Privacy Policy
Last updated: March 27, 2026
This Privacy Policy explains how OpenCream SAS ("OpenCream", "we", "us", "our"), operating under the brand name Corial, collects, uses, stores, and protects your personal information when you use our website and application at corial.app (the "Application") and related services (collectively, the "Services").
OpenCream SAS is a simplified joint-stock company (société par actions simplifiée) registered in France. AI integration and execution within the Services are developed and operated by OpenCream SAS.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978, as amended), and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).
1. Data Controller
The data controller responsible for your personal data is:
OpenCream SAS
15 Avenue Marie-Amélie
60500 Chantilly
France
Email: privacy@corial.app
For any questions regarding this Privacy Policy or your personal data, or to exercise your data protection rights, please contact our privacy contact at privacy@corial.app.
2. What Personal Data We Collect
2.1 Data You Provide Directly
- Account information: Name, email address, company name, and job title, provided when you create an account or join our waitlist.
- Communication data: Email address and message content when you contact us.
- Payment information: Billing details processed through our payment provider. We do not store credit card numbers on our servers.
2.2 Data Collected Through the Services
When you use the Corial Application as part of your organization's subscription, the following data may be processed:
- Customer relationship data: Contact names, company names, email addresses, phone numbers, job titles, and interaction records that you or your organization input into the Services through voice notes, emails, documents, or direct entry.
- Communication content: Emails, voice note transcriptions, meeting notes, Telegram messages, and other business communications that you submit to the Services for processing.
- AI-generated data: Summaries, action items, relationship insights, competitive intelligence, and other outputs generated by our AI systems based on data you provide.
2.3 Data Collected Automatically
- Usage data: Pages visited, features used, timestamps, and interaction patterns within the Application.
- Technical data: IP address, browser type, device type, operating system, and referring URL.
- Cookies: We use strictly necessary cookies for authentication and session management. We use Plausible Analytics for website analytics, which does not use cookies and does not collect personal data. See Section 7 for details.
3. How We Use Your Personal Data
We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Services | Performance of contract (Art. 6(1)(b)) |
| Processing voice notes, emails, and documents through AI systems | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (password reset, account notifications) | Performance of contract (Art. 6(1)(b)) |
| Sending marketing communications (newsletter, product updates) | Consent (Art. 6(1)(a)) |
| Waitlist management and early access communication | Consent (Art. 6(1)(a)) |
| Improving the Services and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (including tax and accounting) | Legal obligation (Art. 6(1)(c)) |
| Invoicing and billing | Performance of contract (Art. 6(1)(b)) |
| Ensuring the security of the Services | Legitimate interest (Art. 6(1)(f)) |
Legitimate interest assessment: Where we rely on legitimate interest as a legal basis, we have conducted a balancing test. Our legitimate interests in improving the quality, security, and usability of the Services do not override your rights, as this processing involves aggregated usage patterns and technical data, not individual profiling. You may object to processing based on legitimate interest at any time by contacting us at privacy@corial.app (see Section 9).
4. AI Processing and Data Handling
Corial uses artificial intelligence systems to process business communications and extract structured data. In accordance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we inform you that the Services use AI systems to generate content, including summaries, action items, email drafts, and relationship insights. All AI-generated outputs are identified as such within the Application.
This processing is integral to the Services and operates as follows:
- Voice notes and audio: Audio recordings submitted through the Services are transcribed using Deepgram, Inc. (a third-party transcription service), then processed by our AI systems to extract structured business data (contacts, action items, project updates). Audio files are deleted after transcription is complete.
- Emails and documents: When you forward emails or upload documents to the Services, our AI systems extract relevant business information. The original content is stored within your organization's tenant.
- Telegram messages: When you interact with the Services via Telegram, your messages (including voice notes) are processed by our AI systems. Messages are transmitted through Telegram's infrastructure before being processed by our Services.
- AI model providers: We use third-party AI services (Anthropic and Google) to process your data. Data sent to these providers is used solely for generating responses to our API requests and is not used to train their models. We maintain data processing agreements with all AI providers.
- Data enrichment: We use Bright Data Ltd. to perform web-based research and enrichment on business contacts and companies at your request. This processing uses only publicly available information.
- No automated decision-making: The AI systems generate suggestions, drafts, and summaries. No fully automated decisions with legal or significant effects are made without human review. All external communications (emails, messages) require explicit user approval before sending.
Data Protection Impact Assessment: We have conducted a Data Protection Impact Assessment (DPIA) in accordance with GDPR Art. 35 for our AI processing activities, given the nature and scale of data processed. This assessment is available upon request to supervisory authorities.
5. Multi-Tenant Data Isolation
Corial is a multi-tenant platform. Each subscribing organization ("Tenant") has logically isolated data:
- Data belonging to one Tenant is never accessible to another Tenant.
- Database-level row security policies enforce tenant isolation.
- AI processing is performed within the context of a single Tenant and does not cross tenant boundaries.
- Platform administrators (OpenCream staff) may access tenant data solely for the purpose of providing technical support, with appropriate logging and audit trails.
6. Data Sharing and Sub-Processors
We share personal data with the following sub-processors, solely for the purposes described. We maintain data processing agreements with each sub-processor.
| Sub-Processor | Country | Purpose |
|---|---|---|
| Anthropic, Inc. | United States | AI processing of communications (Claude API) |
| Google LLC | United States | AI processing of communications (Gemini API); email integration via Google Workspace |
| Deepgram, Inc. | United States | Voice note and audio transcription |
| Resend, Inc. | United States | Transactional email delivery (password resets, account notifications) |
| Bright Data Ltd. | Israel | Web-based business data enrichment |
| Hetzner Online GmbH | Germany | Infrastructure hosting |
| Telegram FZ-LLC | United Arab Emirates | Messaging interface (when used by Tenant) |
| Plausible Insights OÜ | Estonia (EU) | Privacy-focused website analytics (no personal data collected) |
An up-to-date list of our sub-processors is maintained at corial.app/legal/subprocessors. We will notify Tenants at least 30 days in advance of any changes to our sub-processor list, providing an opportunity to object.
Email sending: The Services may send emails on your behalf using your organization's own email infrastructure (SMTP via Gmail, Google Workspace, or Microsoft 365). For system-generated transactional emails (such as password resets and account notifications), we use Resend, Inc. as our email delivery provider.
We do not sell your personal data to third parties. We do not share your data with advertisers.
7. Cookies
The Application uses only strictly necessary cookies for:
- Authentication and session management
- Security (CSRF protection)
We use Plausible Analytics for website traffic analysis, which operates without cookies and does not collect personal data. No cookie consent is required for strictly necessary cookies under GDPR.
We do not use advertising cookies, tracking pixels, or social media cookies.
8. Data Retention
- Account data: Retained for the duration of your account or your organization's subscription, plus 30 days after account deletion.
- Customer relationship data within the Application: Retained for the duration of the Tenant's subscription. Upon subscription termination, data is retained for 30 days to allow export, then permanently deleted.
- Audio files: Deleted immediately after transcription is complete. Only text transcriptions are retained.
- Waitlist data: Retained until we contact you with access or you request removal.
- Marketing communication data: Retained until you unsubscribe.
- Invoicing data: Retained for the period required by French tax law (10 years).
- Server logs: Retained for 90 days.
- Audit logs: Retained for 3 years for security and compliance purposes.
9. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Request correction of inaccurate data.
- Right to erasure (Art. 17): Request deletion of your personal data.
- Right to restrict processing (Art. 18): Request limitation of processing.
- Right to data portability (Art. 20): Request your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest, including processing for service improvement and security analytics.
- Right to withdraw consent (Art. 7(3)): Withdraw consent for marketing communications at any time.
- Right not to be subject to automated decision-making (Art. 22): The Services do not make automated decisions with legal or significant effects. AI-generated outputs are provided as suggestions requiring human review.
To exercise any of these rights, contact us at privacy@corial.app. We will acknowledge receipt and respond within 30 days. If the request is complex, we may extend this period by up to 60 days, with prior notice.
For Tenant users: If you use the Services as an authorized user of an organization (Tenant), certain rights regarding Customer Data should be directed to your organization as the data controller. We will assist your organization in responding to such requests.
You also have the right to lodge a complaint with the French data protection authority:
CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
www.cnil.fr
10. International Data Transfers
Your data is primarily stored and processed within the European Union (Germany, via Hetzner Online GmbH). When data is processed by service providers located outside the EU, we ensure appropriate safeguards are in place:
| Provider | Country | Transfer Mechanism |
|---|---|---|
| Anthropic, Inc. | United States | Standard Contractual Clauses (SCCs), Module 3 (Processor to Processor) |
| Google LLC | United States | Standard Contractual Clauses (SCCs), Module 3 (Processor to Processor) |
| Deepgram, Inc. | United States | Standard Contractual Clauses (SCCs), Module 3 (Processor to Processor) |
| Resend, Inc. | United States | Standard Contractual Clauses (SCCs), Module 3 (Processor to Processor) |
| Bright Data Ltd. | Israel | EU adequacy decision (pending verification); SCCs as supplementary safeguard |
| Telegram FZ-LLC | United Arab Emirates | Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor) |
We have conducted a Transfer Impact Assessment (TIA) for each transfer to a country without an EU adequacy decision. Supplementary measures include encryption of data in transit (TLS), no persistent storage of personal data by AI providers beyond the duration of API request processing, and contractual prohibitions on provider use of data for model training.
11. Data Breach Notification
In the event of a personal data breach:
- We will notify the CNIL within 72 hours of becoming aware of the breach, as required by GDPR Art. 33, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, as required by GDPR Art. 34.
- We will notify affected Tenants within 48 hours of becoming aware of the breach, to enable them to meet their own regulatory obligations.
- We maintain an internal breach register documenting all breaches, their effects, and remedial actions taken.
12. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS)
- Database-level tenant isolation (row-level security)
- Access controls and authentication with role-based permissions
- Prompt injection detection and AI output validation
- Audit logging of all significant data access and processing events
- Rate limiting and cost controls on AI processing
- Regular security reviews
- Server hardening and monitoring
- Daily encrypted database backups
13. Children's Privacy
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Website and, where appropriate, by email at least 15 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was last revised.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights:
OpenCream SAS
15 Avenue Marie-Amélie
60500 Chantilly, France
Email: privacy@corial.app