Privacy notice
This Privacy Notice applies to:
- visitors to our website;
- business prospects who interact with us, request information, or receive marketing communications; and
- business customers and their representatives who use or subscribe to our services.
It explains how Exwayz collects, uses, shares, and protects personal data in these contexts, as well as the rights available to individuals under applicable data protection laws, in particular the General Data Protection Regulation (GDPR).
Protecting your privacy is important to Exwayz. When you interact with us or use our services, you may share personal data with us, and we take this responsibility seriously. This Privacy Notice is intended to help you understand how and why we process your personal data and how you can exercise your rights.
This Privacy Notice applies regardless of whether you interact with us directly, through our website, or through the use of our services by your organization.
1. WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?
Exwayz, a French company registered under the number 900 329 608 R.C.S. Paris, with its registered office at 39 Rue de la Gare de Reuilly, 75012 Paris, France, acts as the data controller for the personal data described in this Privacy Notice.
2. WHAT PERSONAL DATA DO WE COLLECT?
We may collect and process different categories of personal data, depending on how you interact with Exwayz, whether as a website visitor, a business prospect, or a business customer.
The categories of personal data processed may vary depending on the services used, the nature of the relationship with Exwayz, and applicable contractual arrangements.
a. Data you provide directly
When you contact us, request information, book a demonstration or otherwise interact with us, we collect the personal data that you choose to provide, which may include in particular:
- identification data (such as your first and last name);
- professional contact details (such as business email address, phone number, company, job title);
- company-related information (such as company name, industry, or size);
- the content of your communications with us.
We only collect personal data that is necessary for the relevant purpose. Providing such data is voluntary; however, if you choose not to provide certain information, we may be unable to respond to your request or provide access to certain services.
b. Data collected automatically
When you visit our website or use our services, we may automatically collect the following technical and usage data through our analytics script, Fathom Analytics:
- IP address;
- user-agent.
We want to process as little personal information as possible when you use our website. That is why we have chosen Fathom Analytics for our website analytics, which does not use cookies and complies with the GDPR and ePrivacy Directive. Using this privacy-friendly website analytics software, your IP address is only briefly processed, and we have no way of identifying you. Fathom Analtycis’ privacy policy is available at: https://usefathom.com/privacy.
c. Data collected from third-party sources
Subject to applicable law, we may receive personal data from third-party sources, in particular in a B2B context, such as:
- professional social networks;
- publicly available databases or websites;
- business partners or service providers.
Such data may be used, in particular, to identify potential business contacts, maintain and develop our commercial relationships.
d. Exclusion of sensitive data
We do not intentionally collect or process special categories of personal data within the meaning of Article 9 of the GDPR (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation).
If such data is inadvertently provided to us, it will be deleted as soon as we become aware of it, unless we are legally required to retain it.
3. WHY DO WE COLLECT YOUR DATA AND HOW LONG DO WE RETAIN IT?
We process personal data only for specific, explicit, and legitimate purposes, based on an appropriate legal basis under the GDPR, and for no longer than is necessary to achieve those purposes.
The table below is intended to provide a clear overview of why we process personal data, the legal bases relied upon, and how long such data is retained.
a. Contract management and service provision
| Purpose | Legal basis | Retention period |
| Management of contractual relationships and provision of services | Legitimate interest in performing the contract between your company and Exwayz | Duration of the contractual relationship |
| Compliance with accounting, tax, and regulatory obligations | Processing is necessary to comply with legal obligations | Retained in intermediate archives for the applicable statutory retention periods |
| Management of pre-litigation and litigation | Legitimate interest in establishing, exercising, or defending legal claims | Duration of the applicable statute of limitations (generally 5 years) |
b. Marketing and commercial prospecting
| Purpose | Legal basis | Retention period |
| Marketing communications and commercial prospecting by electronic means | Legitimate interest in promoting and developing our business; consent where required by law | Until withdrawal of consent (where applicable), or 3 years from: (i) the end of the commercial relationship for customers, or (ii) the last contact or data collection for prospects |
c. Commercial activity management
| Purpose | Legal basis | Retention period |
| Business analytics, statistics, and service improvement | Legitimate interest in improving our services, user experience, and business performance | 1 year |
d. Security, operation and performance of services
| Purpose | Legal basis | Retention period |
| Monitoring, ensuring security, preventing fraud, and maintaining the performance of our website and services (including logs and technical data) | Legitimate interest in ensuring the security and proper functioning of our services | 1 year |
e. Data subject rights management
| Purpose | Legal basis | Retention period |
| Handling requests to exercise data subject rights | Compliance with a legal obligation | Time necessary to process the request (generally 1 month, up to 3 months for complex requests) |
Personal data may be retained for longer periods where required to comply with legal obligations or for the establishment, exercise, or defense of legal claims. In all cases, personal data is not retained beyond what is strictly necessary. Once the applicable retention period expires, data is deleted or irreversibly anonymized.
4. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
We do not sell personal data.
We share personal data only where necessary and only with appropriate recipients, in accordance with the purposes described in this Privacy Notice.
a. Internal recipients
Personal data may be accessed by Exwayz’s authorized employees, strictly on a need-to-know basis and solely for the performance of their duties.
b. External recipients
We may share personal data with the following categories of external recipients, where necessary:
- professional advisors (such as legal counsel, auditors, or accountants);
- technical and operational service providers acting as data processors on our behalf (such as hosting providers, CRM tools, or analytics providers);
- public or judicial authorities, where disclosure is required by applicable law or a binding legal request.
All data processors are subject to appropriate contractual obligations, including confidentiality and data protection commitments in accordance with the GDPR.
c. Corporate transactions
Personal data may also be disclosed in the context of a potential or actual merger, acquisition, restructuring, or sale of all or part of Exwayz’s assets, subject to appropriate safeguards.
d. International data transfers
Some of our service providers are located outside the European Economic Area (EEA), including in the United States.
Where personal data is transferred to a third country that is subject to an adequacy decision adopted by the European Commission pursuant to Article 45 of the GDPR, including transfers to U.S. recipients certified under the EU–US Data Privacy Framework, such transfers are based on that adequacy decision.
Where personal data is transferred to a third country that is not subject to an adequacy decision, such transfers are governed by appropriate safeguards in accordance with Articles 46 et seq. of the GDPR, in particular the Standard Contractual Clauses adopted by the European Commission.
Where required under applicable data protection law, we implement supplementary technical and organizational measures to ensure a level of protection essentially equivalent to that guaranteed within the EEA.
You may obtain further information on international data transfers and, where applicable, a copy of the relevant safeguards (excluding confidential information) by contacting us as indicated in Section 7.
5. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?
Under applicable data protection laws, you have the following rights, subject to legal conditions:
- To withdraw your consent at any time where processing is based on consent;
- To obtain confirmation as to whether we process your personal data and, if so, to access it and receive a copy;
- To request correction or completion of inaccurate or incomplete data;
- To request erasure of your data or restriction of processing in certain circumstances;
- To receive your data in a structured, commonly used, and machine-readable format, or to request its transmission to another controller;
- To define instructions regarding the processing of your data after your death;
- To object to processing based on our legitimate interests, unless we demonstrate compelling legitimate grounds or the processing is required for legal claims;
- To object at any time to the processing of your data for direct marketing purposes.
You can exercise your rights by contacting us at the email address provided in Section 7.
You also have the right to lodge a complaint with the competent supervisory authority. In France, the relevant authority is the CNIL (www.cnil.fr).
These rights may be subject to limitations or exceptions under applicable law.
6. PROTECTION OF MINORS
Our services are intended for business users only and are not designed for use by minors. We do not knowingly collect personal data from minors.
Any individual providing information to Exwayz in connection with an order or service represents that they are of legal age. If we become aware that we have collected personal data from a minor without appropriate consent, we will promptly delete such data.
Please contact us if you believe that personal data relating to a minor has been provided to us without proper authorization.
7. CONTACT
For any questions regarding this Privacy Notice, to exercise your rights, or to raise a complaint, please contact us at: contact@exwayz.fr.
8. CHANGES TO THIS PRIVACY NOTICE
We may update this Privacy Notice from time to time to reflect changes in legal requirements, our services, or our data processing practices. The version in force at the time of data collection applies.
The version of the Privacy Notice in force at the time the personal data is processed applies.
Where appropriate, we will inform you of material changes by posting a notice on this page.
Effective date: 19/01/2026