Privacy Policy & GDPR

Pievra is committed to protecting your personal data. This Privacy Policy explains who we are, what data we collect, why we collect it, how we use it, and what rights you have. It applies to all users of pievra.com and the Pievra platform globally, with specific provisions for users in the European Union and France.

1. Data Controller

The data controller responsible for your personal data is:

Company: Pievra
Website: pievra.com
Data Protection Officer (DPO): dpo@pievra.com
Privacy enquiries: privacy@pievra.com

As data controller, Pievra determines the purposes and means of processing your personal data in accordance with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) and the French Data Protection Act (Loi Informatique et Libertés, as amended by the Law of 20 June 2018).

2. Data We Collect

Category	Data Types	Source
Account Data	Name, work email address, company name, job title, password (hashed)	Provided by you on registration
Campaign Data	Campaign briefs, budgets, targeting parameters, flight dates, buying model selections	Provided by you via Campaign Planner
Agent Listing Data	Agent name, description, performance benchmarks, protocol compatibility, SDK integration logs	Provided by you on agent submission
Transaction Data	GMV amounts, Liquidity Fee transactions, payment method details (tokenised via payment processor)	Generated by platform use
Usage Data	Pages visited, features used, click events, session duration, browser type, OS, IP address	Automatically collected via GA4 and server logs
Community Data	Comments posted on News articles, votes, reactions	Provided by you in community features
Communication Data	Emails sent and received with Pievra, support ticket content	Provided by you in communications

We do not collect special category data (sensitive personal data) as defined in Article 9 GDPR, including health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data.

3. Lawful Basis for Processing

We process your personal data on the following lawful bases under Article 6 GDPR:

Contract performance (Art. 6(1)(b)): Processing necessary to provide the Services you have requested, including account management, campaign planning, and marketplace transactions.
Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, analytics, and community moderation. We have conducted a Legitimate Interests Assessment (LIA) and concluded our interests do not override your rights.
Legal obligation (Art. 6(1)(c)): Compliance with applicable laws, tax obligations, and regulatory requirements.
Consent (Art. 6(1)(a)): For non-essential cookies and marketing communications. Consent is freely given, specific, informed and can be withdrawn at any time.

4. Purposes of Processing

Providing and operating the Pievra platform and all associated Services;
Account registration, authentication and account management;
Processing campaign plans and facilitating marketplace transactions;
Verifying and listing agents in the Marketplace;
Processing payments and invoices;
Providing customer support;
Detecting and preventing fraud, abuse, and security incidents;
Improving the platform through aggregated, anonymised analytics;
Sending service communications (account notifications, security alerts, product updates);
Sending marketing communications where you have provided consent or where permitted by applicable law;
Complying with legal and regulatory obligations.

5. Data Retention

We retain personal data for as long as necessary to fulfil the purposes set out in this Policy, unless a longer retention period is required by law.

Account data: Retained for the duration of your account plus 3 years after account closure;
Campaign data: Retained for 2 years from campaign completion;
Transaction data: Retained for 10 years to comply with French accounting and tax law (Article L123-22 of the Commercial Code);
Usage/analytics data: Retained for 26 months in line with CNIL recommendations for web analytics;
Community comments: Retained while your account is active; deleted within 30 days of account closure unless legally required to retain;
Support communications: Retained for 3 years from last interaction.

We do not sell your personal data. We share data with the following categories of third parties:

Payment processors: Stripe Inc. (USA) — PCI-DSS compliant; processes payment card data under its own privacy terms;
Cloud infrastructure: Servers hosted within the EU/EEA where possible;
Analytics: Google Analytics 4 — configured with IP anonymisation and data retention set to 26 months in line with CNIL guidance;
Email service providers: For transactional and marketing communications;
Legal and regulatory authorities: Where required by applicable law or court order.

All sub-processors are bound by data processing agreements in compliance with Article 28 GDPR. A current list of sub-processors is available on request at privacy@pievra.com.

7. International Data Transfers

Some of our sub-processors (including Google and Stripe) are located outside the European Economic Area (EEA). Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914);
The EU-US Data Privacy Framework where applicable;
Adequacy decisions recognised by the European Commission.

For transfers to the USA, we rely on SCCs supplemented by Transfer Impact Assessments (TIAs) where required.

8. Cookies & Tracking Technologies

We use cookies and similar tracking technologies on pievra.com. You can manage your cookie preferences via our Cookie Consent Banner presented on your first visit.

Essential Cookies (no consent required)

Session authentication cookies — necessary for login and account security;
CSRF protection cookies — necessary for platform security;
Cookie consent preference storage.

Analytics Cookies (consent required)

Google Analytics 4 (_ga, _gid, _ga_*) — used to measure platform usage. Configured with IP anonymisation enabled and advertising features disabled, in line with CNIL guidelines for GA4 (délibération n°2022-091);
Analytics data is retained for 26 months maximum.

Marketing Cookies (consent required)

Used for retargeting and measuring effectiveness of marketing campaigns where you have given explicit consent.

You may withdraw cookie consent at any time by clicking the "Cookie Settings" link in the footer or by using your browser settings. Withdrawing consent does not affect the lawfulness of prior processing.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

📋 Right of Access (Art. 15)

Request a copy of all personal data we hold about you.

✏️ Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

🗑️ Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

⏸️ Right to Restriction (Art. 18)

Request that we restrict processing of your personal data.

📦 Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format.

🚫 Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing.

🤖 Automated Decisions (Art. 22)

Not to be subject to solely automated decisions with significant effects.

↩️ Withdraw Consent

Withdraw consent for consent-based processing at any time.

To exercise any of these rights, please contact privacy@pievra.com. We will respond within 30 days. We may request proof of identity before processing requests. Exercising your rights is free of charge unless requests are manifestly unfounded or excessive.

You have the right to lodge a complaint with your national supervisory authority. In France, this is the CNIL (see below). In other EU member states, you may contact your local Data Protection Authority.

10. CNIL & French Data Protection Law

CNIL

Commission Nationale de l'Informatique et des Libertés

Pievra complies with French data protection law including the Loi Informatique et Libertés (n°78-17) as amended by the Law of 20 June 2018 implementing the GDPR into French law.

CNIL-Specific Provisions

Web analytics: Google Analytics 4 is configured in accordance with CNIL délibération n°2022-091 of 7 July 2022, including IP anonymisation, disabled advertising features, and data sharing restricted to analytics purposes only;
Cookie consent: Our consent mechanism complies with CNIL guidelines requiring a consent button and a refusal button of equal prominence, and the ability to withdraw consent as easily as it was given;
Data retention: Analytics data retained for maximum 26 months in line with CNIL recommendations;
Right to complain: You may file a complaint with the CNIL at any time at cnil.fr/fr/plaintes or by writing to: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07.

DPO Contact: Our Data Protection Officer can be contacted at dpo@pievra.com for any data protection enquiries, including those specific to French law or CNIL requirements.

11. Minors

The Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without verified parental consent, we will delete that data promptly. If you believe we have collected data from a minor, please contact privacy@pievra.com.

12. Security Measures

Pievra implements appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:

Encryption of data in transit (TLS 1.3) and at rest (AES-256);
Access controls and role-based permissions;
Regular security assessments and penetration testing;
Staff training on data protection obligations;
Incident response procedures including 72-hour breach notification to supervisory authorities as required by Article 33 GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or prominent notice on the Platform at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

14. Contact & DPO

For any questions, requests, or complaints regarding this Privacy Policy or our data processing practices:

Privacy enquiries: privacy@pievra.com
Data Protection Officer: dpo@pievra.com
GDPR rights requests: privacy@pievra.com — please include "GDPR Request" in the subject line
CNIL complaints: cnil.fr/fr/plaintes
EU ODR platform: ec.europa.eu/consumers/odr

Privacy Policy