Personal Data Protection Policy

Articule SAS, operating under the trade name Qontrol

Effective as of December 10, 2025. This policy may be amended at any time. In the event of amendment, the new version shall be published on the Website and the Application. Continued use of the Services after publication shall constitute acceptance of the amended version.


1. Preamble

The purpose of this policy is to inform you of the conditions under which Articule, a simplified joint-stock company (Société par Actions Simplifiée) with a sole shareholder, registered with the Paris Trade and Companies Registry under number 843 409 954, with its registered office at 231 rue Saint-Honoré, 75001 Paris, operating under the trade name Qontrol (hereinafter "We" or "Qontrol"), collects and processes your personal data.

We comply, in the collection and management of your personal data, with French Law No. 78-17 of January 6, 1978, on Information Technology, Data Files and Civil Liberties, as amended (hereinafter the "French Data Protection Act"), as well as Regulation (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").

2. Definitions

The following terms and expressions, when used with initial capital letters, shall have the meaning ascribed to them below or, failing that, in the Terms of Use of Qontrol's Services.

  • Personal Data: any information relating to an identified or identifiable natural person, including but not limited to your surname, first name, email address, IP address, Application usage data, and any other information you choose to provide to us.
  • Website: the website accessible at qontrol.io.
  • Application: the Qontrol web application accessible from the Website.
  • Services: all services offered by Qontrol through the Website and the Application.
  • Client: any legal entity or natural person having subscribed to Qontrol's Services.
  • User: any natural person using the Website, the Application, or the Services, whether as a Client or as an employee of a Client.

If you choose to connect to your Qontrol account through a third-party authentication service (e.g., Google), certain data such as your name, email address, and photograph may be retrieved from that service. By choosing this login method, you agree that said service may provide us with such data.

3. Data controller and point of contact

The controller responsible for the collection of your Personal Data is Articule, as identified in Section 1.

For any questions regarding the protection of your Personal Data, you may contact us:

  • By email: privacy@qontrol.io
  • By post: Articule — Qontrol, 231 rue Saint-Honoré, 75001 Paris, France

4. Data collected and legal bases

We collect your Personal Data on the following legal bases:

Legal basis | Categories of data | Purpose
Performance of a contract (Art. 6.1.b GDPR) | Name, email, account data, Services usage data | Provision and management of the Services, management of the contractual relationship, billing
Legitimate interest (Art. 6.1.f GDPR) | Browsing data, aggregated usage data | Improvement of the Services, traffic statistics, platform security
Consent (Art. 6.1.a GDPR) | Browsing data (non-essential cookies) | Analytics and tracking cookies as described in the Cookie Policy annexed hereto
Legal obligation (Art. 6.1.c GDPR) | Billing data | Retention of accounting records in accordance with applicable legislation

We inform you, at the time of collection, whether certain data is mandatory or optional. Mandatory data is required for the proper functioning of the Services.

5. Purposes of processing — As Data Controller

Your Personal Data is collected for one or more of the following purposes:

  1. Managing your account and providing the Services you have subscribed to;
  2. Managing the contractual relationship: contracts, orders, billing, support;
  3. Building and maintaining a file of Clients, Users, and prospects;
  4. Sending communications relating to the Services (transactional emails);
  5. Sending newsletters and commercial communications, subject to your right to object;
  6. Producing usage and traffic statistics for the Services;
  7. Managing unpaid amounts and any disputes;
  8. Personalizing responses to your information requests;
  9. Ensuring the security and proper technical functioning of the platform.

6. Purposes of processing — As Data Processor

In the context of the Services, Qontrol processes Personal Data on behalf of its Clients, as a data processor within the meaning of Article 28 of the GDPR, for the following purposes:

  1. Enabling the Client to measure and monitor the effectiveness of cybersecurity measures in the practices of its organization and employees;
  2. Assisting the Client in selecting and implementing appropriate cybersecurity measures;
  3. Enabling dynamic monitoring of the implementation of cybersecurity measures within the Client's organization.

In this context, the Clients are the data controllers within the meaning of the GDPR. The conditions for the processing of Personal Data by Qontrol as a data processor are governed by a Data Processing Agreement (DPA), available on the Data Processing Agreement (DPA) page.

7. Recipients and sub-processors

7.1 Internal access

Your Personal Data is accessible to members of the Qontrol team, strictly limited to what is necessary for the performance of their duties, as well as to audit services (statutory auditors in particular).

7.2 Sub-processors

Where data is processed outside the European Union, the transfer is governed by the mechanisms described in Section 9.

7.2.1 Sub-processors involved in the provision of the Services

The following sub-processors are involved in the provision of the Services:

Category | Sub-processor | Data location
Infrastructure hosting | OVH | France (EU)
Authentication | Clerk | United States
Product analytics | Amplitude | European Union
Transactional and marketing email | Customer.io | United States
Support chat | Crisp | European Union
Integrated questionnaires | Tally | European Union
Integrated questionnaires | Typeform | United States
Support ticket tracking | Linear | United States
Business process automation | Make | European Union
Technical observability | New Relic | European Union
Error tracking | Sentry | United States
Internal administration | Retool | United States
Payment and subscription | Stripe | United States
Artificial intelligence (see Section 8) | Anthropic | United States

7.2.2 Sub-processors used in internal operations

The following sub-processors are used in Qontrol's internal operations (business relations, administration, communication):

Category | Sub-processor | Data location
Customer relationship management (CRM) | Attio | United States
Accounting and billing | Pennylane | France (EU)
Appointment scheduling | Calendly | United States
Internal communication | Zulip (SaaS) | European Union
Staff email and office productivity | Google (Google Workspace) | United States
Video meeting recording | Fireflies | United States

These lists are subject to change. The current version is the one published on the Website.

7.3 Other recipients

Your Personal Data may also be disclosed to public authorities, solely in order to comply with our legal obligations, to officers of the court, ministerial officers, and debt collection agencies.

8. Algorithmic processing and artificial intelligence

Qontrol uses artificial intelligence technologies in two distinct contexts:

8.1 Internal use

The Qontrol team uses artificial intelligence tools (Anthropic Claude) in its day-to-day operations. Such use may involve the processing of limited Personal Data (for example, Client account names) on the basis of our legitimate interest in ensuring the proper functioning of our business. We apply a principle of data minimization with respect to data transmitted to these tools.

8.2 AI features in the Application

The Application offers features incorporating artificial intelligence for the processing of business data. These features may process Personal Data contained in the Clients' business data.

The processing of data by these AI features is governed as follows:

  • Activation by the Client: these features can be enabled and disabled by the Client in the Application settings. When disabled, no data is transmitted to artificial intelligence providers.
  • Role of the Client: in its capacity as data controller, the Client decides whether to enable these features for its organization. Such activation constitutes a processing instruction within the meaning of the DPA.
  • Sub-processor: when these features are enabled, data is transmitted to Anthropic (see table in Section 7.2) as a sub-processor.
  • Minimization: only data strictly necessary for the operation of the feature is transmitted.

Qontrol does not carry out any fully automated decision-making within the meaning of Article 22 of the GDPR, nor any profiling of Users by means of artificial intelligence.

9. Transfers outside the European Union

Some of our sub-processors (see Section 7.2) are established outside the European Union, primarily in the United States. Transfers of Personal Data to these sub-processors are governed by the following mechanisms:

  • Data Privacy Framework (DPF): where the sub-processor is certified under the EU-US Data Privacy Framework, pursuant to the European Commission's adequacy decision of July 10, 2023;
  • Standard Contractual Clauses (SCCs): where the sub-processor is not certified under the DPF, the transfer is governed by the standard contractual clauses approved by the European Commission, as implemented by the relevant sub-processor;
  • Adequacy decision: where data is transferred to a country benefiting from an adequacy decision of the European Commission.

10. Data retention periods

10.1 Data relating to Client and prospect management

Your Personal Data is retained for the duration of the contractual relationship.

For commercial prospecting purposes, your data may be retained for a period of three (3) years from the end of the contractual relationship or, for non-client prospects, from the date of collection or the last contact from the prospect.

At the end of this period, we may contact you to ask whether you wish to continue receiving commercial communications.

10.2 Data processed as data processor

Personal Data processed on behalf of our Clients is retained for the duration of the contract with the relevant Client. Upon termination of the contract, such data is deleted or returned to the Client in accordance with the terms of the DPA.

10.3 Data relating to legal obligations

Data required to establish proof of a right or a contract, or retained in compliance with a legal obligation, shall be retained for the period required by applicable law.

10.4 Identity documents

In the event that you exercise your rights (access, rectification, objection), data relating to identity documents is retained only for the time necessary to verify your identity.

10.5 Objection list

Information required to take into account your right to object is retained for a minimum of three (3) years from the date the right is exercised.

11. Security

Qontrol takes all appropriate precautions and implements organizational and technical measures, in accordance with the state of the art, to preserve the security, integrity, and confidentiality of your Personal Data and to prevent it from being distorted, damaged, or accessed by unauthorized third parties.

We use secure payment systems that comply with applicable standards.

Your Personal Data is hosted on servers operated by OVH, located in France, within the European Union.

12. No transfer of data

Your Personal Data shall not be sold, rented, or exchanged for the benefit of third parties.

However, in the context of Services provided as data processor, Qontrol may share with the Client (in its capacity as data controller) data resulting from the interaction of its employees with the platform, for the sole purpose of enabling effective management of its cybersecurity approach. Such data includes, but is not limited to: activities performed on the platform, action plan tracking, learning modules completed, logins, and responsiveness to tasks.

This sharing is carried out on the basis of the performance of the contract between Qontrol and the Client.

13. Rights of data subjects

In accordance with the French Data Protection Act and the GDPR, you have the following rights over your Personal Data:

13.1 Right of access, rectification, and erasure

You may obtain disclosure, rectification, or erasure of your Personal Data. You may exercise these rights directly through your online account or by contacting us at the details provided in Section 3.

13.2 Right to object

You may object at any time to the processing of your Personal Data based on our legitimate interest. We may, however, continue the processing if there are compelling legitimate grounds that override your rights and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

13.3 Right to data portability

You have the right to receive your Personal Data that you have provided to us in the context of using the Services. This right applies to data processed on the basis of the performance of a contract or your consent. We will provide such data in an open, structured, commonly used, and machine-readable format.

13.4 Right to restriction of processing

You may obtain the restriction of the processing of your Personal Data in the following cases:

  • during the verification period, when you contest the accuracy of your data;
  • when the processing is unlawful and you prefer to restrict the processing rather than erase your data;
  • when we no longer need your data, but you require it for the exercise of your rights;
  • during the verification period of legitimate grounds, when you have objected to the processing.

13.5 Directives regarding the fate of data after death

You may define directives regarding the retention, erasure, and disclosure of your Personal Data after your death. These directives may be:

  • General: they cover all of your Personal Data and must be registered with a certified digital trusted third party approved by the CNIL;
  • Specific: they cover data processed by Qontrol and must be sent to us at the contact details provided in Section 3.

You may designate a person responsible for the execution of your directives. In the absence of such designation, your heirs may access and request the implementation of your directives. You may amend or revoke your directives at any time.

13.6 Complaint to a supervisory authority

You have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) or any other competent supervisory authority, if you consider that the processing of your Personal Data constitutes a violation of applicable regulations.

This right may be exercised without prejudice to any other administrative or judicial remedy.


Annex — Cookie Policy

What is a cookie?

When you browse our Website or our Application, cookies, pixels, and other trackers (hereinafter collectively referred to as "Cookies") may be placed on your browser or device.

A Cookie is a small file stored in your browser or on your device and identified by a name. It is placed when visiting a website or application and retrieved on subsequent visits, thereby allowing your browser to be recognized.

Technical and functional cookies

Technical and functional Cookies are necessary for the proper functioning of the Website and the Application. They do not require your consent.

Cookie name | Function | Retention period
Clerk | Authentication and session management | 30 days
Crisp | Live support chat, support conversation tracking | 6 months

Performance and technical monitoring cookies

The following Cookies are used for technical error tracking and improvement of the quality of the Services:

Cookie name | Function | Retention period
Sentry | Application error and incident tracking | Session duration

Social media cookies

We do not use social media cookies.

Managing your preferences

You may manage your Cookie preferences at any time through your browser settings. Please note that disabling certain technical Cookies may affect the functioning of the Website and the Application.

You may also visit the CNIL website (www.cnil.fr) for further information on Cookie management.