Privacy Policy
Your privacy is important to us. This policy explains how we collect, use, and protect your personal data.
Last updated: January 21, 2025
GDPR Compliant | EU Data Residency Available | SOC 2 Type II
1. Introduction
SYFRAH CONSULTING ("Company", "we", "us", or "our"), a French société par actions simplifiée registered under SIREN 953 278 553, is committed to protecting your privacy and personal data.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use syfrah ("the Service"). We process personal data in compliance with the General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and other applicable data protection laws.
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
SYFRAH CONSULTING
Paris, 75001
France
SIREN: 953 278 553
For privacy-related inquiries:
Email: contact@syfrah.com
You can also contact our Data Protection Officer (DPO) at: contact@syfrah.com
3. Personal Data We Collect
We collect information you provide directly and data generated through your use of the Service:
3.1 Information You Provide
• Account information: Name, email address, company name, job title, phone number
• Payment information: Billing address, payment card details (processed by Stripe)
• Communications: Messages, feedback, and support requests you send us
• Profile information: Professional interests, preferences, and settings
3.2 Information Collected Automatically
• Usage data: Pages visited, features used, searches performed, time spent
• Device information: Browser type, operating system, device identifiers
• Log data: IP address, access times, referring URLs, error logs
• Cookies and similar technologies: See Section 9 for details
3.3 Information from Third Parties
• Single Sign-On (SSO) providers: If you sign in via Google or Microsoft
• Payment processors: Transaction confirmations from Stripe
• Analytics providers: Aggregated usage statistics
We do not collect sensitive personal data (health data, racial origin, political opinions, etc.) unless strictly necessary and with your explicit consent.
4. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
4.1 Contract Performance (Article 6(1)(b))
Processing necessary to provide the Service, including:
• Account creation and management
• Processing subscriptions and payments
• Providing customer support
• Delivering requested features and functionality
4.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate business interests, including:
• Improving and developing the Service
• Analyzing usage patterns and trends
• Preventing fraud and ensuring security
• Marketing to existing customers (with opt-out option)
4.3 Legal Obligations (Article 6(1)(c))
Processing required to comply with laws, including:
• Tax and accounting requirements
• Responding to legal requests
• Fraud prevention obligations
4.4 Consent (Article 6(1)(a))
Processing based on your explicit consent, including:
• Marketing communications to non-customers
• Non-essential cookies and tracking
• Sharing data with third parties for marketing
You may withdraw consent at any time by contacting us or using the unsubscribe link in marketing emails.
5. How We Use Your Data
We use your personal data for the following purposes:
5.1 Service Delivery
• Creating and managing your account
• Processing transactions and sending invoices
• Providing access to features based on your subscription
• Responding to inquiries and support requests
• Sending service-related notifications
5.2 Service Improvement
• Analyzing usage to improve features and user experience
• Conducting research and development
• Testing new features and functionality
• Fixing bugs and technical issues
5.3 Communications
• Sending important service updates and announcements
• Marketing communications (with your consent or to existing customers)
• Personalized recommendations based on your usage
5.4 Security and Compliance
• Protecting against unauthorized access and fraud
• Enforcing our Terms of Service
• Complying with legal obligations
• Resolving disputes
6. Data Sharing and Disclosure
We do not sell your personal data. We may share your data with:
6.1 Service Providers
Third parties who help us operate the Service:
• Cloud hosting: AWS (EU regions available)
• Payment processing: Stripe
• Email services: Sendgrid
• Analytics: Google Analytics (with IP anonymization), Mixpanel
• Customer support: Intercom
All service providers are contractually bound to protect your data and process it only as instructed.
6.2 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change and any choices you may have.
6.3 Legal Requirements
We may disclose data when required by law or to:
• Comply with legal process (court orders, subpoenas)
• Protect our rights, property, or safety
• Prevent fraud or illegal activities
• Respond to government requests
6.4 With Your Consent
We may share data with third parties when you explicitly consent, such as integrations you enable.
6.5 Aggregated Data
We may share anonymized, aggregated data that cannot identify you for industry analysis and benchmarking.
7. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.
When transferring data outside the EEA, we ensure appropriate safeguards are in place:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Binding Corporate Rules where applicable
• EU-US Data Privacy Framework certification (for US providers)
You can request a copy of the safeguards we use by contacting contact@syfrah.com.
For EU/EEA customers who request EU-only data residency (Enterprise plan), we can ensure your data is stored and processed exclusively within the European Union.
8. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
8.1 Active Accounts
We retain your data for as long as your account is active and you use the Service.
8.2 After Account Closure
• Account data: Deleted within 30 days of account closure
• Backup data: Purged within 90 days
• Payment records: Retained for 10 years (legal requirement)
• Anonymized analytics: Retained indefinitely
8.3 Specific Retention Periods
• Support communications: 3 years after resolution
• Marketing data (non-customers): Until consent withdrawal or 2 years of inactivity
• Security logs: 1 year
• Cookie data: See Section 9
You can request deletion of your data at any time, subject to legal retention requirements.
10. Your Rights Under GDPR
As a data subject, you have the following rights:
10.1 Right of Access (Article 15)
Request a copy of your personal data and information about how it is processed.
10.2 Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
10.3 Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten") in certain circumstances.
10.4 Right to Restriction (Article 18)
Request limitation of processing while we verify your concerns.
10.5 Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format and transfer it to another controller.
10.6 Right to Object (Article 21)
Object to processing based on legitimate interests, including profiling and direct marketing.
10.7 Right to Withdraw Consent
Withdraw consent at any time for processing based on consent.
10.8 Right to Lodge a Complaint
File a complaint with a supervisory authority. In France: CNIL (Commission Nationale de l'Informatique et des Libertés) - www.cnil.fr
To exercise your rights, contact us at contact@syfrah.com. We will respond within 30 days. We may request identity verification before processing your request.
11. Data Security
We implement comprehensive security measures to protect your data:
11.1 Technical Measures
• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Secure authentication with optional two-factor authentication (2FA)
• Regular security audits and penetration testing
• Firewalls, intrusion detection, and DDoS protection
• Secure software development practices
11.2 Organizational Measures
• Access controls and least-privilege principles
• Employee security training and confidentiality agreements
• Incident response procedures
• Regular security reviews and risk assessments
11.3 Certifications
• SOC 2 Type II certified
• GDPR compliant
• HIPAA compliant infrastructure (for healthcare customers)
Despite our efforts, no security system is impenetrable. We cannot guarantee absolute security of your data. If a data breach occurs that affects your personal data, we will notify you and relevant authorities as required by law.
12. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@syfrah.com. If we discover that we have collected data from a child, we will delete it promptly.
13. Third-Party Links
The Service may contain links to third-party websites, including clinical trial registries (ClinicalTrials.gov, WHO ICTRP, etc.) and other external resources.
We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
This Privacy Policy applies only to syfrah and not to any third-party services.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements.
When we make material changes:
• We will update the "Last Updated" date at the top of this page
• We will notify you via email or prominent notice on the Service
• We may request your renewed consent where required
We encourage you to review this Privacy Policy regularly. Your continued use of the Service after changes indicates acceptance of the updated policy.
Previous versions of this Privacy Policy are available upon request.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
SYFRAH CONSULTING
Paris, 75001
France
General Privacy Inquiries: contact@syfrah.com
Data Protection Officer: contact@syfrah.com
General Support: contact@syfrah.com
Mailing Address:
SYFRAH CONSULTING
Attn: Data Protection Officer
Paris, 75001
France
We aim to respond to all inquiries within 30 days.
For complaints, you may also contact the French Data Protection Authority:
CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
www.cnil.fr