Data deletion

You have the right to ask us to delete the personal data we hold about you (GDPR Art. 17). This page is the practical procedure. The legal context — what data we hold, why, and the rest of your rights — is in the privacy policy.

1. Where to send the request

Write to legal@oriskami.com. Send it from the email address you used to create your account so we can verify the request without an extra round-trip.

If you no longer have access to that email, send the request from any address and include enough information to let us reasonably establish that you are the account owner (for example, the company name, the SIREN you signed up under, or the original onboarding date). We may ask for one additional verification step before acting.

2. What to include

One short email is enough:

  • The email address tied to the account.

  • The action you want: delete the entire account or delete specific data (and which data).

  • Optionally, a reason — useful but not required.

You do not need to invoke a specific legal article or fill in a form. Plain language is fine.

3. What we delete vs. what we retain

Once we have reviewed the request, where the conditions of GDPR Art. 17 apply we erase from active systems:

  • your account, profile, credentials, and session tokens;

  • personal data you provided through forms, support requests, or onboarding.

Some data is kept for the periods French and EU law require, and for the legitimate-interest periods set out below:

  • Invoices and accounting records — ten years (Code de commerce Art. L123-22).

  • CRM records of our commercial exchanges with you — emails, meeting notes, ticket history, account-management notes — retained for up to ten years from the last interaction, on the basis of our legitimate interest (GDPR Art. 6(1)(f)) in maintaining a coherent record of the commercial relationship and meeting French commercial-record obligations (Code de commerce L123-22). On request we redact direct identifiers (personal email, phone) once the underlying record is no longer needed for an active matter.

  • Authentication and security logs that name you — retained for audit and abuse detection for as long as the legitimate-interest purpose persists; on request we delete or anonymise the entries that name you.

  • Anonymised, aggregated usage statistics — kept indefinitely; these no longer identify you and are outside the scope of GDPR personal-data deletion.

Data may persist briefly in automated backups beyond the active deletion. It is not used operationally and is overwritten as the standard backup retention cycle expires.

4. Timeline

We aim to respond within one month of receiving the request, per GDPR Art. 12(3). For complex or multi-system requests we may extend by up to two further months, in which case we tell you within the first month why and how long we expect to take.

If we cannot act on the request, we tell you why and remind you that you can lodge a complaint with the CNIL or the supervisory authority of your residence (Art. 77).

5. Confirmation

When the deletion is complete, we confirm by email.

For the broader picture — what data we collect, why, who we share with, and the full set of GDPR rights — see the privacy policy.