Privacy Policy

Foreword

This website and the software-as-a-service data room solution (”Solution”) are operated by Entropia SAS, with share capital of €17,967.31, registered under the Trade and Companies Registry of Versailles under number 980 705 016, and located at 29 rue de Lafayette, 78000 Versailles, France (hereinafter “Entropia”, “entropia.io”, “we” or “us”).

For website interactions, account administration, security logging and support, Entropia acts as Controller. For any Personal Data contained in Client documents within the data room, the Client acts as Controller and Entropia acts as Processor in accordance with our Data Processing Agreement.

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you:

visit our website at https://entropia.io,
register for, access, or use our SaaS solution, or
otherwise communicate or interact with us in connection with our Services.

We may update this Privacy Policy from time to time.

Definitions

Client: an organisation or individual that subscribes to or purchases access to the Solution.
Controller: the entity that determines the purposes and means of the processing of Personal Data. For the processing activities described in this Privacy Policy, Entropia is the Controller.
Data Subject: any identified or identifiable natural person whose Personal Data is processed by Entropia.
Personal Data: any information relating to a Data Subject, as defined under the GDPR.
Processor: a natural or legal person that processes Personal Data on behalf of a Controller. Entropia may use certain Processors (e.g. hosting, marketing, or analytics providers) as described in this Privacy Policy.
Services: the Website, the Solution, and related features, content, and functionalities provided by Entropia.
Solution: Entropia’s software-as-a-service data room solution.
User: any individual who accesses or uses the Website or the Solution, whether as a Client’s authorised user or as a visitor.

Personal Data collected, Purpose, Legal Basis, and Retention

Visiting our Website

Categories of Personal Data collected:
- Website usage data (IP address, device and browser details, pages visited, time spent, actions taken),
- Cookies and tracking data through HubSpot and similar tools (strictly necessary cookies, analytics cookies, marketing cookies).
Purpose and legal basis:
- Ensure website functionality (legitimate interest, GDPR Art. 6(1)(f)).
- Analyse traffic and improve performance (legitimate interest for essential analytics; consent for non-essential cookies, GDPR Art. 6(1)(a)).
- Provide targeted marketing and advertising campaigns (consent, GDPR Art. 6(1)(a)).
Data retention:
- Analytics and marketing data are retained in accordance with cookie retention periods (maximum of 12 months unless renewed).
- Strictly necessary cookies are retained only for the session or as required for security.

Engaging with us via Contact Forms

Categories of Personal Data collected:
- Contact form: first name, last name, company, job title, email address, phone number, and the content of your message.
- Newsletter subscription: first name, last name, email address (with double opt-in verification).
Purpose and legal basis:
- Respond to inquiries and follow-up communications (legitimate interest, GDPR Art. 6(1)(f)).
- Send newsletters and marketing communications, where consent is provided (consent, GDPR Art. 6(1)(a)).
Data retention:
- Contact form data is retained for the duration necessary to process your request and follow-up, then deleted or anonymised unless required by law.
- Newsletter data is retained until you unsubscribe or withdraw consent, after which it is deleted or anonymised.

Recruitment applications

Categories of Personal Data collected: First name, last name, contact details, CV, cover letter, LinkedIn profile, position applied for.
Purpose and legal basis: Process applications, evaluate candidates, and follow up on recruitment (performance of contract and legitimate interest).
Data retention: Retained for up to two years unless you consent to a longer retention for future opportunities.

Using our Solution or Services

Authentication and Account Management
- Data Processed: email, password (hashed), authentication tokens/cookies.
- Purpose: create and manage accounts, authenticate Users, secure access to the Services.
- Legal Basis: performance of contract (Terms of Service), legitimate interests (security).
- Retention: for the duration of the account plus a short grace period for logs.
Usage Analytics and Engagement Tracking
- Data Processed: IP address, cookies, device/browser information, pages visited, session duration, clicks.
- Purpose: ensure security, analyse and improve the Solution, generate usage reports, and—where consent is given—deliver marketing communications.
- Legal Basis:
  - legitimate interests for strictly necessary analytics and security logging,
  - consent for marketing and non-essential cookies.
- Retention: up to 12 months.
Support
- Data Processed: name, email, company, job title, phone number, content of messages.
- Purpose: respond to enquiries and provide users with support.
- Legal Basis: performance of contract (support), legitimate interests.
- Retention: two years after last interaction.

Personal Data minimisation

We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes described in this Privacy Policy.

Personal Data location and security

We use third-party providers (currently including HubSpot, Scaleway, and others) for hosting, marketing, and data management. All providers are chosen for their ability to implement adequate technical and organisational measures to protect data, such as Double Opt-in (ensuring that we only collect emails that are owned by the current User).

The 3rd party software service providers we use to process personal data have their own data security policies. They act as Data Processors with regards to GDPR.

Your data may be stored within or outside the EEA, subject to adequate safeguards (e.g., Standard Contractual Clauses).

We secure our Website and other systems through technical and organisational measures against loss, destruction, access, modification or distribution of your data by unauthorised persons.

Note that unfortunately, the transmission of information via the internet can't always be considered 100% secure. Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised data access, destruction or alteration. As technology advances we are regularly updating and enhancing the security and organisational measures.

Personal Data sharing

We do not sell or rent your personal data. We may share Personal Data with:

Service providers bound by contractual confidentiality and security obligations;
Affiliates: Entropia may share Personal Data with other entities within the Entropia corporate group;
Business changes: If Entropia undergoes a strategic transaction such as a merger, acquisition, sale of assets, reorganisation, liquidation, or a transition of service to another provider, Personal Data may be disclosed during the due diligence process to counterparties and their advisors, and may be transferred as part of the business assets to a successor entity or affiliate. Any successor to our business will be bound by obligations consistent with this Privacy Policy to ensure the continued protection of Personal Data.
Legal Requirements: Entropia may disclose Personal Data when required to do so by law, regulation, legal process, or enforceable governmental request. We may also disclose Personal Data where we reasonably believe it is necessary to (i) comply with legal obligations, including national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) prevent, detect, or address fraud or other unlawful activity, (iv) protect the safety of Users of the Services or the public, or (v) defend against legal claims or liability.

Data Subjects rights

Under the General Data Protection Regulation (GDPR), you have a number of rights in relation to your Personal Data. Entropia is committed to ensuring that you can exercise these rights. These include:

Right to be Informed: You have the right to receive clear and transparent information about how we collect, use, and protect your personal data. This Privacy Policy provides that information.
Right of Access: You can request confirmation of whether we process your personal data, and if so, obtain a copy of your personal data together with information about how it is processed.
Right to Rectification: If you believe your personal data is inaccurate or incomplete, you have the right to request that we correct or update it.
Right to Erasure ("Right to be Forgotten"): In certain circumstances, such as where your personal data is no longer needed for the purpose it was collected, you can request that we delete your data.
Right to Restrict Processing: You may request that we suspend the processing of your personal data, for example if you contest its accuracy or object to its processing.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transfer it to another organisation where technically feasible.
Right to Object: You can object at any time to our processing of your personal data where we rely on legitimate interests, or where your data is processed for direct marketing purposes.
Rights in Relation to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on you, unless such processing is necessary for entering into, or performance of, a contract with you, authorised by law, or based on your explicit consent.

How to exercise your rights?

You can exercise any of these rights by contacting us at privacy@entropia.io. We will respond to your request within the time limits set out under GDPR (normally one month).

If your Personal Data is processed on behalf of one of our Clients (for example, if Entropia acts as a service provider to another organisation), we may need to forward your request to that Client, who is the Controller of your data, so they can respond.

If you are not satisfied with how we handle your request, you also have the right to lodge a complaint with your local supervisory authority.