Back to Elevay

Privacy Policy

Last updated: April 1, 2026

1. Data Controller

The data controller for personal data processed through Elevay is:

  • Company: Elevay
  • Country: France
  • Email: privacy@elevay.dev
  • Data Protection Officer: privacy@elevay.dev

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Elevay in compliance with the General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and other applicable data protection laws.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Name and email address
  • Authentication credentials (via Google OAuth or email/password)
  • Profile picture (if provided via Google)
  • Company/organization name

2.2 Customer Data (CRM Data)

Data you upload or create within the Service:

  • Contact information (names, emails, phone numbers, job titles, LinkedIn URLs)
  • Company information (names, domains, industry, size, revenue)
  • Deal/opportunity data (names, stages, values, notes)
  • Email content (sent and received through connected mailboxes)
  • Notes, tasks, and meeting records
  • Outbound email sequences and templates
  • Chat conversations with the AI assistant

2.3 Usage Data

We automatically collect:

  • Pages visited, features used, and actions taken within the Service
  • Browser type, operating system, and device information
  • IP address and approximate location
  • Timestamps and session duration
  • Error logs and performance data

2.4 Enrichment Data

When you use our data enrichment features, we may retrieve additional information about your contacts and companies from third-party data providers, including:

  • Company firmographic data (industry, employee count, revenue, funding)
  • Contact professional data (job title, department, seniority)
  • Social media profiles and public web data

3. How We Process Data

3.1 Core Service Delivery

We process your data to provide the CRM, email sequencing, pipeline management, and analytics features of the Service.

3.2 AI and LLM Processing

Elevay uses artificial intelligence to provide features such as:

  • Email generation and suggestions: Your contact data and context may be sent to AI providers to generate email drafts
  • Lead scoring and prioritization: Contact and company data is analyzed by AI models to calculate engagement scores
  • Deal coaching and intelligence: Deal history and interaction data may be processed by AI to provide recommendations
  • Natural language querying: Your questions and relevant CRM data are processed to generate answers with citations
  • Automatic summarization: Meeting notes, emails, and activity history may be summarized by AI

When data is sent to third-party AI providers, we minimize the data transmitted to only what is necessary for the specific feature. We do not allow AI providers to use your data for training their models.

3.3 Data Enrichment

Company domains and contact email addresses may be sent to enrichment APIs to retrieve publicly available business information. This processing occurs only when you actively trigger an enrichment action.

4. Legal Basis for Processing

Under GDPR, we process personal data on the following legal bases:

  • Performance of contract (Art. 6(1)(b)): Processing necessary to provide the Service as described in our Terms of Service, including CRM functionality, email sending, and AI features.
  • Legitimate interest (Art. 6(1)(f)): Processing for security, fraud prevention, service improvement, and analytics, where our interests do not override your fundamental rights.
  • Consent (Art. 6(1)(a)): Where we process data based on your explicit consent (e.g., optional enrichment features, marketing communications). You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as financial record-keeping.

5. Data Retention

  • Account data: Retained for the duration of your account plus 30 days after deletion to allow for recovery.
  • Customer Data (CRM): Retained for the duration of your account. Deleted within 30 days of account closure or upon GDPR deletion request.
  • Usage and analytics data: Retained in anonymized form for up to 24 months for service improvement.
  • Email opt-out records: Retained indefinitely to ensure ongoing compliance with unsubscribe requests.
  • Billing records: Retained for 10 years as required by French commercial law.

6. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you. You can use the data export feature in your account settings or contact us.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data. You can edit most data directly within the Service.
  • Right to erasure (Art. 17): Request deletion of your personal data. You can use the account deletion feature or contact us. We will delete your data within 30 days, subject to legal retention obligations.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON). Available via the data export API endpoint.
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to object (Art. 21): Object to processing based on legitimate interest, including profiling and automated decision-making.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with the French data protection authority (CNIL) or your local supervisory authority.

To exercise any of these rights, contact us at privacy@elevay.dev. We will respond within 30 days.

7. Sub-processors

We use the following third-party sub-processors to deliver the Service:

ProviderPurposeLocation
Supabase (PostgreSQL)Database hosting and storageEU (Frankfurt)
VercelApplication hosting and edge functionsGlobal (US primary)
Anthropic (Claude)AI/LLM processing for chat, scoring, email generationUnited States
OpenAIAI/LLM processing, embeddingsUnited States
Apollo.ioContact and company data enrichmentUnited States
StripePayment processingUnited States
Google (OAuth, Gmail API)Authentication and email connectivityGlobal

We maintain data processing agreements (DPAs) with all sub-processors. We will notify you of any material changes to our sub-processor list.

8. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). When transferring personal data outside the EEA, we rely on:

  • EU-US Data Privacy Framework (for US-based processors that are certified)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission, where available

We conduct transfer impact assessments where required and implement supplementary measures to ensure an adequate level of data protection.

9. Cookies and Tracking

Elevay uses the following types of cookies:

  • Strictly necessary cookies: Required for authentication and session management. These cannot be disabled.
  • Functional cookies: Remember your preferences and settings (e.g., sidebar state, filter selections).
  • Analytics cookies: Help us understand how you use the Service to improve performance and usability. These are only set with your consent.

We do not use third-party advertising cookies. We do not sell your data to advertisers.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Role-based access control and tenant isolation
  • Regular security audits and vulnerability assessments
  • Secure authentication via OAuth 2.0 and hashed credentials
  • Automated backups with encryption

11. Children's Privacy

Elevay is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or in-app notification. The "Last updated" date at the top reflects the most recent revision.

13. Contact & Data Protection Officer

For any privacy-related questions, to exercise your data rights, or to contact our Data Protection Officer:

  • Email: privacy@elevay.dev
  • Company: Elevay
  • Country: France

You also have the right to lodge a complaint with the French data protection authority:

  • CNIL (Commission Nationale de l'Informatique et des Libertés)
  • 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
  • Website: www.cnil.fr