Application Privacy Policy

Effective Date: December 1st, 2025
Last Updated: March 13th, 2026

‍

This Privacy Policy applies specifically to the Pearl application and platform ("Service"), operated by Pearl SAS ("Pearl," "we," "us," or "our"). It describes how Pearl collects, uses, stores, shares, and protects personal data — including data accessed through third-party integrations such as Google services — when you use our application.

For information about data collected on our marketing website (heypearl.ai), please refer to our Website Privacy Policy.

‍

1. Data Controller

Pearl SAS acts as the data controller for personal data processed in connection with the Service, unless otherwise specified in a separate Data Processing Agreement.

Pearl SAS
11 Rue Sauffroy, 75017 Paris, France
SIREN: 941309171 — EU VAT: FR87941309171
Contact: contact@heypearl.ai

‍

2. Data We Collect

‍

In the course of providing the Service, Pearl may collect and process the following categories of personal data:

(a) Account information: name, email address, professional role, and organizational affiliation, provided during account registration.

(b) Usage data: activity logs, feature usage, timestamps, and interaction data generated through your use of the Service.

(c) Content data: documents, notes, conversation data, and other materials you submit to the Service ("User Content").

(d) Integration data: data retrieved from or transmitted to third-party services at your direction, including data accessed through Google OAuth integrations (such as Gmail, Google Calendar, or Google contacts). This data is accessed only within the scope of the permissions you explicitly grant and solely for the purpose of providing the Service features you activate.

(e) Technical data: IP address, browser type, device information, and similar technical identifiers collected automatically when you access the Service.

‍

3. How We Use Your Data

‍

Personal data collected through the Service is used exclusively for the following purposes:

(a) Providing, maintaining, and improving the features and functionality of the Service;
(b) Managing your account and authenticating your access;
(c) Powering AI-assisted features and generating AI outputs within the Service;
(d) Communicating with you regarding the Service, including support and service notifications;
(e) Ensuring the security and integrity of the Service;
(f) Complying with applicable legal obligations.

Pearl does not use your data — including data accessed through Google services — for targeted advertising, to sell to data brokers, to provide to information resellers, for credit-worthiness determination, or for any purpose unrelated to providing or improving the Service's functionality.

Pearl does not use your User Content or data retrieved from third-party integrations to train general-purpose AI models without your explicit, separate consent.

‍

4. How We Share Your Data

‍

Pearl does not sell your personal data. Data may be shared only in the following limited circumstances:

(a) Service providers and subprocessors: Pearl works with trusted third-party providers who assist in operating the Service (e.g., cloud hosting, analytics). These providers act on Pearl's behalf and are bound by appropriate contractual data protection safeguards in compliance with GDPR Article 28.

(b) Third-party integrations you authorize: When you connect a third-party service (e.g., a CRM or email provider), data may be transmitted to that service at your explicit direction. Pearl does not share integration data with any party other than the integration you have activated.

(c) Legal obligations: Pearl may disclose data to competent authorities where required by applicable law or legal process.

Data accessed through Google services is not transferred to third parties except as necessary to provide the specific Service features you have activated, or as required by law.

‍

5. Data Protection Mechanisms

‍

Pearl implements appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

(a) Encryption in transit: All data transmitted between your browser and Pearl's services is encrypted using TLS (Transport Layer Security). This applies to all data flows, including data accessed via third-party integrations.

(b) Encryption at rest: Personal data stored within Pearl's platform is encrypted at rest using industry-standard encryption protocols.

(c) Access controls: Access to personal data is restricted to authorized Pearl personnel on a strict need-to-know basis, enforced through role-based access controls and strong authentication requirements, including multi-factor authentication where applicable.

(d) Audit logging: Access to sensitive data — including integration data retrieved from third-party services — is logged and subject to periodic review.

(e) SOC 2 Type II certification: Pearl's platform is SOC 2 Type II certified, demonstrating our ongoing commitment to rigorous security controls over data confidentiality, availability, and integrity.

(f) Minimal data access: When accessing data through third-party integrations (such as Google services), Pearl requests only the minimum permissions necessary to provide the features you activate. Integration data is not retained beyond what is strictly necessary for the Service.

For further details on Pearl's security practices, please visit our Trust Center at https://trust.heypearl.ai.

‍

5.1 Sensitive Data

‍

Certain data processed through the Service is considered sensitive in nature. This includes, but is not limited to:

• The content of professional communications accessed via Gmail (email body, subject line, sender, and recipients)
• Calendar events and meeting details accessed via Google Calendar
• CRM records and business contact information
• Any personal data retrieved from third-party integrations authorized by you

Pearl applies the following specific protections to sensitive data:

(a) Encrypted in transit and at rest: All sensitive data is encrypted using TLS during transmission and encrypted at rest using industry-standard protocols.

(b) Strict access controls: Access to sensitive data is limited to authorized Pearl personnel with a specific operational need, is logged, and is subject to audit.

(c) Minimal collection: Pearl accesses only the data fields strictly necessary to provide the features you activate — no more.

(d) No secondary use: Sensitive data is never used for advertising, sold to third parties, or used to train AI models.

(e) Deleted on disconnection: Sensitive data retrieved from Google services is permanently deleted when you disconnect the integration or delete your account.

(f) SOC 2 Type II: Pearl's handling of sensitive data is covered under our SOC 2 Type II certification, independently audited for security, confidentiality, and availability controls.

‍

6. Data Retention and Deletion

‍

Pearl retains personal data only for as long as necessary to provide the Service and fulfill the purposes described in this Policy, or as required by applicable law.

(a) Account data: deleted upon account deletion, subject to legal retention requirements;
(b) Usage and technical data: retained for a maximum of twenty-four (24) months;
(c) Content data: deleted upon account deletion, except for content shared within your organization as described in the Terms of Service;
(d) Integration data: retained only for as long as strictly necessary to provide the Service feature for which it was accessed, and deleted upon account termination or upon your request.

You may request deletion of your personal data at any time by contacting contact@heypearl.ai. Upon a valid deletion request, Pearl will delete or anonymize your personal data within a reasonable timeframe, except where retention is required by law.

‍

7. Legal Basis for Processing (GDPR)

‍

Processing of personal data is carried out on the following legal bases under the General Data Protection Regulation (EU) 2016/679 ("GDPR"):

(a) Performance of a contract: processing necessary to provide the Service in accordance with your Subscription Agreement;
(b) Legitimate interest: processing necessary for the security, improvement, and proper functioning of the Service;
(c) Legal obligation: processing required to comply with applicable laws and regulations;
(d) Consent: where required, processing based on your freely given, specific, and informed consent (including for non-essential integrations).

‍

8. International Data Transfers

‍

Where personal data is transferred outside the European Economic Area, Pearl ensures that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.

‍

9. Your Rights

‍

In accordance with applicable data protection laws, including the GDPR, you have the right to:

(a) Access your personal data held by Pearl;
(b) Rectify inaccurate or incomplete personal data;
(c) Request the erasure of your personal data;
(d) Restrict or object to the processing of your personal data;
(e) Receive your personal data in a portable format;
(f) Withdraw consent at any time, where processing is based on consent;
(g) Lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) or another competent supervisory authority.

To exercise any of these rights, please contact Pearl at contact@heypearl.ai.

‍

10. Data Breach Response

‍

In the event of a personal data breach likely to result in a risk to your rights and freedoms, Pearl will notify the relevant supervisory authority (CNIL) within 72 hours of becoming aware, and will inform affected individuals without undue delay, in accordance with GDPR Articles 33–34.

‍

11. Changes to This Policy

‍

Pearl may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting a notice within the Service or by sending an email to the address associated with your account. Your continued use of the Service after the effective date of any update constitutes your acceptance of the revised Policy.

‍

12. Contact

‍

For any questions or concerns regarding this Privacy Policy or Pearl's data practices, please contact:

‍

Pearl SAS
11 Rue Sauffroy, 75017 Paris, France
Email: contact@heypearl.ai
Trust Center: https://trust.heypearl.ai

‍