LeadsFlowAI

Last updated · 2026-05-29

Personal data protection policy

LeadsFlowAI processes your personal data with restraint, in compliance with the General Data Protection Regulation (GDPR) and the principles of minimization and sovereignty that guide the practice.

01

Data controller

LeadsFlowAI, Société par actions simplifiée (SAS), Chemin de la Bastide Rouge, Le Béal 2000 B1, 06150 Cannes, France. RCS Cannes 980 532 931. Controller contact: [email protected].
02

Data protection officer

Charles Gautier - [email protected].
03

Collected data and purposes

Only data strictly necessary to the practice is collected:
• Identification data (last name, first name, role, organization) during a diagnostic request or professional exchange.
• Contact data (professional email, phone) to handle the request.
• Technical data strictly necessary for site operation and security.

No audience measurement tool is active by default as of the last update. If privacy-respecting audience measurement is later activated, this policy and the cookie policy will be updated. No banking data is processed directly on this site; any payments transit through compliant providers (Stripe, GoCardless or equivalent) ensuring their security.
04

Legal basis

Processing is based on:
• Pre-contractual measures (response to a request, quote, diagnostic).
• Performance of the service contract, where applicable.
• Legitimate interest of the practice to maintain the professional relationship and site security.
• Your consent, where required (communications, non-strictly-necessary audience measurement or future trackers).
05

Retention period

Data is retained for the duration necessary for the purpose pursued:
• Prospect data: 3 years from last contact.
• Client data: throughout the contract duration, then 5 years after termination to meet legal and accounting obligations.
• Strictly necessary technical logs: limited to security and operational needs.
• Audience data, if a tool is activated later: maximum duration to be specified in the updated cookie policy.
06

Data recipients

Your data is never sold. It may be shared, strictly as necessary for service performance, with:
• The practice's team and any subcontractors engaged on your project, subject to written confidentiality undertakings.
• Necessary technical providers (host, CRM and appointment scheduling tool) bound by GDPR-compliant contracts.
• Authorized authorities, upon legal request.

Any transfers outside the European Union, where they exist, are governed by European Commission standard contractual clauses.
07

Hosting & subprocessors

Ultimate subprocessors used as of the last update:
• Hetzner Online GmbH (Germany, EU) - hosting of the site infrastructure. Data stored in European data centers (Germany and Finland), powered by 100% hydroelectric electricity since 2008 (Germany) and 2018 (Finland). German sites certified EMAS.
• Cloudflare, Inc. (United States) - content delivery network (CDN), reverse proxy and anti-DDoS protection for leadsflowai.com. Processes visitors' IP addresses and technical connection metadata, for security and performance purposes; traffic from European visitors is served from European data centers. Framed by European Commission standard contractual clauses and Cloudflare's data processing agreement. No form or account data is collected by the site.
• GoHighLevel (HighLevel Inc., United States) - CRM tool and appointment scheduling. Framed by European Commission standard contractual clauses. Data limited to strict necessity (name, email, appointment context).

No analytics or advertising tracking tool (Plausible, Google Analytics, Meta Pixel, Google Ads, LinkedIn Insight) is active by default as of the last update. Any future addition would trigger an update to this policy and, where required, explicit consent via the dedicated banner.
08

Our approach to sovereignty

LeadsFlowAI deliberately distinguishes its public storefront from its data processing:
• The public website relies on a global delivery network for performance and international accessibility; it collects no client data, and only technical metadata (IP address) transits through it.
• All products, technologies and client data that we develop and host run on European infrastructure, with no subprocessor subject to a non-European jurisdiction in the data path.
• The use of non-EU AI APIs or models, where no equivalent European alternative exists, is limited to strict necessity, framed by standard contractual clauses and a data processing agreement, and applies to minimized or anonymized data.

This doctrine guides our technical choices and is subject to continuous improvement.
09

Your rights

Under GDPR, you have at any time the rights:
• of access, rectification, erasure, portability of your data;
• of restriction and objection to processing;
• to define directives concerning the retention, erasure and communication of your data after death.

To exercise these rights, contact the DPO at the address indicated above. A response will be provided within one month (extendable to three months if complexity requires). You also have the right to lodge a complaint with the relevant data protection authority (in France: CNIL - www.cnil.fr).
10

Cookies and audience measurement

No audience measurement tool is active by default as of the last update. The only documented storage is strictly necessary local storage for consent preferences, when the user configures them. Any later activation of a measurement tool or cookie-based tool will trigger an update to the cookie policy and, where required, a consent banner compliant with the CNIL recommendation. A privacy-friendly, cookieless audience measurement (such as Plausible, configured to qualify for the CNIL exemption) would not require consent. If a Google tool (GA4, Google Ads) or an advertising cookie (Meta Pixel, LinkedIn Insight Tag) were used, consent would be collected and the Google Consent Mode v2 mechanism applied. The technical detail of deposited trackers is available in the dedicated cookie policy.
11

Linked journeys (Reveal experience)

If, from this site, you are directed to a Reveal experience (chat, voice, appointment booking) hosted on a dedicated subdomain or domain, that journey has its own information notice and, where applicable, its own consent collection (cookies, possible recordings). The data controller remains LeadsFlowAI, but the purposes and data processed there are specific to that journey and described within the relevant experience.
12

Security

Reasonable technical and organizational measures are implemented to protect data: encryption in transit (HTTPS), access control, logging, backups, awareness training. No system being inviolable, LeadsFlowAI commits to notifying any data breach within the timeframes set by GDPR.

Contact

For any question regarding this document, please write to [email protected].