Privacy policy & GDPR

This privacy policy (hereinafter 'the Policy') describes how CGWM (CG WEB & MOBILE), a French SAS, SIREN 999 428 006, with its registered office at 36 rue Henri Bodchon, 60700 Pont-Sainte-Maxence, France (hereinafter 'the Publisher', 'we'), collects, uses, retains, and protects the personal data of users (hereinafter 'you', 'the User') of the LeadSphere service (hereinafter 'the Service'), in compliance with Regulation (EU) 2016/679 of April 27, 2016 (GDPR), French Law No. 78-17 of January 6, 1978, as amended (Data Protection Act), and CNIL guidelines.

The data controller is CGWM, represented by Mr. Julien Canguilieme, President. Contact: contact@leadsphere.fr. Address: 36 rue Henri Bodchon, 60700 Pont-Sainte-Maxence, France.

Your data is processed for the following purposes: (a) Provision and management of the Service — legal basis: contract performance (Art. 6(1)(b) GDPR); (b) Account and organization management — legal basis: contract performance; (c) Sending email campaigns via your own connected mailboxes — legal basis: consent (Art. 6(1)(a)); (d) Use of AI features via your own API keys — legal basis: consent (Art. 6(1)(a)); (e) Security, fraud prevention, and audit logging — legal basis: legitimate interest (Art. 6(1)(f)); (f) Service-related communications (account notifications, incidents) — legal basis: legitimate interest; (g) Compliance with legal obligations — legal basis: legal obligation (Art. 6(1)(c)).

Your personal data is accessible exclusively to: authorized members of your organization (according to roles: Owner, Manager, User), authorized CGWM personnel strictly within the scope of Service operation, and subprocessors listed in Article 11. We never sell, rent, or share your personal data with third parties for commercial or advertising purposes.

Our servers are hosted in France (Scaleway, Paris). In principle, your data does not leave the European Union. However, if you connect third-party services (OpenAI, Google, Microsoft) whose servers are located outside the EU, the data you choose to send them through the Service is subject to those providers' privacy policies. We recommend reviewing each provider's privacy policy before connecting your API key or mailbox.

Account data: retained for the duration of your subscription, then deleted within 30 days of definitive account closure, unless a longer retention period is required by law. Usage data and audit logs: retained for a rolling 12-month period. Encrypted third-party credentials (API keys, OAuth tokens, SMTP credentials): deleted immediately upon revocation by the User or account closure. Billing data: retained for 10 years in accordance with French accounting and tax obligations (Article L.123-22 of the French Commercial Code).

We implement the following technical and organizational measures: end-to-end encryption (E2EE) of all sensitive data (API keys, email credentials, OAuth tokens) using libsodium (XSalsa20-Poly1305); unique encryption key per organization, derived from a master key stored in a secure environment variable; passwords hashed with bcrypt; TLS 1.2+ encrypted communications; append-only audit log for all sensitive data access; role-based access control (RBAC) with strict multi-tenant isolation; regular encrypted backups.

Under the GDPR and the French Data Protection Act, you have the following rights: right of access (Art. 15 GDPR) — obtain confirmation that your data is being processed and receive a copy; right to rectification (Art. 16) — correct inaccurate or incomplete data; right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations; right to restriction of processing (Art. 18); right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format; right to object (Art. 21) — object to processing based on legitimate interest; right to withdraw consent at any time for consent-based processing, without affecting the lawfulness of processing carried out prior to withdrawal. To exercise these rights, send your request with proof of identity to: contact@leadsphere.fr. We will respond within one month, extendable by two months for complex requests (Art. 12(3) GDPR).

The Service uses only strictly necessary cookies: JWT authentication cookie (jwt_token), language preference cookie (NEXT_LOCALE). No tracking, advertising, or behavioral analytics cookies are used. These cookies, being strictly necessary for service provision within the meaning of Article 82 of the French Data Protection Act and CNIL guidelines of October 1, 2020, do not require prior user consent.

The subprocessors involved in processing your data are: Scaleway (server hosting, France); Stripe (payment processing, PCI-DSS certified); Mailpit (development email server, local only). A subprocessing agreement compliant with Article 28 GDPR is in place with each provider. Note: AI providers (OpenAI, Mistral, Anthropic, OpenRouter) and email providers (Google, Microsoft) that you choose to connect are not our subprocessors — you have a direct relationship with them through your own accounts and API keys.

LeadSphere does not provide AI services or email sending services. You bring your own API keys (OpenAI, Mistral, Claude, OpenRouter) and connect your own mailboxes (Gmail, Microsoft 365, SMTP). These credentials are end-to-end encrypted before storage (E2EE, libsodium). CGWM personnel technically cannot access your credentials in plain text. You are solely responsible for complying with the terms of use of the third-party services you connect. You may revoke your credentials at any time from your organization settings; they will be immediately deleted from our systems.

We reserve the right to modify this Policy at any time. In the event of a substantial change, you will be notified by email or by a notification within the Service at least 15 days before the changes take effect. The last update date is indicated at the top of this page. Continued use of the Service after notification constitutes acceptance of the changes.

For any questions regarding the protection of your personal data, you may contact our Data Protection Officer at: dpo@leadsphere.fr, or by mail: CGWM — Data Protection, 36 rue Henri Bodchon, 60700 Pont-Sainte-Maxence, France.

If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to file a complaint with the French Data Protection Authority (CNIL): CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07. Website: https://www.cnil.fr. Phone: +33 1 53 73 22 22.