
Last updated · 2026-05-24

Personal data protection policy

LeadsFlowAI processes your personal data with restraint, in compliance with the General Data Protection Regulation (GDPR) and the principles of minimization and sovereignty that guide the practice.

01

Data controller

LeadsFlowAI, Société par actions simplifiée (SAS), Chemin de la Bastide Rouge, Le Béal 2000 B1, 06150 Cannes, France. RCS Cannes 980 532 931. Controller contact: charles@leadsflowai.com.
02

Data protection officer

Charles Gautier — charles@leadsflowai.com.
03

Collected data and purposes

Only data strictly necessary to the practice is collected:
• Identification data (last name, first name, role, organization) during a diagnostic request or professional exchange.
• Contact data (professional email, phone) to handle the request.
• Aggregated and anonymized navigation data (pageviews, time spent) for audience measurement purposes.

No banking data is processed directly on this site; any payments transit through compliant providers (Stripe, GoCardless or equivalent) ensuring their security.
04

Legal basis

Processing is based on:
• Pre-contractual measures (response to a request, quote, diagnostic).
• Performance of the service contract, where applicable.
• Legitimate interest of the practice to maintain the professional relationship.
• Your consent, where required (non-strictly-necessary audience measurement, communications).
05

Retention period

Data is retained for the duration necessary for the purpose pursued:
• Prospect data: 3 years from last contact.
• Client data: throughout the contract duration, then 5 years after termination to meet legal and accounting obligations.
• Navigation data: 13 months maximum.
06

Data recipients

Your data is never sold. It may be shared, strictly as necessary for service performance, with:
• The practice's team and any subcontractors engaged on your project, subject to written confidentiality undertakings.
• Technical providers (host, CRM tool, audience measurement tool) bound by GDPR-compliant contracts.
• Authorized authorities, upon legal request.

Any transfers outside the European Union, where they exist, are governed by European Commission standard contractual clauses.
07

Hosting & subprocessors

Ultimate subprocessors used as of the last update:
• Hetzner Online GmbH (Germany, EU) — hosting of the site infrastructure and of the optional self-hosted analytics instance. Data stored in European data centers (Germany and Finland), powered by 100% hydroelectric electricity since 2008 (Germany) and 2018 (Finland). German sites certified EMAS.
• GoHighLevel (HighLevel Inc., United States) — CRM tool and appointment scheduling. Governed by European Commission standard contractual clauses. Data limited to strict necessity (name, email, appointment context).

No advertising tracking tool (Meta Pixel, Google Ads, LinkedIn Insight) is used as of the last update. Any future addition would trigger an update to this policy and explicit consent via the dedicated banner.
08

Your rights

Under GDPR, you have at any time the rights:
• of access, rectification, erasure, portability of your data;
• of restriction and objection to processing;
• to define directives concerning the retention, erasure and communication of your data after death.

To exercise these rights, contact the DPO at the address indicated above. A response will be provided within one month (extendable to three months if complexity requires). You also have the right to lodge a complaint with the relevant data protection authority (in France: CNIL — www.cnil.fr).
09

Cookies and audience measurement

This site uses privacy-respecting audience measurement — either no analytics tool, or a self-hosted Plausible Community Edition instance on European infrastructure (Hetzner, Germany), without third-party tracking cookies or advertising identifiers. Aggregated statistics do not allow visitor identification and are not shared with third parties. Since no advertising tracker is set, no prior consent is required for the default audience measurement. Any later activation of a cookie-based tool (Google Tag Manager, GA4, Meta Pixel, LinkedIn Insight Tag) would trigger a consent banner compliant with the CNIL recommendation and Google Consent Mode v2. The technical detail of deposited trackers is available in the dedicated cookie policy.
10

Security

Reasonable technical and organizational measures are implemented to protect data: encryption in transit (HTTPS), access control, logging, backups, awareness training. No system being inviolable, LeadsFlowAI commits to notifying any data breach within the timeframes set by GDPR.

Contact

For any question regarding this document, please write to charles@leadsflowai.com.