Privacy policy

1. Introduction

This Privacy Policy explains how CodeTiburon processes your personal data when you visit https://codetiburon.com and any subdomain or landing page operated by us (together, the "Site"), submit the "Get a Quote" form, contact us by email, or otherwise interact with our online services.

We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR"), the French Data Protection Act of 6 January 1978 as amended ("Loi Informatique et Libertés") and Directive 2002/58/EC (the "ePrivacy Directive") as transposed in France.

2. Data controller

The data controller responsible for the processing described in this Privacy Policy is:

  • CODETIBURON, SAS, share capital €30,000, SIREN 981 543 861, SIRET 981 543 861 00026, RCS Aix-en-Provence 21 December 2023, intra-community VAT FR73981543861, NAF/APE 62.02A.
  • Registered office: Immeuble Le Mercure C, 485 rue Marcelin Berthelot, 13290 Aix-en-Provence, France.
  • Email: [email protected].

CodeTiburon has not appointed a Data Protection Officer as one is not mandatory under Article 37 GDPR for our processing activities. The contact above is the primary channel for any question or request relating to your personal data.

3. Personal data we collect

3.1 Data you provide via the Get a Quote form

When you submit the Get a Quote form we collect the information you fill in, which typically includes:

  • your first and last name;
  • your business email address and, where provided, phone number;
  • your company name, role and country;
  • the description of your inquiry, including any technical, commercial or project information you choose to share; and
  • any attachments you upload.

3.2 Data you provide by other means

If you contact us by email, telephone or social media we collect the contact details you use and the content of your communication. If you apply for a position with us, we collect the data contained in your CV and any covering message; the processing of recruitment data is described in a separate notice provided at the point of collection.

3.3 Data collected automatically

When you browse the Site we and our service providers collect technical data such as IP address, device identifiers, browser type and version, operating system, referrer URL, pages visited, time spent and timestamps. We use cookies and similar technologies for this purpose, as described in Section 7.

4. Purposes and legal bases

We process your personal data only where we have a lawful basis under Article 6 GDPR. The list below summarises the main purposes.

(a) Responding to your Get a Quote request and pre-contractual exchanges. Legal basis: pre-contractual measures taken at your request (Art. 6(1)(b) GDPR) and, where you act on behalf of a company, our legitimate interest in responding to business inquiries (Art. 6(1)(f) GDPR).

(b) Managing our customer and prospect relationships in HubSpot. Legal basis: our legitimate interest in managing commercial relationships in an organised way (Art. 6(1)(f) GDPR), balanced against your right to object.

(c) Sending you commercial communications about our services. Legal basis: your consent (Art. 6(1)(a) GDPR) where required, or our legitimate interest where French law permits (notably Article L.34-5 of the French Postal and Electronic Communications Code for B2B communications relating to similar services). Every commercial email contains an easy unsubscribe link.

(d) Operating, securing and improving the Site. Legal basis: our legitimate interest in providing a secure and well-functioning website (Art. 6(1)(f) GDPR).

(e) Measuring audience and improving the Site (Google Analytics). Legal basis: your consent (Art. 6(1)(a) GDPR), collected through the cookie banner.

(f) Online advertising, remarketing and conversion measurement. The Site itself does not display third-party advertising. However, where you accept marketing cookies, we deploy the Google Ads remarketing tag, the LinkedIn Insight Tag and the Meta Pixel so that we can build audiences of past Site visitors and show our own advertisements to those audiences on the Google, LinkedIn and Meta advertising networks (i.e., on third-party sites and apps), and so that we can measure the performance of those campaigns. Legal basis: your consent (Art. 6(1)(a) GDPR), collected through the cookie banner.

(g) Complying with legal and accounting obligations. Legal basis: compliance with a legal obligation to which we are subject (Art. 6(1)(c) GDPR).

(h) Establishing, exercising or defending legal claims. Legal basis: our legitimate interest in protecting our rights (Art. 6(1)(f) GDPR).

5. Recipients and processors

Within CodeTiburon, access to your personal data is limited to staff who need it to perform the purposes above and is subject to confidentiality obligations.

We share personal data with the following categories of recipients:

  • HubSpot. We use HubSpot, Inc. as our CRM. Data submitted via the Get a Quote form, as well as related correspondence, is stored in HubSpot and processed on our behalf as a processor under a data-processing agreement that includes the EU Standard Contractual Clauses.
  • Google (Google Analytics). Where you consent via the cookie banner, we use Google Analytics provided by Google Ireland Limited to measure audience. Configuration aims to minimise data collection (IP anonymisation, no advertising features unless separately consented).
  • Amazon Web Services (Amazon Lightsail). The Site is hosted on AWS infrastructure, with production environments located in Paris, France. AWS acts as a processor under our agreement, which includes the EU Standard Contractual Clauses for any limited transfers to AWS group entities outside the EEA.
  • Cloudflare. Public pages of the Site are proxied through Cloudflare, Inc. (with EU establishment Cloudflare Germany GmbH), which provides content delivery, caching and security (including bot protection). Cloudflare acts as our processor under a data-processing agreement that includes the EU Standard Contractual Clauses, and is certified under the EU-U.S. Data Privacy Framework.
  • Google Ads (remarketing and conversion measurement). Where you consent via the cookie banner, we use Google Ads provided by Google Ireland Limited, with Google LLC as a controller for certain processing. For ad serving, conversion measurement and cross-context behavioural advertising we and Google act as joint controllers in accordance with the European Economic Area-specific Google Ads Data Processing Terms / Controller Addendum.
  • LinkedIn Ads (Insight Tag). Where you consent, we use the LinkedIn Insight Tag provided by LinkedIn Ireland Unlimited Company. We and LinkedIn act as joint controllers in respect of the collection and disclosure to LinkedIn of personal data via the Insight Tag, in accordance with LinkedIn's Joint Controller Addendum.
  • Meta Ads (Pixel). Where you consent, we use the Meta Pixel provided by Meta Platforms Ireland Limited. We and Meta act as joint controllers in respect of event-data collection via the Pixel, in accordance with Meta's Controller Addendum.
  • Email and communication providers used to send and receive correspondence.
  • Professional advisers (lawyers, accountants, auditors) where necessary for the purposes set out in Section 4.
  • Public authorities and courts where required by law.

We do not sell personal data for money. Where you accept marketing cookies, the use of Google Ads, LinkedIn and Meta tags involves disclosures of online identifiers that may qualify as "sharing" for purposes of cross-context behavioural advertising under the CCPA/CPRA. If you are a California resident and wish to opt out of such sharing, you can refuse marketing cookies in our cookie banner; we honour the Global Privacy Control (GPC) signal as a valid opt-out request.

6. International transfers

Some of our service providers — including HubSpot, Google (Analytics and Ads), Cloudflare, LinkedIn and Meta — may process personal data outside the European Economic Area, in particular in the United States. Where such transfers take place, we rely on appropriate safeguards under Chapter V GDPR, including:

  • the European Commission's adequacy decision for transfers to certified U.S. organisations under the EU-U.S. Data Privacy Framework (where applicable);
  • the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), combined with supplementary technical and organisational measures where necessary.

You may obtain a copy of the relevant safeguards by writing to [email protected].

7. Cookies and similar technologies

The Site uses cookies and similar technologies. A cookie is a small text file stored on your device that allows the Site or a third party to recognise your browser.

We use the following categories of cookies:

  • Essential cookies, required to operate the Site (session security, recording of your cookie choices, security of the Get a Quote form and bot protection via Cloudflare). They are always active and do not require consent.
  • Analytics cookies, deposited by Google Analytics 4 where you consent, to measure traffic and usage patterns so we can improve the experience.
  • Marketing cookies, deposited by Google Ads, the LinkedIn Insight Tag and the Meta Pixel where you consent, to build audiences of past Site visitors for our own remarketing campaigns on third-party networks and to measure campaign performance. The Site itself does not display third-party advertising.

When you first visit the Site, a cookie consent banner allows you to accept all, refuse all, or choose specific categories of non-essential cookies. You can change your choices at any time via the "Cookie preferences" link in the footer of the Site. Refusing non-essential cookies does not affect your access to the Site.

A detailed list of cookies (name, provider, purpose, duration and category), together with information about Google Consent Mode v2, is available in our Cookie Policy.

8. Retention

We retain personal data only for as long as necessary for the purposes set out above, applying the following indicative retention periods:

  • Get a Quote submissions and prospect data: up to three (3) years from the last meaningful contact, in line with the CNIL's guidance for B2B prospecting.
  • Customer relationship data: for the duration of the relationship and up to five (5) years after its end, subject to longer statutory retention obligations.
  • Accounting and tax records: ten (10) years, as required by Article L.123-22 of the French Commercial Code.
  • Server and security logs: up to twelve (12) months.
  • Cookies: no longer than thirteen (13) months for consent records and audience-measurement cookies, in line with CNIL guidance.

After these periods, data is deleted or anonymised, except where longer retention is required to establish, exercise or defend legal claims, or to comply with a legal obligation.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. These include TLS encryption for traffic to and from the Site, role-based access controls, logging, regular updates and security reviews of our suppliers. Despite these measures, no transmission over the internet or storage system can be guaranteed 100% secure. Please report any suspected vulnerability to [email protected].

10. Your rights

Subject to the conditions set out in the GDPR and French law, you have the right to:

  • access your personal data and obtain a copy (Art. 15);
  • request rectification of inaccurate or incomplete data (Art. 16);
  • request erasure of your data (Art. 17);
  • request restriction of processing (Art. 18);
  • object to processing based on legitimate interests, including direct marketing (Art. 21);
  • data portability where processing is based on consent or contract and carried out by automated means (Art. 20);
  • withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3));
  • define directives on the fate of your personal data after your death (Article 85 of the Loi Informatique et Libertés).

To exercise your rights, please contact [email protected]. We may ask for proof of identity where reasonably necessary to verify your request. We will respond within one (1) month, extendable by two further months for complex requests, as permitted by Article 12 GDPR.

You also have the right to lodge a complaint with the French data-protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07, www.cnil.fr, or with the supervisory authority of your EU member state of habitual residence.

11. Automated decision-making

We do not make decisions producing legal or similarly significant effects based solely on automated processing within the meaning of Article 22 GDPR.

12. Children

The Site is not directed to children. We do not knowingly collect personal data from individuals under 16 years old. If you believe that a child has provided us with personal data, please contact us at [email protected] and we will delete the data without undue delay.

13. Third-party links

The Site may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before sharing any personal data with them.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies or legal requirements. The date of the latest update is indicated at the top of the document. For material changes affecting your rights, we will use reasonable efforts to provide prior notice (for example via a banner on the Site or by email where you have provided one) and, where required, will collect a new consent.

15. Contact us

For any question or request relating to this Privacy Policy, please contact CODETIBURON SAS at [email protected] or by post at the registered office indicated in Section 2.