Privacy Policy
Protection of your personal data in compliance with GDPR
Last updated: March 4, 2026
Version 2.0
Updated on March 4, 2026 — addition of information on the processing of company directors' data (version 2.0).
1. Introduction
At FindMyLead, we attach the utmost importance to protecting your personal data. This privacy policy describes how we collect, use, store and protect your information when you use our B2B lead generation platform.
By using our services, you accept the practices described in this policy. If you do not accept these practices, please do not use our services.
Data Controller
- Identity: Thibaud Cathala
- Address: 53 RUE YVES LE COZ, 78000 Versailles, France
- DPO Contact: dpo@findmylead.fr
2. Definitions
Personal data
Any information relating to an identified or identifiable natural person (name, email, IP address, etc.).
Processing
Any operation performed on personal data (collection, storage, use, transmission, deletion).
User
Any person who creates an account and uses FindMyLead services.
Company data
Information relating to legal entities (companies), from public sources (INSEE, official registers).
Sub-processor
External provider that processes personal data on our behalf.
3. Data Collected
3.1 Data you provide us
| Category | Data | Purpose |
|---|---|---|
| User account | First name, last name, email, password (hashed) | Creation and management of your account |
| Profile | Team name, preferences | Experience personalization |
| Payment | Credit card information (via Stripe) | Subscription processing |
| Communications | Content of emails sent through the platform | Email campaigns |
| Support | Messages and attachments | Technical assistance |
3.2 Automatically collected data
| Category | Data | Purpose |
|---|---|---|
| Connection | IP address, date/time, browser, device | Security and connection logs (LCEN) |
| Navigation | Pages visited, actions performed | Service improvement |
| Performance | Load times, errors | Technical diagnostics |
3.3 Company data
Our platform provides access to French company data. This data comes from official public sources and is considered non-personal data:
- SIRENE Database (INSEE): SIREN/SIRET, company name, address, APE code, creation date, headcount, legal form
- Business API (DINUM): Certifications, collective agreements
- Web enrichment: Public websites and contact emails
3.4 Director data
As part of our B2B prospecting service, we collect and process the following data relating to company directors:
Data collected:
- First name and last name of directors (source: Companies Register, via INSEE and INPI APIs)
- Position within the company (source: RCS)
- Professional email address (algorithmically determined from the director's name and company domain name, then technically verified without sending messages)
This data is considered personal data within the meaning of GDPR.
Data source:
Directors' names and positions come from the Companies Register (RCS), a publicly accessible register. Professional email addresses are not collected from a third-party database: they are algorithmically determined by FindMyLead by combining the director's name with the company's website domain name, following standard naming conventions for professional email addresses (firstname.lastname@domain.com, etc.). Address existence is then technically verified (MX/SMTP) without sending any messages.
Legal basis: Legitimate interest (article 6, paragraph 1, point f of GDPR). Our legitimate interest consists in enabling business connections between companies in a B2B prospecting context, in accordance with CNIL recommendations on commercial prospecting. This processing is limited to professional contact details of company directors, used exclusively in communications related to their professional activity.
Retention period: Professional email addresses of directors are retained as long as the company is registered in the RCS and the director holds their position. Data is updated or deleted within 30 days of notification of a change of position or an objection request.
4. Legal Bases for Processing
In accordance with GDPR (article 6), we process your data on the following legal bases:
| Purpose | Legal basis | GDPR Reference |
|---|---|---|
| Service execution (account, search, campaigns) | Contract performance | Art. 6.1.b |
| Payment processing | Contract performance | Art. 6.1.b |
| Retention of invoices and connection logs | Legal obligation | Art. 6.1.c |
| Service improvement, analytics | Legitimate interest | Art. 6.1.f |
| Marketing communications (newsletter) | Consent | Art. 6.1.a |
| Non-essential cookies | Consent | Art. 6.1.a |
| Identification of professional contacts (B2B prospecting) | Legitimate interest | Art. 6.1.f |
5. Use of Your Data
We use your personal data to:
- Provide our services: create and manage your account, perform searches and create campaigns
- Process your payments: manage your subscription via Stripe
- Communicate with you: transactional emails, customer support
- Improve our services: analyze usage to optimize the experience
- Ensure security: detect fraud, protect our systems
- Identify contacts: determine professional contact details of directors to enable targeted and personalized B2B prospecting
What we do NOT do
- We never sell your personal data
- We do not use your data for automated profiling
- We do not share your lead lists with other users
6. Data Sharing
6.1 Sub-processors
We use technical providers contractually bound to protect your data:
| Provider | Function | Location | Guarantees |
|---|---|---|---|
| Stripe, Inc. | Payment processing | United States | Standard Contractual Clauses (SCC) + Data Privacy Framework |
| Resend, Inc. | Sending of transactional and campaign emails | United States | Standard Contractual Clauses (SCC) |
| Google LLC (OAuth) | User authentication | United States | Data Privacy Framework |
| OVH SAS | Server and database hosting | France | Hosted in France, ISO 27001 certified |
| Umami Analytics (self-hosted) | Anonymous, cookieless audience measurement | France (self-hosted) | No personal data collected, CNIL compliant |
6.2 Transfers outside the EU
Transfers to the United States are covered by the Data Privacy Framework and/or the Standard Contractual Clauses (SCC) approved by the European Commission.
7. Data Retention
| Data type | Duration | Legal basis |
|---|---|---|
| Account data (active) | Duration of the business relationship | Legal obligation (commercial prescription) |
| Data after deletion | 3 years after account deletion | Commercial prescription |
| Invoices and payments | 10 years | Legal obligation (Code de commerce, art. L123-22) |
| Connection logs | 1 year | Legal obligation (LCEN) |
| Analytics | 25 months | CNIL recommendation |
8. Data Security
We implement appropriate technical and organizational measures:
- Encryption: TLS 1.3 (transit), AES-256 (at rest for OAuth tokens)
- Passwords: hashed with bcrypt
- Infrastructure: hosted in France (OVH), ISO 27001 certified
- Access: limited to the strictly necessary (least privilege)
9. Your Rights (GDPR)
| Right | Description | Response time |
|---|---|---|
| Right of access (Article 15 GDPR) | Obtain confirmation that your data is being processed and receive a copy | 30 days |
| Right to rectification (Article 16 GDPR) | Have your inaccurate personal data corrected | 30 days |
| Right to erasure (Article 17 GDPR) | Request the deletion of your data (subject to conditions) | 30 days |
| Right to restriction (Article 18 GDPR) | Request the restriction of processing of your data | 30 days |
| Right to data portability (Article 20 GDPR) | Receive your data in a structured format and transfer it | 30 days |
| Right to object (Article 21 GDPR) | Object to the processing of your data on legitimate grounds | 30 days |
| Withdrawal of consent (Article 7 GDPR) | Withdraw your consent at any time (without affecting prior lawfulness) | Immediate |
Exercise your rights
- From your account: Settings → Export or delete data
- By email: dpo@findmylead.fr
Rights of directors whose data is processed
If you are a company director whose professional contact details are processed by FindMyLead, you have the following rights:
- Right of access (article 15 of GDPR): obtain confirmation that data concerning you is being processed and obtain a copy
- Right of rectification (article 16): have inaccurate data corrected
- Right of erasure (article 17): request the deletion of your data
- Right to object (article 21): object to the processing of your data. In the context of commercial prospecting, you may object at any time and without justification.
To exercise these rights, contact us at: dpo@findmylead.fr
Response time: We commit to responding to any request within 30 days. If you believe your rights are not being respected, you may lodge a complaint with the CNIL (www.cnil.fr).
CNIL Complaint
You may lodge a complaint with the CNIL: www.cnil.fr
10. Information to Data Subjects (Article 14 GDPR)
In accordance with article 14 of GDPR, directors whose data is processed are informed of this processing upon first email contact. Each first email sent in the context of a prospecting campaign contains the following information:
- The data source (RCS and algorithmic determination)
- The legal basis for processing (legitimate interest)
- The rights they hold
- An unsubscribe link allowing them to object to any further processing
12. Modifications
We may update this policy. In case of substantial modification, we will notify you by email and/or via a notification on the site.
13. Contact
Data Protection Officer
To exercise your GDPR rights or for any questions about your data
Email: dpo@findmylead.fr