Privacy Policy

1. Purpose of this Privacy Policy

biofinder operates the website https://biofinder.io and the biofinder platform. biofinder is operated by Houssem Eddine Kihal EI, SIRET 91170280100026. biofinder places great importance on the protection and confidentiality of personal data.

This Privacy Policy explains how and why biofinder processes personal data in the context of the services it provides, in accordance with Regulation (EU) 2016/679 ("GDPR") and the French Loi Informatique et Libertés of 6 January 1978 as amended.

2. How biofinder is designed, and what that means for your data

biofinder is built to minimise personal data at the source.

• biofinder's own database holds company-level information only (company name, headquarters, pipeline, services, sector, technology). It does not contain a database of individuals, contacts or prospects.
• Individual contact data (names, professional emails) is never pre-collected by biofinder. It is retrieved on demand from third-party data providers only when a customer actively requests it for a specific company.
• Contact data retrieved this way is stored exclusively inside the requesting customer's personal workspace. It is not added to biofinder's own database, is not shared with other customers, and is not reused by biofinder for any other purpose.
• Contact data in a customer workspace is auto-purged after three (3) months, and the customer can delete any contact at any time before that.

This architecture means biofinder acts mainly as a data processor on behalf of its customers when it comes to personal data, and only processes minimal personal data as a data controller for its own website visitors, registered users and business contacts.

3. Who this Privacy Policy applies to

This Privacy Policy applies to:

• customers and registered users of the biofinder platform;
• visitors to the biofinder.io website;
• job applicants who apply to biofinder;
• contacts of biofinder via email, forms, meetings or social media.

If you are an individual whose contact information has been retrieved through biofinder by one of its customers, section 6.3 below explains how to exercise your rights.

This Privacy Policy is aimed at individuals aged at least fifteen (15).

4. Why we process personal data, and on what legal basis

biofinder processes personal data for the following purposes:

• to provide the Services, maintain your account, respond to your requests and deliver customer support, on the basis of the Terms of Service and biofinder's legitimate interest in providing the best possible service;
• to host and process contact data retrieved on your behalf from third-party data providers, stored in your personal workspace and auto-purged after three (3) months, on the basis of the Terms of Service (acting as data processor for you);
• to send product updates, news and commercial communications, on the basis of our legitimate interest in retaining and prospecting business customers (B2B), with an easy opt-out at all times;
• to handle billing, payments and unpaid invoices, on the basis of the Terms of Service and our legitimate interest;
• to respond to questions sent via email, forms or instant messaging, on the basis of our legitimate interest in communicating with you;
• to handle job applications, on the basis of our legitimate interest in recruiting;
• to comply with legal obligations in matters of accounting, tax and data protection.

biofinder has documented a legitimate-interest balancing test for each processing activity relying on Article 6(1)(f) GDPR. A summary is available on request at privacy@biofinder.io.

biofinder does not rely on consent as a legal basis for the processing described above. A right to withdraw consent therefore does not apply. Where consent is ever required for a specific feature (for example, non-essential cookies), it will be collected separately and can be withdrawn at any time.

5. How we obtain personal data

Personal data is collected:

• directly from you when you register, contact us, use the Services or visit biofinder.io;
• on your behalf, from contracted third-party data providers, when you use a feature that retrieves contact information for a company. In this case biofinder acts as your processor; the data provider acts as a sub-processor. You remain responsible for the purpose and lawful basis of the retrieval and for your subsequent use of the retrieved data.

biofinder does not collect or build a database of individuals from public sources, social networks or scraping.

If you publish content voluntarily on pages that biofinder operates on social networks, you acknowledge that you are fully responsible for any personal information you choose to share there.

6. Categories of personal data and retention periods

6.1 Customers and registered users (biofinder acts as data controller)

• identification data (name, first name, job title, company, role), retained for the duration of the service and thereafter for the statutory limitation period, generally five (5) years;
• contact data (professional email, professional phone), same retention period;
• account and usage data (logs, IP address, connection history), retained for one (1) year;
• billing and payment data, retained for the period required for the transaction and thereafter for the statutory limitation period (five to ten years).

biofinder does not store full payment card details. Card data is held by our payment processor.

6.2 Contact data retrieved on your behalf (biofinder acts as data processor)

• professional identification and contact data (name, professional email, job title, company affiliation) retrieved by you from third-party data providers;
• retained inside your personal workspace only, never merged into biofinder's own database, never exposed to other customers;
• auto-purged after three (3) months from the date of retrieval, unless you delete it earlier;
• manually deletable at any time from your workspace.

Because this data is processed on your instructions, you (the customer) are the data controller for it. Your obligations include having a lawful basis for the retrieval, informing data subjects where required, honouring their rights, and complying with Article L.34-5 of the French Code des Postes et des Communications Electroniques and equivalent laws on electronic prospecting.

For personal data processed by biofinder customers within their own workspace, each customer is the data controller and is responsible for maintaining its own privacy policy covering such processing. This Privacy Policy does not govern those activities.

6.3 If you were contacted because a biofinder customer retrieved your details

If you believe a biofinder customer obtained your professional contact information through biofinder and you want to exercise your rights (access, rectification, erasure, objection), you have two routes:

• contact the customer directly: they are the data controller for the data stored in their workspace and can act on your request immediately;
• contact biofinder at privacy@biofinder.io: biofinder will, where technically possible, forward your request to the customer concerned and, if applicable, to the upstream data provider. biofinder itself does not maintain a cross-customer index of retrieved contacts.

In any event, contact data retrieved in a customer workspace is auto-purged three (3) months after retrieval.

6.4 Job applicants

• data contained in the CV and cover letter, retained for the duration of the recruitment process and for a maximum of two (2) years thereafter.

6.5 Website visitors

• connection logs (IP address, browser), retained for one (1) year;
• cookies: only strictly necessary cookies (for example authentication session). No analytics, advertising or tracking cookies are used at the date of this Privacy Policy.

7. Your rights

Under the GDPR you have the following rights, which you can exercise at any time and free of charge:

• right of access to your personal data and to a copy of it;
• right of rectification of inaccurate, outdated or incomplete data;
• right to object to processing, in particular for direct marketing purposes;
• right of erasure ("right to be forgotten") of data not essential to the functioning of the Services;
• right to restriction of processing in the event of a dispute;
• right to data portability, allowing you to retrieve your personal data;
• right to give instructions regarding the fate of your data after death.

To exercise any of these rights, contact privacy@biofinder.io. Requests must be made by you personally. In case of doubt about the identity of the requester, biofinder may ask for proof of identity.

biofinder will respond as soon as reasonably possible, and in any event within one (1) month of receipt, or three (3) months where the request is technically complex or where biofinder receives a large volume of requests at the same time. biofinder may refuse requests that are manifestly excessive or unfounded.

8. Automated processing and AI

biofinder uses AI agents to power its matching, enrichment and recommendation features. These agents rely on third-party AI inference providers operating under contractual commitments that prohibit the use of customer data for training their models.

The output of AI agents is informational and supports your own decision-making. It is not a fully automated decision producing legal or significant effects within the meaning of Article 22 GDPR. You remain responsible for your own decisions, outreach and conclusions based on the information surfaced by biofinder.

In accordance with Article 50 of Regulation (EU) 2024/1689 (the "EU AI Act"), you are informed that you are interacting with AI systems when using the Services. biofinder acts as a deployer of third-party AI systems. AI-generated outputs are surfaced clearly within the product, and their content should be verified before being relied upon for material decisions.

For any question about the automated processing involved in the Services, contact privacy@biofinder.io.

9. Who has access to your personal data

Your personal data is accessed by biofinder's team and by trusted sub-processors strictly to operate the Services.

biofinder reviews its sub-processors before engaging them, to confirm they comply with applicable data protection rules.

biofinder does not sell, rent or transfer personal data to third parties or commercial partners.

Categories of sub-processors include:

• hosting and infrastructure (EU-based);
• AI inference providers used to run the matching and enrichment agents;
• B2B data providers used on customer demand to retrieve professional contact information into the customer's workspace;
• payment processor for subscription billing;
• transactional email for account notifications.

The current list of sub-processors, with names, locations, roles and contracted safeguards, is available on request at privacy@biofinder.io.

10. International transfers

Personal data processed by biofinder is primarily hosted on servers located within the European Union (provided by OVH SAS, France).

Some sub-processors, in particular AI inference providers, may process data in countries outside the European Economic Area (for example the United States). In those cases, biofinder relies on the appropriate safeguards recognised by the GDPR, namely:

• the EU-US Data Privacy Framework where the sub-processor is certified;
• Standard Contractual Clauses adopted by the European Commission;
• additional technical and organisational measures where required.

Details of the safeguards in place for each sub-processor are included in the sub-processor list available on request.

11. How we protect your data

biofinder implements technical and organisational measures intended to safeguard personal data, including access controls, encryption in transit, logical segregation of customer workspaces, regular backups, and review of sub-processor security. Where a personal data breach is likely to result in a risk to your rights and freedoms, biofinder will notify the competent supervisory authority and, where required, affected individuals in accordance with Articles 33 and 34 GDPR.

12. Cookies

biofinder currently uses only strictly necessary cookies for the website and platform to function (for example authentication session cookies). No analytics, advertising or third-party tracking cookies are in use.

If biofinder adds analytics or other non-essential cookies, this Privacy Policy will be updated and a consent mechanism will be deployed before any such cookies are set on your device.

13. Contacting biofinder

For any question about this Privacy Policy or the processing of your personal data, contact:

• General: hello@biofinder.io
• Privacy and data protection: privacy@biofinder.io

biofinder has not appointed a Data Protection Officer as it is not required to do so under Article 37 GDPR. Privacy requests are handled by the publication director.

14. Contacting the CNIL

You may at any time contact the French supervisory authority, the Commission nationale de l'informatique et des libertés ("CNIL"):

• Service des plaintes de la CNIL, 3 place de Fontenoy TSA 80751, 75334 Paris Cedex 07, France
• Phone: +33 1 53 73 22 22
• Website: https://www.cnil.fr

If you are based in another EU Member State, you may also contact your local supervisory authority.

15. Modifications to this Privacy Policy

biofinder may modify this Privacy Policy to reflect new legal requirements or changes in processing activities. Updated versions are published on biofinder.io with the updated date indicated at the bottom.