This privacy policy describes how Hippolit SAS (hereinafter "Hippolit", "we") collects, processes and protects personal data within two distinct scopes:
Hippolit's role under the GDPR differs between these two scopes: processor under Article 28 within the application, controller on the marketing website. These two regimes are described in Articles 3 and 4 respectively.
This policy supplements our legal notice.
In accordance with Article 5 of European Regulation 2016/679 (GDPR), personal data shall be:
Processing is lawful only if and to the extent that at least one of the following applies: consent of the data subject; performance of a contract; compliance with a legal obligation; protection of vital interests; performance of a task carried out in the public interest; or legitimate interests pursued by the controller, except where overridden by the data subject's interests or fundamental rights.
When providing the Service to its clients, Hippolit acts as a processor within the meaning of Article 28 GDPR. The client company is the controller: it determines the purposes and means of the processing of its employees' personal data. Hippolit processes these data exclusively on behalf of the client and according to its documented instructions.
As a consequence, any request from an employee to exercise their rights (access, rectification, deletion, etc.) must be addressed to their employer (the client company), which will then instruct Hippolit to carry out the technical execution if necessary.
A bilateral, signable Data Processing Agreement (DPA), compliant with Article 28 GDPR, is available upon request from your Hippolit contact.
Hippolit processes a limited subset of personal data relating to the client's employees, in most cases synchronised from the company's HRIS:
No sensitive data within the meaning of Article 9 GDPR (health, political opinions, biometrics, etc.) is collected.
These data are processed for the following purposes: IT asset management, automation of onboarding and offboarding workflows, internal request management (IT ticketing), activity logging for platform security and traceability. The corresponding legal bases are performance of the contract (Art. 6.1.b GDPR) and the legitimate interest of the controller (Art. 6.1.f GDPR).
Data is hosted and processed exclusively in France and within the European Union. No transfer to a third country is made without the prior written consent of the controller. Our technical processors are:
Any change to this list is subject to prior notification to the controller, who has a right of objection under the conditions defined in the DPA.
The Google Workspace integration is an optional feature of Hippolit's access management module. It is enabled only at the client's explicit initiative and is not a prerequisite for using the Service. Clients who do not enable this module are not subject to any processing of Google data.
When the integration is enabled, Hippolit accesses only the Google data strictly necessary for the operation of this module (for example: employee directory, Workspace account management, automation of arrivals and departures).
This data is never sold, never used for advertising purposes, and is not used to train artificial intelligence models. No human reads this data, except with the user's explicit consent, for security reasons, to comply with a legal obligation, or for internal anonymised operations.
The user can revoke access at any time from their Google account security settings; the corresponding access tokens are then invalidated immediately.
Google APIs - Limited Use.
Hippolit's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
During the term of the contract, a data deletion request may be submitted and will be executed within a maximum of 72 hours.
On the website www.hippolit.io, Hippolit acts as a controller.
The personal data collected in this context are: last name, first name, email address. They are collected only when you actively perform one of the following actions:
No data is collected automatically through simple browsing. Processing serves the following purposes: responding to your requests, managing demo bookings, and where applicable handling contracting with the Hippolit software. The legal basis is the performance of pre-contractual measures taken at your request (Art. 6.1.b GDPR) and our legitimate interest in responding to your enquiries (Art. 6.1.f GDPR).
This data is kept until your request is handled, then for three (3) years from the last contact for commercial prospecting purposes, in line with CNIL recommendations.
The website www.hippolit.io is hosted by Cloudflare, Inc. - 101 Townsend Street, San Francisco, CA 94107 - https://www.cloudflare.com.
The website uses only cookies strictly necessary for its operation and, subject to your consent, anonymised audience measurement cookies. No third-party advertising cookies are placed.
Hippolit SAS, a simplified joint-stock company with capital of €15,000, registered with the Marseille Trade and Companies Register under number 987 353 497.
Registered office: 45 boulevard André Aune, 13006 Marseille, France.
Contact: team@hippolit.io.
Hippolit has appointed a Data Protection Officer registered with the CNIL under number DPO-171602.
DPO: Morgan Lebois - 45 boulevard André Aune, 13006 Marseille, France - team@hippolit.io.
The DPO is your primary contact for any question relating to data protection, including rights requests, compliance questions and audits.
In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act (Law 78-17 of 6 January 1978), you have the following rights: right of access, rectification, erasure, portability, objection, restriction, the right not to be subject to a decision based solely on automated processing, and the right to define directives regarding the fate of your data after death.
How to exercise these rights depending on your situation:
To verify your identity, we may ask you for additional information.
If, after contacting us, you consider that your rights are not respected, you may lodge a complaint with the CNIL - www.cnil.fr.
Hippolit implements the appropriate technical and organisational measures required by Article 32 GDPR: AES-256 encryption at rest via Fscrypt on PostgreSQL volumes, TLS 1.2+ in transit, dedicated database per client, internal access via SSO + mandatory MFA, principle of least privilege, centralised logging, regular penetration tests (last performed in April 2025). Full details are available on our security page and in our GDPR Notice and Security Policy, shared with clients on request.
In the event of a personal data breach, Hippolit will notify the controller without undue delay, and at the latest within 72 hours of becoming aware of it, in accordance with Article 33 GDPR.
Hippolit reserves the right to modify this policy at any time in order to ensure compliance with the applicable law and to reflect changes to the Service. The date at the top of the page indicates the applicable version.
This policy was published on May 16, 2024 and updated on June 1, 2026.