Privacy Policy – B4 My Meeting (B4MM)

Last Updated: September 2025

About This Privacy Policy

B4 My Meeting (B4MM) is a platform where professionals can analyze publicly available data to generate personality insights and relationship matching for business meetings. We also offer tools that analyze public LinkedIn data to provide personality predictions based on professional experience, writing style, and other publicly available information.

This Privacy Policy explains:

  • What data we collect from you

  • How we collect, use, process, store, and share your data

  • Who we share your data with

  • Your rights regarding your personal data

Important: This Privacy Policy applies globally. For users in the EU/UK, additional protections apply under GDPR/UK GDPR (see Section 12).


1. Who We Are

B4 My Meeting (B4MM)
Operated by: Sherpact
Address: 10 rue Saint Germain, 78230 Le Pecq, France
Contact: privacy@b4mm.com
Data Protection Officer: Laurent Garnier (laurent@b4mm.com)

Depending on the context and contractual arrangements, B4MM may act as an independent Controller or as a Processor on behalf of enterprise customers, under Data Processing Agreements.


2. Data We Collect

2.1 User Data (B4MM Customers)

When you create an account and use our services, we collect:

  • Account Information: Name, email address, billing information

  • Usage Data: Service usage history, generated insights, preferences

  • Connected Accounts: When you connect LinkedIn or other professional accounts (authentication only – we do not access private content)

  • Public LinkedIn Profile: Your public LinkedIn information analyzed to create your personality insights

2.2 Non-User Data (Analyzed Individuals)

For individuals who are analyzed but don’t have B4MM accounts:

  • Public LinkedIn Data Only: Name, job title, professional experience, public posts, skills, and other publicly available professional information

  • Generated Insights: Personality predictions and relationship matching derived from public data

  • No Private Data: We never collect private messages, non-public posts, or sensitive personal information


3. How We Use Your Data

3.1 Service Provision

  • Generate professional personality insights

  • Provide relationship matching and communication recommendations

  • Optimize business meeting preparation

  • Improve and personalize our services

3.2 Business Operations

  • Process payments and manage accounts

  • Provide customer support

  • Analyze usage patterns to improve our platform

  • Comply with legal obligations

3.3 Research and Development

We use aggregated, anonymized data to:

  • Train and improve our machine learning algorithms

  • Create population-level personality research (anonymized)

  • Develop new features and insights


4. Legal Basis for Processing (EU/UK Users)

See our GDPR FAQ for detailed information, including lawful bases, rights, and supervisory authorities.


5. Data Sharing and Disclosure

5.1 No Sale of Data

We never sell or rent your personal data to third parties.

5.2 Service Providers

We share data with trusted service providers who help us operate our platform:

  • Cloud Hosting: Vercel (US-based, with appropriate safeguards)

  • Data Enhancement: Professional data providers (for public information only)

  • Payment Processing: Secure payment processors

5.3 Legal Requirements

We may disclose data when required by law or to protect our rights and safety.


6. Data Retention

6.1 User Accounts

  • Free Users: 12 months after account creation or last use

  • Paid Users: Duration of subscription plus 12 months

  • Deletion Rights: Users can delete their accounts and all associated data at any time

6.2 Non-User Analysis

  • Generated Insights: Stored only as long as the requesting user maintains their account, unless the individual objects to processing (in which case insights are deleted).

  • Source Data: Not stored beyond analysis completion

  • Anonymized Data: May be retained indefinitely for research (fully anonymized)


7. Your Rights

You have the following rights regarding your personal data:

  • Access: Request copies of your data

  • Correction: Update inaccurate information

  • Deletion: Request removal of your data

  • Restriction: Limit how we process your data

  • Portability: Receive your data in a portable format

  • Objection: Object to processing, including profiling

📩 To exercise these rights: contact privacy@b4mm.com


8. Data Security

We implement comprehensive security measures including:

  • Encryption: Data encrypted in transit and at rest

  • Access Controls: Strict employee access limitations

  • Regular Audits: Security assessments and monitoring

  • Incident Response: Procedures for data breach notification


9. International Data Transfers

Data may be transferred outside your country for processing.

For EU/UK users:

  • Adequacy Decisions: Where available

  • Standard Contractual Clauses: EU Commission-approved safeguards

  • UK Addendum / IDTA: Applied where required under UK law

  • Additional Safeguards: Technical and organizational measures


10. Personality Insights and Profiling

10.1 Nature of Our Service

Our personality insights are:

  • Predictions, not facts: Based on algorithmic analysis of public data

  • Professional focus: Limited to workplace communication and behavior

  • Non-sensitive: We avoid generating insights related to health, political views, or other sensitive categories

  • Non-automated decisions: No automated decisions are made that produce legal or similarly significant effects

10.2 Transparency

  • Insights are clearly marked as “predictions”

  • Methodology available upon request

  • Confidence levels and limitations disclosed


11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via:

  • Email to registered users

  • Prominent notice on our platform

  • Updated “Last Modified” date


12. Regional Specific Information

12.1 EU/UK Users (GDPR/UK GDPR)

Additional protections and rights apply. See our GDPR FAQ for detailed information including:

  • Lawful basis explanations

  • Data Processing Agreement (DPA) information

  • Supervisory authority contact information

  • Right to lodge complaints with data protection authorities

12.2 California Users (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Data We Collect and Use

| Category of Personal Data | Examples | Source | Purpose of Use | Shared With | Retention |
|---|---|---|---|---|---|
| Identifiers | Name, email address, account login | Provided by you | Service provision, account management, support | Cloud hosting, payment processors | Duration of account + 12 months |
| Commercial Information | Subscription details, payment history | Provided by you | Billing, subscription management | Payment processors | Duration of account + 7 years (legal obligation) |
| Internet/Usage Data | Log data, usage history, preferences | Collected automatically when you use the platform | Service improvement, personalization, analytics | Cloud hosting, analytics providers | Duration of account + 12 months |
| Professional Information | Job title, skills, experience, public LinkedIn profile | Publicly available LinkedIn data | Generate insights and relationship matching | Data providers (public info only) | Not retained after analysis (only generated insights kept) |
| Derived Data (Insights) | Personality predictions, communication style assessments | Derived from public data via algorithms | Provide meeting preparation insights | Shared with the requesting User only | Retained as long as the account is active, unless deletion requested |
| Payment Information | Credit card details, billing address | Provided by you | Payment processing | Payment processors | Until payment completed + legal retention period |
| Aggregated/Anonymized Data | De-identified insights | Internal analysis | Research and development | Not shared | Retained indefinitely |

Your CCPA/CPRA Rights

California residents have the following rights:

  • Right to Know: Request disclosure of categories and specific pieces of personal data collected.

  • Right to Delete: Request deletion of personal data, subject to legal exceptions.

  • Right to Correct: Request correction of inaccurate personal data.

  • Right to Opt Out of Sale/Sharing: B4MM does not sell or share your data for cross-context behavioral advertising.

  • Right to Limit Use of Sensitive Personal Data: B4MM does not collect sensitive personal information as defined under CPRA.

  • Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.


How to Exercise Your Rights

📩 Contact us at privacy@b4mm.com with the subject line “CCPA Request”.

We will verify your request using reasonable methods (such as confirming your email address or account information). You may also authorize an agent to submit a request on your behalf, provided they supply proof of authorization.

Response timeline: within 45 days (extendable by an additional 45 days if reasonably necessary, with notice).


13. Contact Us

  • General Privacy Questions: privacy@b4mm.com

  • Data Protection Officer: Laurent Garnier (laurent@b4mm.com)

  • EU/UK Complaints: Your local data protection authority


14. Acceptance and Consent

By using B4MM services, you acknowledge that you have read and understood this Privacy Policy.

  • Free Users: By creating an account, you consent to the processing described herein for optional features.

  • Paid Users: Processing is based primarily on our contract with you, and additionally on any consents you provide.

  • Non-Users: Processing is based on legitimate interest.

Important Disclaimer:
B4MM provides personality insights as advisory predictions only. Customers are solely responsible for how they use the insights in their professional activities. B4MM does not accept liability for business or HR decisions based on the insights.

GDPR – Frequently Asked Questions

Introduction

With customers based across the EU and UK, we understand the importance of GDPR compliance.
This FAQ explains B4MM’s approach to data protection and how we collaborate with our users to ensure GDPR/UK GDPR compliance.

B4MM is a SaaS platform that provides on-demand personality insights and relationship matching for professional meetings. Insights are created exclusively through the analysis of publicly available professional data (primarily LinkedIn profiles).


Definitions

  • Controller: Determines how and why personal data is processed.

  • Processor: Processes personal data on behalf of and under instructions of a Controller.

  • Data Subject: An individual whose personal data is being processed.


1. What is B4MM’s role under GDPR?

Depending on the context, B4MM may act as an independent Controller, a Processor, or a Joint Controller.

  • For most processing activities (e.g., generating insights, platform analytics), B4MM acts as Controller, since we determine the purposes and means of processing.

  • For enterprise customers, where required by contract, B4MM may act as Processor, with a Data Processing Agreement (DPA) in place.


2. What processing does B4MM conduct?

| Service Type | Data Subjects | Personal Data Used | Processing Purpose |
|---|---|---|---|
| User Accounts | Registered Users | Account info, usage data, public LinkedIn profile | Service provision, account management |
| Profile Analysis | Non-Users (Analyzed Individuals) | Public LinkedIn data only | Generate personality insights for users |
| Platform Analytics | All Users | Aggregated, anonymized usage data | Service improvement, research |

3. How does B4MM source personal data?

3.1 User Data

  • Collected directly during registration

  • Public LinkedIn profile (with user consent when connected)

  • Usage data generated through platform interaction

3.2 Non-User Data (Analyzed Individuals)

  • Public Data Only: job titles, professional experience, public posts, skills, endorsements, summaries, awards, certifications

  • Not collected: private messages, non-public social media content, financial data, health or sensitive personal data

3.3 Technical Implementation

  • No Direct Scraping: We rely on authorized data providers and APIs

  • Client-Side Analysis: Some processing occurs locally in the user’s browser

  • No Data Storage: Original text samples are not retained after analysis


4. Which lawful basis applies under GDPR?

4.1 For Registered Users

  • Contract Performance (Art. 6.1.b): To provide subscribed services

  • Consent (Art. 6.1.a): For optional features and marketing communications

4.2 For Non-Users (Analyzed Individuals)

  • Legitimate Interest (Art. 6.1.f), based on a documented Legitimate Interest Assessment (LIA) available to authorities on request.

Three-part assessment:

  • Purpose Test: Enhance communication and meeting preparation

  • Necessity Test: Limited to publicly available data, proportionate to purpose

  • Balancing Test:
    ✅ Low privacy impact: only public data used
    ✅ Professional context: results used for business purposes
    ✅ No automated decisions: insights are advisory only
    ✅ User responsibility: recipients responsible for how they use insights
    Right to object: always available, free of charge


5. How does B4MM ensure transparency?

5.1 For Users

  • Privacy policy and consent process

  • Clear information at registration

  • Regular updates on service changes

5.2 For Non-Users (Analyzed Individuals)

  • Multi-layered transparency approach:

    • Public information page explaining our service and rights

    • QR code access for quick information and opt-out

    • Direct contact for questions and objections

    • Proactive notification where email addresses are publicly available

  • Disproportionate Effort Exception: Where notifying each individual is not feasible, B4MM relies on Article 14.5(b) GDPR and provides enhanced public transparency measures.

5.3 Privacy Notice Information Provided

  • Identity and contact details of B4MM

  • Purposes of processing and lawful basis

  • Categories of personal data processed

  • Recipients of personal data

  • Retention periods

  • Rights of individuals and how to exercise them

  • Right to lodge complaints with authorities


6. Are personality insights considered “profiling”?

Yes, our insights are profiling (automated analysis of personal aspects).

However:

  • GDPR permits profiling when lawful

  • No automated decision-making: insights are advisory only

  • No legal or similarly significant effects arise from profiling

  • Focused on professional communication traits

  • Right to object at any time

We never generate insights about: health, politics, religion, sexual orientation, or personal relationships.


7. How long does B4MM retain data?

7.1 User Accounts

  • Free accounts: 30 days after last activity

  • Paid accounts: subscription duration + 12 months

  • Immediate deletion available on request

7.2 Non-User Analysis

  • Insights retained only while the requesting user maintains their account

  • Deleted without delay if the individual objects or requests erasure

  • Source data not retained after analysis

  • Fully anonymized research data may be kept indefinitely

7.3 User & Non-User Control

  • Users can delete accounts and data anytime

  • Non-users can request deletion of generated insights

  • Automated deletion processes ensure compliance


8. Security Measures

8.1 Technical

  • Encryption (in transit & at rest)

  • Role-based access & MFA

  • Firewalls, intrusion detection, secure hosting

  • Regular patching and vulnerability scans

8.2 Organizational

  • Staff data protection training

  • Strict access limitations (need-to-know basis)

  • Documented breach response procedures

  • Third-party security vetting


9. Sub-Processors

We work with carefully selected sub-processors:

| Service Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| Vercel | USA | Cloud hosting | SCCs, DPF, technical safeguards |
| Professional Data Providers | Various | Public data aggregation | DPAs, limited scope |
| Payment Processors | EU/USA | Billing & payments | PCI DSS compliance, encryption |

A full, up-to-date list of sub-processors is available upon request.


10. International Data Transfers

10.1 Legal Framework

  • Adequacy decisions where available (e.g., UK–EU bridge)

  • Standard Contractual Clauses (SCCs)

  • Additional technical/organizational safeguards

10.2 UK/US Transfers

  • For UK transfers: B4MM applies the IDTA or UK Addendum to SCCs

  • For US hosting: reliance on SCCs, Data Privacy Framework (DPF) where applicable, plus encryption & access controls


11. Exercising GDPR Rights

11.1 Available Rights

  • Access (Art. 15)

  • Rectification (Art. 16)

  • Erasure (Art. 17)

  • Restriction (Art. 18)

  • Portability (Art. 20)

  • Objection (Art. 21), including profiling

11.2 How to Exercise


12. Data Breach Response

  • Notify supervisory authority within 72h of awareness (Art. 33)

  • Notify affected individuals without undue delay if high risk (Art. 34)

  • Immediate containment, risk assessment, regulatory reporting, individual notification, remediation

  • Documented in breach register and reviewed for DPIA updates


13. Customer GDPR Audits

  • Possible once per year with 30 days’ notice (unless otherwise agreed)

  • Must not unreasonably interfere with operations

  • Documentation available: policies, processing records, sub-processor agreements, incident response, certifications

  • Additional costs may apply


14. Complaints


15. Additional Resources

  • Privacy Policy

  • Terms of Service

  • Data Processing Agreement (Enterprise)

  • Cookie Policy

Business Address: 10 rue Saint Germain, 78230 Le Pecq, France


Data Processing Agreement (DPA)

B4 My Meeting (B4MM)


Preamble

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between B4 My Meeting (B4MM), operated by Sherpact (“B4MM”, “we”, “us”), and the Customer (“Customer”, “you”) for the use of B4MM’s personality insight services (“Services”).

This DPA addresses the requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and other applicable data protection laws regarding the processing of personal data.


1. Definitions

  • Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with the relevant party.

  • Customer Data: Personal data that B4MM processes on behalf of Customer in connection with Customer’s use of the Services.

  • Data Subject: An identified or identifiable natural person to whom personal data relates.

  • EU Data Protection Laws: GDPR, UK GDPR, and laws implementing or supplementing these regulations.

  • Personal Data: Has the meaning given in applicable Data Protection Laws.

  • Processing: Has the meaning given in applicable Data Protection Laws.

  • Sub-processor: Any third party engaged by B4MM to process personal data on behalf of Customer.


2. Roles and Responsibilities

2.1 Controller and Processor Relationship

  • Customer as Controller / B4MM as Processor: For enterprise services performed on Customer’s instructions, Customer acts as Controller and B4MM acts as Processor.

  • B4MM as Independent Controller: For standard platform operations, account management, platform analytics, and processing of publicly available data outside Customer’s instructions, B4MM acts as an independent Controller.

2.2 Customer Responsibilities

Customer warrants that:

  • It has the lawful basis to instruct B4MM to process personal data.

  • It has provided appropriate privacy notices to data subjects.

  • It has obtained necessary consents or has another lawful basis.

  • Its instructions comply with applicable data protection laws.

2.3 B4MM Responsibilities

B4MM will:

  • Process personal data only on documented Customer instructions.

  • Ensure personnel are bound by confidentiality.

  • Implement technical and organizational security measures.

  • Assist Customer in responding to data subject requests.

  • Notify Customer of personal data breaches without undue delay.


3. Processing Details

  • Subject Matter: Provision of personality insight services through analysis of professional data.

  • Duration: For the term of the Services Agreement and until deletion of Customer Data.

  • Nature: Collection, analysis, storage, and deletion of personal data related to personality insights.

  • Purpose: Generate insights, provide relationship matching, optimize meeting preparation, improve Services.

  • Data Subjects: Users, analyzed individuals, assessment respondents.

  • Types of Data: User account data, publicly available professional profile data, generated insights.


4. Customer Instructions

  • Initial instructions are set in this DPA and the Services Agreement.

  • Additional instructions must be documented, agreed in writing, and lawful.

  • B4MM will inform Customer if instructions violate applicable law.


5. Security Measures

5.1 Technical

  • Encryption (in transit & at rest).

  • Role-based access & MFA.

  • Firewalls, intrusion detection, secure hosting.

  • Logical data separation.

5.2 Organizational

  • Personnel background checks & confidentiality.

  • Regular training.

  • Incident response procedures.

  • Ongoing monitoring and assessments.

5.3 Reviews

  • Annual security assessments.

  • Industry-standard best practices.

  • Documentation available on request.


6. Sub-processors

  • Customer grants general authorization for B4MM to use sub-processors.

Current sub-processors:

  • AWS – Cloud hosting (USA, SCCs + DPF + technical safeguards).

  • Professional Data Providers – Public data aggregation (Various, DPAs).

  • Payment Processors – Billing and payments (EU/USA, PCI DSS, encryption).

  • B4MM maintains an up-to-date list of sub-processors available upon request.

  • B4MM provides 30 days’ notice before adding or changing sub-processors.

  • Customer may object on reasonable data protection grounds.


7. International Data Transfers

  • Adequacy decisions where available.

  • Standard Contractual Clauses (SCCs).

  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs.

  • Additional technical/organizational safeguards and transfer impact assessments where required.


8. Data Subject Rights

  • B4MM assists Customer in handling requests (access, rectification, erasure, restriction, portability, objection).

  • Response to Customer within 10 business days.

  • Customer is responsible for responding to individuals within legal timeframes.

  • Fees may be charged only if requests are manifestly excessive or unfounded (Art. 12.5 GDPR).

  • If B4MM receives requests directly, it forwards them to Customer.


9. Data Retention and Deletion

  • Customer Data is retained only for service provision.

  • Terminated accounts: deleted within 30 days.

  • Backups: purged within 90 days.

  • Includes deletion of residual logical copies.

  • Certificate of deletion available on request.

  • Legal holds may extend retention.


10. Data Breach Response

  • B4MM assesses incidents within 2 hours.

  • Notifies Customer without undue delay and no later than 72h after confirmation.

  • Best effort target: notify within 24h of confirmation.

  • Breach report includes scope, impact, remediation.


11. Audits and Compliance

  • Customer may audit once per year with 30 days’ notice.

  • Scope limited to data protection/security measures.

  • Alternatives: certifications (ISO 27001, SOC 2), audit reports, policies.

  • Customer bears own costs. B4MM may charge for excessive support.


12. DPIA Assistance

  • B4MM provides information for Customer’s DPIA.

  • Customer remains solely responsible for conducting and documenting DPIAs.

  • If high-risk processing is identified, parties will agree on safeguards.


13. Liability & Indemnification

  • Subject to limits of the Services Agreement.

  • The party violating this DPA indemnifies the other for fines, penalties, and reasonable legal costs.


14. Term & Termination

  • Effective for the duration of the Services Agreement.

  • Upon termination, Customer Data is deleted per Section 9.

  • Confidentiality and audit rights survive for 12 months.


15. Amendments

  • B4MM may update this DPA to comply with law or improve practices.

  • 30 days’ notice for material changes.

  • Customer may terminate if unable to accept changes.


16. Governing Law & Disputes

  • For EU customers: French law applies.

  • For UK customers: laws of England and Wales apply.

  • For US customers: state law specified in Services Agreement applies.

  • Disputes resolved under the Services Agreement.


17. Contact


18. Signatures

B4 My Meeting (Sherpact)
Signature: ________________________
Name: Laurent Garnier
Title: Data Protection Officer
Date: _____________________

Customer
Signature: ________________________
Name: _____________________
Title: _____________________
Date: _____________________