In case of conflict between language versions, the French version prevails for data subjects located in France.
1. Introduction
99MINDS SAS ("99MINDS", "we", "us" or "our"), a société par actions simplifiée registered with the Paris Trade and Companies Register under number 102 816 337, whose registered office is at 200 Rue de la Croix Nivert, 75015 Paris, France, operates the AgencyIQ platform (the "Platform") and the website accessible at https://agency-iq.io (the "Website").
This Privacy Policy describes how we collect, use, share and protect personal data in connection with your use of the Website and the Platform, in accordance with Regulation (EU) 2016/679 of 27 April 2016 ("GDPR") and the French Data Protection Act of 6 January 1978 as amended ("Loi Informatique et Libertés").
Important notice on roles. With respect to Customer Data processed by our B2B customers through the Platform (such as campaign reports uploaded by agencies or in-house marketing teams), 99MINDS acts as a data processor (sous-traitant) on behalf of the customer. The processing of such data is governed by the Data Processing Agreement. This Privacy Policy addresses only the personal data for which 99MINDS acts as data controller (responsable de traitement), notably data concerning Website visitors, prospects, and individual users of the Platform acting on behalf of a customer.
2. Data Controller
The data controller for the purposes set out in this Privacy Policy is:
| Entity | 99MINDS SAS |
| Address | 200 Rue de la Croix Nivert, 75015 Paris, France |
| SIREN | 102 816 337 |
| Contact | privacy@agency-iq.io |
We have not appointed a Data Protection Officer (DPO) as we are not legally required to do so under Article 37 of the GDPR. For any privacy-related enquiries, please contact us at privacy@agency-iq.io.
3. Categories of Personal Data Collected
We may collect and process the following categories of personal data:
3.1 Account and authentication data
- First name, last name
- Professional email address
- Hashed password (we never store passwords in plain text)
- Company / organisation name, job title
- Account settings and preferences
3.2 Billing and subscription data
- Subscription plan and status
- Billing address and VAT number (where applicable)
- Payment status and invoice history (we never store full payment card numbers — these are handled directly by our payment processor, Stripe)
3.3 Usage and technical data
- Log data: IP address, browser type, device type, operating system, referring URL
- Authentication events: login timestamps, session tokens
- Platform activity: features used, queries submitted to AI agents, files uploaded, dashboards created
- Error logs and performance telemetry
3.4 Communications data
- Content of support requests, emails, or chat messages exchanged with our support team
- Feedback, survey responses, and product improvement suggestions
3.5 Marketing data (Website visitors and prospects)
- Email address (where provided voluntarily for demo requests, newsletters, etc.)
- Marketing preferences and consent records
- Analytics data (subject to consent — see Cookie Policy)
4. Legal Bases for Processing
Under Article 6 of the GDPR, we process personal data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Providing and maintaining the Platform | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and issuing invoices | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) — accounting law |
| Sending service and security notifications | Performance of a contract (Art. 6(1)(b)) |
| Ensuring platform security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Product improvement, aggregated analytics | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications to prospects | Consent (Art. 6(1)(a)) |
| Sending marketing communications to existing customers about similar services | Legitimate interest (Art. 6(1)(f)) under French soft opt-in rules |
| Complying with legal obligations (tax, accounting, court orders) | Legal obligation (Art. 6(1)(c)) |
| Non-essential cookies and analytics | Consent (Art. 6(1)(a)) |
5. AI Processing
The Platform uses large language models (LLMs) provided by Google (Gemini) via the Google Cloud Vertex AI API to deliver the core features of AgencyIQ (chat interface, data analysis, insight generation).
We have entered into agreements with Google Cloud that expressly prohibit the use of customer data for training Google's AI models. Customer content submitted through the Platform is processed solely to generate the response requested by the user and is not used to improve third-party AI models.
Personal data that may transit through AI processing is limited to the content of queries and files you voluntarily submit. You are responsible for not submitting sensitive personal data (special categories under Article 9 GDPR) through the Platform.
6. Recipients and Data Sharing
We do not sell personal data. We share personal data only with the following categories of recipients:
6.1 Internal
Authorised employees of 99MINDS who need access to perform their duties (support, engineering, billing), subject to confidentiality obligations.
6.2 Processors (sous-traitants)
We use the following processors to deliver the Service. All processors are bound by data processing agreements compliant with Article 28 of the GDPR.
- Google Cloud EMEA Limited (Ireland) — cloud infrastructure, AI inference
- Vercel Inc. (USA, EU region) — frontend hosting
- Supabase Inc. (Singapore/USA, EU region) — database and authentication
- Stripe Payments Europe Limited (Ireland) — payment processing
- Customer support and email delivery tools (list available on request)
6.3 Legal and regulatory recipients
- Public authorities, courts, tax authorities, or law enforcement, where required by applicable law or valid legal process
- Professional advisers (lawyers, auditors, accountants) under confidentiality obligations
- Acquirers or their advisers in the context of a corporate transaction (merger, acquisition, restructuring), subject to appropriate confidentiality safeguards
7. International Data Transfers
We endeavour to keep personal data within the European Economic Area (EEA). Customer Data and core processing take place in EU data centres (Frankfurt, Ireland, Paris).
However, some of our processors are established outside the EEA or may involve transfers to third countries (notably the United States). Where such transfers occur, we rely on the following safeguards under Chapter V of the GDPR:
- European Commission adequacy decisions, including the EU-US Data Privacy Framework where applicable (e.g., for Google Cloud, Vercel)
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
- Supplementary technical and organisational measures (encryption in transit and at rest, access controls) where required
You may request a copy of the safeguards in place by contacting privacy@agency-iq.io.
8. Retention Periods
| Data category | Retention period |
|---|---|
| Account data (active accounts) | Duration of the subscription |
| Account data (after subscription ends) | Active subscription + 1 year, then deletion or anonymisation |
| Billing and accounting records | 10 years from the end of the financial year (Art. L.123-22 Code de commerce) |
| Server and security logs | 12 months maximum |
| Support communications | 3 years from the last contact |
| Marketing data (prospects) | 3 years from last contact or explicit consent withdrawal, whichever is earlier |
| Cookies and trackers | As set out in the Cookie Policy (maximum 13 months for consent-based cookies) |
9. Security Measures
We implement appropriate technical and organisational measures under Article 32 of the GDPR, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Role-based access controls and least-privilege principles
- Secure password storage (hashing with industry-standard algorithms)
- Regular security monitoring, logging and vulnerability management
- Confidentiality obligations for all personnel and processors
- Data backup and disaster recovery procedures
No system is perfectly secure. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the CNIL within 72 hours and affected individuals where required by Article 34 of the GDPR.
10. Your Rights
Under Articles 15 to 22 of the GDPR and the Loi Informatique et Libertés, you have the following rights in relation to your personal data:
- Right of access — to obtain confirmation of whether we process data concerning you, and a copy of such data
- Right to rectification — to have inaccurate or incomplete data corrected
- Right to erasure ("right to be forgotten") — to request deletion of your data, subject to legal retention obligations
- Right to restriction of processing — in the circumstances set out in Article 18 of the GDPR
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format
- Right to object — to processing based on our legitimate interests, and to direct marketing at any time
- Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal
- Right to lodge a complaint — with the CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — www.cnil.fr
- Right to define post-mortem directives — concerning the conservation, erasure and communication of your data after your death, in accordance with Article 85 of the Loi Informatique et Libertés
To exercise these rights, please contact us at privacy@agency-iq.io. We may require you to verify your identity before processing your request. We will respond within one month of receipt of the request, subject to extension of two further months for complex or numerous requests (Article 12(3) GDPR).
11. Automated Decision-Making
We do not make decisions producing legal or similarly significant effects based solely on automated processing, within the meaning of Article 22 of the GDPR. The AI-generated insights produced by the Platform are advisory outputs; all business decisions remain under the control of our customers.
12. Children
The Platform is a professional B2B tool not intended for individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe that a minor has provided us with personal data, please contact us so that we can delete it.
13. Changes to this Policy
We may update this Privacy Policy from time to time. The updated version will be published on the Website with a revised "Last updated" date. Material changes will be notified to active users by email or in-product notice.
14. Contact
For any question or request concerning this Privacy Policy, please contact:
99MINDS SAS — Privacy Team
200 Rue de la Croix Nivert, 75015 Paris, France
Email: privacy@agency-iq.io