Privacy Policy

1. Introduction

Darwin Data SAS is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws. This Privacy Policy describes how we collect, use, process, and protect your personal information when you interact with our nature-risk intelligence platform and services.

Contact information:

• Company: Darwin Data SAS
• Registered office: 30 boulevard de Sébastopol, 75004 Paris, France
• Email: privacy@darwindata.ai
• Website: www.darwindata.ai

2. Scope and application

This Privacy Policy applies to:

• All personal data processed by Darwin Data SAS;
• Our nature-risk intelligence SaaS platform and API services;
• Data collected through our website, forms, and customer interactions;
• All employees, contractors, vendors, and third parties processing personal data on our behalf;
• Processing activities where Darwin Data SAS acts as either a data controller or a data processor.

3. Data controller and contact information

Data controller. Darwin Data SAS is the data controller for personal data processed in connection with our services, unless otherwise specified in a separate agreement.

Privacy contact. For all privacy-related inquiries or to contact our privacy team, please email privacy@darwindata.ai.

Data Protection Officer. Given the current scale and nature of our data processing activities, Darwin Data SAS has not appointed a formal Data Protection Officer (DPO) under Article 37 of the GDPR. The Chief Product and Technology Officer (CPTO) serves as our primary privacy contact and oversees our data protection compliance program.

4. Types of personal data we process

4.1 Website and lead generation data

• Names and contact information (email, phone);
• Company name and role/title;
• IP addresses and technical identifiers;
• Website usage data and cookies (including our use of Mixpanel for analytics — see our Cookie Policy);
• Form submissions and inquiry details.

4.2 Customer and business data

• Contact details of customer representatives;
• Account and billing information;
• Communication records and support interactions;
• Usage data and platform analytics.

4.3 Operational and business intelligence data

We process the following categories of data for our nature-risk intelligence services:

• Business operational data (corporate entities, sites, assets);
• Supply chain information;
• Geospatial and environmental data;
• Quantified financial risk exposure data;
• Biodiversity and nature-risk intelligence metrics.

4.4 Personnel and candidate data

• Identity and contact information: full name, home address, personal email, phone number, and government-issued identification;
• Employment and professional details: job applications, CVs, employment contracts, professional history, and qualifications;
• Financial and tax information: payroll data, bank account details, tax identification numbers, and social security information;
• Performance and administrative data: performance reviews, attendance records, holiday tracking, and disciplinary information.

5. Purposes of processing and legal basis

5.1 Service delivery (legal basis: contract performance — Art. 6(1)(b))

• Providing nature-risk intelligence and sustainability technology services;
• Managing customer accounts and access to our platform;
• Delivering API services and data analytics.

5.2 Lead generation and marketing (legal basis: legitimate interest — Art. 6(1)(f))

• Processing website forms and inquiries;
• Communicating with potential customers;
• Marketing our services to relevant business contacts.

5.3 Legal and compliance (legal basis: legal obligation — Art. 6(1)(c))

• Compliance with applicable laws and regulations;
• Responding to legal requests and regulatory inquiries.

5.4 Consent-based processing (legal basis: consent — Art. 6(1)(a))

• Newsletter subscriptions;
• Cookies and tracking technologies, including analytics trackers such as Mixpanel (managed in accordance with our Cookie Policy and your consent preferences).

6. Data sharing and disclosure

6.1 Service providers and processors

We may share personal data with trusted third-party service providers who assist us in delivering our services, including:

• Infrastructure & hosting: AWS — hosts our SaaS platform infrastructure, database, AI services, and our marketing website;
• Authentication & support: Zitadel (authentication and identity provider); Crisp (customer support chat);
• Business operations & analytics: Attio (CRM); Mixpanel (product analytics); Vanta (compliance monitoring);
• Human resources: MySilae (HR management);
• Communication & collaboration: Google Workspace (Google LLC, USA); Slack (Salesforce, Inc., USA); Notion (Notion Labs, Inc., USA); GitHub (GitHub, Inc. / Microsoft, USA);
• Sales & marketing: Lemlist (Lempire SAS, France) — outbound email prospecting;
• Finance & accounting: Pennylane (Pennylane SAS, France) — accounting and financial management;
• Monitoring, observability and search: Sentry (Functional Software Inc., USA) — application monitoring & error tracking; Algolia (USA, EU regions) — search infrastructure.

For all third-party service providers listed above that process personal data outside of the European Economic Area (EEA), Darwin Data SAS ensures appropriate safeguards are in place, primarily through the execution of Standard Contractual Clauses (SCCs) and the implementation of rigorous technical and organizational security measures.

7. International data transfers

As a France-based company, we primarily process data within the European Economic Area (EEA). When we transfer personal data outside the EEA, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Adequacy decisions for countries recognized as providing adequate protection.

Specific transfers:

• AWS (Amazon Web Services, Inc. — USA entity, EU regions): platform infrastructure, database, and AI services. Customer data is stored and processed exclusively in EU regions (eu-west-3, Paris). Standard Contractual Clauses cover the corporate-level transfer exposure related to the US parent entity (CLOUD Act);
• Mixpanel (USA): product analytics;
• Vanta (USA): compliance monitoring;
• Attio (UK): CRM services;
• Crisp (EEA/International): customer support services;
• Google Workspace (USA): email and document collaboration — with EU data residency options configured where available;
• Slack (USA): internal team communications;
• Notion (USA): internal documentation;
• GitHub (USA): source code repositories and issue tracking;
• Sentry (USA): application monitoring and error tracking;
• Algolia (USA, EU regions): search infrastructure.

8. Data retention

Darwin Data SAS maintains personal data in accordance with the principle of storage limitation. Data is retained only for the duration necessary to achieve the specific purposes for which it was collected, to fulfill our contractual obligations, or to comply with applicable statutory, regulatory, or legal retention requirements.

8.1 Retention periods

• Customer platform data: permanently deleted within 90 days after termination of the Customer Agreement, following a 30-day export window made available upon written request, in accordance with the Customer Agreement;
• Contractual, billing and accounting records: retained for the duration of the business relationship plus 6 years following the end of the contractual relationship, in accordance with French Commercial Code obligations (Art. L. 123-22) and applicable tax legislation;
• Lead and marketing data: up to 3 years from last contact, unless consent is withdrawn;
• Website analytics: 26 months from collection;
• Platform usage and analytics data: retained for the duration of the customer contract plus 2 years for product improvement and security auditing purposes.

9. Your rights under the GDPR

As a data subject, you have the following rights:

• Right of access (Article 15);
• Right to rectification (Article 16);
• Right to erasure (Article 17);
• Right to restrict processing (Article 18);
• Right to data portability (Article 20);
• Right to object (Article 21).

To exercise any of these rights, please contact us at privacy@darwindata.ai.

10. Data security measures

We implement appropriate technical and organizational measures to protect personal data:

• Encryption of data at rest and in transit;
• Access controls and authentication systems;
• Regular security assessments and updates;
• Staff training on data protection;
• Incident response and breach notification protocols.

11. Supervisory authority

You have the right to lodge a complaint with a supervisory authority. The relevant supervisory authority for France is the Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr.

12. Cookies and tracking technologies

Darwin Data SAS uses cookies and similar tracking technologies to enhance your experience on our website and platform. In accordance with applicable data protection laws, we use a consent banner to obtain your permission before deploying non-essential cookies. You can manage your cookie preferences at any time.