Privacy Policy

Last updated: 19/11/2025

Who we are

Name: Blue Morpho (“we”, “us”, “our”)
Address: 122 Rue Amelot, 75011 Paris, France
Company registration: 982 522 286, RCS Paris
Website: getbluemorpho.com (the “Website”)
Contact details of the Data Protection Officer: dpo@getbluemorpho.com

Who are the data subjects?

We process personal data from:

  • our customers’ representatives

  • our suppliers’ representatives

  • candidates for employment with us

  • visitors to our Website and premises

  • other data subjects

(collectively, the “data subjects”, “you”, “your”).

This Privacy Policy (the “Policy”) applies to any processing of your personal data by us.

Our commitment to data protection

We undertake to use our best efforts to ensure that our personal data processing activities comply with applicable data protection law, including:

  • Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the “GDPR”), and

  • the French Data Protection Act of 6 January 1978, as amended, supplemented, or replaced from time to time (the “Applicable Data Protection Law”).

For which purposes do we process your personal data?

If you are a representative of one of our customers

We process:

  • personal identification, professional identification, and contact data for the activation, management, and continuation of the commercial relationship with our customers

  • personal and professional identification data to follow up on invoicing

  • bank details, where applicable, to process payments

  • contact data for marketing communications, where permitted by law or based on your consent

If you are a representative of one of our suppliers

We process your personal, professional, and contact data to manage our commercial relationship with our suppliers.

If you are a candidate for employment

We process your personal, professional, and contact data, as well as data related to your professional life (skills, qualifications, experience) and any information contained in your CV, to assess your profile in relation to our recruitment needs.

If you visit our Website

We may process your electronic identification data in aggregate form to measure traffic, improve browsing experience, and detect or prevent fraud and computer security breaches.

Additional purposes

We may also process personal data to:

  • conduct operations to restructure our activities

  • carry out internal and external audits

  • manage disputes and exercise or defend legal claims

We do not subject data subjects to decisions based solely on automated processing that produce legal effects or similarly significant impacts.

In what capacity do we process your personal data?

We act as a data controller, determining the purposes and means of the processing of your personal data.

On which basis do we process your personal data?

The processing of your personal data may be based on one or more of the following:

  • Contractual necessity: to perform a contract or pre-contractual measures at your request (e.g. collaboration or employment application)

  • Legal obligation: to comply with applicable laws (e.g. accounting, taxation)

  • Legitimate interests: to pursue our legitimate business purposes, provided they do not override your rights and freedoms. Our legitimate interests include maintaining and improving our services, ensuring information security, and managing business relationships effectively.

  • Consent: where required (e.g. for marketing communications or use of image rights)

We obtain your free, prior, and informed consent whenever required.

The provision of certain data (e.g. identification or contact details) may be necessary for us to provide our services or fulfill legal obligations. Failure to provide such data may prevent us from performing our services or complying with the law.

We only rely on consent where it is legally required, and we never make the provision of our services conditional on consent to unnecessary data processing.

Where do we source your personal data?

We collect data:

  • directly from you (e.g. during initial contact or service interaction)

  • from publicly available information (e.g. professional profiles or online data when assessing candidates)

Who has access to your personal data?

The following may receive or have access to your personal data (only as necessary for their tasks):

  • our commercial and administrative staff (customer data)

  • our supplier management staff (supplier data)

  • our legal advisors and lawyers (in connection with restructuring or litigation)

We may also share data with processors acting on our behalf, strictly in accordance with our instructions and Applicable Data Protection Law.
 A list of subprocessors is available upon request.

In case of business restructuring (e.g. financing operation), limited personal data may be shared with third parties such as banks, in compliance with Applicable Data Protection Law.

How do we manage our processors?

We ensure that all processors:

  • process personal data only on our instructions

  • do not appoint subprocessors without our prior authorization

  • implement appropriate technical and organizational security measures

  • ensure confidentiality of personnel handling data

  • return or delete data upon termination of services

  • cooperate with audits and assist us in handling data subject rights requests

Where do we process your personal data?

Some recipients may be located or may process personal data outside the European Economic Area (EEA).
 When transfers occur, we apply appropriate safeguards:

  • transfers to countries recognized by the European Commission as providing adequate protection (Article 45 GDPR); or

  • contracts incorporating the European Commission Standard Contractual Clauses (Article 46 GDPR); or

  • for transfers to the United States, certification under the EU–US Data Privacy Framework (Article 45 GDPR).

Retention periods

We retain personal data only as long as necessary for the purposes for which they are processed.

Specifically:

  • Invoices and accounting documents: seven (7) years from the end of the accounting year, as required by law

  • Candidate data: retained for up to two (2) years after the last contact if the application is not successful.

  • Customer and supplier contact data: retained for up to three (3) years after the end of the commercial relationship.

  • Marketing contact data: retained for up to three (3) years after last interaction or until consent is withdrawn.

  • Other data: determined based on:

    • the date of our last contact

    • ongoing disputes or potential claims

    • legal obligations or security considerations

Cookies and tracking technologies

Our Website uses cookies and similar technologies for functionality, analytics, and performance improvement. Non-essential cookies are only placed with your consent. You can manage your preferences at any time through our cookie banner or by visiting our Cookie Policy.

For essential cookies necessary for the Website’s operation, consent is not required.

Your rights

Subject to Applicable Data Protection Law, you have the following rights:

  • Right to be informed: obtain clear, transparent, and understandable information about processing.

  • Right of access: confirm whether we process your personal data and obtain a copy.

  • Right to rectification: correct inaccurate or incomplete data.

  • Right to erasure (“right to be forgotten”): request deletion, subject to legal retention requirements.

  • Right to object: object to processing based on legitimate interests or for marketing purposes.

  • Right to restriction: request limitation of processing under certain conditions.

  • Right to data portability: receive your data in a structured, machine-readable format and transmit it to another controller.

  • Right to set post-mortem guidelines: define instructions for your data after death.

  • Right to withdraw consent: withdraw consent at any time when processing is based on consent.

Requests may be sent to our Data Protection Officer using the contact details below.
 We respond as promptly as possible and within the timeframes required by law.
 We may request proof of identity to verify your request.

Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with processing personal data.
We follow industry best practices to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Questions or complaints

If you have any questions or complaints about how we process your personal data, please contact our Data Protection Officer first:
 Email: dpo@getbluemorpho.com

You also have the right to lodge a complaint with the competent supervisory authority:

Commission Nationale de l’Informatique et des Libertés (CNIL)
 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
 Phone: +33 (0)1 53 73 22 22

Updates

We reserve the right to update this Policy from time to time.

Any changes will be posted on the Website and, where appropriate, communicated directly to you.

In case of conflict or inconsistency between this Policy and another document concerning data protection, this Policy prevails.

The latest version of this Policy, identified by its update date and version number, will always be available on our Website.

Contact

Blue Morpho SAS 122 Rue Amelot 75011 Paris, France Email: dpo@getbluemorpho.com