Privacy Policy
Updated version as of May 1, 2026
Data Controller
Corolair acts as data controller for processing related to its website, prospecting activities, and human resources management. In the context of providing the Corolair platform to clients, Corolair acts as a data processor within the meaning of Article 28 of the GDPR; such processing is governed by the DPA concluded with the client.
The Website and the Corolair Solution
The website and the Corolair solution are published by COROLAIR SAS (hereinafter "Corolair"). In the course of browsing the website or the Corolair solution, users are required to provide certain Personal Data to Corolair.
This personal data protection policy (hereinafter the "Privacy Policy") aims to inform users of how Corolair, in its capacity as data controller, processes Personal Data.
What Personal Data is Collected?
Personal Data refers to all information relating to an identified or identifiable natural person. Corolair collects only information that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
The specific type of Personal Data collected depends on the context of the interactions of the data subject with Corolair and includes, by way of example:
- Identification information (last name, first name, date and place of birth, nationality, gender, family status, personal email address, postal address, phone number);
- Professional information (workplace, date of entry into the company, seniority, job held, nature of the employment contract, social security number, professional email address);
- Financial information (data relating to bank card, bank transfer – RIB/IBAN, cheque);
- Connection information (data relating to the use of the website or Corolair solution, login data, pages and solutions visited, advertisements clicked, products searched, location, duration of visit, IP address, data relating to the device used);
- Demographic data (age, country, preferred language).
When browsing the website or the Corolair solution, cookies are also collected. For more information on our cookie policy, please refer to our cookie policy accessible here.
On What Legal Basis is Personal Data Collected?
Personal Data is processed by Corolair in cases permitted by applicable regulations, and in particular under the following conditions:
- When the data subject has given free, specific, informed, and unambiguous consent to the processing of their Personal Data (e.g., contact / information request, personalisation of your experience on the website or the Corolair solution);
- When it is necessary for the performance of a contract or pre-contractual measures taken at the request of the data subject (e.g., demo request, partnership request, application processing);
- For compliance with Corolair's legal or regulatory obligations (e.g., fraud prevention, etc.);
- When Corolair's legitimate interests may justify processing (e.g., IT security measures, service improvement, commercial prospecting).
Why is Personal Data Collected?
Personal Data is collected for specific, explicit, and legitimate purposes. Depending on the case, Personal Data may be used for:
- Access to the website or the Corolair solution;
- Browsing the website or the Corolair solution;
- Information requests and other forms;
- Improvement of products and services;
- Organisation of events;
- Commercial prospecting;
- Application processing;
- Experience personalisation;
- Newsletter subscriptions;
- Responses to surveys, promotions, and other communications;
- Management of client, supplier, and subcontractor files;
- Management of its "human resources" file.
Recipients of Personal Data
Personal Data is processed by Corolair. It will never be sold to third parties.
Personal Data may be transferred to third-party recipients for technical reasons.
These recipients may include:
- Subcontractors or third-party service providers acting on behalf of Corolair as part of specific processing in accordance with the purposes for which it was initially collected, in the context of activities such as service provision, product marketing and commercialisation, data management, recruitment and/or HR management providers: website hosting provider, website development and maintenance provider, authorised accountant.
- The main subcontractors and providers involved are Scaleway (France), Azure OpenAI Services (France), Vercel (EU/USA), Clerk (USA), Temporal Cloud (USA), Google Workspace (EU/USA), Notion (USA), Slack (USA), Bastion Technologies (France). The list is kept up to date and may evolve; a notification is made in the event of a material change.
- Bodies responsible for a monitoring or inspection mission in accordance with applicable regulations (e.g., supervisory authorities such as the CNIL).
Corolair may also be required to disclose Personal Data to third parties when such disclosure is required by law, a regulatory provision or a court order, or when such disclosure is necessary to ensure the protection and defence of our rights.
What Are the Rights Regarding Personal Data and How to Exercise Them?
The Rights
Right of access, rectification, and erasure (or "right to be forgotten") of Personal Data
The right of access allows you to obtain from Corolair confirmation of whether or not Personal Data is being processed, the conditions of such processing, and to receive an electronic copy (for any additional copy, Corolair is entitled to charge reasonable fees based on the administrative costs incurred). The data subject also has the right to obtain from Corolair, without undue delay, the rectification of their Personal Data.
Finally, subject to exceptions provided for by applicable law (e.g., retention necessary to comply with a legal obligation), the data subject has the right to request from Corolair the erasure, without undue delay, of their Personal Data, where one of the following grounds applies:
- The Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- The data subject wishes to withdraw their consent on which the processing of their Personal Data was based and there is no other legal basis justifying such processing;
- The data subject considers and can demonstrate that their Personal Data has been unlawfully processed;
- The Personal Data must be erased pursuant to a legal obligation.
Right to restriction of processing of Personal Data
Applicable regulations provide that this right may be invoked in certain cases, in particular the following:
- When the accuracy of Personal Data is contested;
- When it is established that the processing of Personal Data is unlawful and restriction of processing is requested instead of erasure;
- When Corolair no longer needs the Personal Data for processing purposes but it is still required by the data subject for the establishment, exercise, or defence of legal claims;
- When the data subject objects to processing based on the legitimate interests of the data controller.
Right to portability of Personal Data
Where Corolair processes Personal Data on the basis of consent, such consent may be withdrawn at any time using the means made available for this purpose. However, and in accordance with applicable law, withdrawal of consent only applies for the future and cannot therefore call into question the lawfulness of processing carried out prior to such withdrawal.
Right to lodge a complaint with a supervisory authority
If, despite Corolair's efforts to preserve the confidentiality of Personal Data, the data subject considers that this is not ensured, a complaint may be lodged with a supervisory authority. A list of supervisory authorities is available on the European Commission's website.
Right to decide the fate of Personal Data upon death
Finally, the data subject has the right to organise the fate of their Personal Data post-mortem through the adoption of general or specific directives. Corolair undertakes to respect these directives. In the absence of directives, Corolair recognises the right of heirs to exercise certain rights, in particular the right of access, if necessary for the settlement of the deceased's estate; and the right to object in order to close the deceased's accounts and object to the processing of their Personal Data.
How to Exercise Your Rights
For any question relating to this Privacy Policy and/or to exercise the rights described above, the data subject may contact Corolair's legal team, by email or post, by sending a letter accompanied by a copy of any identity document to:
legal@corolair.com or Corolair, 112 avenue de Paris, CS 60002, 94300 Vincennes
If the request is submitted electronically, the information will also be provided electronically where possible, unless the data subject expressly requests otherwise.
If Corolair does not follow up on the data subject's request, it will inform them of the reasons for its inaction, and the data subject has the possibility of lodging a complaint with a supervisory authority and/or seeking judicial redress. The data subject may in particular file a complaint via the online complaint service on the CNIL website, or by post to: CNIL – 3 place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
Retention Period of Personal Data
Corolair retains Personal Data for the time necessary to fulfil the pursued purposes, subject to legal archiving possibilities, obligations to retain certain Personal Data, and/or an anonymisation process.
For processing carried out in connection with the platform provided to clients, data is retained for the duration of the contract and then deleted within a maximum of thirty (30) days after the end of the contract or after account deletion, whichever comes first, for the purposes of restitution and erasure. Associated backups are encrypted; inaccessibility is guaranteed within thirty (30) days by key destruction and logical purge. Technical logs are retained for thirty (30) days, unless otherwise required by law.
For processing for which Corolair is the data controller in relation to its website and its own activities, data is retained according to the following indicative timeframes:
- data collected via forms (contact, complaint, demo request): until the request is fully processed;
- data collected in connection with a subscription to communications, publications, or events: until unsubscription;
- data collected in connection with a job application: two (2) years from the last contact with Corolair, unless a different local provision applies or deletion is requested;
- connection data and audience measurements (IP address, cookies): up to thirteen (13) months;
- where applicable, documents and records subject to legal retention obligations (notably accounting and tax): for the periods provided for by applicable regulations.
Security and Protection of Personal Data
Corolair implements appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of Personal Data and to prevent it from being distorted, damaged, destroyed, or disclosed to unauthorised third parties. All persons with access to Personal Data are subject to a confidentiality obligation. Corolair's service providers and subcontractors are bound by contractual security and confidentiality commitments prohibiting any use for purposes other than those provided for, as well as any unauthorised disclosure.
Corolair prioritises hosting and processing within the European Economic Area where possible. However, certain technical providers may involve limited processing outside the EEA (notably Vercel, Clerk, Temporal, Google Workspace, Notion, Slack). Where such transfers occur, they are governed by the Data Privacy Framework and/or the Standard Contractual Clauses of the European Commission, with appropriate additional measures such as data minimisation, pseudonymisation, and encryption.
Corolair applies access controls, authorisation management, multi-factor authentication for administrator and operational accounts, encryption of data in transit and at rest, logging with pseudonymised identifiers, and short retention of technical logs. In the event of a confirmed Personal Data breach likely to result in a risk to the rights and freedoms of data subjects, Corolair will notify the competent supervisory authority and, where required by regulations, the data subjects, in accordance with applicable law.
Transfers of Personal Data
Corolair adopts a localisation approach for processing within the European Economic Area where possible. However, certain providers involved for technical or organisational purposes may involve limited processing outside the EEA (notably Vercel, Clerk, Temporal Cloud, Google Workspace, Notion, Slack). Where such transfers occur, they are governed by the Data Privacy Framework and/or the Standard Contractual Clauses of the European Commission, with appropriate additional measures such as data minimisation, pseudonymisation, and encryption.
Amendments to this Privacy Policy
Corolair may make changes to this policy. These changes take effect upon publication on the Site. You will be subject to the most recent version of the Privacy Policy. In the event of a material amendment to this policy, Corolair will inform you of this update, either by displaying a notice on the Site if it concerns its website, or by email notification.
Versions
A version of this policy is available in French and English. The French version shall prevail over the English version in the event of an interpretation dispute.
Applicable Law and Jurisdiction
This Privacy Policy is governed by French law.
Any dispute relating to this Privacy Policy shall be brought before the competent courts of Paris, unless otherwise required by law.