Last updated: July 3, 2026
Privacy Policy
SymbiozAI (SASU, SIREN 103 609 244, registered office in Lyon 69003, France, website symbioz.ai) attaches great importance to the protection of personal data. This policy describes how we process personal data in two distinct situations:
- Part A — persons who visit our website and engage with us (prospects, visitors): SymbiozAI is then the data controller.
- Part B — persons whose data is processed through the Service by our customers (the professional contacts of our customers): SymbiozAI then acts as a data processor, on behalf of the customer.
Part A — Visitors and prospects of symbioz.ai
In this part, SymbiozAI is the data controller.
A.1 Data collected: data from contact or demo-request forms, registration data, browsing data (cookies and audience measurement), content of commercial exchanges.
A.2 Purposes: responding to requests, managing the prospect or customer relationship, improving the website, complying with our legal obligations.
A.3 Legal bases: consent (non-essential cookies), legitimate interest (B2B prospecting), performance of pre-contractual and contractual measures.
A.4 Cookies and trackers: a consent banner compliant with the ePrivacy regulation and the CNIL guidelines is implemented for non-essential trackers.
A.5 Retention periods: prospect data is retained for approximately 3 years after the last contact; other periods are specified in our retention policy.
A.6 Recipients: authorized SymbiozAI personnel and technical service providers (hosting, tools).
A.7 Your rights: you have the rights of access, rectification, erasure, objection, restriction, and portability, and the right to define post-mortem directives. You may exercise them at privacy@symbioz.ai. You also have the right to lodge a complaint with the CNIL.
Part B — Data subjects via the Service (our customers' contacts)
In this part, SymbiozAI acts as a data processor on behalf of its customers.
B.1 Our role. When a company (the "Customer") uses SymbiozAI, it entrusts us with personal data of its own contacts (prospects, customers, counterparties). For this data, the Customer is the data controller and SymbiozAI acts as a data processor, on the Customer's instructions.
B.1bis Enrichment and artificial intelligence — a possibly distinct role. By default, SymbiozAI acts as a data processor (Art. 28 GDPR) for ingestion, storage, the CRM, and the attribution of messages by artificial intelligence. For B2B data enrichment (through Apollo, Hunter, BrightData, INSEE/Pappers) and for certain artificial-intelligence processing operations, the relationship may qualify as controller-to-controller or as joint controllership, in which case SymbiozAI determines all or part of the means and purposes. Where applicable, an arrangement setting out the allocation of responsibilities under Art. 26 GDPR is established, and SymbiozAI is answerable for its own obligations (legal basis, information, rights) for the part concerned.
B.2 Where to exercise your rights. If you are a contact of one of our Customers and wish to exercise your rights (access, erasure, objection, etc.), address your request first to the Customer who holds the relationship with you. If you contact us directly, we will forward your request to the responsible Customer and assist them in responding to it.
B.2bis Informing persons in copy and persons whose records are created automatically. For persons in copy (cc) of an email and for records created automatically from an unregistered sender, the principle is that the person is actively informed — at the latest at the first contact with them, or within one month following collection (Art. 14.3 GDPR). This information obligation lies primarily with the responsible Customer, whom SymbiozAI equips (§B.1) and assists.
B.3 Categories of data processed (depending on what the Customer imports or connects): professional identity, contact details (email, number, LinkedIn profile), content of exchanges with the Customer, metadata, B2B enrichment data. Depending on the channel:
- WhatsApp / LinkedIn: a short preview of the message (approximately 200 characters) and identifying elements (number, profile), where you are already a contact of the Customer.
- Email (Gmail): the body of the message (up to approximately 5,000 characters, with a follow-up copy up to approximately 10,000 characters), the subject, the headers, and the recipients' addresses (including in copy). If you write to the Customer without already being registered, a contact record may be created automatically from your email and your name.
- A capped excerpt (at most 200 characters) may be transmitted to the artificial-intelligence provider for analysis (see B.5).
B.4 Source of the data. Your data comes from: (a) your exchanges with the Customer (incoming messages); (b) the import carried out by the Customer; (c) professional B2B sources (enrichment).
B.5 Processing by artificial intelligence. The Service uses language models (Anthropic/Claude) to analyze exchanges and propose messages, always validated by a human operator of the Customer. Your data is not used to train these models. A capped excerpt of the message may be transmitted to the artificial-intelligence provider for analysis.
B.6 Transfers outside the EU. Certain providers (in particular the artificial-intelligence provider) are established outside the European Union (United States); these transfers are governed by standard contractual clauses and appropriate safeguards (see the DPA). The main hosting is located within the European Union.
B.7 Subprocessors. The complete and up-to-date list of our subprocessors is published on a dedicated page (see "List of subprocessors"), with notification of changes at least 30 days in advance. The main ones are: Unipile (EU — messaging), Anthropic (US — artificial intelligence), Google (Gmail/Calendar), DigitalOcean (EU — hosting), WorkOS (authentication), and our enrichment providers (Apollo, Hunter, BrightData, INSEE/Pappers).
B.7bis Access to your email inbox (Google). When the Customer connects its Gmail account, SymbiozAI accesses emails through Google's official API in compliance with the Google API Services User Data Policy (Limited Use): the data is used only to provide the Service, never for advertising or for the training of generic models. The Customer may revoke this access at any time.
B.8 Retention periods. They are specified in our retention policy; they are aligned with the Customer's commercial relationship and the applicable reference frameworks.
Common information
- Controller / publisher: SymbiozAI SASU, SIREN 103 609 244, registered office in Lyon (69003), France.
- Data protection contact point: privacy@symbioz.ai.
- Supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL), France.
The full identification details of the site's publisher (name, form, capital, RCS, publication director, host) are set out in the "Legal Notice" document.