BEEWANT PRIVACY NOTICE

Last updated: 6 May 2026

This Privacy Notice (the “Notice”) describes how Beewant SAS, a société par actions simplifiée incorporated under the laws of France (“Beewant”, “we”, “us”, or “our”), processes personal data in connection with our website at https://www.beewant.com (the “Website”) and the Beewant Enterprise platforms (collectively, the “Services”). It is intended to satisfy the information requirements of Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) and the French Data Protection Act (Loi n° 78-17).

This Notice applies to: (a) visitors to our Website; (b) prospective and existing customers and the individuals representing them; (c) Authorized Users of the Services; and (d) individuals whose personal data is contained in content uploaded to or generated through the Services by our customers (in respect of which Beewant generally acts as a processor).

Where we process personal data on behalf of our business customers (for example, the content they upload to the Services), we act as a “processor” and our customer is the “controller”. In that role, our obligations are set out in our Data Processing Addendum (the “DPA”), and individuals should direct privacy requests to the relevant Beewant customer in the first instance. This Notice describes the personal data we process in our capacity as “controller”.

1. Who we are and how to contact us

Controller: Beewant SAS, a société par actions simplifiée incorporated in France, with registered office in France. We are responsible for personal data processed in our capacity as controller as described in this Notice.

How to contact us about privacy: legal@beewant.com (general privacy questions and to exercise your rights), legal@beewant.com (legal notices), contact@beewant.com (security incidents and abuse). Postal mail can be addressed to Beewant SAS, 268 Avenue Daumesnil, 75012 Paris, France.

Data Protection Officer: where Beewant has appointed a Data Protection Officer, the DPO can be reached at legal@beewant.com.

EU representative for non-EU customers: where required by Article 27 GDPR, our representative can be reached at contact@beewant.com..

2. Categories of personal data we process

Depending on how you interact with us, we may process the following categories of personal data:

2.1 Account and identity data

Name, email address, password (stored hashed), telephone number where provided, organization name, role/title, billing contact, country, language preference, profile picture (if you upload one), and credentials issued by Beewant or by the identity providers you use to sign in (Google, Microsoft, SAML).

2.2 Authentication and security data

OAuth tokens and API keys you generate, multi-factor-authentication factors, IP addresses, device and browser identifiers, sign-in events, password-reset events, security logs, abuse signals, and similar information used to authenticate you and protect the Services.

2.3 Billing and payment data

Billing address, VAT/tax identification number, plan and invoice history, and limited payment-method information (such as last four digits, card brand, and expiry) returned to us by our payment processor. We do not store full card numbers; payment details are collected and processed by Stripe Payments Europe, Ltd.

2.4 Usage data

Information about how you use the Services, such as features used, models invoked, number and size of files processed, queries issued, search and chat events, error logs, performance metrics, and approximate location derived from your IP address. This data is used to operate, secure, and improve the Services.

2.5 Customer Content (processor role)

Files, prompts, queries, transcripts, embeddings, annotations, AI Output, and other content you upload to or generate through the Services. This content may itself contain personal data (about you, your colleagues, your customers, or other individuals). Beewant generally processes Customer Content as a processor, on behalf of the customer that controls the relevant Beewant account, in accordance with the DPA.

2.6 Communications and support data

Records of your communications with us (emails, support tickets, in-app chats, recorded calls or meetings where you have been informed in advance), survey responses, and feedback.

2.7 Marketing and event data

Marketing preferences, event registrations, content downloads, newsletter subscriptions, and engagement with our marketing emails (open and click events). You can opt out of marketing at any time.

2.8 Cookies and similar technologies

Cookies, local storage, pixels, and similar technologies on the Website and the Beewant Platform, as further described in Section 9 (Cookies).

2.9 Special categories of data

We do not seek special categories of personal data (Article 9 GDPR) and ask that you not submit them through the Services unless we have agreed in writing to support your specific use case.

Where Customer Content contains such data, the customer is responsible as controller for ensuring an appropriate legal basis under Article 9(2) GDPR.

3. Where we obtain personal data

We obtain personal data from the following sources:

• Directly from you, when you create an account, fill in a form, contact us, or use the Services.
• From your employer or organization, when they grant you an Authorized User account on their Beewant subscription.
• From identity providers you use to sign in (such as Google or Microsoft), to the extent of the OAuth scopes you authorize.
• From integrations and connectors that you authorize (such as Google Workspace, Microsoft 365, Slack, Notion, Linear, Asana, ClickUp, Jira, GitHub, GitLab, Salesforce, Apollo.io, Intercom, Twilio, Stripe, Meta), to perform the actions you have configured.
• From our payment processor, regarding the status of payments and limited card metadata.
• From sub-processors and other service providers we use to operate the Services (for example, error-tracking and observability tools).
• From publicly available sources or B2B data providers, for prospect research and account-based marketing, where permitted by law.

4. Purposes for which we use personal data, and legal bases

We process personal data for the purposes set out below. The legal bases on which we rely are listed beside each purpose.

Purpose	Categories of data used	Legal basis (GDPR Art. 6)
Provide and operate the Services (account creation, authentication, configuration, hosting and processing of Customer Content, AI features such as chat, search, transcription, embeddings, RAG, agents, integrations).	Account & identity data; authentication & security data; usage data; Customer Content (processor role); billing data.	Performance of a contract with you or with the customer that authorizes your access (Art. 6(1)(b)); legitimate interests where you are not directly the contracting party (Art. 6(1)(f)).
Process payments, manage subscriptions, prevent fraud and meet accounting obligations.	Account & identity data; billing & payment data; usage data.	Performance of a contract (Art. 6(1)(b)); compliance with legal obligations such as accounting, tax and anti-fraud rules (Art. 6(1)(c)); legitimate interests in fraud prevention (Art. 6(1)(f)).
Secure the Services, prevent and respond to abuse, attacks and policy violations, including by analyzing security logs and abuse signals.	Authentication & security data; usage data; communications data.	Legitimate interests in protecting our service, our customers, and third parties (Art. 6(1)(f)); compliance with legal obligations to ensure security of processing (Art. 6(1)(c) and Art. 32 GDPR).
Operate, monitor, troubleshoot and improve the Services, including via analytics, error tracking and aggregated/de-identified analysis.	Usage data; communications & support data; aggregated/de-identified data derived from the foregoing.	Legitimate interests in maintaining and improving the Services (Art. 6(1)(f)).
Provide customer support, respond to your enquiries, and communicate service updates.	Account & identity data; communications & support data; usage data.	Performance of a contract (Art. 6(1)(b)); legitimate interests in supporting users (Art. 6(1)(f)).
Send marketing communications about Beewant products and events.	Account & identity data; marketing data.	Consent (Art. 6(1)(a)) where required (e.g., for unsolicited B2C email); legitimate interests in promoting our business to existing customers and prospects in a B2B context (Art. 6(1)(f)). You can opt out at any time.
Comply with legal obligations and respond to lawful requests from public authorities.	Any of the above categories, as relevant.	Compliance with legal obligations (Art. 6(1)(c)); legitimate interests in defending legal claims (Art. 6(1)(f)).
Establish, exercise or defend legal claims, including in connection with disputes, mergers and acquisitions, or insolvency.	Any of the above categories, as relevant.	Legitimate interests (Art. 6(1)(f)); compliance with legal obligations (Art. 6(1)(c)).

5. How we use personal data with AI features

The Services include AI features such as conversational AI, embeddings, search, retrieval-augmented generation, transcription, AI-assisted annotation, and AI agents. The following points describe how personal data may be processed in connection with those features:

• When you submit a prompt, query, file or other input to an AI feature (a “Customer Input”), Beewant routes that input — together with any context Beewant adds, such as retrieved documents from your account — to the model selected for the request. The model may be hosted within the Beewant Network or by a Third-Party AI Provider that you or your administrator have enabled (for example, OpenAI, Anthropic, Google, Mistral).
• We do not use Customer Inputs or AI Output to train, fine-tune any general-purpose machine-learning model owned by Beewant or any Third-Party AI Provider, except (i) to the extent strictly required to provide the Services to you or your organization (for example, indexing your content into your own vector store), or (ii) where you or your administrator expressly opts in.
• AI Output may be inaccurate, incomplete, biased or otherwise unsuitable. You should not rely on AI Output as the sole basis for decisions that have a material legal, medical, financial, employment, safety or similar effect on individuals, without appropriate human review.
• We do not subject you to a decision based solely on automated processing — including profiling — that produces legal effects concerning you or similarly significantly affects you (Article 22 GDPR), unless we have a lawful basis to do so and have informed you of that basis. Where our customer configures the Services to make such decisions, our customer is the controller responsible for compliance with Article 22.

6. Recipients of personal data

We share personal data only with the recipients and for the purposes described below. We require these recipients to handle personal data in accordance with applicable law and the safeguards described in the DPA.

• Affiliates of Beewant, where Beewant operates through affiliated entities, for the same purposes described in this Notice.
• Sub-processors that help us operate the Services (such as cloud hosting providers, AI providers, transactional-email providers, error-tracking providers, and customer-support tooling). The current list of sub-processors is published in Annex 2 of the DPA and can be queried on demand by emailing legal@beewant.com.
• Identity providers and integration partners, where you choose to authenticate via, or connect Beewant to, a Third-Party Service (Google, Microsoft 365, Slack, Notion, Linear, Asana, ClickUp, Jira, GitHub, GitLab, Salesforce, Apollo.io, Intercom, Twilio, Stripe, Meta, etc.). Data is exchanged with such Third-Party Services only within the OAuth scopes you authorize and according to your configuration.
• Professional advisors (lawyers, auditors, accountants), banks and insurers, where strictly necessary for our legitimate interests or compliance with legal obligations.
• Public authorities, where required by law or by a valid and binding order. Where Beewant receives a request relating to personal data of a customer’s data subjects, we apply the safeguards described in the DPA, including notification to the customer where legally permitted.
• An acquirer or successor entity, in the event of a merger, acquisition, financing, reorganization, sale of all or part of our assets, or insolvency, subject to appropriate confidentiality obligations and notice.

7. International transfers of personal data

By default, we host the Services on infrastructure located in the European Union. Some of our sub-processors and Third-Party AI Providers are, however, established outside the European Economic Area (EEA), in particular in the United States. Where we transfer personal data outside the EEA to a country that has not been recognized by the European Commission as providing an adequate level of protection, we rely on the following safeguards:

• the European Commission’s Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 of 4 June 2021, supplemented by additional technical, contractual and organizational measures (such as encryption in transit and at rest, pseudonymization, access controls, and challenge of unlawful government access requests);
• the EU-US Data Privacy Framework, where the recipient is certified under it; and/or
• another transfer mechanism recognized under Articles 44–49 GDPR.

You can request a copy of the relevant safeguard by contacting legal@beewant.com.

8. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described in this Notice, taking into account legal, accounting, regulatory and contractual requirements. Indicative retention periods are:

Category	Retention period	Reason
Account and identity data	Duration of your account, plus 30 days after deletion (and longer for any data we are required to retain by law).	To operate the Services and to enable account recovery and abuse investigations.
Customer Content (processor role)	For the duration of your organization’s subscription. After termination, returned or deleted in line with the DPA — typically within 30 days of termination, except where retention is required by law.	Determined by our customer in its capacity as controller.
Authentication and security logs	Up to 18 months for application logs and up to 12 months for authentication events, except where retention is required by law.	Security, fraud prevention and incident investigation.
Billing, invoicing and tax records	10 years from the date of issuance, except where retention is required by law.	French Commercial Code Article L.123-22 and tax obligations.
Marketing data and cookie consent records	Marketing preferences: until you opt out, plus 3 years from your last interaction. Cookie consent records: 13 months, Article L.34-5 of the French Postal and Electronic Communications Code; CNIL guidance on cookies.	except where retention is required by law.
Customer-support records	5 years from the resolution of the matter, except where retention is required by law.	Limitation period for contractual claims under French law (Article 2224 of the Civil Code).
Records related to legal claims	Until the relevant limitation period has expired, except where retention is required by law.	Establishment, exercise or defense of legal claims.

When personal data is no longer needed, we delete it or anonymize it so that it can no longer be associated with you. Backups are deleted in accordance with our backup-rotation cycle.

9. Cookies and similar technologies

We use cookies and similar technologies on the Website and within the Beewant Platform. Strictly necessary cookies (such as those required to keep you logged in, to load-balance traffic, and to remember your cookie preferences) are deployed without consent on the basis of Article 82 of the French Data Protection Act and the corresponding ePrivacy provisions. Other cookies — such as analytics cookies, audience-measurement cookies that go beyond the CNIL’s “exemption” conditions, and marketing cookies — are deployed only on the basis of your consent, expressed through our cookie banner.

You can withdraw or change your cookie preferences at any time via the “Cookie settings” link on the Website. Detailed information about the specific cookies we use, their purpose and their lifetime can be available by contacting legal@beewant.com.

10. Your rights

Subject to the conditions and exceptions set out in the GDPR and the French Data Protection Act, you have the following rights in respect of your personal data:

• Right of access (Article 15) — to obtain confirmation of whether we process your personal data, and a copy of that data.
• Right to rectification (Article 16) — to have inaccurate or incomplete personal data corrected.
• Right to erasure (Article 17) — to request the deletion of your personal data, where one of the grounds in Article 17 applies.
• Right to restriction of processing (Article 18) — to request that we limit the processing of your personal data in certain situations.
• Right to data portability (Article 20) — to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to have that data transmitted to another controller, where the processing is based on consent or contract and is carried out by automated means.
• Right to object (Article 21) — to object, on grounds relating to your particular situation, to processing based on our legitimate interests; and to object at any time to processing for direct-marketing purposes.
• Right to withdraw consent (Article 7(3)) — where processing is based on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Right not to be subject to a decision based solely on automated processing (Article 22), including profiling, that produces legal effects concerning you or similarly significantly affects you, except in the cases permitted by law.
• Right to define directives concerning the fate of your personal data after your death, in accordance with Article 85 of the French Data Protection Act.
• Right to lodge a complaint with a supervisory authority (Article 77) — in particular the CNIL (Commission nationale de l’informatique et des libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, https://www.cnil.fr.

To exercise these rights, please contact us at legal@beewant.com. We may need to verify your identity before acting on your request. Where you are seeking to exercise rights in respect of personal data that we process on behalf of one of our customers (for example, content uploaded to that customer’s Beewant account), we will refer you to that customer in the first instance, as they are the controller responsible for that data.

11. Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as further described in the Security Standards (Annex 1) of the DPA. Measures include encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent), least-privilege access controls, multi-factor authentication for administrative access, network segmentation, vulnerability and dependency scanning, change management, logging and monitoring, employee security training, and incident response. No security measure is, however, foolproof; please notify us promptly at legal@beewant.com if you suspect any compromise of your account.

12. Children

The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from individuals under the age of 16 (or the equivalent age of digital consent in your jurisdiction). If you believe that a child has provided us with personal data, please contact us at legal@beewant.com so that we can take appropriate action.

13. Third-party links

The Website and the Beewant Platform may contain links to third-party websites, services or content. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices before providing them with personal data.

14. Changes to this Notice

We may update this Notice from time to time. When we make material changes, we will notify you by email (to the address associated with your account) or by a prominent notice on the Website at least thirty (30) days before the changes take effect, except where the changes are required by law or relate to a new feature, in which case the changes may take effect immediately. The “Last updated” date at the top of this Notice indicates when it was most recently revised. We encourage you to review this Notice periodically.

15. How to contact us

If you have any questions, comments or concerns about this Notice or about how we handle personal data, you can contact us at:

• Email - legal@beewant.com (privacy team or Data Protection Officer, where appointed).
• Postal mail - Beewant SAS, 268 Avenue Daumesnil, 75012, Paris, France.
• Security and abuse - legal@beewant.com.

You also have the right to lodge a complaint with the CNIL (https://www.cnil.fr) or the supervisory authority of the EU/EEA member state where you live or work.