Last updated: April 10th, 2026
Hyperion Consulting (SASU)
SIRET: 94804171000013
TVA: FR73948041710
126 Avenue du General Leclerc, 92100 Boulogne-Billancourt, France
Director: Mohammed Cherifi
For the purposes of the General Data Protection Regulation (GDPR), the data controller is:
Hyperion Consulting
Email: [email protected]
Given the size and nature of our operations, the appointment of a Data Protection Officer (DPO) is not mandatory under Article 37 of the GDPR. However, for all data protection inquiries, you may contact:
A Record of Processing Activities (ROPA), as required by Article 30 of the GDPR, is maintained internally and is available upon request to the supervisory authority.
We collect several categories of information:
Information that can directly or indirectly identify you:
We use cookies and similar tracking technologies. See Section 9 for detailed information.
We process your personal data based on the following legal grounds:
We use your personal data for the following purposes:
When collecting data, we will indicate whether providing certain information is:
Consequences of not providing mandatory data: We may not be able to provide certain services to you.
We retain your personal data only for as long as necessary for the purposes set out in this Privacy Policy:

| Data category | Retention period |
|---|---|
| Customer data | Duration of the business relationship plus 2 years |
| Marketing data | Until you withdraw consent or 2 years after last interaction |
| Technical logs | 3 months |
| Cookie data | See cookie policy (Section 9) |

Your personal data may be shared with the following categories of recipients:
We use the following sub-processors to operate our services. Each is bound by a Data Processing Agreement (DPA) compliant with GDPR Article 28:

| Sub-processor | Purpose | Location |
|---|---|---|
| Mistral AI | Large-language-model inference for chatbot and AI Readiness Assessment | France (EU) |
| Resend | Transactional and marketing email delivery | United States (EU Standard Contractual Clauses in place) |
| Stripe Payments Europe, Ltd. | Marketplace subscription payment processing | Ireland (EU) with transfers to the United States under SCCs |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Alternative marketplace payment method | Luxembourg (EU) |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance telemetry | United States (EU Standard Contractual Clauses in place) |
| Google Analytics 4 (Google Ireland Ltd.) | Anonymized website analytics with Consent Mode v2 | EU data processing, sub-transfers to the United States under SCCs |
| Upstash / local Redis | Session store, rate-limit counters, cache | Self-hosted in France (EU) on the OVHcloud VPS |

We do not sell, trade, or rent your personal information to any third party. We do not engage in cross-context behavioral advertising.
Your information, including Personal Data, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ.
If we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
You have the right to obtain information about these safeguards by contacting us.
Under GDPR, you have the following rights regarding your personal data:

| Right | Description |
|---|---|
| Right of access (Art. 15) | Obtain confirmation whether we process your data and access to it |
| Right to rectification (Art. 16) | Correct inaccurate or incomplete data |
| Right to erasure (Art. 17, 'right to be forgotten') | Request deletion of your data under certain circumstances |
| Right to restriction of processing (Art. 18) | Request limitation of processing under certain circumstances |
| Right to data portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format |
| Right to object (Art. 21) | Object to processing based on legitimate interests or for direct marketing |
| Right to withdraw consent (Art. 7.3) | Where processing is based on consent, you can withdraw it at any time without affecting prior lawfulness |
| Right not to be subject to automated decision-making (Art. 22) | Including profiling that produces legal or similarly significant effects |
| Right to compensation (Art. 82) | Claim material or non-material damages for infringements of GDPR |
| Right to lodge a complaint (Art. 77) | File a complaint directly with the French supervisory authority (CNIL); details below |

To exercise these rights, submit a request through our Data Subject Request form at /data-subject-request, or contact us at: [email protected]. We may need to verify your identity before processing your request. Verification will be proportionate to the sensitivity of the data involved.
You also have the right to lodge a complaint with the supervisory authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel: +33 (0)1 53 73 22 22
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
However, no method of transmission over the Internet or electronic storage is 100% secure.
Cookies are small text files placed on your device when you visit our website. We use the following types of cookies:

| Cookie type | Description |
|---|---|
| Essential cookies | Necessary for the website to function |
| Analytical cookies | Help us understand how visitors use our website |
| Functional cookies | Remember your preferences |
| Marketing cookies | Used to deliver relevant advertisements |

We will request your consent before placing non-essential cookies on your device. You can withdraw consent at any time through your browser settings or our cookie management tool.
Some of our pages may contain content from third-party services (e.g., Google Analytics) which may set their own cookies. We do not control these cookies.
Below is a complete list of cookies used on this website:
| Cookie | Purpose | Type | Duration | Provider |
|---|---|---|---|---|
| hyperion_cookie_consent | Stores your cookie consent preferences (GDPR/ePrivacy) | Necessary | Persistent (until consent version changes) | Hyperion Consulting |
| admin_token | Authentication for the admin dashboard | Necessary | 2 hours | Hyperion Consulting |
| marketplace_session | Authenticated session for the Marketplace area (JWT) | Necessary | 24 hours | Hyperion Consulting |
| portal_session | Authenticated session for the Client Portal (JWT) | Necessary | 7 days | Hyperion Consulting |
| portal_csrf | Cross-site request forgery protection for the Client Portal | Necessary | Session | Hyperion Consulting |
| _ga, _ga_* | Google Analytics 4 — distinguishes users and sessions with IP anonymization and Consent Mode v2; deployed only after explicit opt-in | Analytics | 2 years / 24 hours | |
| NEXT_LOCALE | Stores your preferred language/locale setting | Functional | 1 year | Hyperion Consulting |
You can withdraw or modify your cookie consent at any time by clicking the 'Cookie Settings' link in the footer of any page. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
We do not use automated decision-making that produces legal effects or similarly significantly affects you.
We do not use automated profiling or third-party contact enrichment services. Lead qualification is based solely on information you voluntarily provide through our website forms.
In accordance with Article 50 of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we inform you that the following AI systems are in use on this website:
Answers questions about our services and content using retrieval-augmented generation
Model: Mistral Large (provider: Mistral AI, France)
Disclosure: The interface clearly indicates you are interacting with an AI system, not a human.
Your rights: You may at any time request to speak with a human via [email protected]. Outputs are not used for automated decision-making.
Generates a personalized AI maturity score and recommendations from your quiz answers
Model: Deterministic scoring logic combined with optional Mistral-generated recommendations
Disclosure: Results are for informational purposes only, do not constitute professional advice, and do not produce legal or similarly significant effects.
Your rights: You may request deletion of your results and associated personal data under Article 17 GDPR.
Blog articles, research digests, and tool guides may be drafted with AI assistance before human editorial review
Model: Mistral Large (provider: Mistral AI, France)
Disclosure: Articles containing AI-generated content are labeled as such where material; all content is reviewed by a human editor before publication.
Your rights: You may report inaccurate AI-generated content to [email protected].
We do not engage in any of the AI practices prohibited under Article 5 of the AI Act (social scoring, emotion recognition in the workplace, biometric categorization, subliminal manipulation, exploitation of vulnerabilities, untargeted facial scraping, real-time remote biometric identification).
The AI systems operated on this website do not fall within the high-risk categories listed in Annex III of the AI Act.
In accordance with Article 4 of the AI Act, we ensure our staff operating AI systems have a sufficient level of AI literacy.
For a detailed, system-by-system transparency notice, see our AI Transparency page.
We have reviewed our processing activities against Article 35 GDPR criteria. No processing activity currently triggers a mandatory DPIA (we do not process special categories of data at scale, do not engage in systematic profiling with legal effects, and do not conduct large-scale monitoring of public areas). We keep this assessment under review and will perform DPIAs for any new processing likely to result in a high risk to data subjects.
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.
In accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act (Loi Informatique et Libertés), the age of digital consent in France is set at 15. For users under 15 residing in France, the consent of a parent or guardian is required for any information society service directly offered to the child.
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
We may update our Privacy Policy from time to time. We will notify you of any material changes by:
You are advised to review this Privacy Policy periodically. Continued use of our Service after changes constitutes acceptance of the updated policy.
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
126 Avenue du General Leclerc
92100 Boulogne-Billancourt, France
Response time: We will respond to your requests within one month of receipt, as required by GDPR.
This Privacy Policy is governed by French law and complies with the General Data Protection Regulation (EU) 2016/679.