Last updated: May 6, 2026

Privacy policy

Enriq places particular importance on protecting your personal data. This privacy policy (hereinafter the “Policy”) aims to inform you, with full transparency, about how we collect, use, and protect your personal data when you use the enriq.ai website and the Enriq service.

This Policy applies to anyone (hereinafter “you”) who:

visits the enriq.ai website,
uses the Enriq application after creating an account,
is contacted by Enriq as part of a commercial outreach effort.

Data controller

The controller of the personal data collected through the Enriq site and application is:

Nolann Biron, sole proprietor, registered in the French National Business Register (RNE) under SIREN number 819 713 744, with registered office at 4ter route de Bergerac, 33750 Camarsac, France.

Contact email: hello@enriq.ai

The data controller is hereinafter referred to as “Enriq” or “we”.

Scope and relationship with our customers

Enriq acts as the data controller for the data it collects directly from site visitors, application users, and prospects.

However, when a user connects a company’s advertising accounts to Enriq (Google Ads, Meta Ads, Microsoft Ads, TikTok Ads), Enriq acts as a data processor within the meaning of Article 28 of the GDPR, on behalf of that company. The processing of this data is governed by a specific agreement (Data Processing Agreement) accessible at enriq.ai/dpa.

This Policy does not cover the processing of data accessed by Enriq in the context of this processor relationship.

Acceptance

Use of the enriq.ai site and the Enriq application implies acknowledgement of this Policy. We invite you to review it regularly; any update is signalled by changing the effective date indicated at the top of this document.

Data collected and purposes

Enriq collects only the data necessary for the purposes described below. No data is collected without your knowledge, nor used for purposes other than those mentioned in this Policy.

If you visit the enriq.ai site

When you arrive on the site, no audience-measurement cookie is placed and no browsing data is sent to our analytics tools. A consent banner is shown on your first visit.

Our hosting provider Cloudflare Pages also keeps standard technical logs (IP address, browser, page requested, date/time, referring page) for security and abuse-prevention purposes, in accordance with Cloudflare’s policy.

If you accept the “audience measurement” category

We activate PostHog (PostHog Inc., data stored in the European Union — eu.posthog.com) to measure site audience and improve content. We then collect:

Pages visited and exit points.
Technical browser metadata: device type, browser, operating system, language, screen size.
A pseudonymous identifier stored on the browser side, allowing successive visits to be recognised.

If you decline or do not respond

No cookie is set and no events are sent.

When you submit the “waitlist” form:

We collect your email address.
This data is stored in our database (Neon Postgres, European Union).
A confirmation email is sent to you.
A “waitlist sign-up” event is recorded in PostHog server-side with your email address as identifier. This recording results from your voluntary form submission and is independent of the browser-side “audience measurement” consent.

This data is collected for the following purposes: analysing and improving the site, responding to your requests, sending you communications when you have consented, and measuring the performance of our content.

If you use the Enriq application

When you create your account and use the service, we collect:

your account credentials: email, password (or Google / Microsoft SSO identifier);
information about your professional activity: company domain name, industry, business model, monthly advertising spend, monthly revenue;
the access credentials to the advertising platforms you connect to Enriq (Google Ads, Meta Ads, Microsoft Ads, TikTok Ads), via secure OAuth-based authentication protocols;
billing data transmitted via our payment provider Stripe;
technical usage data: connection logs, IP address, error logs;
analytics data through our analytics tool PostHog:
- Identifiers: email address, name, language, account creation date, declared expertise level.
- Identifiers of your organisation and workspace.
- Pages visited within the application and product usage events (conversation creation, advertising account connection, etc.).
- Technical browser metadata: device type, browser, operating system, language, screen size.
- Session recording: enabled for users in trial period (100%) and sampled for active subscribers (10%). Input fields are masked by default. No recording for users without a subscription.
- Traces of calls to our AI models (model used, number of tokens, latency, cost), without the content of messages.

This data is collected for the following purposes: creating and managing your account, providing the Enriq service, accessing the advertising accounts you connect, billing your subscription, ensuring service security, and improving the product.

Enriq accesses connected advertising-account data on a read-only basis. No changes are made to your campaigns by Enriq. Enriq does not collect or process any personal data of advertisers’ prospects, customers, or audiences: the advertising APIs used only return aggregated performance and account-structure data, and do not provide access to audience content or user identifiers.

Enriq may also use, in strictly aggregated and non-identifying form, certain technical usage and performance data from connected advertising accounts, for purposes of service improvement, R&D, and statistical analysis. Such processing in no way enables the re-identification of an advertiser, and is governed by our Data Processing Agreement.

If you are an Enriq prospect

As part of our commercial outreach activities, we may collect:

your professional contact details (last name, first name, role, professional email, company) from publicly accessible sources (professional networks, your company website) or from B2B data providers;
the interactions you have with our messages (open, click, reply).

This data is collected for the following purposes: introducing Enriq, offering a demonstration or commercial discussion, and adapting our approach to your needs.

You may object to this processing at any time by replying to one of our messages or by writing to hello@enriq.ai.

Legal bases

In accordance with Article 6 of the GDPR, each processing operation is based on a legal basis. For the processing operations described in this Policy, the legal bases relied upon are as follows:

Purpose	Legal basis
Creation and management of your Enriq account	Performance of the contract
Provision of the Enriq service and access to connected advertising accounts	Performance of the contract
Billing and accounting obligations	Performance of the contract and legal obligation
Service security, fraud and abuse prevention	Legitimate interest
Site audience measurement and analytics (PostHog)	Legitimate interest, or consent where required by regulation
Response to contact requests	Legitimate interest
Sending the newsletter	Consent
B2B commercial outreach	Legitimate interest
Improvement of the Enriq product	Legitimate interest

When processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.

When processing is based on our legitimate interest, you have a right to object that you can exercise under the conditions described in the section on your rights.

Enriq’s status with respect to connected advertising accounts

When you connect a company’s advertising accounts to Enriq (your own, or those of your clients when you manage multiple accounts on a mandated basis), an important distinction applies under the GDPR.

Enriq is a data processor

For data from connected advertising accounts (campaign structure, keywords, creatives, audiences, performance, conversions), Enriq acts as a data processor within the meaning of Article 28 of the GDPR.

The data controller for this data is the company that holds the advertising account, i.e. the advertiser. Enriq processes this data only on the advertiser’s instructions, for the sole purpose of providing the subscribed service.

Contractual framework

This processor relationship is governed by a specific agreement, the Data Processing Agreement (DPA), publicly accessible at enriq.ai/dpa.

This DPA specifies in particular:

the nature and purposes of the processing carried out by Enriq,
the categories of data processed,
the duration of processing,
Enriq’s obligations regarding security and confidentiality,
the list of authorised sub-processors,
the procedures for notification in the event of a data breach,
the conditions for returning or deleting data at the end of the service.

Exercise of rights by data subjects

If you are a person whose data is held in an advertising account connected to Enriq (for example as a prospect or customer of an advertiser using Enriq) and you wish to exercise your rights, you must contact the advertiser directly, as they are the data controller.

Enriq, acting as processor, will forward to the advertiser any request received directly, and will assist in handling the request in accordance with the commitments made in the DPA.

Recipients and sub-processors

Your personal data is accessible to Enriq, and may be transmitted to third-party providers (“sub-processors”) strictly necessary for the operation of the service. No data is sold, rented, or transferred to third parties for commercial purposes.

Each sub-processor is bound to Enriq by a Data Processing Agreement compliant with Article 28 of the GDPR, and acts only on Enriq’s instructions, within the limits of the purposes described in this Policy.

The current list of Enriq’s sub-processors is as follows:

Provider	Role	Server location
Cloudflare, Inc.	Site hosting and CDN services	United States
Fly.io, Inc.	Application hosting (back-end)	European Union
Neon, Inc.	Database	European Union
PostHog, Inc.	Audience measurement and product analytics	European Union
OpenAI OpCo, LLC	Generative AI models	United States
Stripe, Inc.	Payment processing and billing	United States and European Union
Google Ireland Ltd., Meta Platforms Ireland Ltd., Microsoft Ireland Operations Ltd., TikTok Information Technologies UK Ltd.	Advertising APIs accessed on the user’s instruction	Varies by provider

Any change to this list (addition, replacement, or removal of a sub-processor) will be reported by updating this Policy and communicated to affected customers in accordance with the commitments in the Data Processing Agreement.

Transfers outside the European Union

Some of our sub-processors are established outside the European Union, primarily in the United States. These transfers are strictly governed by the protection mechanisms provided for by the GDPR.

For each transfer outside the EU, Enriq relies on one or more of the following mechanisms:

the provider’s adherence to the Data Privacy Framework (DPF) between the European Union and the United States, which guarantees an adequate level of protection for transfers to certified US companies;
the conclusion of the Standard Contractual Clauses (SCC) adopted by the European Commission (decision 2021/914), which impose on the provider commitments equivalent to GDPR requirements;
the implementation of additional technical and organisational measures where necessary (encryption of data in transit and at rest, access control, logging).

The main transfers concerned are as follows:

Cloudflare (United States): certified under the Data Privacy Framework. The data processed is essentially technical browsing metadata, with no sensitive personal content.
OpenAI (United States): transfer governed by the Standard Contractual Clauses. Data sent via the API is not used to train OpenAI’s models, in accordance with OpenAI’s contractual commitments to API customers. Data transmitted is retained by OpenAI for a limited period of 30 days for abuse-prevention purposes, before deletion.
Stripe (United States and European Union): certified under the Data Privacy Framework, transfer also governed by the Standard Contractual Clauses.

Security

Enriq implements appropriate technical and organisational measures to protect your personal data against loss, alteration, unauthorised disclosure, or unlawful access.

These measures include in particular:

encryption of data in transit (TLS 1.2 or higher) between your browser, the Enriq application, and all sub-processors;
encryption of data at rest within the database and storage systems;
a strict access-control policy based on the principle of least privilege: only authorised personnel within Enriq have access to data, and only to the extent necessary for their tasks;
the use of secure authentication protocols (OAuth) for connections to third-party advertising platforms, with no plaintext password storage;
logging of access and sensitive operations, for anomaly detection and traceability;
rigorous selection of our sub-processors based on their security guarantees (ISO 27001, SOC 2 certifications, documented GDPR compliance).

In the event of a data breach likely to result in a risk to your rights and freedoms, Enriq will notify the CNIL (French Data Protection Authority) within 72 hours in accordance with Article 33 of the GDPR, and will inform you as soon as possible when required by regulation.

Retention periods

Your personal data is retained only for the period strictly necessary to fulfil the purposes for which it was collected, plus any additional periods provided for by applicable legal and regulatory obligations.

Indicatively, the main retention periods applied by Enriq are as follows:

user account data is retained throughout the duration of your contractual relationship with Enriq, and deleted within a maximum of 30 days after termination or deletion of the account;
data from connected advertising accounts is retained for the duration of your subscription and deleted at the end of that period, in accordance with the commitments made in the Data Processing Agreement;
billing data is retained for 10 years from the close of the relevant accounting year, in accordance with applicable legal and tax obligations;
prospect data (contact requests, commercial outreach) is retained for 3 years from the last contact that received no follow-up;
audience measurement data collected via PostHog is retained for 24 months;
technical logs (connection logs, error logs) are retained for 12 months for security and traceability purposes;
rights requests you send us are retained for 3 years from their handling, for evidentiary purposes.

Beyond these periods, your data is deleted or anonymised irreversibly. Only your express agreement, or a specific legal obligation, may justify longer retention.

Cookies and trackers

The enriq.ai site and the Enriq application use cookies and trackers to ensure proper operation, measure audience, and improve your experience.

Details of the cookies used, their purposes, lifespan, and how you can accept, refuse, or configure them are set out in our Cookie policy.

You may modify your cookie preferences at any time via the management module accessible at the bottom of every page on the site.

Your rights

In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act of 6 January 1978 (as amended), you have the following rights regarding your personal data:

Right of access: obtain confirmation that data concerning you is processed by Enriq, and receive a copy.
Right to rectification: have inaccurate or incomplete data concerning you corrected.
Right to erasure (“right to be forgotten”): request the deletion of your data, under the conditions provided by the GDPR.
Right to restriction of processing: request the temporary suspension of the processing of your data, in the cases provided by the GDPR.
Right to object: object to processing based on Enriq’s legitimate interest, or to processing for commercial outreach purposes, at any time and without justification.
Right to portability: receive the data you have provided to us in a structured and machine-readable format, and transmit it to another data controller.
Right to withdraw consent at any time, when processing is based on this legal basis, without affecting the lawfulness of prior processing.
Right to set directives regarding the fate of your data after your death, in accordance with Article 85 of the French Data Protection Act.

How to exercise your rights

To exercise any of your rights, or for any question regarding the processing of your personal data, you can contact us by email at hello@enriq.ai.

To protect the confidentiality of your data, we may need to ask you to verify your identity before responding to your request, where reasonable doubt arises.

Enriq undertakes to respond to your request within one month of receipt. This period may, if necessary, be extended by two months due to the complexity or volume of requests, in which case you will be informed.

If, after contacting us, you consider that your rights have not been respected, you have the right to lodge a complaint with the French Data Protection Authority (CNIL):

online: www.cnil.fr/fr/plaintes;
by post: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.

Changes to the Policy

This Policy may evolve to reflect regulatory developments, changes to the Enriq service, or the addition of new sub-processors.

Any change will be published on this page and signalled by updating the effective date indicated at the top of this document. In the event of a substantial change affecting your rights, we will inform you by an appropriate means (in-app notification, email, or banner on the site).

We invite you to review this Policy regularly to stay informed of changes.