Privacy Policy

Last update: October 2025

In the course of its business activities, Pharaday processes Personal Data. These Processing activities are described in this Privacy Policy (hereinafter referred to as the "Privacy Policy").

Pharaday places the highest importance on protecting your Personal Data and is committed to ensuring that all Processing operations are carried out in strict compliance with the applicable data protection laws and regulations.

The purpose of this Privacy Policy is to explain how Pharaday collects, uses, stores, and protects your Personal Data in accordance with the applicable data protection framework. It also aims to help you understand how your Personal Data is handled, the purposes for which it is used, and the rights you have to control and manage this use.

1. Definitions

Pharaday — Pharaday SAS, a simplified joint-stock company with a capital of €13,644.50, having its registered office at 5, Rue Fénelon 33000 Bordeaux, registered with the Bordeaux Trade and Companies Register under number 983 618 216, represented by Thibault Court, President duly authorized for the purposes of this Agreement. Pharaday is a company primarily engaged in the design, development, and commercialization of SaaS-based technological solutions in the maritime transport sector, some of which integrate the use of artificial intelligence.

Personal Data — Means, within the meaning of Article 4(1) of the GDPR, any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, or one or more factors specific to that individual's physical, physiological, genetic, mental, economic, cultural, or social identity. Conversely, data referring to the identification of a legal entity are not considered Personal Data within the meaning of Article 4(1) of the GDPR.

Privacy Policy or Policy — Refers to this Privacy Policy, which governs the conditions under which your Personal Data are collected and processed by Pharaday.

Applicable Data Protection Legislation — Refers to the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 ("GDPR"), the French Data Protection Act No. 78-17 of 6 January 1978, as amended, and its implementing texts, as well as any other legislative or regulatory act of French or European law applicable in France relating to the protection of Personal Data.

Data Processor — Means, within the meaning of Article 4 of the GDPR, any natural or legal person that processes Personal Data on behalf of the Controller.

Data Controller — Means, within the meaning of Article 4 of the GDPR, the natural or legal person, public authority, agency, or other body which, alone ("independent Data Controller") or jointly with others ("joint controller"), determines the purposes and means of the Processing of Personal Data.

Processing(s) — Means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2. Purpose and scope of the Privacy Policy

The purpose of this Privacy Policy is to inform you about:

  • the methods and characteristics of the Processing of your Personal Data carried out by Pharaday in the context of its business activities; and
  • your rights under the Applicable Data Protection Legislation.

This Privacy Policy does not apply to: websites or platforms also used by our clients and not operated by Pharaday, or Personal Data processed by our clients in their capacity as Data Controller.

3. Data Controller identity

Pharaday is the Data Controller for the Processing activities described in this Privacy Policy.

However, when clients use Pharaday's SaaS platform as part of their own operations, they remain the Data Controllers, and Pharaday acts as a Data Processor. In this context, Pharaday processes Personal Data solely on behalf of and in accordance with the instructions of its clients. When Pharaday acts as Data Processor, the categories of Personal Data and purposes of Processing are determined by the client (the Data Controller); Pharaday implements appropriate technical and organizational measures to ensure the confidentiality, integrity, and security of the data entrusted to it. The types of Personal Data processed in this context depend on the client's use of the platform but may include operational, user, or contact information relating to their own customers or partners.

4. Principles governing the Data Processing activities

In its capacity as Data Controller, Pharaday is committed to complying with Applicable Data Protection Legislation. In this regard, Pharaday undertakes to ensure that your Personal Data are:

  • processed lawfully, fairly, and in a transparent manner;
  • collected for specific, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes;
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • retained in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed;
  • processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing, accidental loss, destruction, or damage, through the use of suitable technical and organizational measures.

Pharaday remains at your full disposal for any questions or comments regarding the Processing of your Personal Data.

5. Personal Data Processing activities

5.1 Origin of Personal Data

The Personal Data processed by Pharaday may come from different sources, depending on the nature of the Processing activities. These may include:

  • information provided directly by you, for example when you contact Pharaday, use its services, or communicate with our team;
  • information obtained from third parties or business partners, in accordance with applicable legal requirements.

5.2 Processing activities description

Depending on the context in which the data are collected, the following categories of Personal Data may be processed by Pharaday as Data Controller:

Management of our commercial relationships (clients, partners, suppliers)
  • Categories of Personal Data: Identification and contact information, Professional and transactional data, Contractual and billing information.
  • Legal basis: Performance of the contract (GDPR Art. 6(1)(b)); Legal obligation (GDPR Art. 6(1)(c)).
  • Data retention: Duration of the contractual relationship + 5 years (statutory limitation period).

Management of our product / services improvement
  • Categories of Personal Data: Account data, Connection and usage data.
  • Legal basis: Legitimate interest of Pharaday (GDPR Art. 6(1)(f)).
  • Data retention: Duration of the service provision + up to 3 years for service improvement statistics (anonymized thereafter).

Management of our communication and marketing B2B
  • Categories of Personal Data: Identification and contact data, preferences, communication history.
  • Legal basis: Legitimate interest of Pharaday for the prospection (GDPR Art. 6(1)(f)); Consent (Art. 6(1)(a)) when required.
  • Data retention: 3 years from the last interaction or opt-out request.

Management of Pharaday support and user assistance
  • Categories of Personal Data: Identification and contact data, message content, account data.
  • Legal basis: Performance of a contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)).
  • Data retention: Duration of Processing the request + 2 years for quality follow-up.

Management of recruitment
  • Categories of Personal Data: Identification and contact data, CV and career history, interview notes.
  • Legal basis: Legitimate interest of Pharaday (Art. 6(1)(f)); pre-contractual measures (Art. 6(1)(b)).
  • Data retention: Up to 2 years after last contact with the candidate (unless deletion requested sooner).

Management of our legal obligations and compliance
  • Categories of Personal Data: Identification data and all necessary Personal Data required by authorities in accordance with minimization principle.
  • Legal basis: Legal obligation (Art. 6(1)(c)).
  • Data retention: Duration in accordance with the applicable legal rules and obligations, for example 10 years of retention for billing and invoicing data.

Management of security and fraud prevention
  • Categories of Personal Data: Connection data (IP address, logs, identifiers), technical usage data.
  • Legal basis: Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)).
  • Data retention: 6 months to 1 year (log retention per CNIL recommendation).

5.3 Automated Processing, Sensitive Data and Data Provision

Pharaday does not carry out any automated individual decision-making or profiling.

Pharaday does not process any special categories of data (Article 9 GDPR).

Failure to provide required Personal Data may prevent Pharaday from providing services, fulfilling contracts, or responding to requests.

Personal Data are collected and processed only to the extent necessary for the purposes pursued.

6. Who has access to Personal Data

Access to Personal Data is strictly limited to authorized personnel within Pharaday who need such access in order to perform their professional duties and fulfil the purposes described in this Privacy Policy. Access may also be granted to:

  • Service providers and technical partners (see the list below in Appendix 1 – Pharaday's Data Processors) acting on behalf of Pharaday (such as hosting providers, maintenance and support services, or communication tools), strictly within the limits necessary to perform their tasks;
  • External advisors or auditors, where required by legal, regulatory, or contractual obligations;
  • Competent authorities or courts, when disclosure is required by law or in response to a valid legal process.

All recipients are bound by confidentiality obligations and, where applicable, by data processing agreements in compliance with Article 28 of the GDPR, ensuring that your Personal Data are processed securely and lawfully.

7. Data security

Pharaday implements appropriate technical and organizational security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, in particular:

  • encryption of data in transit and at rest;
  • network and access control mechanisms (e.g., authentication, logging, firewalls);
  • periodic reviews of security protocols and incident management procedures;
  • regular staff training on data protection and confidentiality obligations.

In the event of a Personal Data breach likely to result in a risk to individuals' rights and freedoms, Pharaday will comply with its obligations under Articles 33 and 34 of the GDPR.

8. International Data Transfers

As part of its operations and in providing its SaaS platform, Pharaday may transfer Personal Data to recipients located outside the European Economic Area (EEA). Such transfers may occur, for example:

  • when Pharaday relies on technical service providers or hosting partners (such as cloud infrastructure, communication, or analytics providers) whose servers are located outside the EEA;
  • when clients or partners of Pharaday are established in third countries;
  • or when Pharaday's internal teams or subsidiaries operate in countries outside the EEA.

Whenever Personal Data are transferred outside the EEA, Pharaday ensures that an adequate level of protection is guaranteed, in compliance with Chapter V of the GDPR. This may include, as appropriate:

  • EU adequacy decision;
  • Standard Contractual Clauses (SCCs); or
  • Other legal safeguards under Chapter V of the GDPR.

Pharaday also ensures that its partners and service providers located outside the EEA undertake to process Personal Data in strict compliance with data protection, confidentiality, and security standards equivalent to those in force within the European Union.

9. Right of Data Subjects

In accordance with the Applicable Data Protection Legislation, and in particular Articles 15 to 22 of the GDPR, you have the following rights regarding your Personal Data:

  • Right of access: to obtain confirmation as to whether your data are being processed and to access those data;
  • Right to rectification: to request correction of inaccurate or incomplete data;
  • Right to erasure ("right to be forgotten"): to request deletion of your data, where legally permissible;
  • Right to restriction of Processing: to request that Processing be temporarily limited under certain conditions;
  • Right to data portability: to receive your data in a structured, commonly used, and machine-readable format, and to transmit them to another Data Controller;
  • Right to object: to object to the Processing of your data, particularly where Processing is based on legitimate interest or for direct marketing purposes;
  • Right to withdraw consent: where Processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior Processing;
  • Right to lodge a complaint: with the Commission Nationale de l'Informatique et des Libertés (CNIL) or any competent supervisory authority if you believe that your rights have been infringed.

Requests to exercise your rights can be sent by email to contact+privacy@pharaday.net (or any other address designated by Pharaday for this purpose).

Pharaday will respond to such requests within the time limits set out by the GDPR, generally within one month of receipt.

10. Updates to this Privacy Policy

Pharaday may update this Privacy Policy from time to time, in particular to reflect:

  • changes in its Processing activities;
  • developments in Applicable Data Protection Legislation or regulatory guidance.

Whenever significant changes are made, Pharaday will inform users by appropriate means (for example, by email notification or a notice on the platform), and invite them to review the updated version of this Privacy Policy.

The most recent version of the Policy will always be available on Pharaday's website and will indicate the date of its last update.

11. Contact information

For any questions, concerns, or requests relating to this Privacy Policy or the Processing of your Personal Data, you may contact Pharaday at:

If you believe that your rights have not been respected, you also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) or any other competent data protection authority.

Appendix 1 - Pharaday's Data Processors

To carry out our activities, we rely on service providers acting as Data Processors within the meaning of the GDPR (Regulation (EU) 2016/679). These providers process Personal Data on our behalf and in accordance with our instructions.

We ensure that we only engage Data Processors offering sufficient guarantees as required by the GDPR and undertake to enter into contractual arrangements with them under the conditions set out in Article 28 of the GDPR.

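| # | Processors | Purposes | Data location |
|---|---|---|---|
| 1 | AWS | Hosting of data and servers | France |
| 2 | Airtable | CRM | US |
| 3 | Lagrowthmachine | B2B marketing | EU |
| 4 | WorkOS | Authentication platform | US |
| 5 | Resend | Emailing platform | US |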

| Purposes | Personal data | Legal basis | Retention period |
|---|---|---|---|
| Improvement of our website and of the Pharaday’s Platform and production of internal statistics | Identity and content of the request if necessary and if the improvement is related to a user query | Legitimate interest of Pharaday | Duration of improvement |
| The use of cookies | Token | Consent of the users when it is required by the Applicable Laws and Regulations on Personal Data Protection. When the consent of the users is not necessary, the Processing may take place on the basis of the legitimate interest of Pharaday in order to improve the navigation of the website or the use of the Pharaday’s Platform. | Retention period according to French law |
| Sending of emails relating to improvements and updates of the Pharaday’s Platform | Contact details | Legitimate interest of Pharaday | As long as the user has an active account, unless you object |
| Management of Accounts creation and maintenance | Identity, contact details, position, photo | Performance of the contract with the Supplier | As long as the user has an active account |
| Processing of your feedback on the bugs encountered or on suggestions to improve the Pharaday’s Platform | Identity if necessary | Legitimate interest of Pharaday | Until the final processing of your feedback or the bug |
| Contract management with customers | Identity and contact details of the Personnel in charge of the performance of the contract | Performance of the contract with the customer | Contract duration and then 5 years after the end of the relationship |
| Management of our back-office used to administer our systems | Identity, contact details, position | Legitimate interest of Pharaday | As long as the user has an active account |
| Provision of requested technical assistance or support | Identity, contact details, if necessary, summary of your request | Legitimate interest of Pharaday | Time required to respond to your request for information or support |

Who do we share your Personal data with and why?

We may share your Personal data with our personnel subject to a prior confidentiality obligation, with the competent authorities upon request according to Applicable Laws and Regulations on Personal Data Protection, and with our service providers, for instance for the hosting of your data or the management of our systems.

In any case, we remain vigilant to ensure the confidentiality of the data shared, and we also ensure that our providers present sufficient guarantees before any data is shared.

How can you control the processing activities we do on your Personal data?

According to Applicable Laws and Regulations on Personal Data Protection, you have rights which allow you to exercise real control over your Personal data and how we process them:

- You can request access to your Personal data
- You can ask for the correction and the deletion of your Personal data
- You can object to the processing of your Personal data based on legitimate interests and for commercial prospecting purposes
- You can suspend the use of your Personal data
- You can withdraw your consent at any time
- You have rights against an automated decision
- You can request the portability of part of your Personal data
- You can lodge a complaint with the competent Supervisory authority

If you wish to exercise the rights listed above, please contact us:

- At our office: Pharaday, 5 rue Fénelon 33000 Bordeaux
- Or by email: contact@pharaday.ai  

How do we protect your Personal data?

Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Pharaday implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

- The pseudonymisation and encryption of Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

Cross border data transfers

In the event our activities require a transfer of Personal Data to a country outside the EEA, we agree to provide a lawful framework for this transfer according to Applicable Laws and Regulations on Personal Data Protection.
The cross-border data transfer shall be conditional on any export being carried out (i) on the terms of appropriate safeguards (for instance the EU standard clauses on the transfer of Personal Data in their latest version in force and according to the module applicable to the Personal Data transfer), or (ii) based on an adequacy decision.

Evolution of this Privacy Policy

We may modify this Privacy Policy at any time, considering product, legal and regulatory changes.  

The version that prevails is the one accessible online on our website. You must therefore refer to the version available online at the time you access and use our website or the Pharaday’s Platform.

However, the Personal data will always be processed in accordance with the current applicable Privacy Policy at the time of their collection, unless otherwise permitted by law.

Contact

For any query about this Privacy Policy or about the way Pharaday processes your Personal data, please contact us by email at: om@pharaday.net or by letter: Pharaday, 5 rue Fénelon 33000 Bordeaux.