Data Processing
Last updated: March 17, 2026
This document provides a detailed technical overview of how data flows through Carnets and our commitment to GDPR compliance.
1. Legal Basis for Processing
We process your data under Article 6 of the GDPR based on:
- Consent: When you voluntarily upload your data.
- Contract Performance: To provide the service of generating and hosting your travel journal.
2. Data Flow & Processing Lifecycle
| Phase | Action | Retention |
|---|---|---|
| Upload | User uploads ZIP via Cloudflare to secure R2 storage. | Temporary storage. |
| Extraction | Parsing of JSON files to extract posts, stories, and images. | In-memory processing. |
| Enrichment | AI-assisted location extraction and caption polishing. | Transient (No AI training). |
| Storage | Final archive data saved to Supabase (PostgreSQL). | Duration of account. |
| Cleanup | Deletion of raw ZIP and temporary files. | Within 7 days. |
3. Sub-processors
To provide our service, we use the following strictly vetted sub-processors, prioritizing EU-based hosting wherever possible:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & Authentication | EU (Paris, France) |
| Cloudflare | CDN, DNS & Storage | Global (EU prioritized) |
| Vercel | Application Hosting | EU (Paris, France) |
| Anthropic | AI Processing (API) | USA (No training) |
4. Data Minimisation
We follow the principle of data minimisation (Art. 5 GDPR). Our parser is programmed to ignore files within your Instagram export that are not relevant to your travel journal (such as advertising profiles, search history, or direct messages). We only process:
- Media items (Photos, Videos, Stories)
- Captions and Comments on your own posts
- Location metadata (GPS) and timestamps
5. Security Measures
We implement industry-standard security measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Access Control: Strict internal policies limit access to user data to what is required for maintenance and support.
- Turnstile Protection: We use Cloudflare Turnstile to prevent automated bots from abusing our processing infrastructure.
6. Data Breach Protocol
In the unlikely event of a data breach, we are committed to notifying the relevant supervisory authority (CNIL in France) within 72 hours, and notifying affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
7. Contact
For technical inquiries regarding data processing, please contact our Data Protection Officer (DPO) at hello@carnets.app.