Privacy Policy

1. Data controller and contact

The controller of the data described in this Policy is [DENOMINATION], a [FORME_SOCIALE] with a share capital of [CAPITAL_SOCIAL], whose registered office is located at [ADRESSE_SIEGE], registered with the Trade and Companies Register of [RCS_VILLE] under number [SIREN], intra-EU VAT number [TVA_INTRA], publication director: [DIRECTEUR_PUBLICATION].

For any question regarding the protection of your personal data or the exercise of your rights, you may contact our dedicated data-protection team at [email protected] or our Data Protection Officer (DPO) at [email protected]. For general legal matters, write to [email protected]; for support, to [email protected].

This Policy is to be read together with our Terms of Use (CGU), our Terms of Sale (CGV), our Acceptable Use Policy (AUP), our Cookie Policy and, for customers, our Data Processing Agreement (DPA), which supplements the Terms of Use.

2. Scope and allocation of roles (controller / processor)

Two distinct sets of data involve two different allocations of roles, which it is essential to distinguish clearly.

"CloseHunt" data (covered by this Policy) — For the data of visitors to our websites, of users of customer accounts, and billing, authentication, support, security and product-usage data, CloseHunt determines the purposes and essential means of the processing and therefore acts as the DATA CONTROLLER within the meaning of Article 4(7) GDPR.

Prospect / lead data (NOT covered by this Policy) — For the data of the individuals our customers target, contact, import, source or enrich through the platform, as well as the content of inbound replies, it is the CUSTOMER who decides whom to contact, on which channels, with what message, at what frequency and on what legal basis. The customer is therefore the DATA CONTROLLER and CloseHunt acts exclusively as a PROCESSOR within the meaning of Article 4(8) GDPR, solely on the customer's documented instructions (the Terms of Use, the DPA and the customer's in-product configuration constituting those instructions). CloseHunt determines neither the purposes nor the essential means of the outreach: the platform is a neutral, configurable tool, and its AI agents strictly execute the parameters set by the customer.

CloseHunt undertakes not to reuse prospect data for its own purposes, not to combine it across customers (strict tenant isolation) and not to use it to train or improve its models or products. The processing of prospect data is governed by the DPA and by section 13 below.

3. Categories of data collected and sources

As controller, we collect and process the following categories of data, mainly provided directly by you, generated by your use of the service, or received from our technical sub-processors (for example, our payment provider):

• Identification and account data: first name, surname, business email address, password (in hashed form), company, job title, login credentials and account preferences.
• Billing and transaction data: company name, billing address, VAT number, subscription plan, billing history and payment data processed by our payment provider (CloseHunt does not store full card numbers).
• Usage and technical data: connection logs, IP address, browser and device type, pages viewed, actions taken in the application, performance metrics and product telemetry.
• Support and communication data: the content of your support requests, email exchanges, tickets and satisfaction surveys.
• Security and logging data: audit logs, authentication events, and fraud- and abuse-prevention data.
• Browsing data and cookies: cookie and tracker identifiers placed on our websites, under the conditions described in our Cookie Policy and, where applicable, subject to your consent.

4. Purposes and legal bases of processing

Each processing operation we carry out as controller relies on one of the legal bases set out in Article 6 GDPR, depending on the purpose pursued:

• Provision, management and billing of the service (account creation and administration, access to the platform, delivery of subscribed features, invoicing and collection) — legal basis: performance of the contract, Article 6(1)(b).
• Security, fraud and abuse prevention, backup, technical monitoring and product improvement (aggregated usage statistics) — legal basis: legitimate interest, Article 6(1)(f); our legitimate interest is to ensure the security, reliability, integrity and evolution of our service and to protect our rights.
• Compliance with our legal and regulatory obligations (accounting, taxation, retention of supporting documents, responses to authorities' requests) — legal basis: legal obligation, Article 6(1)(c).
• Non-essential cookies, non-exempt audience measurement and electronic marketing communications — legal basis: consent, Article 6(1)(a), which you may withdraw at any time without affecting the lawfulness of processing carried out beforehand.

5. Recipients and sub-processors

Your data is accessible only to authorised CloseHunt personnel bound by a duty of confidentiality, and to technical sub-processors acting on our documented instructions. We do not sell your personal data.

To deliver the service, CloseHunt relies on sub-processors, disclosed below by category / function. Each is bound by contractual commitments imposing equivalent data-protection safeguards (Article 28(4) GDPR), and CloseHunt remains liable to you for its sub-processors:

• Cloud hosting / infrastructure (Scaleway SAS, France/EU);
• AI inference (OpenAI, Anthropic);
• Payments (Stripe);
• Email deliverability infrastructure;
• Social and instant-messaging infrastructure;
• SMS gateway;
• Voice-calling infrastructure.
• Third-party enrichment providers configured by the customer (using the customer's own API keys) are not CloseHunt sub-processors: they are contracted directly by the customer, who is their controller; CloseHunt acts only as a technical conduit.

6. International transfers outside the European Union

CloseHunt's primary hosting is provided within the European Union (France), with Scaleway SAS. We prioritise processing your data within the EU/EEA.

Where a sub-processor processes data outside the EU/EEA (for example, in connection with certain AI-inference operations), such transfer is made only to a country benefiting from an adequacy decision of the European Commission, or on the basis of the Standard Contractual Clauses adopted by the Commission on 4 June 2021 (Decision 2021/914), supplemented by additional technical and organisational measures (encryption, minimisation, access control) following a transfer-impact assessment. A copy of the applicable safeguards may be obtained by writing to [email protected].

7. Retention periods

We retain your data only for as long as necessary for the purposes described, plus any applicable legal archiving periods:

• Account and service data: for the entire duration of the contractual relationship, then archived or deleted within a reasonable period after termination, subject to legal retention obligations.
• Billing data and accounting records: retained for the period required by legal and tax obligations (notably ten years for accounting records under French law).
• Usage data, technical and security logs: retained for a limited period proportionate to the purposes of security, monitoring and evidence.
• Commercial prospecting data for which CloseHunt is the controller (for example, a non-customer business contact): in accordance with the CNIL referential on the management of commercial activities, retained in the active database for three years from the prospect's last contact, then archived or deleted (merely opening an email does not reset this period).
• Data processed on the basis of consent (cookies, marketing): until consent is withdrawn and, for trackers, for the periods stated in the Cookie Policy.

8. Your rights over your data

In accordance with Articles 15 to 22 GDPR, you have the following rights in respect of the data for which CloseHunt is the controller:

• The right of access to your data and to obtain a copy;
• The right to rectification of inaccurate or incomplete data;
• The right to erasure (the "right to be forgotten"), under the conditions of Article 17;
• The right to restriction of processing (Article 18);
• The right to portability of the data you have provided to us (Article 20);
• The right to object to processing based on legitimate interest (Article 21(1)) on grounds relating to your particular situation, and the ABSOLUTE right to object to processing for prospecting / direct-marketing purposes (Article 21(2)), which we act upon immediately and without any balancing test;
• The right to withdraw your consent at any time, where processing is based on it, without affecting the lawfulness of processing carried out before withdrawal;
• The right to lodge a complaint with the French data-protection authority (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr, or with the supervisory authority of your place of residence.

9. How to exercise your rights

You may exercise your rights at any time by writing to [email protected] or to our DPO at [email protected]. You may also object to any prospecting we carry out on our own behalf and assert an objection to direct marketing via the public page https://closehunt.io/opt-out.

We may need to verify your identity before processing your request. We respond within one month of receiving the request, which may be extended by two months for complex or numerous requests, in which case we will inform you.

If your request concerns prospect data processed on behalf of a customer (CloseHunt then acting as processor), we will forward your request to the customer-controller and/or indicate the sender to contact; see section 13.

10. Cookies and trackers

Our websites use cookies and trackers that are strictly necessary for the operation of the service, as well as, subject to your consent, non-exempt audience-measurement cookies and, where applicable, personalisation cookies. The placement of non-essential trackers is subject to your prior consent, obtained via our cookie-management banner, and revocable at any time.

Detailed terms (categories of trackers, purposes, retention periods, preference management) are described in our Cookie Policy, to which we refer you.

11. Data security

CloseHunt implements appropriate technical and organisational measures within the meaning of Article 32 GDPR to protect your data against unauthorised destruction, loss, alteration, disclosure or access: encryption in transit and at rest, access control and logging, environment and tenant isolation, EU hosting, permission management and incident-response procedures.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority under the conditions and within the time limits set out in Article 33 GDPR and, where applicable, will inform you in accordance with Article 34.

12. Minors' data

CloseHunt is a service strictly reserved for professionals (B2B) and is neither intended for nor offered to minors. We do not knowingly collect data concerning individuals under the age of eighteen. Should we learn that such processing has taken place unintentionally, we will delete the data concerned as soon as possible.

13. Prospect data processed on behalf of our customers

Where CloseHunt processes prospect, lead and inbound-reply data on behalf of a customer, the CUSTOMER is the data controller and CloseHunt acts as a PROCESSOR, solely on its documented instructions, under the DPA that supplements the Terms of Use.

On that basis, it is the customer (controller) who is responsible for: having a valid legal basis for each recipient and each channel (typically the legitimate interest of Article 6(1)(f), documented by a Legitimate Interest Assessment, and compliance with the ePrivacy rules and national anti-spam rules, including Article L34-5 of the French CPCE); providing prospects with the information required by Article 14 GDPR (the data being collected indirectly), including in particular the source of the data and whether it came from public sources; responding to prospects' rights requests; and notifying any breaches to the supervisory authority where applicable.

As a neutral tool, CloseHunt provides compliance features designed to help the customer meet these obligations: insertion and enforcement of objection / unsubscribe mechanisms (unsubscribe link, STOP-keyword handling), consent and opt-out logging, suppression lists, and export and erasure for rights requests. If you are a prospect contacted via CloseHunt, address your request to the sending customer identified in the message; CloseHunt will relay any request it receives to the relevant customer-controller.

14. California and United States residents

For the prospect data we process on behalf of our customers, CloseHunt acts as a "service provider" within the meaning of the California Consumer Privacy Act as amended by the CPRA (Cal. Civ. Code § 1798.140(ag)): we process such information solely for the limited and specified business purposes set out in the contract with the customer, and we do not "sell" or "share" that personal information within the meaning of the law. California residents wishing to exercise their rights regarding prospect data should contact the customer ("business") who contacted them; CloseHunt will assist in processing the request.

For the data of which CloseHunt is the controller (account users, website visitors), California residents have the rights to know, delete, correct, opt out of any sale/share and limit the use of their sensitive information, without discrimination. CloseHunt does NOT sell OR share your personal information within the meaning of the CCPA, and honours the "Global Privacy Control" (GPC) opt-out signal. For any request, contact [email protected]. Business-prospect data (commercial / employment context) is, under current law, covered among US state laws only by the California CCPA, the other state laws excluding individuals acting in a commercial or employment context.

15. Changes to this Policy

We may amend this Privacy Policy to reflect changes in our processing activities, our features or the legal framework. Any updated version will be published on this page with an updated last-updated date and, in the event of a material change, you will be informed by an appropriate means. We encourage you to review this page regularly.