention, and ensuring platform security, provided such interests are not overridden by data subject rights.
• Contractual necessity – when processing is required to fulfill our obligations under a contract, such as account provisioning, billing, and platform access.

When Edgee processes data on its own behalf (as a data controller), we determine and document the applicable legal basis for each processing activity.

However, when Edgee processes data on behalf of its customers (as a data processor)—especially in relation to end users—the customer is the data controller. This means our customers are solely responsible for:

• Selecting a valid legal basis for processing end user data (e.g., consent or legitimate interest);
• Determining whether and how to collect consent from end users;
• Configuring Edgee's settings (e.g., anonymization, identification mode, third-party data sharing) in a way that is compliant with their local laws and obligations.

Edgee provides privacy-preserving technical options, but does not make legal determinations on behalf of customers. Improper use or misconfiguration may result in processing that does not meet regulatory requirements.

4. How We Use the Information

We use personal data for specific, clearly defined purposes, depending on whether we are acting as a controller or a processor.

When Edgee Acts as a Processor (on behalf of Customers):

We process end user data exclusively for the purposes defined and controlled by our customers, such as:

• Routing and transforming analytics traffic securely on their behalf
• Enforcing consent signals and user privacy preferences
• Supporting functionality tied to audience measurement and service optimization

We never use end user data for our own purposes beyond service provision.

When Edgee Acts as a Controller (for its own operations):

We process data in order to:

• Provide, maintain, and optimize Edgee services
• Monitor platform performance and usage
• Prevent fraud, abuse, and ensure service security
• Provide support, communicate with customers, and administer accounts

Edgee does not:

• Use personal data for advertising, behavioral profiling, or commercial monetization
• Sell or rent personal data to third parties

All processing activities are limited to what is necessary, proportionate, and aligned with applicable data protection regulations.

5. Data Sharing

We may share data with:

• Sub-processors strictly required to operate the platform (e.g., infrastructure providers)
• Third-party analytics tools, only after applying anonymization or when consent has been granted

Edgee currently engages the following subprocessors to help deliver its services:

• Fastly – Edge network infrastructure and content delivery
• AWS (Amazon Web Services) – Infrastructure hosting and computing
• Google Cloud Platform – Infrastructure and storage services
• Vercel – Front-end hosting and deployment platform

We ensure each subprocessor is subject to strict data protection obligations through appropriate contractual safeguards. For updates or detailed documentation, please visit our Trust Center.

6. International Data Transfers

All personal data processed by Edgee is hosted within the European Union by default. Where international transfers are necessary—for example, when a subprocessor operates outside the EU—we rely on:

• Standard Contractual Clauses (SCCs): Contractual provisions approved by the European Commission that ensure adequate data protection safeguards. These SCCs are available to our customers and their data protection officers upon request.
• Adequacy decisions: Where the European Commission has determined that a non-EU country ensures an adequate level of data protection (e.g., the UK, Switzerland), we may rely on that status to facilitate compliant transfers.
• Organizational and technical safeguards: These include end-to-end encryption of personal data in transit, strict access controls, processing confined to isolated edge environments, and robust auditing policies. These measures help minimize exposure risks and protect transferred data from unauthorized access or misuse. For a more detailed overview of our security measures, please refer to our Trust Center.

7. Data Retention

We retain personal data only as long as necessary:

• Logs: retained for up to 25 months
• End user events (processed on behalf of customers): not stored by Edgee; we act solely as a proxy
• End user debug events: retained for up to 24 hours for operational troubleshooting purposes only
• Account and billing records: for the duration of the customer relationship, plus legal retention obligations

8. Your Rights

Depending on your location, you may have the right to:

• Access, rectify, or erase your data
• Object to processing or request restriction
• Data portability
• Lodge a complaint with a data protection authority

Requests can be submitted to: privacy@edgee.cloud

If you are an end user of a website using Edgee, please contact the site owner directly. Edgee acts as a data processor for the website operator and does not determine the purposes or means of processing your data. However, if you submit a rights request to Edgee and we can reasonably identify the associated customer, we will forward your request to the relevant data controller, where appropriate. In all cases, the primary responsibility for handling data subject rights rests with the site owner or Edgee customer.

9. Security Measures

Edgee employs a comprehensive set of security controls to ensure the confidentiality, integrity, and availability of personal data processed through our platform. Our security program is aligned with industry best practices and independently audited.

• Encryption: All identifiers and traffic are encrypted in transit using TLS 1.2 or higher. Sensitive identifiers are also encrypted at rest.
• Edge isolation: All processing of end user data takes place within isolated edge nodes, minimizing lateral risk and exposure.
• Zero persistent exposure: Identifiers used for analytics purposes are never persistently accessible from the browser side or third-party scripts.
• Access controls: All system access is role-based, logged, and tightly scoped to least privilege.
• Auditing and monitoring: We maintain audit trails and use automated monitoring to detect unauthorized access or misuse.

For a detailed breakdown of our technical and organizational measures, please refer to our Trust Center.

10. Customer Responsibility

Edgee provides tools and configurations to support compliance, but our customers are responsible for:

• Managing consent and transparency toward end users
• Selecting the appropriate identification mode (e.g., cookieless vs. cookie-based)
• Determining the applicable legal basis for data collection

11. Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will communicate them prominently on our website. In addition, customers will be required to review and accept the updated Privacy Policy upon their next login to the Edgee dashboard in order to continue using our services.

12. Contact