1. Data Controller
Identity and contact details
The data controller of the personal data collected via Graplia is:
- Company name: Graplia
- Legal representative: LOISON Pierre Baptiste
- Registered office: 8 rue Pierre Leroux, Paris 75007
- Data protection email address: baptisteloison@proton.me
Data Protection Officer (DPO)
As of today, Graplia:
- ☐ has appointed a DPO;
- ☑ has not appointed a DPO.
Given the size and nature of the activity, Graplia is not required to appoint a DPO in accordance with Art. 37 of the GDPR.
In the absence of a DPO, for any questions relating to the protection of your data (exercise of rights, requests for information, complaints, etc.), you may contact the GDPR officer at baptisteloison@proton.me.
2. Purposes of processing
Graplia implements various personal data processing operations in order to ensure the provision and proper functioning of the Service. The purposes are strictly limited to the following:
2.1 Authentication and account management
- Purpose: Verify the user’s identity and secure access to the Service.
- Technical means: Exclusive use of Auth0’s Authentication flow and OAuth2 API to obtain the access token.
2.2 Connection to the n8n instance
- Purpose: Import workflows and read the identifiers of existing node credentials.
- Technical means: Requests via the n8n REST API for reading and writing workflows in the instance.
- Data involved: Denominators of the credentials of existing nodes in the instance. Graplia neither records nor consults the content of node credentials in n8n under any circumstances.
2.3 Pseudonymized statistics
- Purpose: Analyze Graplia usage by users (number of created workflows, import rate of workflows into n8n instances, etc.).
- Technical means: Collection of pseudonymized metrics via PostHog, with no direct link to the user’s identity.
- Data involved: Aggregated and pseudonymized usage indicators (number of created workflows, workflow categorizations, types of nodes generated, etc.).
2.4 Workflow generation
- Purpose: Allow the user to generate n8n workflows from natural language instructions.
- Technical means: Transmission of the instruction content to a third-party provider in order to generate the workflow via artificial intelligence.
- Data involved: Instruction text content, denominators of node identifiers existing on the n8n instance if connected.
3. Categories of data collected
Graplia only processes the information strictly necessary for the purposes described:
- Authentication identifiers
Auth0 access token, used to secure login and maintain the active session.
- Contact details
Email address associated with the Auth0 account, required for user identification and management.
- Denominators of n8n identifiers
Denominators of node connection identifiers in n8n, necessary to add connection identifiers on new workflows. Only if the n8n instance is configured on the user’s account.
- n8n workflows
Workflows existing on the n8n instance, necessary to retrieve the denominators of connection identifiers.
- Pseudonymized metrics
Aggregated data such as the number of created workflows, workflow categorization, types of nodes generated.
No other personal data (IP address, location, browsing history, etc.) is collected or processed by Graplia.
4. Legal basis for processing
For each purpose of Graplia, the legal basis under Article 6 of the GDPR is as follows:
Authentication and account management
- Legal basis: Performance of the contract (Article 6.1 b)
- Justification: The provision of Graplia requires verifying the user’s identity and managing their session.
Connection to the n8n instance
- Legal basis: Consent (Article 6.1 a)
- Justification: Connecting to the n8n instance is an optional feature that is enabled in the application settings.
Pseudonymized statistics for the user
- Legal basis: Legitimate interest (Article 6.1 f)
- Justification: The development of pseudonymized dashboards helps improve the service and inform the user of their activity without infringing their rights and freedoms (pseudonymized data).
Workflow generation
- Legal basis: Performance of the contract (Article 6.1 b)
- Justification: The user must be able to generate workflows via the technical provider as part of the subscribed service.
5. Data recipients
The data collected and processed by Graplia is disclosed only to the actors strictly necessary to carry out the purposes described above, under the following conditions:
Internal technical providers
- Graplia’s development and operations teams,
- Cloud host (France Central): only encrypted data is accessible to hosting operators.
Third-party providers
- OpenAI
  - Purpose: Creation of n8n workflows (generative AI).
  - Data transmitted: User instruction, denominators of connection identifiers.
- Auth0
  - Purpose: Secure authentication and user account management (account creation, login, session management, password reset).
  - Data exchanged: Email address linked to the account, unique user ID generated by Auth0, OAuth2 access token, technical session metadata (login timestamp, authentication status).
- n8n instance
  - Purpose: Connect Graplia to the user’s personal instance in order to import, generate and manage n8n workflows.
  - Data exchanged: Identifiers of existing workflows, denominators of connection identifiers (credentials) linked to instance nodes, text content of workflows during generation or modification. Graplia neither accesses nor stores the full content of credentials (passwords, tokens, API keys).
- PostHog
  - Purpose: Collection of pseudonymized metrics for generating statistical dashboards.
  - Data transmitted: Aggregated and pseudonymized indicators (no link to user identity).
No other sharing is carried out, and Graplia undertakes not to sell or disclose personal data to third parties.
6. Transfers outside the EU
Graplia ensures that all personal data is hosted within the European Union, on servers located in France Central. No data is stored outside the EU.
However, certain operations with third parties involve data transfers to third countries (notably the United States):
- OpenAI API: The text content of user instructions as well as the denominators of connection identifiers to n8n nodes are sent to OpenAI’s servers.
These transfers are governed by appropriate safeguards:
- Standard Contractual Clauses (SCC) adopted by the European Commission, included in contracts with OpenAI.
- Where applicable, Binding Corporate Rules (BCR) or other mechanisms recognized by European legislation.
Pseudonymized metrics via PostHog are hosted exclusively within the European Union.
7. Data retention periods
Graplia has defined strict retention periods, adapted to each category of data and in compliance with the principle of storage limitation (Article 5.1 e of the GDPR):
- Authentication and contact data (OAuth2 token, email address)
Retained for 2 years from the last login or account update.
- Pseudonymized metrics (PostHog statistics)
Only aggregates are kept for 2 years to monitor trends, then automatically purged.
- Deletion requests
If a user exercises their right to erasure, Graplia deletes all of their personal data (identifiers, contact, workflows, denominators of connection identifiers) within one month of receiving the request.
After these periods, the data is either permanently deleted or irreversibly pseudonymized if it must be retained for statistical or internal archiving purposes (but without any possible link to the person’s identity).
8. Data subject rights
In accordance with Articles 15 to 22 of the GDPR, any person whose data is processed by Graplia has the following rights:
8.1 Right of access
You can obtain confirmation of whether or not Graplia processes your data and, if so, access that data (purposes, categories, recipients, retention period, etc.).
8.2 Right to rectification
If your data is inaccurate or incomplete, you may request its update or correction.
8.3 Right to erasure (“right to be forgotten”)
You may request the deletion of your personal data in the cases provided for by the GDPR. Graplia undertakes to delete all your data (identifiers, contact, workflows, denominators of connection identifiers) within one month of receiving the request.
8.4 Right to restriction of processing
You may, under certain conditions, request the temporary suspension of the processing of your data (for example, in case of dispute over the accuracy of the data).
8.5 Right to object
You may object at any time, for legitimate reasons, to your data being processed based on Graplia’s legitimate interest (notably for pseudonymized statistics).
8.6 Right to data portability
Where the processing is based on your consent or on the performance of a contract, you may request to receive your data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
8.7 How to exercise your rights
To exercise these rights, please send your request to:
- Email: baptisteloison@proton.me
8.8 Response time
Graplia will respond to your request within 28 days of receipt. This period may be extended by two months due to the complexity or number of requests, with prior notification to the user.
Graplia maintains an internal record of processing activities, available upon request to the supervisory authority.
Graplia is not intended for minors under the age of 16.
9. Data security
Graplia implements appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data, in accordance with Article 32 of the GDPR:
Data encryption
- Data at rest: All stored data (identifiers, contact, workflows, denominators of connection identifiers) is encrypted using robust algorithms (AES-256).
- Data in transit: Exchanges between the client and the server, as well as between our servers and third-party APIs (Auth0, OpenAI, PostHog), are protected by TLS 1.2+.
Access controls and authentication
- Production environment access is restricted under a “least privilege” model; only authorized members of the technical team may view or act on the data.
- Logging and auditing of administrative logins and actions (secure logs, available in case of incident).
Pseudonymization
- Metrics collected via PostHog are systematically pseudonymized, with no direct link to user identity.
Backups and disaster recovery plan
- Regular (daily) encrypted backups stored in a secure cluster.
- Documented disaster recovery plan to restore service and data in case of major incident within minimal time.
Security testing and updates
- Quarterly vulnerability scans and rapid remediation of identified flaws.
- Regular updates of software dependencies and security patches for the operating system.
Graplia undertakes to periodically review these measures to adapt them to evolving risks and best practices.
10. Cookies and trackers
Graplia uses a limited number of cookies and trackers, exclusively for functional and analytical purposes:
Session cookies (functional)
- Purpose: Maintain the user’s active session after authentication via Auth0.
- Lifetime: Expires upon browser closure (session).
- Type: First-party cookie, only on the Graplia domain.
PostHog cookies (pseudonymized analytics)
- Purpose: Collect aggregated and pseudonymized usage metrics (number of page views, actions on the dashboard, synchronization volumes) to improve and stabilize the service.
- Lifetime: 1 year from the last interaction.
- Type: Third-party cookie managed by PostHog, with no direct link to the user’s identity (pseudonymization).
No advertising or marketing trackers
Graplia does not implement cookies for advertising, targeting, or resale of data. No personal data is shared for commercial purposes with advertisers or advertising networks.
Cookie management and refusal
- Users can configure their browser at any time to refuse or delete cookies.
- Refusing PostHog analytics cookies will not prevent access to the Service, but will disable pseudonymized metrics tracking.
- Refusing functional session cookies will make it impossible to reconnect without renewing the Auth0 authentication procedure.
11. Procedure in case of personal data breach
In the event of a personal data breach (a security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data), Graplia applies the following procedure, in compliance with Articles 33 and 34 of the GDPR:
Detection and containment
- Immediate identification of the incident by monitoring and alert tools (access logs, intrusion detection systems).
- Blocking or isolating affected components (servers, networks, user accounts) to prevent propagation or continued unlawful access.
Analysis and qualification
- Technical assessment of the extent of the breach: categories and number of affected individuals, nature and volume of exposed data, duration of the incident.
- Investigation of root cause (exploited vulnerability, human error, system failure).
Internal notification
- Immediate notification of the Information Security Officer and the DPO (where applicable).
- Opening of an incident file and maintenance of an internal register of breaches (date, incident description, data affected, measures taken).
Notification to supervisory authority
- Deadline: No later than 72 hours after discovery of the breach, unless the incident is deemed unlikely to result in a risk to the rights and freedoms of data subjects.
- Content: Description of the nature of the breach, categories and approximate number of data subjects, categories and volume of data affected, measures taken or planned to address the breach and mitigate its effects.
Notification to data subjects
- When: Without undue delay, where the breach is likely to result in a high risk to the rights and freedoms of individuals (e.g. contact data).
- Content: Clear description of the nature of the breach, contact details of the DPO or GDPR officer, recommendations to mitigate possible negative effects, and description of protection measures implemented.
Remediation measures and follow-up
- Implementation of fixes (patches, reconfiguration, strengthened access controls) to address the security flaw.
- Post-incident review: detailed report, lessons learned, and update of security procedures and policies to prevent recurrence.
- Internal communication of improvements and possible staff training.
Incident record retention
- Retention of the breach register and analysis reports for at least 5 years, in accordance with best practices, to demonstrate compliance in case of inspection.
12. Policy updates
Graplia undertakes to keep its personal data protection statement up to date and compliant with legislative, regulatory, and technological developments.
Review frequency
The privacy policy and this GDPR statement are reviewed at least once a year, or more frequently in the event of a significant change to the service, its data processing, or applicable regulations.
Notification procedures
- Prior notification: Any significant change to the policy will be notified at least 30 days before implementation.
- Communication channels:
  - Sending an email to the user’s primary address (the one associated with their Auth0 account).
  - Displaying a banner or pop-up window upon login to the Graplia interface, inviting the user to review the changes.
- Effective date: The new version will be deemed accepted if the user continues to use the Service after the effective date indicated in the notification.
Archiving previous versions
The different versions of the policy are archived and remain available upon request by contacting baptisteloison@proton.me.