01 — Data controller and contact

Unless a customer agreement states otherwise, the data controller is Orizone.io, 60 rue François 1er, 75008 Paris, France. For privacy questions or rights requests, please use the Contact us page and select the Legal / privacy topic. If we appoint a Data Protection Officer, this policy will be updated.

02 — Data we collect

We collect only the personal data needed to operate the Services, respond to requests, provide Pulse to customers, protect the product, and improve the experience.

• Account and workspace data, such as name, work email, authentication identifiers, organization, role, locale, preferences, workspace membership, and access permissions.
• Pulse Preview and contact request data, such as name, work email, topic, message, title or game context submitted for evaluation, and follow-up history.
• Customer-provided game context, such as title information, lifecycle moments, notes, roadmap or update context, source configuration, team labels, and other business context shared to help Pulse interpret a game.
• Product usage and operational data, such as pages viewed, actions performed, timestamps, device and browser information, IP address, security logs, diagnostics, and error events.
• Limited billing and commercial data if a paid subscription or pilot is agreed, such as billing contact, company details, invoices, plan information, and payment status. Full payment card data is handled by payment providers and is not stored by Orizone.
• Communications data, such as emails, support messages, meeting notes, feedback, and other information you choose to share with us.

03 — Why we process personal data

We process personal data for the following purposes and legal bases under the GDPR.

• Provide and secure the Services, including authentication, workspace access, customer configuration, Pulse workflows, support, hosting, monitoring, and incident response. Legal basis: performance of a contract and legitimate interests.
• Evaluate Pulse Preview, demo, contact, partnership, investment, press, legal, privacy, support, and access requests. Legal basis: legitimate interests and pre-contractual steps.
• Operate Pulse intelligence workflows, including source configuration, signal interpretation, contextual analysis, decision-oriented outputs, and customer-visible product features. Legal basis: performance of a contract and legitimate interests.
• Improve the product, troubleshoot issues, understand usage, prioritize development, and maintain product quality. Legal basis: legitimate interests and, where required, consent.
• Send administrative, security, product, and commercial communications, including follow-ups requested by you or your organization. Legal basis: contract, legitimate interests, and consent where required.
• Comply with legal, accounting, tax, security, fraud prevention, and regulatory obligations. Legal basis: legal obligations and legitimate interests.

04 — Pulse intelligence, AI, and providers

Pulse may use AI models and specialized service providers to transform game-specific player perception, public discussion, market context, and customer-provided context into structured, decision-ready intelligence.

• We may send limited excerpts of customer context, source-derived material, prompts, metadata, and product inputs to AI or infrastructure providers when necessary to provide Pulse features.
• We apply data minimization and scope prompts to the task being performed. Where practical, we avoid unnecessary personal identifiers and do not send more context than needed for the requested operation.
• AI providers and infrastructure providers act as processors or subprocessors under contractual confidentiality, security, and data protection obligations.
• Unless a customer agreement or provider setting states otherwise, Pulse inputs and outputs are not intended to be used by our AI providers to train their general models.

05 — Source data and customer content boundaries

Pulse is designed to help customers understand player perception while respecting the difference between public platform content, customer-owned context, and personal data.

• Pulse may process public or customer-authorized sources such as reviews, community discussions, video or social reactions, support context, private communities, internal notes, or other sources configured for a customer.
• Content from third-party platforms remains subject to the rights, terms, and policies of those platforms and their users. Orizone does not claim ownership over raw third-party content.
• Where possible, Pulse focuses on analytical outputs, signals, summaries, references, metadata, and decision context rather than storing raw third-party source content longer than needed.
• Customer-provided private context is handled according to the customer agreement and is used to interpret the monitored title or related Pulse workflows.

06 — Cookies and similar technologies

We use cookies and similar technologies on our websites and application surfaces.

• Strictly necessary cookies are used for authentication, security, session management, load balancing, and core service operation.
• Preference cookies may remember choices such as language, locale, interface settings, or consent choices.
• Analytics and performance technologies may help us understand usage, measure reliability, improve user experience, and prioritize improvements.
• Where required by law, we request consent before using non-essential cookies and provide a way to change choices.

07 — How we share data

We do not sell personal data. We share data only where necessary for the Services, legal obligations, security, or customer-requested workflows.

• Service providers and processors, including hosting, database, authentication, email, analytics, security, AI, monitoring, payment, and customer support providers.
• Customer administrators or authorized workspace members, where the information belongs to or is visible within the relevant organization workspace.
• Professional advisers, authorities, or courts where required to comply with legal obligations or protect rights, safety, security, and integrity.
• Successors in a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.

08 — International transfers

Some providers may process personal data outside the European Economic Area, including in countries that may not provide the same level of data protection. Where required, we rely on appropriate safeguards such as European Commission Standard Contractual Clauses, adequacy decisions, transfer impact assessments, and contractual security measures.

09 — Data retention

We keep personal data only for as long as necessary for the purposes described in this policy, customer agreements, and legal obligations.

• Account and workspace data is retained while the account or customer workspace remains active, then deleted or anonymized within a reasonable period unless retention is required.
• Pulse Preview and contact requests are retained for follow-up, commercial history, and legal recordkeeping, then deleted or anonymized when no longer needed.
• Customer context and Pulse product data are retained according to the customer agreement, workspace configuration, and operational requirements.
• Logs, diagnostics, and security data are typically retained for limited periods, unless longer retention is needed for security, abuse investigation, or legal reasons.
• Billing, accounting, tax, and legal records are retained for the periods required by applicable law.

10 — Your rights

Subject to legal conditions and limitations, you may exercise the following rights under the GDPR and applicable data protection laws.

• Access your personal data and obtain a copy.
• Rectify inaccurate or incomplete personal data.
• Erase personal data, where applicable.
• Restrict the processing of personal data.
• Object to processing based on legitimate interests.
• Withdraw consent where processing is based on consent.
• Request portability of data you provided, where applicable.
• Define post-mortem instructions regarding your data where French law applies.

11 — Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction.

• Encryption in transit and, where appropriate, encryption or equivalent protection at rest.
• Access controls, authentication, least-privilege permissions, and workspace authorization.
• Operational logging, monitoring, backups, and incident response procedures.
• Vendor review and contractual confidentiality and security obligations for processors.
• Internal practices designed to limit access to personal data to people and systems that need it.

12 — Children

The Services are intended for professional use by game studios, publishers, creators, and related business users. They are not directed at children under 16, and we do not knowingly collect personal data from children.

13 — Third-party websites, platforms, and sources

The Services may contain links to third-party websites, platforms, services, or source materials. Their privacy practices are governed by their own policies. Customers are responsible for ensuring that any private or internal sources they ask Pulse to process are configured and authorized lawfully.

14 — Changes to this policy

We may update this Privacy Policy from time to time. We will publish the updated version on the website and indicate the latest revision date. If changes are material, we may notify customers through the application, by email, or through another appropriate channel.