LETTRIA PERSEUS

PRIVACY POLICY

TURFU SAS — Paris Trade and Companies Register 835 074 857

21, rue de Berri, 75008 Paris, France — hello@lettria.com

Version: 2026-05-26

Effective date: May 25, 2026

At Lettria, the protection of your personal data is a priority.

When you use the websites accessible on the subdomains perseus.lettria.com, perseus.lettria.net and app.perseus.lettria.net as well as all their respective subdomains (the “Site”), and when you use the Perseus Platform (web console and API), we may collect personal data about you.

The purpose of this policy is to inform you of the terms under which we process such data in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), the French Act No. 78-17 of 6 January 1978 on information technology, data files and civil liberties (together the “Applicable Regulations”) and Directive 2002/58/EC as transposed.

1. Who is the data controller?

When you browse our Site and use the Platform, the data controller is TURFU, doing business as Lettria, SAS, registered with the Paris Trade and Companies Register under no. 835 074 857, with its registered office at 21, rue de Berri, 75008 Paris, France (“We”).

When you use the Platform in the context of a professional activity to process Documents likely to contain personal data relating to third parties, you act as data controller and Lettria acts as a processor within the meaning of Article 28 of the GDPR. The terms of such processing are governed by the Data Processing Agreement (DPA) attached to the Terms.

For any question relating to this policy or to the processing of your data, you may contact our data protection officer at: dpo@lettria.com.

2. What data do we collect?

Personal data is data that allows the identification of an individual, directly or by cross-referencing with other data.

We collect the following categories of personal data:

2.1 Account and identification data

Last name, first name, email address, telephone number (where applicable);
Account identifier, password (in hashed form);
Professional information: entity affiliation, role, declaration of professional use.

2.2 Billing data

Company name, billing address, intra-EU VAT number where applicable;
Consumption and billing history;
Last four digits and type of credit card (for identification purposes only);
Full banking data is collected and stored directly by our payment services provider (PSP), Stripe (see Section 4).

2.3 Browsing and usage data

Type of device, operating system, browser, screen resolution, browser language;
Country, region, city (inferred from IP address);
Page URL, page title, referrer (source), UTM parameters, host name, timestamp;
Custom events (interactions with the interface), session properties (session identifier, user identifier);
Login logs and API usage logs.

2.4 Documents submitted via the Platform

The text documents (the “Documents”) that you submit to the Platform in connection with your use of the Services may contain personal data concerning you or concerning third parties. When you act as a professional Customer, you are responsible for the processing of such data and Lettria acts as a processor; the terms of such processing, the retention periods and Lettria’s commitments (in particular the prohibition on use for the training of AI models and the default 90-day retention) are governed by the DPA and by Article 11 of the Terms.

2.5 Contact and support data

Any information that you send us as part of your contact, support or complaint requests.

Mandatory data is identified when you provide it. It is signaled by any appropriate means.

3. On what legal bases, for what purposes and for how long do we retain your personal data?

Purpose	Legal basis	Retention period
Providing our services available on our Site and via your Account (account creation, access to the console and the API, management of workspaces and members).	Performance of the contract entered into between You and Us (Article 6(1)(b) GDPR).	Account data: retained for the entire duration of the Account. Login logs: 1 year (in compliance with the French LCEN Act and CNIL recommendations). Account inactive for 2 years: sending of a reactivation email, then deletion in the absence of a response within a one (1) month period.
Processing the Documents you submit via the Platform and generating the associated Deliverables.	Performance of the contract (Article 6(1)(b) GDPR). For data contained in the Documents, Lettria acts as a processor; the legal basis is then the responsibility of the Customer as data controller.	Documents and Deliverables are retained for 90 days by default, or for the duration configured by the Customer from the console, in accordance with Article 11.4 of the Terms.
Billing the Services and collecting payments.	Performance of the contract (Article 6(1)(b) GDPR) and legal accounting and tax obligations (Article 6(1)(c) GDPR).	Transactional data (excluding banking data): 5 years (Article L. 123-22 of the French Commercial Code). Supporting documents related to the contract: 10 years from the end of performance (Article L. 123-22 of the French Commercial Code).
Analyzing your use of the Services, understanding your expectations and improving the features offered (analysis of exchanges, aggregated audience and navigation statistics).	Our legitimate interest in improving our services (Article 6(1)(f) GDPR); where applicable, your prior consent for non-essential cookies (Article 82 of the French Data Protection Act).	Data retained for a maximum of 25 months, in accordance with CNIL recommendations. Once anonymized, this data is no longer considered personal and may be retained without time limit.
Building a customer and prospect database.	Our legitimate interest in developing and promoting our business (Article 6(1)(f) GDPR).	Customers: throughout the contractual relationship. Prospects: 3 years from the last active contact.
Sending newsletters, solicitations and promotional messages by email.	For customers: our legitimate interest in informing them (similar products, Article L. 34-5 of the French Post and Electronic Communications Code); for prospects: your prior consent (Article L. 34-5 of the French Post and Electronic Communications Code).	3 years from the last active contact or the withdrawal of consent.
Responding to your requests for information, contact or support.	Our legitimate interest in responding to your requests (Article 6(1)(f) GDPR).	3 years from the last contact.
Managing requests to exercise rights (access, rectification, erasure, etc.).	Legal obligation (Article 6(1)(c) GDPR, Articles 12 to 22 of the GDPR).	Proof of identity (where applicable): retained only for the time necessary for verification. Record of the request and the response: 5 years from the response, for evidentiary purposes.
Retaining administrative information and documents related to our business, legal defense.	Legal obligation (Article 6(1)(c) GDPR) and legitimate interest in defending our rights (Article 6(1)(f) GDPR).	Transactions (excluding banking data): 5 years. Contracts and signature-related documents: 10 years from the end of performance of the services. Evidentiary archiving after active deletion: duration corresponding to the applicable civil prescription period (Article 2224 of the French Civil Code), i.e. 5 years, in a separate environment with restricted access.

4. Who are the recipients of your data?

The following will have access to your personal data, within the limits of their respective authorizations:

The authorized personnel of our company (product, engineering, support, finance, compliance teams);
Our Subprocessors, the exhaustive list of which applicable to the provision of the Services is set out below and reflects the list set out in Article 3 of the DPA;
Where applicable: public and private bodies (administrative, judicial, accounting authorities), exclusively to meet our legal obligations;
Where applicable: our advisers (lawyers, certified public accountants, statutory auditors) bound by confidentiality obligations.

List of the main Subprocessors:

Subprocessor	Purpose	Location	Safeguards
Amazon Web Services (AWS)	Hosting of the Platform, storage of Documents and Deliverables, hosting of the Bedrock service.	Primary EU region (eu-west-3 Paris), with maintenance/support that may be provided from the United States.	SCCs, Data Privacy Framework certification, commitment of non-use for training.
Google LLC (Google AI Studio / Gemini)	Language model processing for ontology generation and graph extraction.	United States.	SCCs, Data Privacy Framework certification, enterprise API configuration excluding training.
Anthropic PBC (via AWS Bedrock)	Language model processing for ontology generation and graph extraction.	United States; possible access via EU Bedrock depending on configuration.	SCCs (via AWS Bedrock), commitment of non-use for training.
Datadog, Inc.	Storage and analysis of infrastructure and monitoring logs.	United States (EU residency options).	SCCs, Data Privacy Framework certification.
Stripe Payments Europe Ltd / Stripe Inc.	Payment services provider (payment processing, fraud prevention).	Ireland (European entity); occasional flows to the United States.	SCCs, Data Privacy Framework certification.

The up-to-date list of Subprocessors (including those acting for ancillary functions such as transactional email delivery, customer support management or internal productivity tools) is available upon request at dpo@lettria.com.

5. May your data be transferred outside the European Union?

Your data is primarily hosted on the servers of our infrastructure provider Amazon Web Services in the European Union region (Paris).

However, some processing operations involve transfers to third countries, in particular to the United States:

The language models we use for ontology generation and graph extraction (Google Gemini, Anthropic Claude via AWS Bedrock) may be hosted and processed in the United States;
Our monitoring solution (Datadog) may store certain technical data in the United States;
Our payment services provider (Stripe) may occasionally transfer data to the United States for fraud and operational needs;
AWS technical support may be provided from the United States.

The transfer of your data in this context is secured by the following safeguards, set out in Chapter V of the GDPR:

European Commission adequacy decisions (Article 45 of the GDPR), in particular our US providers’ certification under the Data Privacy Framework (DPF) (Implementing Decision (EU) 2023/1795 of 10 July 2023). AWS, Google LLC, Anthropic PBC, Datadog and Stripe Inc. are DPF-certified as of the date of this policy;
Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914 of 4 June 2021) where the adequacy decision does not apply or as a complement thereto;
Complementary technical, contractual and organizational measures where Transfer Impact Assessments so require, in accordance with the Schrems II case law (CJEU, 16 July 2020, Case C-311/18).

You may obtain a copy of the applicable safeguards upon request at dpo@lettria.com.

6. Cookies and trackers

We use cookies and other trackers on the Site and the Platform. A cookie is a small file placed on your terminal (computer, smartphone, tablet) when you access the Site.

We distinguish between:

Essential (or strictly necessary) cookies: indispensable to the operation of the Site and the Platform (authentication, security, load balancing, storage of technical preferences). These cookies do not require your prior consent, in accordance with Article 82 of the French Data Protection Act.
Audience measurement and performance cookies: enable us to understand how you use the Site and the Platform in order to improve it. Where they are not exempted by the CNIL guidelines, their placement is subject to your prior consent.
Third-party and advertising cookies: where applicable, placed by third-party partners and subject to your prior consent.

Upon your first visit, a consent banner enables you to accept, refuse or fine-tune your preferences for non-essential cookie categories. You may modify your choices at any time from the “Cookie Settings” link accessible in the footer of the Site.

The detailed list of cookies used, their purpose, their duration and their issuer is accessible from the cookie management center.

7. What are your rights over your data?

You have the following rights over your personal data:

Right to information (Articles 13 and 14 of the GDPR): this is precisely the purpose of this policy.
Right of access (Article 15 of the GDPR): you may at any time access all of your personal data and obtain a copy thereof.
Right to rectification (Article 16 of the GDPR): you may at any time rectify your inaccurate, incomplete or outdated personal data.
Right to restriction (Article 18 of the GDPR): you may obtain the restriction of the processing of your data in certain cases defined by the GDPR.
Right to erasure (Article 17 of the GDPR): you may require that your personal data be erased in the cases provided for by the GDPR.
Right to data portability (Article 20 of the GDPR): you may receive the data you have provided to us in a structured, commonly used and machine-readable format, and require its transfer to the recipient of your choice.
Right to object (Article 21 of the GDPR): you may object to the processing of your personal data, in particular to profiling. We may maintain the processing despite this objection on compelling legitimate grounds or for the defense of legal claims.
Right to withdraw your consent (Article 7 of the GDPR): for purposes based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out before such withdrawal.
Right to define directives relating to the retention, erasure and communication of your personal data after your death, in accordance with the French Data Protection Act.
Right to lodge a complaint with a competent supervisory authority (Article 77 of the GDPR). In France, the CNIL — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr.

You may exercise these rights by writing to us at the contact details set out in Section 8 below. We may, on this occasion, ask you to provide us with additional information or documents to verify your identity.

If you have used the Platform as a professional Customer and the request relates to data contained in Documents submitted by you or by a third-party Customer, we will forward the request to the relevant Customer in accordance with Article 1.2.4 of the DPA.

8. Contact point to exercise your rights

For any request relating to your personal data or to exercise your rights:

Email: dpo@lettria.com
Postal address: TURFU SAS — Lettria, 21, rue de Berri, 75008 Paris, France

We undertake to respond to your request within one (1) month of receipt, extendable by two (2) additional months for complex or numerous requests, in accordance with Article 12 of the GDPR.

9. Amendments to this policy

We may amend this policy at any time, in particular to comply with any regulatory, judicial, editorial or technical developments. These amendments will apply from the effective date of the amended version.

You are therefore invited to consult the latest version of this policy regularly. We will inform you by email at the address associated with your Account of any significant change to this privacy policy, at least thirty (30) days before its entry into force.

Effective date of this version: May 25, 2026.