Skip to content

Legal

Privacy policy

Last updated May 20, 2026

Who we are

Cassis is the product and brand of Polymorph SAS ("Polymorph", "Cassis", "we", "us", "our"), a French société par actions simplifiée with its registered office at 1 rue de Stockholm, 75008 Paris, France. References to "Cassis" in this policy mean the same legal entity.

  • SIREN: 100 668 920
  • VAT: FR85 100 668 920
  • Publication director: Aloÿs Augustin
  • Contact: [email protected]

Scope

This policy applies to personal data that Cassis processes about visitors to our website, prospects and customer representatives, design partner contacts, supplier representatives, employment candidates, and other individuals who interact with us.

Our commitment

Cassis processes personal data in line with EU Regulation 2016/679 (the General Data Protection Regulation, or GDPR) and the French Data Protection Act of 6 January 1978, as amended.

Why we process personal data

Website visitors. We process aggregate technical and usage data to measure traffic, improve the site, and detect abuse. We use a privacy-friendly analytics provider that does not set tracking cookies.

Prospects and customer representatives. We process identification and contact data to manage commercial conversations, run design partner programs, deliver our services, invoice, and send service updates and (where permitted) marketing communications.

Suppliers and partners. We process the personal data of supplier and partner representatives to manage the relationship.

Employment candidates. We process the information candidates share with us (CV, skills, qualifications, experience) to evaluate applications.

We do not subject individuals to fully automated decisions producing legal or similarly significant effects.

Our role

Cassis acts as the data controller for the processing described above. When we process customer data on a customer's behalf through our product, we act as a data processor under a separate data processing agreement.

Legal bases

  • Performance of a contract or pre-contractual steps
  • Compliance with a legal obligation
  • Our legitimate interests in operating and growing the business, balanced against your rights and freedoms
  • Consent, where required (for example, for non-essential cookies or specific marketing channels)

Where the data comes from

We collect personal data directly from individuals through our website, product, and business interactions, and from publicly available sources such as professional profiles.

Who has access

Inside Cassis, access is limited to the people who need it to do their job. We rely on a small number of vetted service providers (hosting, infrastructure, CRM, communication, analytics) that process data on our behalf under written instructions. Our subprocessor list is available on request.

Where we process personal data

Some of our providers are located outside the European Economic Area. When that is the case, we rely on appropriate safeguards, including European Commission adequacy decisions, the EU Standard Contractual Clauses, or the EU-US Data Privacy Framework.

How long we keep personal data

  • Invoices and accounting records: 10 years from the end of the accounting year
  • Prospect and customer contact data: up to 3 years after the last meaningful interaction
  • Marketing contact data: up to 3 years after the last interaction or until consent is withdrawn
  • Candidate data: up to 2 years after the last contact if the application is unsuccessful
  • Other data: only as long as needed for the purpose, plus any legal, contractual, or security retention

Cookies and tracking

Cassis uses a privacy-friendly analytics provider (Plausible) that does not use cookies and does not track individuals across sites. Essential cookies that are strictly necessary to operate the site may be set without consent. Non-essential cookies, if any, are set only with consent.

Your rights

You have the right to:

  • Be informed about how we process your personal data
  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Request deletion in the cases set out by law
  • Object to or restrict processing
  • Receive your data in a portable format
  • Set guidelines for what happens to your data after your death
  • Withdraw consent at any time, where processing relies on consent

To exercise these rights, email [email protected]. We respond within the timeframes required by law and may ask you to confirm your identity.

Security

We implement technical and organizational measures that match the risks of each processing activity, including access controls, encryption in transit, least-privilege defaults, and logging.

Questions or complaints

For any question, contact [email protected]. You can also file a complaint with the French supervisory authority:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Phone: +33 (0)1 53 73 22 22
cnil.fr

Updates

We may update this policy. The current version is always published on this page, with the "Last updated" date refreshed.