Last updated: May 2026
Privacy Policy
Effective: May 2026 | Controller: PROUD Co.Lab (registration in progress, France) | Contact: [email protected]
Plain language summary: We collect only what we need to run our platform and coaching programmes. We never sell your data. You have full rights over your information at any time.
1.1 Who We Are
PROUD Co.Lab ("PROUD", "we", "us") is a workplace culture transformation platform and leadership coaching provider, registered in France (SIRET registration in progress). We operate proudcolab.com and all associated services.
As data controller under the GDPR (Regulation (EU) 2016/679), we are responsible for how your personal data is collected, used, and protected.
Data Protection Contact: [email protected]
1.2 What Data We Collect
Category | Data Points | Why We Collect It | Notes
Identity | Full name, date of birth | Account creation, age verification | DOB not used in matching
Contact | Email address, organisation name, job title | Platform access, communications, invoicing |
Professional | CV / profile data, skills, experience | Talent matching (Phase 3+), coaching personalisation |
Payment | Billing name, address (via Stripe) | Processing subscription payments | Card details held by Stripe only
Usage | Login activity, session data, feature usage | Platform improvement, security |
Communications | Email preferences, newsletter opt-in | Marketing via Mailchimp (with consent) |
Technical | IP address, browser type, device info, cookies | Security, analytics (Google Analytics) |
Date of birth is collected solely for age verification purposes. It is never used in the job matching algorithm or shared with employers. It is not visible on talent profiles.
Special category data: Our platform is DEI-focused. We may process data relating to ethnicity, disability, sexual orientation or religion only with your explicit consent and only in aggregated, anonymised form for DEI analytics. Gender is not collected. You are never required to provide sensitive information.
1.3 Legal Basis for Processing
Contract performance (Art. 6(1)(b)): To deliver coaching programmes and platform services.
Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, service improvement.
Consent (Art. 6(1)(a)): Marketing emails, optional DEI data, non-essential cookies. Withdraw at any time.
Legal obligation (Art. 6(1)(c)): Tax records, invoicing, compliance with French and EU law.
1.4 How We Use Your Data
Creating and managing your account and coaching programme access
Delivering live coaching sessions via Zoom
Processing payments via Stripe
Sending programme communications and updates
Sending marketing emails if opted in (Mailchimp) — unsubscribe at any time
Analysing platform usage to improve services (Google Analytics)
Generating anonymised DEI analytics reports for your organisation (with consent)
Complying with legal and regulatory obligations
1.5 Third-Party Data Processors
Processor | Purpose | Data Shared | Location
Zoom | Live coaching sessions | Name, email, session data | USA (SCCs applied)
Stripe | Payment processing | Billing info, payment data | EU / USA (SCCs applied)
Mailchimp (Intuit) | Email marketing | Name, email, preferences | USA (SCCs applied)
Google Analytics | Website analytics | Anonymised usage, cookies | USA (SCCs applied)
AWS (Amazon) | Cloud hosting & storage | All platform data | EU — Frankfurt region
All third-party processors are bound by Data Processing Agreements (DPAs). Where data is transferred outside the EU/EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission.
1.6 Data Retention
Account data: Account lifetime + 3 years after closure
Date of birth: Account lifetime + 1 year
Payment records: 10 years (French Code de Commerce)
Coaching session records: 2 years after programme completion
Marketing data: Until unsubscribe or consent withdrawn
Analytics data: 26 months (Google Analytics)
CV / profile data: Until deletion requested or account closure
1.7 Your GDPR Rights
You have the following rights under GDPR. To exercise any right, email [email protected]. We will respond within 30 days.
Right | What It Means
Access | Request a copy of all personal data we hold about you.
Rectification | Correct inaccurate or incomplete data at any time.
Erasure | Request deletion of your data (right to be forgotten).
Restriction | Limit how we process your data in certain circumstances.
Portability | Receive your data in a structured, machine-readable format.
Object | Object to processing based on legitimate interests or for marketing.
Automated Decisions | Not to be subject to solely automated decisions with significant effects.
Withdraw Consent | Withdraw consent at any time without affecting prior processing.
You may also lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): www.cnil.fr
1.8 Data Security
All data in transit encrypted via TLS 1.2+
All data at rest encrypted via AES-256
EU-only data residency on AWS Frankfurt servers
Multi-factor authentication for all admin access
Regular security audits and penetration testing (Phase 3+)
Data breach notification within 72 hours to CNIL as required by GDPR Art. 33
1.9 Children's Data
Our platform is intended for professionals aged 18 and over. We do not knowingly collect data from minors. If you believe a minor has submitted data, contact [email protected] immediately.
1.10 Changes to This Policy
We will notify you by email of any material changes at least 30 days before they take effect. Continued use of the platform after that date constitutes acceptance.
