Privacy Policy

Last updated: March 18, 2026

1. Introduction

This Privacy Policy describes how BFC GROUP, SAS (Société par actions simplifiée) with a share capital of €10,753.00, with its registered office at 14 rue Artaud, 69004 Lyon, registered with the RCS de Lyon under number 830 940 979 (hereinafter "We" or "AI x Leaders"), collects, uses, stores, and protects your personal data when you use the ai-x-leaders.com website and our services.

We act as the data controller within the meaning of Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter "GDPR") and the French Loi n° 78-17 of January 6, 1978 "Informatique et Libertés" as amended.

Data Controller Contact:
Elodie Hughes, Présidente (Chairwoman)
Email: elodie@ai-x-leaders.com

2. Data Collected

We collect the following categories of personal data:

2.1 Data You Provide Directly

Identification data: last name, first name, email address, phone number;
Professional data: job title, company, industry;
Billing data: postal address, billing details;
Registration data: program choice, payment method, exchanges related to your registration;
Content you publish: messages in the Circle community, exercise and challenge responses, comments.

2.2 Data Collected Automatically

Browsing data: IP address, browser type, operating system, pages viewed, visit duration, traffic source;
Cookies and similar technologies: see Section 7 below.

2.3 Data from Third Parties

Registration platforms: data transmitted via registration forms hosted on third-party platforms (Tally, Stripe, etc.);
Social networks: if you interact with us via LinkedIn or other social networks, we may receive certain information from your public profile.

3. Purposes and Legal Bases for Processing

Purpose	Legal Basis	Data Concerned
Management of registrations and delivery of training	Performance of contract (Art. 6.1.b GDPR)	Identification, professional data, billing
Billing and accounting	Legal obligation (Art. 6.1.c GDPR)	Identification, billing
Communication about our programs and news (newsletter, emails)	Consent (Art. 6.1.a GDPR)	Email, first name
Access to and management of the Circle community	Performance of contract (Art. 6.1.b GDPR)	Identification, published content
Improvement of the website and our services	Legitimate interest (Art. 6.1.f GDPR)	Browsing data
Responding to your requests and customer support	Performance of contract / Legitimate interest	Identification, exchanges
Compliance with our legal and regulatory obligations	Legal obligation (Art. 6.1.c GDPR)	All necessary data

4. Data Recipients

Your personal data may be shared with the following recipients, strictly to the extent necessary to fulfill the purposes described above:

Technical sub-processors: hosting provider (Cloudflare), training platform (Circle), payment platform (Stripe), emailing tool (Substack, or any other tool used), video conferencing tool (Zoom, Google Meet), automation and management tools;
Accounting and legal service providers: as part of our legal obligations;
Public authorities: in the event of a legal obligation or judicial requisition.

We do not sell or rent your personal data to third parties. We do not share your data for third-party advertising purposes.

5. Data Transfers Outside the EU

Some of our sub-processors (Cloudflare, Stripe, Circle, Zoom, etc.) may be established outside the European Economic Area, particularly in the United States. In such cases, transfers are governed by:

Standard Contractual Clauses (SCCs) approved by the European Commission;
The EU-US Data Privacy Framework, where the sub-processor is certified;
Or any other transfer mechanism compliant with the GDPR (Article 46).

You may obtain a copy of the safeguards in place by contacting us at elodie@ai-x-leaders.com.

6. Data Retention Periods

We retain your personal data only for the period necessary for the purposes for which it was collected:

Data Category	Retention Period
Data relating to an active client	Duration of the contractual relationship + 3 years from the end of the service
Billing data	10 years (legal accounting obligation)
Prospecting data (newsletter)	3 years from the last active contact, or until unsubscription
Browsing data / cookies	13 months maximum
Content published in the community	Duration of the contractual relationship, unless deleted by the user

Upon expiry of these periods, your data is deleted or anonymized.

7. Cookies

7.1 What Is a Cookie?

A cookie is a small text file stored on your device (computer, tablet, smartphone) when you visit a website. It allows the site to remember information about your visit.

7.2 Cookies Used on the Website

Cookie Type	Purpose	Legal Basis	Duration
Strictly necessary cookies	Website functionality, security, cookie preference storage	Legitimate interest	Session or 13 months max
Analytical cookies	Audience measurement, website improvement (e.g., Google Analytics, Plausible)	Consent	13 months max
Marketing / third-party cookies	Advertising tracking, conversion pixels (where applicable)	Consent	13 months max

7.3 Managing Your Preferences

On your first visit, a banner allows you to accept or refuse non-essential cookies. You can change your preferences at any time via the "Manage cookies" link at the bottom of the page, or through your browser settings.

Refusing analytical and marketing cookies does not affect your access to the website or services.

8. Your Rights

In accordance with the GDPR and the Loi Informatique et Libertés, you have the following rights:

Right of access (Art. 15 GDPR): obtain confirmation that your data is being processed and receive a copy;
Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected;
Right to erasure (Art. 17 GDPR): request the deletion of your data, subject to legal retention obligations;
Right to restriction of processing (Art. 18 GDPR): obtain the restriction of processing in certain cases;
Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used, and machine-readable format;
Right to object (Art. 21 GDPR): object to the processing of your data on legitimate grounds, or object to commercial prospecting;
Right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal;
Right to define directives regarding the fate of your data after your death (Loi Informatique et Libertés).

How to Exercise Your Rights

Send your request by email to: elodie@ai-x-leaders.com, specifying your last name, first name, and the nature of your request. Proof of identity may be requested in the event of reasonable doubt about your identity.

We commit to responding within 30 days of receiving your request. This period may be extended by 60 days in the case of complex requests, in which case you will be informed.

Filing a Complaint

If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

CNIL
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07
Website: https://www.cnil.fr

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure, including:

Encryption of data in transit (HTTPS / TLS);
Data access limited to authorized personnel;
Use of sub-processors compliant with recognized security standards;
Regular updates of the tools and platforms used.

10. Changes to the Privacy Policy

We reserve the right to modify this Privacy Policy at any time. In the event of a substantial change, we will notify you by email or through a visible notification on the website. The date of the last update is indicated at the top of this page.

11. Contact

For any questions regarding this Privacy Policy or the processing of your personal data, please contact us:

BFC GROUP — AI x Leaders
Elodie Hughes
Email: elodie@ai-x-leaders.com
Address: 14 rue Artaud, 69004 Lyon, France