Privacy & Data Processing

Publisher / Data Controller for NoFurther's own processing: NoFurther AI / NoFurther Systems — SAS, registered with the Paris Trade and Companies Register under number 989 403 449, VAT Number FR77 989 403 449, registered office 46 Rue Chardon Lagache, PO Box Abi Aad, 75016 Paris, France. President: Mr. Omar Karl Abi-Aad. Directeur Général: Mr. Carl Souhait. Email support@nofurther.agency. Privacy contact privacy@nofurther.agency. Phone: +1 270 260 3444.

Our public website is currently hosted through providers including HighLevel Inc., GoHighLevel, and LeadConnector. Our client platform is built using Lovable and may rely on providers for CRM, payments, AI, email, SMS, WhatsApp, calendar, advertising, analytics, file handling, logging, support, and internal operations. The exact providers used may vary depending on technical requirements, client configuration, integrations, and service delivery needs.

NoFurther acts as an independent controller when we process personal data for our own purposes, including website operation, prospecting and sales, bookings, billing, client relationship management, platform account administration, security, compliance, marketing, internal analytics, service improvement, and legal/accounting obligations.

NoFurther acts as a processor when we process personal data on behalf of a client as part of agreed services, including lead management, CRM automation, AI qualification, client acquisition systems, advertising workflows, messaging automations, reporting, dashboard operations, uploaded files, and platform workflows. In that case, the client is generally the controller and NoFurther processes the data according to the client's documented instructions and the applicable DPA.

We may collect the following categories of personal data:

• Identity and contact data: first name, last name, company name, job title, email address, phone number, country, address, billing details, business registration information where needed.
• Account and platform data: user account information, login identifiers, role and permission settings, account status, workspace or client-space membership, authentication data handled by technical providers, invitation status, access history, user preferences, platform activity.
• Booking and communication data: call booking details, calendar availability, appointment history, SMS messages, WhatsApp messages, emails, support messages, chat messages, call notes, conversation summaries, AI setter conversations, post-booking messages, post-call notes, internal follow-up status.
• Business and client data: business model, offer details, revenue ranges, advertising spend, sales process information, CRM fields, pipeline status, lead data, customer data, campaign data, funnel data, performance data, sales-call information, onboarding questionnaire answers, strategic information.
• Uploaded files and documents: documents, PDFs, spreadsheets, images, screenshots, contracts, reports, client assets, brand assets, business data, sales materials, onboarding materials, files required for service delivery.
• Payment and billing data: invoice data, billing contact details, billing address, payment status, payment method metadata, transaction references, Stripe payment metadata, VAT or tax information, refund or chargeback information. Full card numbers are not intentionally stored by NoFurther and are handled by payment providers such as Stripe.
• Technical, device, and usage data: IP address, browser type, device type, operating system, time zone, session identifiers, pages viewed, click behavior, form interaction, referral source, platform logs, error logs, security logs, approximate location, cookies, integration event logs, API or webhook logs.
• AI interaction data: prompts, inputs, uploaded materials, chat messages, AI-generated outputs, AI scoring results, profile analyses, generated scripts, generated VSL materials, lead scores, conversation summaries, system feedback, usage metadata.
• Integration data: data from or through GoHighLevel / LeadConnector, Stripe, Twilio / WhatsApp, Google Calendar, Google Workspace, Slack, project-management tools, advertising platforms, analytics tools, hosting/database providers, and API or webhook services.

We collect data when you visit our website; submit a form; book a call; contact us; sign an agreement; make a payment; create or access a platform account; upload files; use AI tools; interact with our chat or support tools; connect third-party integrations; when a client provides data to us for service delivery; or when data is generated automatically by our systems, integrations, logs, cookies, or analytics tools.

We use personal data to operate the website and Platform; create and manage user accounts; deliver services; onboard clients; manage bookings and calls; process payments and invoices; provide support; generate AI-assisted outputs; analyze leads, conversations, and profiles; manage CRM and acquisition workflows; send service-related communications; send marketing communications where permitted; monitor performance; improve systems and services; secure the Platform; detect fraud, misuse, and unauthorized access; comply with accounting, tax, contractual, and legal obligations; manage disputes and enforce agreements; and maintain internal records.

Depending on the situation, we rely on contractual necessity, legitimate interests, consent, legal obligation, and client instructions where we act as processor. Consent is used where legally required, including certain marketing communications, non-essential cookies, retargeting pixels, and optional communication preferences.

NoFurther operates or may operate a client platform built using Lovable. The platform may allow users to access dashboards, onboarding materials, forms, files, AI tools, billing information, support chat, project milestones, performance data, client resources, and service-delivery workflows.

When users access the platform, we may process account data, login and authentication data, user permissions, platform activity, uploaded files, chat messages, AI prompts and outputs, business information, CRM data, customer and lead data, billing-display data, support requests, task and milestone activity, technical logs, cookies, and analytics data.

The platform may process personal data relating to a client's own leads, customers, prospects, users, employees, contractors, or business contacts. This may include names, email addresses, phone numbers, company details, lead status, CRM tags, sales notes, conversation history, booking information, qualification data, AI lead scores, customer messages, campaign attribution, form answers, pipeline status, and purchase or payment metadata where applicable.

For this type of data, the client is generally the controller and NoFurther acts as processor under the applicable agreement and DPA. The client is responsible for providing privacy notices, obtaining consents, managing opt-outs, and ensuring the data was lawfully collected.

The platform may use AI tools and external AI providers to provide AI chat, profile analysis, lead scoring, conversation summaries, VSL generation, ad copy generation, strategy generation, business diagnostics, sales-call analysis, reporting assistance, and support automation.

To provide these features, data submitted through the platform may be transmitted to AI providers for processing. This may include prompts, uploaded files, chat messages, business information, lead data, customer data, onboarding answers, and CRM information.

NoFurther does not intentionally use client confidential data to train public AI models. However, data may be processed by AI providers as necessary to generate outputs, depending on the technical configuration used. Users should not submit sensitive personal data, regulated data, or confidential third-party data to AI features unless they are authorized to do so and the processing is necessary for the agreed services.

Users may upload files to the platform. These files may contain business information, documents, images, PDFs, spreadsheets, contracts, screenshots, strategy documents, brand assets, or client/customer information. Uploaded files may be stored, viewed, analyzed, processed by AI, shared internally with authorized NoFurther personnel or contractors, and used to provide services. Users must not upload sensitive or unlawful data unless expressly agreed in writing.

The platform may include human chat, AI chat, support messaging, internal notes, or client communication tools. Messages may be stored and processed for support, client delivery, service follow-up, AI summaries, internal coordination, quality control, dispute management, security, and legal compliance. Users should not send sensitive, unlawful, or unnecessary personal data through chat.

NoFurther may process credentials, API keys, OAuth tokens, authorization data, or connected-account metadata where necessary to integrate third-party tools or deliver services. This may include access to CRM accounts, advertising accounts, analytics accounts, messaging tools, payment processors, calendars, file-storage systems, project-management tools, and other business software.

Where possible, access should be permission-based, revocable, and limited to what is necessary. Credentials and API keys may be used only for service delivery, integration, support, troubleshooting, security, and authorized operational purposes.

The platform may display billing information, invoices, payment status, subscription status, outstanding amounts, or payment metadata. This information may not be synced in real time. It may be updated periodically and may be delayed or temporarily inaccurate. Official billing records remain the issued invoice, payment processor record, bank record, signed agreement, or written confirmation from NoFurther's billing team.

The website and platform may use cookies, pixels, tags, local storage, analytics tools, and similar technologies for authentication, security, session management, remembering preferences, analytics, product improvement, advertising attribution, retargeting, conversion tracking, and performance monitoring.

Essential cookies may be placed where necessary to operate the website or platform. Non-essential cookies, including analytics, advertising, and retargeting cookies, are used only where legally permitted and, where required, after consent. Refusing non-essential cookies may affect analytics, personalization, or advertising features but should not block essential access unless technically necessary.

When you provide your phone number or contact details, we may contact you by SMS, WhatsApp, call, email, or platform notification for appointment reminders, confirmations, onboarding steps, client portal invitations, payment and invoice updates, service-related messages, support, deliverable notifications, and marketing communications where permitted. You may opt out of promotional SMS by replying STOP where supported. You may unsubscribe from marketing emails through the unsubscribe link or by contacting us. Service, contractual, transactional, security, and billing communications may still be sent where necessary.

We may share personal data with hosting providers, database providers, CRM providers, payment processors, messaging providers, AI providers, analytics providers, advertising platforms, project-management tools, file-storage tools, email providers, calendar providers, legal/tax/accounting/compliance advisors, contractors and team members under confidentiality obligations, public authorities where legally required, and buyers, successors, or professional advisors in case of restructuring, merger, sale, or acquisition. We do not sell personal data.

Our providers may include, depending on service configuration, Lovable, GoHighLevel / LeadConnector, Stripe, Twilio / WhatsApp Business providers, Google Workspace, Slack, project-management tools such as ClickUp, Asana, or Notion, advertising platforms such as Meta, Google, LinkedIn, or TikTok, AI providers such as OpenAI, Anthropic, or equivalent providers, analytics and monitoring providers, and other technical service providers.

A more specific subprocessor list may be provided to clients upon request or included in the DPA. If Lovable uses infrastructure, databases, hosting, storage, authentication, analytics, or AI providers that process personal data, those providers should be added to the subprocessor list once confirmed.

The website and platform may be accessed by users located in France, the EU, the UK, the US, Canada, and other countries. Some providers may process personal data outside the EEA. Where legally required, NoFurther relies on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, UK transfer addenda, Swiss addenda, data-processing agreements, contractual safeguards, and provider security commitments.

We retain personal data only as long as necessary for the purpose for which it was collected, including legal, contractual, accounting, tax, security, dispute-resolution, and service-delivery needs.

• Website/contact inquiries: up to 3 years after last interaction.
• Prospect and sales data: up to 3 years after last meaningful contact.
• Client account data: duration of the client relationship plus a reasonable offboarding period.
• Invoices and accounting records: legally required accounting/tax period, generally up to 10 years where applicable.
• Contract records: duration of the contract plus applicable limitation periods.
• Support and communication records: duration necessary for service, security, and dispute management.
• Platform logs: as needed for security, debugging, and compliance.
• Uploaded client files: duration of the client relationship plus offboarding/deletion period unless otherwise agreed.
• Cookies: according to the cookie type and applicable consent rules.

Where we act as processor, retention is governed by the DPA and client instructions unless legal obligations require otherwise.

We use reasonable technical and organizational measures to protect personal data, including access control, role-based permissions, confidentiality obligations, encryption in transit where appropriate, secure hosting providers, password and authentication controls, logging and monitoring, backups where feasible, vendor controls, incident-response procedures, data minimization, and separation of client workspaces where feasible. No system is perfectly secure. Users are responsible for securing their own devices, passwords, accounts, team access, and third-party integrations.

Depending on your location and applicable law, you may have the right to access your personal data; correct inaccurate data; request deletion; restrict processing; object to processing; withdraw consent; request data portability; object to direct marketing; and lodge a complaint with a supervisory authority. To exercise your rights, contact privacy@nofurther.agency. We may need to verify your identity before responding. If you are an end customer, lead, or contact of one of our clients, we may need to forward your request to the relevant client, because the client may be the controller of your data.

If you are located in France or the EU and believe your data protection rights have been violated, you may lodge a complaint with the competent supervisory authority. For France, this is the CNIL.

The Platform is intended for business users and is not directed to children. We do not knowingly collect children's personal data. Clients must not upload children's data unless expressly agreed in writing and legally authorized.

Unless expressly agreed in writing, you must not provide or upload health data, biometric data, genetic data, criminal-offence data, children's data, political opinions, religious beliefs, trade-union information, sexual-orientation data, government IDs, full payment-card data, passwords in plain text, or highly confidential or regulated data. If such data is accidentally uploaded, you must notify us and delete it where possible.

The Platform may use AI and automation to generate scores, summaries, recommendations, classifications, or operational suggestions. Unless expressly stated otherwise, these outputs are intended to support human decision-making and are not intended to produce legal or similarly significant effects without human review. Clients remain responsible for how they use AI outputs in their own business decisions.

If we identify a personal data breach affecting data we process as controller, we will assess and notify affected individuals and authorities where legally required. If we identify a security incident affecting personal data processed on behalf of a client, we will notify the client without undue delay according to the DPA.

We may update this Privacy Policy from time to time. The updated version will be posted on the Platform with the new Last updated date. Material changes may be communicated where legally required or appropriate.

For privacy questions or rights requests: NoFurther AI / NoFurther Systems — SAS, 46 Rue Chardon Lagache, PO Box Abi Aad, 75016 Paris, France. Email privacy@nofurther.agency. General support support@nofurther.agency.