Privacy Policy

1. Who Are We?

The website https://enrow.io and the ENROW service (hereinafter the "Service") are operated by:

SCHRUTE FARMS, a French limited liability company (SARL) with a share capital of €500, having its registered office at 123 Rue De Rome, 75017 Paris, France, registered with the Paris Trade and Companies Register (RCS Paris) under number 981 316 300, intra-community VAT number FR76981316300.

Joint Managers: Thomas LUCY and Louis CONGARD.

Data Protection Officer (DPO): Louis CONGARD — dpo@enrow.io.

ENROW is a professional data enrichment service intended exclusively for business-to-business (B2B) commercial prospecting. The Service enables its clients to search for professional email addresses, telephone numbers, LinkedIn profiles and company information.

2. What Data Do We Collect?

We collect different categories of data depending on your relationship with ENROW.

3. Where Does the Enrichment Data Come From?

The data held in ENROW's enrichment database originates from the following sources:

• Publicly available sources on the Internet: company websites ("Team", "Contact", "About" pages), online professional directories, press releases, business press articles, publications on professional social networks;
• Professional social networks: information made publicly available by users on their professional profiles (LinkedIn and other equivalent platforms);
• Official public registers: trade registers (Infogreffe, Companies House, etc.), legal and regulatory databases;
• Search engines: information indexed by public search engines;
• Third-party professional data providers: ENROW engages specialist providers of professional contact data, firmographic data and business signals. Such providers are contractually bound to ENROW by GDPR compliance obligations;
• ENROW's proprietary technologies: search, inference and verification algorithms developed internally by ENROW.

ENROW does not collect data from data breaches, stolen databases or any unlawful source.

4. Information Provided to Data Subjects (Article 14 GDPR)

The data held in ENROW's enrichment database has not been collected directly from the data subjects. Article 14 of the GDPR requires the data controller to provide certain information to individuals whose data is processed without having been collected directly from them.

5. Why and on What Legal Basis Do We Process Your Data?

6. With Whom Do We Share Your Data?

Your personal data may be disclosed to the following categories of recipients, in strict compliance with the principle of data minimisation:

7. Transfers Outside the European Economic Area

All Service data is hosted within the European Union (AWS Paris, eu-west-3). The vast majority of our sub-processors operate exclusively within the EEA.

Certain processing operations may involve a transfer to the United States, governed by the following mechanisms:

• EU-US Data Privacy Framework (DPF) adequacy decision: European Commission decision of 10 July 2023 recognising an adequate level of protection for certified companies in the United States;
• Standard Contractual Clauses (SCCs): adopted by the European Commission (Implementing Decision 2021/914), supplemented where necessary by additional technical measures.

Services involving a transfer outside the EEA:

• Anthropic (Claude.ai): DPF + SCCs. No data used for model training. Ad hoc processing without persistence;
• Google Ads, Meta, LinkedIn, Google Fonts, YouTube: DPF. Subject to your prior consent (cookies).

Full details of the transfer mechanisms for each sub-processor are set out in Annex 3 of the DPA, available upon request.

8. How Long Do We Retain Your Data?

ENROW applies the principle of storage limitation (Article 5(1)(e) GDPR) and retains your data only for the period strictly necessary for the purposes described above.

Upon expiry of the periods indicated, data shall be automatically and permanently deleted or, where technically feasible, irreversibly anonymised.

9. What Are Your Rights?

In accordance with the GDPR (Articles 15 to 22) and the Loi Informatique et Libertés, you have the following rights:

• Right of access (Article 15): you may obtain confirmation as to whether or not personal data concerning you is being processed by ENROW, and obtain a copy thereof. You may also obtain information on the purposes of processing, the categories of data, the recipients, the retention period and the origin of the data.
• Right to rectification (Article 16): you may request the correction of inaccurate data or the completion of incomplete data. If you have changed job, telephone number or company, please contact us to update your information.
• Right to erasure (Article 17): you may request the deletion of your data. ENROW shall carry out the deletion and place you on the permanent exclusion list within 24 business hours. This right is limited where processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
• Right to object (Article 21): you may object at any time to the processing of your data based on ENROW's legitimate interest, including for commercial prospecting purposes. Upon objection, ENROW shall cease processing and place the data subject on its permanent exclusion list.
• Right to restriction of processing (Article 18): you may request the temporary suspension of the processing of your data, in particular during verification of the accuracy of the data or examination of your objection.
• Right to data portability (Article 20): this right applies where processing is based on consent or the performance of a contract. As ENROW's processing is primarily based on legitimate interest, the right to portability does not apply as of right. Notwithstanding, ENROW shall use reasonable endeavours to comply with any reasonable request in a structured, machine-readable format.
• Right to withdraw consent: for processing based on consent (cookies, marketing), you may withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
• Right not to be subject to automated decision-making (Article 22): ENROW does not take any decision based solely on automated processing producing legal effects or significantly affecting data subjects. ENROW's algorithms are used exclusively for the search and verification of professional data.
• Right to issue post-mortem instructions (Article 85 Loi Informatique et Libertés): you may issue instructions regarding the retention, deletion and communication of your data after your death.

10. How to Exercise Your Rights

11. How Do We Protect Your Data?

ENROW implements technical and organisational measures in accordance with Article 32 of the GDPR, appropriate to the nature, scope and risks of the processing:

• Encryption: data at rest encrypted using AES-256. Data in transit protected by TLS 1.2 or higher. Passwords hashed via bcrypt with individual salting;
• Access control: multi-factor authentication (MFA) on all critical access. Production access limited to the two joint managers. RBAC (Role-Based Access Control) model for Service users;
• Network isolation: databases and internal services isolated within an AWS VPC with no public access. Only the application may access them;
• Monitoring: comprehensive action logging (encrypted logs, via SigNoz). Automated alerts in the event of anomalies;
• Backups: automatic daily backups, encrypted, tested and validated;
• Penetration testing: annual penetration test by an independent third-party provider;
• Secure development: systematic code review (pull requests), automated vulnerability detection in dependencies (Dependabot);
• Hosting: exclusively within the European Union (AWS Paris, eu-west-3). AWS holds ISO 27001, SOC 1/2/3 certifications.

Full details of our technical and organisational measures are set out in the DPA (Annex 2). The Information Systems Security Policy and Business Continuity Plan are maintained up to date and available upon request under NDA.

12. What Happens in the Event of a Data Breach?

In the event of a personal data breach likely to result in a risk to your rights and freedoms, ENROW undertakes to:

• Notify the CNIL within seventy-two (72) hours (Article 33 GDPR);
• Inform affected Clients within seventy-two (72) hours;
• Inform you directly where the breach presents a high risk to your rights and freedoms (Article 34 GDPR);
• Document the breach in an internal register and take the necessary corrective measures.

13. Automated Decision-Making and Profiling

ENROW uses proprietary algorithms to search for, infer and verify professional data. These algorithms are used exclusively for the provision of the enrichment Service (finding an email, verifying a telephone number, etc.).

ENROW does not take any decision based solely on automated processing which would produce legal effects or significantly affect data subjects within the meaning of Article 22 of the GDPR. Enrichment data is not used for scoring, profiling for discriminatory purposes, credit scoring, hiring decisions or any other decision having a legal or significant impact on individuals.

14. Minors

The Service is restricted to natural persons aged eighteen (18) years or over acting for professional purposes. ENROW does not knowingly collect data concerning minors. The enrichment database contains only B2B professional data and does not target minors. Should we become aware that data of a minor has been collected, we shall delete it forthwith.

15. Cookies

ENROW uses cookies and similar technologies on its website and within the Service. Full details of the cookies used, their purposes, durations and the means of managing them are set out in our Cookie Policy, accessible on the website https://enrow.io. Your consent is collected via the Cookiebot banner on your first visit and may be changed at any time.

16. Information for California Residents (CCPA/CPRA)

This section provides supplementary information for residents of the State of California (USA), in accordance with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

17. International Compliance

This policy applies within the framework of the following regulations, depending on your location:

• European Union: Regulation (EU) 2016/679 (GDPR) and Loi n°78-17 of 6 January 1978, as amended (Loi Informatique et Libertés);
• United Kingdom: UK GDPR (European Union (Withdrawal) Act 2018) and Data Protection Act 2018;
• Switzerland: the new Swiss Federal Act on Data Protection (nFADP), in force since 1 September 2023;
• California (USA): CCPA as amended by the CPRA (see section 16 above).

References to the GDPR in this policy shall be deemed to include the equivalent provisions of the above regulations, to the extent that they are applicable.

18. Amendments to This Policy

ENROW reserves the right to amend this policy at any time to reflect changes in its practices or applicable regulations. The date of last update is indicated at the top of this document.

In the event of a material amendment affecting the manner in which your data is processed, ENROW shall notify you by email or via the Service no fewer than thirty (30) days prior to the new version coming into effect. Continued use of the Service after notification shall constitute acceptance. For individuals whose data is held in the enrichment database, the updated policy shall be published on the website.

19. Contact

For any enquiry relating to this policy, the protection of your data, or to exercise your rights:

• Data Protection Officer: Louis CONGARD
• Email: dpo@enrow.io
• Postal address: SCHRUTE FARMS / ENROW — DPO — 123 Rue De Rome, 75017 Paris, France