Protocol 7 AI — Privacy Policy

Section 1

Data Controller

The data controller responsible for the processing of your personal data is:

Protocol 7 AI

Operated by: Cyril CORNET EI
Micro-entreprise registered in France
Address: 200 rue de la Croix Nivert, 75015 Paris, France
SIRET: 102 471 166 00011
Email: [email protected]

As a micro-entreprise with fewer than 250 employees, Protocol 7 AI is not required to designate a Data Protection Officer (DPO) under Article 37 of the GDPR. However, all data protection inquiries can be directed to [email protected] and will be handled within 30 days.

Section 2

Data We Collect

Protocol 7 AI collects and processes the following categories of personal data:

Data you provide directly:

Email address — provided at subscription, used to deliver the Service and communicate with you

Name — if provided during subscription or correspondence

Data collected by our payment processor:

Billing information — credit/debit card details, billing address, and transaction records are collected and processed exclusively by Whop (Whop Inc.) as merchant of record. Protocol 7 AI does not directly access, store, or process your payment card details.

Data collected automatically:

Email engagement data — our email delivery provider (Resend) may collect technical data such as whether an email was delivered, opened, or if links were clicked. This data is used solely to monitor deliverability and improve the Service.

Subscription status — active, cancelled, or expired status as communicated by Whop

Data we do NOT collect:

We do not collect IP addresses through our website

We do not use third-party analytics (no Google Analytics, no Meta Pixel, no advertising trackers)

We do not collect any financial, investment, or portfolio data from subscribers

Section 3

How We Use Your Data

Your personal data is processed for the following purposes:

Deliver the Service — send daily, weekly, and monthly briefings to your registered email address

Manage your subscription — process subscription creation, renewal, cancellation, and communicate account-related information

Process payments — facilitate billing through Whop, including invoicing and refunds

Improve the Service — analyse aggregate email deliverability metrics (open rates, bounce rates) to ensure reliable delivery

Respond to enquiries — answer your questions and provide customer support

Comply with legal obligations — maintain billing records as required by French accounting and tax law

We do not use your data for profiling, automated individual decision-making, or targeted advertising. Your data is never sold, rented, or shared with third parties for marketing purposes.

Section 4

Legal Basis for Processing

In accordance with Article 6 of the GDPR (Regulation (EU) 2016/679), we process your personal data on the following legal bases:

      Article 6(1)(b) — Performance of a contract

      Processing your email address and subscription data is necessary to perform the subscription contract between you and Protocol 7 AI — specifically, to deliver the briefings you have subscribed to.

      Article 6(1)(f) — Legitimate interest

      Processing aggregate email engagement data (delivery, open, and bounce rates) is based on our legitimate interest in ensuring service reliability and improving deliverability. This processing is minimal, non-intrusive, and does not override your rights and freedoms.

      Article 6(1)(c) — Legal obligation

      Retaining billing records and transaction data for the legally required period is necessary to comply with French accounting and tax obligations.

Section 5

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy:

Email address and subscription data — retained for the duration of your active subscription. Upon cancellation, your email is removed from active mailing lists within 30 days.

Billing records and invoices — retained for 10 years after the transaction date, as required by French accounting law (Article L123-22 of the Code de commerce) and tax law (Article L102 B of the Livre des procédures fiscales).

Email engagement data — aggregate engagement metrics are retained for up to 12 months, after which they are deleted or anonymised.

Support correspondence — retained for up to 3 years after the last exchange, in accordance with the statute of limitations for contractual claims under French civil law (Article 2224 of the Code civil).

You may request earlier deletion of your personal data at any time by contacting [email protected], subject to legal retention obligations described above.

Section 6

Third-Party Processors

Protocol 7 AI relies on the following third-party service providers (sub-processors) to deliver the Service. Each provider processes data on our behalf and under contractual obligations consistent with the GDPR:

Whop (Whop Inc. — United States)
Role: Merchant of record, payment processing, subscription management, invoicing, tax collection
Data processed: billing information, email, name, transaction records
Privacy policy: whop.com/privacy/
Transfer safeguard: Standard Contractual Clauses (SCCs) as applicable

Resend (Resend Inc. — United States)
Role: Transactional email delivery (sending briefings to subscribers)
Data processed: email address, delivery/open/bounce metadata
Privacy policy: resend.com/legal/privacy-policy
Transfer safeguard: Standard Contractual Clauses (SCCs) as applicable

We do not sell, rent, trade, or otherwise share your personal data with any third party for marketing, advertising, or any purpose unrelated to the delivery of the Service. Ever.

International transfers: Both Whop and Resend are based in the United States. Data transfers to the US are conducted under Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), or other valid transfer mechanisms under Chapter V of the GDPR.

Section 7

Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR (Articles 15 to 22) and French data protection law:

Right of access (Art. 15) — obtain confirmation of whether your data is being processed and request a copy of your personal data

Right to rectification (Art. 16) — request correction of inaccurate or incomplete personal data

Right to erasure (Art. 17) — request deletion of your personal data, subject to legal retention obligations

Right to restriction (Art. 18) — request that processing of your data be restricted in certain circumstances

Right to notification (Art. 19) — we will notify each recipient to whom your data has been disclosed of any rectification, erasure, or restriction, unless this proves impossible or involves disproportionate effort

Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format

Right to object (Art. 21) — object to processing based on legitimate interest, including any processing for analytics purposes

Right to withdraw consent (Art. 7) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, send a request to [email protected] with the subject line “GDPR Request”. Please include sufficient information to verify your identity (the email address associated with your subscription). We will respond within 30 days of receiving your request, as required by Article 12(3) of the GDPR.

You will not be charged a fee for exercising your rights, except in the case of manifestly unfounded or excessive requests (Art. 12(5)).

Section 8

The Protocol 7 AI website (protocol7.ai) is a static website that does not use:

Tracking cookies or persistent cookies of any kind

Third-party analytics tools (no Google Analytics, no Matomo, no Plausible)

Advertising pixels or retargeting tags (no Meta Pixel, no Google Ads, no TikTok Pixel)

Social media tracking widgets or embedded content that sets cookies

Fingerprinting or any other cross-site tracking technology

The website may use essential, strictly necessary technical cookies for basic functionality (for example, if served through a CDN such as Cloudflare, a security cookie may be set). These cookies do not require consent under Article 5(3) of the ePrivacy Directive (2002/58/EC) as transposed into French law (Article 82 of the Loi Informatique et Libertés).

Because we do not set any non-essential cookies, no cookie consent banner is required or displayed.

The website uses localStorage (a browser-based storage mechanism) solely to save your language preference (English/French). This constitutes strictly necessary functionality and does not require consent under Article 5(3) of the ePrivacy Directive. No personal data is stored in localStorage.

Section 9

Security

Protocol 7 AI implements appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include:

Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS (HTTPS)

Encryption at rest — subscriber data stored in our systems is encrypted at rest

Access control — access to subscriber data is restricted to authorised personnel only (the sole operator of Protocol 7 AI)

Processor security — our third-party processors (Whop, Resend) maintain their own security certifications and practices as described in their respective privacy policies

No system can guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and, where required, inform affected individuals without undue delay, in accordance with Articles 33 and 34 of the GDPR.

Section 10

Changes to This Policy

Protocol 7 AI reserves the right to update this Privacy Policy at any time. When we make changes, we will:

Update the “Last updated” date at the top of this page

Notify active subscribers by email if the changes are material (e.g., new categories of data collected, new third-party processors, changes to data retention periods)

Your continued use of the Service after such changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you may cancel your subscription at any time.

We encourage you to review this page periodically to stay informed about how we protect your data.

Section 11

Contact and Complaints

Protocol 7 AI has not designated a Data Protection Officer (DPO) as the processing activities do not fall within the mandatory designation criteria set out in Article 37 of the GDPR. For all data protection inquiries, please contact us directly at the address below.

For any questions about this Privacy Policy or the processing of your personal data, contact us at:

Protocol 7 AI
Email: [email protected]
Subject line for data requests: “GDPR Request”
Response time: within 30 days

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. For France, this is:

CNIL — Commission Nationale de l’Informatique et des Libertés
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Website: www.cnil.fr
Phone: +33 1 53 73 22 22