Privacy Policy
Last updated: March 2026
Licorne Society SAS ("Leonar", "we", "us"), which operates the Leonar platform, is committed to protecting and respecting your personal data. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit our website, create an account, or use our Services.
This policy is written in accordance with Regulation (EU) 2016/679 (the "GDPR") and French Law No. 78-17 of 6 January 1978 (Loi Informatique et Libertés).
1. Who is the data controller?
The data controller is:
Licorne Society SAS
19A rue du Rocher, 75008 Paris, France
RCS Paris 890 811 193
Email: contact@leonar.app
Data Protection Officer: dpo@licornesociety.com
2. Scope of this policy
This Privacy Policy covers the personal data that Leonar processes as a data controller, namely:
- data of visitors to our website (www.leonar.app);
- data of users who create an Account on the Platform;
- data of persons who contact us (support, sales, demos).
This policy does not cover candidate or prospect data processed by Leonar on behalf of its customers (as a data processor). That processing is governed by the Data Processing Agreement (DPA) entered into between Leonar and each customer. If you are a candidate or prospect whose data has been processed through the Platform by a Leonar customer, please contact that customer directly to exercise your rights.
3. What data do we collect and why?
3.1 Website visitors
| Data collected | Purpose | Legal basis | Retention |
|---|---|---|---|
| IP address, browser type, device, pages visited, referral source | Website analytics, security, and performance monitoring | Legitimate interest (Art. 6(1)(f) GDPR) | 13 months (anonymized analytics) |
| Cookies and similar technologies | See Section 8 below | Consent (where required) or legitimate interest | See Section 8 |
3.2 Account holders (Users)
| Data collected | Purpose | Legal basis | Retention |
|---|---|---|---|
| First name, last name, email address, company name, job title | Account creation and management | Performance of contract (Art. 6(1)(b) GDPR) | Duration of the Account + 5 years (legal statute of limitations) |
| Password (hashed) | Authentication | Performance of contract | Duration of the Account |
| Billing information (company name, address, VAT number) | Invoicing and payment processing | Performance of contract and legal obligation (Art. 6(1)(c) GDPR) | 10 years from the end of the fiscal year (French accounting law) |
| Platform usage data (features used, actions performed, session data) | Product improvement, analytics, troubleshooting | Legitimate interest | 24 months from collection (aggregated/anonymized thereafter) |
| Connection logs (IP address, timestamps, device) | Security, fraud prevention, legal compliance | Legal obligation (Art. 6(1)(c) GDPR) | 12 months |
| Support communications (emails, chat messages) | Providing support and resolving issues | Performance of contract | Duration of the Account + 2 years |
3.3 Prospects and demo requests
| Data collected | Purpose | Legal basis | Retention |
|---|---|---|---|
| First name, last name, email, company, job title, phone number | Responding to inquiries, scheduling demos, commercial follow-up | Legitimate interest (B2B prospecting) or consent where required | 3 years from last contact |
3.4 Data we do NOT process as controller
To be clear, the following data is processed by Leonar only as a data processor on behalf of its customers, and is not covered by this Privacy Policy:
- Candidate and prospect profiles (names, professional information, LinkedIn URLs, CVs)
- Messages and communications sent or received through the Platform (LinkedIn, email, WhatsApp)
- AI-generated scores, match percentages, and recommendations
- Contact lists synchronized from Third-Party Platforms
For information on how this data is processed, please refer to the DPA between Leonar and the relevant customer.
4. Who has access to your data?
Your personal data is accessible only to:
- Leonar staff who need access to perform their duties (support, engineering, sales, management), bound by contractual confidentiality obligations;
- Service providers (sub-processors) acting on our behalf, listed in Section 5 below;
- Legal and regulatory authorities, where disclosure is required by applicable law or a binding court order.
We never sell or rent your personal data to third parties. We never share your data with third parties for their own marketing purposes.
5. Service providers and sub-processors
The following service providers process personal data on our behalf, in our capacity as controller:
| Provider | Purpose | Location | Transfers outside EU | Safeguards |
|---|---|---|---|---|
| Supabase Inc. | Primary hosting, database, backups | France (EU) | None | Data hosted in EU |
| Vercel Inc. | Website and application hosting, CDN | Global (EU primary) | Possible (US edge nodes) | EU-US Data Privacy Framework; or, if invalidated, Standard Contractual Clauses (EU Commission Decision 2021/914) |
| Stripe Inc. | Payment processing | Ireland (EU) / United States | Possible (US) | EU-US Data Privacy Framework; or, if invalidated, SCCs. PCI DSS compliant. |
| Intercom Inc. | Customer support chat and messaging | United States / Ireland (EU) | Possible (US) | EU-US Data Privacy Framework; or, if invalidated, SCCs |
| Google LLC | Google Workspace (email), Google Analytics | United States | Yes (US) | EU-US Data Privacy Framework; or, if invalidated, SCCs |
Note: The sub-processors listed above relate only to data processed by Leonar as controller (your Account data, website analytics, etc.). Sub-processors involved in processing candidate data on behalf of customers (including Anthropic, Google Gemini, and Unipile) are listed in the DPA.
This list may be updated from time to time. Material changes will be communicated via our website.
6. International data transfers
We make every effort to host and process your personal data within the European Union. Where transfers outside the EU are necessary, we ensure that appropriate safeguards are in place:
- EU-US Data Privacy Framework (DPF): For transfers to US-based providers certified under the DPF, we rely on the European Commission's adequacy decision of 10 July 2023.
- Standard Contractual Clauses (SCCs): Where the DPF does not apply or is invalidated, we rely on Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), supplemented by additional technical and organizational measures where necessary.
- Adequacy decisions: For transfers to countries benefiting from an adequacy decision, no additional safeguards are required.
You may request a copy of the applicable transfer mechanisms by contacting our DPO.
7. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation of whether your data is being processed and, if so, a copy of it.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your data when it is no longer necessary, when you withdraw consent, or when processing is unlawful.
- Right to restriction (Art. 18): request that processing be limited in certain circumstances (e.g., while the accuracy of data is being verified).
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object (Art. 21): object to processing based on legitimate interest, including for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to provide guidelines on post-mortem data: under French law, you may provide instructions regarding the storage, erasure, and communication of your data after your death.
How to exercise your rights
Contact our Data Protection Officer at dpo@licornesociety.com. We may request proof of identity if there is reasonable doubt. We will respond within one (1) month, extendable to three (3) months for complex requests.
If you believe your rights have not been respected, you may lodge a complaint with the CNIL:
Commission nationale de l'informatique et des libertés (CNIL)
3 place de Fontenoy - TSA 80751
75334 Paris Cedex 07
Phone: +33 1 53 73 22 22
Website: www.cnil.fr
8. Cookies and tracking technologies
8.1 What are cookies?
Cookies are small text files stored on your device when you visit our website. They help us understand how you use our site, improve your experience, and measure the effectiveness of our communications.
8.2 Types of cookies we use
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Essential for website functionality (session management, security, load balancing) | No (exempt under ePrivacy Directive) |
| Analytics | Measure website traffic and usage patterns (e.g., Google Analytics) | Yes |
| Functional | Remember your preferences (e.g., language, login state) | No (legitimate interest) |
| Marketing | Track effectiveness of marketing campaigns and retargeting | Yes |
8.3 Managing your preferences
When you first visit our website, a cookie consent banner allows you to accept or refuse non-essential cookies. You can change your preferences at any time via the cookie settings link in the website footer, or by configuring your browser settings.
Google Analytics: We use Google Analytics with IP anonymization enabled. You can opt out by installing the Google Analytics Opt-out Browser Add-on.
9. Data security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access control and row-level security at the database level
- Hashed passwords stored separately from user identifiers
- Automated daily backups with point-in-time recovery
- Logging and monitoring of access for security audit purposes
- Staff training on data protection at least twice per year
- Incident response procedures with defined escalation processes
No system is completely secure. If you become aware of any security vulnerability, please report it to contact@leonar.app.
10. Data retention
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by applicable law. Specific retention periods are set out in the tables in Section 3.
When retention periods expire, data is irreversibly deleted or anonymized. Anonymized data may be retained indefinitely for statistical and product improvement purposes.
In the event of litigation or a pending legal claim, relevant data may be retained for the duration of the proceedings, even beyond the standard retention periods.
11. Children
The Platform is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will take steps to delete it.
12. Google API compliance
Leonar's use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or in-app notification at least thirty (30) days before they take effect.
We encourage you to review this page periodically.
14. Contact
For any questions regarding this Privacy Policy or your personal data, please contact:
Licorne Society SAS
19A rue du Rocher, 75008 Paris, France
Email: contact@leonar.app
Data Protection Officer: dpo@licornesociety.com