Last updated: May 17, 2026 1. Purpose of this policy This Personal Data Protection Policy explains how personal information handled through the platform is collected, used, stored, protected, and, when applicable, shared. Its purpose is to clearly inform users, administrators, self-service applicants, support contacts, and other data subjects whose information may be processed in the service. 2. Types of data that may be processed Depending on how the system is used, the platform may process: - identification and contact data; - user records, email addresses, phone numbers, job roles, and organizational relationships; - authentication and security metadata; - activity, audit, session, and event logs; - documents and attachments uploaded by users; - tenant, organization, email, notification, and corporate directory settings; - technical information required for operations, support, and security. 3. Processing purposes Personal data may be processed in order to: - create, manage, and secure user accounts; - enable access, authentication, recovery, and session control; - operate tenants, organizations, modules, documents, and service settings; - provide technical, functional, and administrative support; - send operational, legal, or security notifications; - manage billing, activation, trials, commercial follow-up, or usage control; - maintain traceability, auditing, fraud prevention, and service continuity; - comply with applicable legal, contractual, and regulatory obligations. 4. Legal basis Depending on the case, processing may rely on: - the performance of a contract or pre-contractual relationship; - compliance with legal obligations; - the legitimate interest of operating, securing, and improving the service; - the data subject’s authorization where required or appropriate. 5. Role of tenant and organization When a tenant or organization customizes the service, uploads information, or defines its own texts, policies, or settings, it may act as controller or joint controller for the data managed within its own context. In such cases, the platform operator acts within the technical and contractual scope of the service and does not replace the tenant’s or organization’s own obligations toward its users, employees, customers, or other third parties. 6. Retention Information is retained for as long as necessary to: - fulfill the purpose for which it was collected; - maintain the operation of the service; - address support, audit, security, or compliance needs; - satisfy applicable legal, regulatory, or contractual obligations. Once retention is no longer necessary, information may be deleted, anonymized, blocked, or archived in accordance with the applicable policies. 7. Sharing and transfers Information may be shared with or made available to: - infrastructure, storage, email, authentication, or support providers; - third parties delivering services necessary for the operation of the environment; - authorities or legitimately entitled third parties when required by law or valid request; - tenants or organizations administering the user’s operating context, to the extent needed for the service. Where cross-border transfers or access exist, reasonable contractual, technical, or organizational safeguards will be sought. 8. Data security The service adopts reasonable technical and organizational controls to protect information against loss, unauthorized access, alteration, disclosure, or improper destruction. However, no environment is completely immune to incidents. For that reason, users, tenants, and organizations must also meet their own duties regarding configuration, access control, and appropriate use. 9. Data subject rights Where permitted by applicable law, data subjects may request: - access to their information; - update, rectification, or correction; - deletion or anonymization; - restriction of or objection to processing; - portability where applicable; - withdrawal of authorizations when appropriate. The platform may include internal mechanisms for export, anonymization, or privacy request handling, without prejudice to the formal channels defined by the data controller. 10. Data provided by third parties or integrations If a user, tenant, or organization imports personal data from a corporate directory, integrations, bulk imports, or document uploads, it represents that it has sufficient lawful basis for that processing and for incorporating such data into the service. 11. Minors and sensitive data Unless specifically enabled, appropriately controlled, and supported by a sufficient legal basis, the platform is not intended for the intentional processing of minors’ data or special categories of sensitive information. If a tenant or organization uses the service for such data, it must assume the reinforced measures and obligations that apply. 12. Updates This policy may be updated to reflect regulatory, contractual, operational, or product changes. The current version will be the one published in the platform at the time it is consulted.