Privacy Policy – Concord

Last updated: November 13, 2025

This Privacy Policy defines the conditions under which personal data is collected, processed, and retained by Concord, a société par actions simplifiée (SAS) governed by French law, whose registered office is located at 9 rue des Colonnes, 75002 Paris, France, in the context of the use of its software platform and related services.

1. Identity of the Data Controller

The controller of personal data processing is Concord SAS, represented by its legal representative. Users may direct any request relating to the protection of their personal data to the following address: privacy@concord.ad.

No Data Protection Officer (DPO) has been formally appointed under Article 37 of the General Data Protection Regulation. All data protection inquiries may be directed to privacy@concord.ad.

2. Nature of the Data Processed

Concord collects and processes data enabling the identification and professional qualification of users accessing the platform. This includes, in particular, surname, first name, professional email address, company name, and where applicable, profile photograph. This information is mainly retrieved via Single Sign-On (SSO) mechanisms, such as those provided by Google Workspace or Microsoft Entra ID, and may be enriched or updated automatically by Concord or manually by the user.

In addition to this identification data, Concord also collects technical connection data, usage history, and metadata linked to interactions with the platform. This includes, without limitation, connection logs, navigation trails, and timestamps. Moreover, any information or content voluntarily transmitted by the user through forms, chat interfaces, file uploads, or collaborative functionalities may be processed, including campaign briefs, creative materials, comments, or operational instructions.

3. Legal Basis and Purpose of the Processing

Processing of personal data is carried out in accordance with Article 6 of the General Data Protection Regulation (Regulation EU 2016/679) and the French Data Protection Act as amended. The processing is based either on the execution of the contract to which the user is a party, the legitimate interests pursued by Concord in the context of platform security, monitoring, and improvement, or the consent of the user where required, particularly in relation to optional cookies and non-essential communications.

The purposes of the processing include: user authentication and account management; provision and operation of the platform and its core functionalities; customer support and issue resolution; statistical analysis and service improvement; fraud prevention and compliance with legal obligations.

4. Retention Period of Personal Data

Personal data is retained for the duration of the contractual relationship and active use of the account. In the absence of user activity over a continuous period of twenty-four (24) months, or in the event of a request for deletion, personal data is either deleted or irreversibly anonymised within a maximum of ninety (90) calendar days. Connection logs and technical access traces are retained for a maximum period of twenty-four (24) months, in accordance with the recommendations of the Commission nationale de l’informatique et des libertés (CNIL).

5. Recipients and Subprocessors

Personal data may be transmitted to technical providers acting on behalf of Concord in the capacity of data processors, particularly in the areas of data hosting, authentication flow, user support, or AI module execution. These providers act exclusively on instruction from Concord and are subject to contractual commitments regarding confidentiality, security, and regulatory compliance.

Where any such provider is located outside the European Economic Area, Concord ensures that appropriate safeguards are in place, including, where applicable, the implementation of the European Commission’s Standard Contractual Clauses or an adequacy decision pursuant to Article 45 of the GDPR.

6. Use of Artificial Intelligence Modules

The platform includes access to generative models and algorithmic tools, integrated for the sole purpose of assisting users in the drafting of media briefs, generation of recommendations, or execution of tasks linked to campaign management. The data transmitted to these services is strictly limited to the content provided by the user through the relevant input fields. According to the applicable terms of the providers used, this data is not used to train models and is not retained after processing. Concord ensures that all integrations are configured to comply with these restrictions, without being able to guarantee the behaviour of third-party infrastructure beyond Concord’s control.

7. Cookies and Tracking Technologies

Only cookies that are strictly necessary for the technical provision of the platform are stored by default. Where other trackers (for example, for analytics or marketing purposes) are implemented, their activation is subject to prior consent from the user, collected via a cookie consent management platform. At this stage, Concord uses the Segment tool as a CMP and has not implemented any optional cookies requiring consent.

8. Data Hosting and Security Measures

All user data is hosted within the European Union on infrastructure that offers an adequate level of protection in accordance with the requirements of the GDPR. Hosting is provided via Amazon Web Services (AWS) and the frontend interface is delivered through Framer infrastructure. Concord implements technical and organisational security measures appropriate to the risks inherent to the processing, including data encryption, access control, monitoring, and audit procedures.

9. Rights of the Data Subject

In accordance with Chapter III of the GDPR, users have the right to obtain confirmation as to whether or not data concerning them is being processed, and where that is the case, access to the data and information on the processing. They also have the right to request the rectification or erasure of their data, to limit or oppose its processing, and to request the portability of the data when applicable.

To exercise their rights, users may contact Concord at the address privacy@concord.ad. Responses will be provided within a maximum of thirty (30) calendar days from the date of receipt of the request, except in cases of manifest abuse or technical impossibility duly justified.

10. Modification of the Privacy Policy

Concord reserves the right to modify this Privacy Policy at any time, in particular to comply with legal developments or changes in the functionalities of the platform. In the event of a substantial change, users may be informed by any appropriate means. In all cases, continued use of the services after the entry into force of the updated version implies full and complete acceptance of the modified policy.