Privacy policy

Continuum Identity SAS Commercial brand: ContinuumID Legal form: Société par actions simplifiée (SAS, France) Registered office: 200 rue de la Croix Nivert — 75015 Paris, France Paris Trade and Companies Register: 943 177 006 SIREN: 943 177 006 DPO: dpo@continuum-business.com Publication director: Nicolas GARCIA

We collect data only when strictly necessary to deliver our service. • Account data — email, password (hashed), company name, locale, IP address, user agent, DPA acceptance timestamp. • Billing data — billing address, VAT number, payment-method tokens (held by Stripe; we never see your card number). • Usage data — login timestamps, feature events (pseudonymised) for product analytics. • Newsletter data — email + subscription timestamps. • Lead data — submissions to contact / demo / partner forms (email, company, role, message).

• Deliver and operate the CRM SaaS service (account creation, authentication, support). • Process payments and issue invoices. • Send transactional emails (welcome, expiration warnings, invoices). • Send marketing emails (newsletter — separate consent, double opt-in). • Detect and prevent fraud or abuse. • Respond to legal requests when legally compelled.

• Performance of contract (art. 6.1.b) — service delivery, billing. • Legitimate interest (art. 6.1.f) — fraud prevention, B2B marketing to existing prospects (with opt-out). • Consent (art. 6.1.a) — newsletter subscription, optional analytics cookies. • Legal obligation (art. 6.1.c) — accounting record retention, legal requests.

• Account data — for the duration of the subscription + 5 years (commercial limitation period). • Billing data — 10 years (legal accounting requirement). • Newsletter data — until unsubscription, then 13 months for proof of consent. • Lead data — 3 years from last contact, then anonymised or deleted. • Logs — 12 months. • Backups — 30 days rolling retention.

We rely on a limited list of carefully-vetted sub-processors. The current list is published at /sovereignty. Key sub-processors at launch: • Infomaniak (Switzerland) — primary hosting (compute, storage, backups). • Stripe (USA + Ireland) — payment processing. • Twilio SendGrid (USA) — transactional email. • Cloudflare (USA) — DDoS protection + Turnstile captcha. • Sentry (EU region) — error monitoring. Customers are notified 30 days before any change.

Your CRM data resides in Switzerland by default. Some sub-processors operate from the USA — those transfers are governed by Standard Contractual Clauses (SCC) + the EU-US Data Privacy Framework (DPF) where applicable. Enterprise customers can request EU- or France-only data residency.

Under the GDPR, you have the right to: • Access your data. • Rectify inaccurate data. • Erase your data ('right to be forgotten') — subject to legal retention obligations. • Restrict processing. • Object to processing based on legitimate interest. • Data portability — receive your data in a structured, machine-readable format. • Lodge a complaint with a supervisory authority (CNIL in France, FDPIC in Switzerland). To exercise these rights, email dpo@continuum-business.com. We respond within 30 days.

We use only strictly-necessary cookies (session, cart) and a privacy-friendly analytics tool (Umami) that does not require consent under CNIL guidance. Full details at /legal/cookies.

TLS 1.3 in transit, AES-256 at rest, role-based access control with hierarchies, audit logging, optional 2FA, encrypted backups. Detailed security capabilities at /security.

Material changes are notified by email at least 30 days in advance. Minor wording corrections are published with an updated 'last-updated' date and changelog at the bottom of this page.