Privacy Policy
Version 2.0 | 2026
DM Squared SAS · 49 Rue de Ponthieu · 75008 Paris · France
RCS Paris 841 059 652 · SIRET 841 059 652 000013 · contalto.com
DM Squared SAS (hereinafter "the Company"), publisher of the Contalto platform, processes personal data in the course of its activities. This Privacy Policy (hereinafter "the Policy") informs you of the manner in which the Company collects and processes your personal data. Please read it carefully.
The Policy applies to all persons whose personal data is collected by the Company: visitors to the contalto.com website (hereinafter "the Site"), Clients and members of their staff, subscribers to the Contalto newsletter, prospects who have contacted the Company, and more generally any person entering into a relationship with the Company (hereinafter "Data Subjects").
Personal data (hereinafter "Data") means any information relating to an identified or identifiable natural person. The data controller for the processing operations described in this document is the Company, whose registered office is at 49, rue de Ponthieu, 75008 Paris, France.
This Policy is designed to comply with the requirements of French Law No. 78-17 of 6 January 1978 on information technology, files and civil liberties as amended, the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR"), and French laws and decrees transposing it.
Article 1
Acceptance of the Policy
This Policy applies to all Services offered by the Company under the Contalto brand and forms an integral part of the Website's Terms of Use. It applies to all Data Subjects.
The Company reserves the right to modify this Policy at any time. The version in force is the one available on the Site at https://contalto.com at the date of the Data Subject's connection. The invalidity of any clause shall not affect the validity of the Policy as a whole.
Article 2
Processing of Personal Data
All Data provided by the Data Subject to the Company is processed with the strictest confidentiality and is limited to staff who need to know it. The Company collects only Data that is relevant, adequate, non-excessive and strictly necessary for the purposes set out below.
Beyond the retention periods set out below, Data may be anonymised and retained for exclusively statistical purposes. The processing operations described below are not used to establish profiles likely to reveal sensitive data within the meaning of Article 9 of the GDPR.
2.1 Nature of data collected, purpose and retention period
2.2 Legal bases for processing
Performance of contract
This legal basis applies where the Data collected is necessary for the provision of Services and any assistance Clients may require, in particular for the management of platform access accounts.
Legitimate interest
The Company may collect Data on the basis of legitimate interest, such as improving its Services, IT security and managing its commercial relationships via its CRM. The Data Subject may object to such processing at any time.
Consent
The Data Subject's explicit consent is obtained for: (i) sending the Contalto newsletter; (ii) placing non-strictly-necessary cookies on the Site. The Data Subject may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
2.3 Information shared with third parties
General principle
Processing of collected Data is strictly confidential. The Company does not transmit any Data to third parties who would use it for their own commercial or advertising purposes without having obtained the prior consent of Data Subjects.
Technical sub-processors
The Company engages technical service providers (sub-processors within the meaning of Article 28 of the GDPR) to support the provision of its Services. These providers process Data on behalf of and in accordance with the exclusive instructions of the Company. They include in particular:
The Company contractually ensures that all its sub-processors provide sufficient guarantees as to the implementation of appropriate technical and organisational measures, and in particular that AI API providers do not use transmitted data for the purpose of training their models.
With respect to HubSpot, whose servers are located in the United States, data transfers are governed by HubSpot's certification under the EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023 (adequacy decision 2023/1795). Data Subjects may consult the DPF register at https://www.dataprivacyframework.gov.
2.4 Data Security
The Company implements all necessary technical and organisational measures to preserve the integrity, availability and confidentiality of Data. These measures include protection against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access. Access to Data is strictly limited to authorised personnel bound by a confidentiality obligation.
The Company undertakes to notify the Client without delay of any incident that may have affected the Data of Authorised Users, in accordance with Articles 33 and 34 of the GDPR.
2.5 Data Hosting
Collected Data is stored on secure servers located in France or in another Member State of the European Union. Where Data transfers are made to third countries, the Company ensures that such transfers benefit from appropriate safeguards in accordance with Chapter V of the GDPR (adequacy decision, standard contractual clauses or DPF certification depending on the country concerned).
Article 3
Rights of Data Subjects
3.1 Nature of rights
In accordance with the GDPR and French laws transposing it, each Data Subject has the following rights:
- Right to object: object to the processing of their Data on legitimate grounds, or without grounds where processing is based
on legitimate interest or for direct marketing purposes
- Right of access: obtain confirmation that Data relating to them is being processed and receive a copy
- Right to rectification: have inaccurate or incomplete Data corrected
- Right to erasure ('right to be forgotten'): request deletion of their Data in the cases provided for by the GDPR
- Right to data portability: receive their Data in a structured, commonly used format
- Right to restriction: request suspension of the processing of their Data in certain circumstances
- Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing
- Post-mortem directive: communicate instructions regarding the retention and disclosure of their Data after death
3.2 Exercising rights
Data Subjects may exercise their rights at any time by submitting a request accompanied by proof of identity via one of the following means:
- By email: info@contalto.com
- By post: DM Squared SAS, 49 rue de Ponthieu, 75008 Paris, France
A response will be provided within one (1) month of receipt of the request, which may be extended to three (3) months for complex requests. Data Subjects may also unsubscribe from the newsletter at any time via the unsubscribe link in each email, or by contacting info@contalto.com.
Data Subjects also have the right to lodge a complaint with the competent supervisory authority. For Data Subjects located in France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, 75007 Paris — www.cnil.fr. Data Subjects located in other EU Member States may contact their local supervisory authority.
Article 4
Cookies and Trackers
The Site uses cookies and trackers to ensure its operation, analyse its audience and, with your consent, optimise your experience and send you relevant communications.
4.1 Categories of cookies used
4.2 Managing your cookie preferences
On your first visit to the Site, a cookie management banner allows you to accept or refuse non-strictly-necessary cookies by category. You may modify your preferences at any time by clicking the 'Cookie settings' link accessible in the Site footer.
The complete and up-to-date list of cookies placed on the Site, including their names, lifespans and providers, is available in the consent manager accessible from the Site. For more information on cookies and how to manage them, please visit: https://www.cnil.fr/fr/cookies-les-outils-pour-les-maitriser.
Article 5
Govering Law and Jurisdiction
This Policy is governed by French law. In the event of any conflict between the French version of this Policy and any translation, the French version prevails.
In the event of a dispute relating to the validity, interpretation or performance of this Policy, French courts shall have jurisdiction, regardless of the location and nationality of the Data Subject. Data Subjects also have the right to contact the CNIL at any time, or their local data protection authority if located outside France.