Privacy policy
Hymeria: Consulting reinvented through the combination of human intelligence and the power of AI.
Last updated: April 23, 2026Hymeria (hereinafter "we" or "the Company") attaches fundamental importance to the protection of your personal data. The purpose of this privacy policy (the "Policy") is to inform you transparently and comprehensively about how we collect, use, store and protect your data, in accordance with the General Data Protection Regulation (GDPR) No. 2016/679 and French Law No. 78-17 of January 6, 1978 as amended, known as the "Informatique et Libertés" Act.
It applies to all individuals who interact with Hymeria through our website, our consulting services, our communications and more generally as part of our relationship.
1. Who we are
Hymeria is an AI-augmented consulting firm, incorporated as a Société par Actions Simplifiée (French simplified joint-stock company) with a share capital of €1,500, registered in the Nanterre Trade and Companies Register under number 103 861 910, with its registered office at 177, route de l'Empereur, 92500 Rueil-Malmaison, France.
Hymeria acts as data controller within the meaning of Article 4 of the GDPR for all processing described in this Policy. Any contact relating to the protection of your data may be sent to contact@hymeria.com or by post to the address of the registered office.
2. What data do we collect?
We collect only the data strictly necessary for the purposes described below, in accordance with the minimization principle set out in Article 5 of the GDPR. This data can be grouped into three main categories:
2.1 Data you provide directly
- Identity and contact details: first name, last name, postal address, email, phone number.
- Professional data: job title, company, industry, organization size.
- Content of exchanges: messages submitted via the contact form, quote requests, documents shared within an engagement.
- Contractual data: information needed to formalize and perform a consulting engagement (engagement letters, purchase orders, billing details).
2.2 Data collected automatically
- Browsing data: IP address, browser type and version, pages viewed, visit duration, referrer URL.
- Performance data: audience and usage metrics collected via analytics tools (see section 6).
- Cookie and tracker data: in accordance with our cookie policy available in the footer.
2.3 Data received from third parties
- Information shared by a partner or referrer in the context of an introduction.
- Data from public sources (LinkedIn, official registries) as part of B2B prospecting.
3. Why do we use your data?
Each processing operation relies on a specific legal basis, in accordance with Article 6 of the GDPR. The sections below summarize our main processing activities:
3.1 Managing contact requests and prospects
Legal basis: legitimate interest (Art. 6.1.f) and pre-contractual measures (Art. 6.1.b).
We process your data to respond to your information requests, send you proposals tailored to your needs and follow up on the commercial relationship.
3.2 Performing consulting engagements
Legal basis: performance of the contract (Art. 6.1.b).
Within our engagements, we may process data relating to contact persons at our clients, identified stakeholders and, where applicable, individuals mentioned in the analyses or documents shared.
3.3 Communications and marketing
Legal basis: consent (Art. 6.1.a) for individuals; legitimate interest (Art. 6.1.f) for B2B contacts pursuant to Article L. 34-5 of the French Post and Electronic Communications Code.
We may send you communications about our publications, studies, viewpoints, events and service offerings. You can unsubscribe at any time via the link included in every communication or by writing to contact@hymeria.com.
3.4 Improving our services and our site
Legal basis: legitimate interest (Art. 6.1.f).
We analyze browsing behavior on our site in order to improve its usability, the relevance of its content and its technical performance.
3.5 Legal and accounting obligations
Legal basis: legal obligation (Art. 6.1.c).
Certain data is retained to comply with our legal obligations, notably accounting, tax, social-security and evidentiary requirements.
4. Use of artificial intelligence in processing your data
Hymeria is an AI-augmented consulting firm. As such, we want to inform you specifically about the conditions under which AI systems may be involved in processing data concerning you.
4.1 Guiding principles
- Systematic human oversight: no significant decision concerning you is made on the sole basis of automated processing (Art. 22 GDPR). A qualified consultant always validates outputs.
- Data minimization: we share with AI tools only the data necessary for the task at hand, anonymizing or pseudonymizing it beforehand wherever possible.
- No model training: our clients' data is not used to train third-party AI models. We select providers offering contractual no-training clauses.
- Contractual framing: every AI provider is subject to a subprocessor agreement compliant with Article 28 of the GDPR.
4.2 Your AI-specific rights
In accordance with the GDPR and in the spirit of the European AI Regulation (AI Act, Regulation (EU) 2024/1689), you may at any time request information on the role played by AI systems in processing your data, request human intervention or object to automated processing. Such requests should be sent to contact@hymeria.com.
5. How long do we keep your data?
We apply retention periods strictly proportionate to the purposes of each processing operation, consistent with CNIL recommendations and applicable legal obligations:
- Prospects and contact requests: 3 years from the last contact, in line with CNIL recommendations for B2B prospecting.
- Client and contractual data: duration of the contractual relationship, then intermediate archiving for 10 years under accounting and tax obligations (Art. L. 123-22 of the French Commercial Code).
- Browsing data and analytics cookies: 13 months maximum, in line with CNIL cookie guidelines.
- Records related to the exercise of rights: 5 years from the response provided.
At the end of these periods, your data is irreversibly deleted or anonymized.
6. Who has access to your data?
6.1 Within Hymeria
Access to personal data is strictly limited to those who need it for their duties, based on the principle of least privilege.
6.2 Our subprocessors
We use technical providers acting as subprocessors within the meaning of Article 28 of the GDPR, notably:
- Site hosting: Hostinger International Ltd, 61 Lordou Vironos Street, 6023 Larnaca, Cyprus.
- Audience measurement and analytics tools (e.g. GDPR-compliant solutions or configured with IP anonymization).
- Communication and CRM tools.
- AI providers selected with reinforced confidentiality clauses.
Each subprocessor is bound to Hymeria by a contract guaranteeing a level of protection equivalent to our own, and can only use your data for the purposes assigned to them.
6.3 Authorized third parties
Your data may be shared with public authorities, courts or court officers, only where we are legally compelled to do so.
6.4 No data sale
Hymeria never sells, rents or transfers your personal data to third parties for commercial purposes.
7. Transfers outside the European Union
Some of our subprocessors may be located, or may store data, outside the European Economic Area (EEA). In such cases, we ensure that these transfers are framed by appropriate safeguards within the meaning of Articles 44 to 49 of the GDPR:
- European Commission adequacy decision (e.g. United Kingdom, United States under the Data Privacy Framework).
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- Binding Corporate Rules where applicable.
You can obtain additional information about these safeguards by contacting contact@hymeria.com.
8. Your rights
In accordance with the GDPR (Articles 15 to 22) and the Informatique et Libertés Act, you have the following rights:
8.1 Right of access (Art. 15)
You can obtain confirmation that data concerning you is being processed, together with a copy of that data and information about how it is processed.
8.2 Right to rectification (Art. 16)
You can request the correction of inaccurate or incomplete data concerning you.
8.3 Right to erasure (Art. 17)
You can request the deletion of your data when it is no longer necessary, when you withdraw your consent or object to processing, or when the data has been collected unlawfully.
8.4 Right to restriction (Art. 18)
You can request the temporary suspension of processing, notably while a challenge to the accuracy of the data is being verified.
8.5 Right to portability (Art. 20)
You can receive the data you have provided to us in a structured, commonly used, machine-readable format and transmit it to another controller.
8.6 Right to object (Art. 21)
You can object at any time to processing based on our legitimate interest, on grounds relating to your particular situation. You can also object to direct marketing at any time, without justification.
8.7 Right to withdraw consent
When processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing carried out before such withdrawal.
8.8 Post-mortem directives
You can issue directives about what happens to your data after your death, in accordance with Article 85 of the Informatique et Libertés Act.
How to exercise your rights
These rights can be exercised by writing to contact@hymeria.com, or by post to: Hymeria, 177, route de l'Empereur, 92500 Rueil-Malmaison, France, for the attention of the data protection officer.
We undertake to respond within one (1) month of receiving your request (this period may be extended to three months in the event of complexity or high volume, with prior notification). We may ask you to verify your identity in order to protect your data against unauthorized access.
If you believe your rights are not being respected, you have the right to lodge a complaint with the French data-protection authority CNIL:
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
- Site: www.cnil.fr
9. Data security
Hymeria implements a set of technical and organizational measures designed to guarantee the confidentiality, integrity, availability and resilience of your data, in accordance with Article 32 of the GDPR. These measures include:
- Encryption of communications (HTTPS/TLS).
- Access controls based on the principle of least privilege.
- Strong authentication for access to systems holding personal data.
- Regular awareness training for our team on security best practices.
- Rigorous selection of subprocessors based on their security guarantees.
In the event of a personal data breach likely to entail a risk to your rights and freedoms, Hymeria undertakes to notify the CNIL within 72 hours in accordance with Article 33 of the GDPR, and to inform you as soon as possible if such a breach is likely to entail a high risk (Art. 34 GDPR).
10. Cookies and trackers
The hymeria.com site uses cookies and other trackers. A cookie is a small file placed on your device when you visit a website. Some are essential to the operation of the site; others require your consent.
10.1 Strictly necessary cookies
These cookies are essential for the site to function properly and cannot be disabled. They do not require consent (Art. 82 of the Informatique et Libertés Act).
10.2 Analytics and audience-measurement cookies
These cookies, subject to your consent, let us measure our site's audience and improve its content. We prioritize privacy-friendly solutions configured with data anonymization (e.g. no sharing with advertising third parties).
10.3 Managing your preferences
You can change your cookie preferences at any time via the banner or the management panel available in the footer of our site, or by configuring your browser. Refusing certain cookies may affect some site functionality.
A detailed cookie policy listing all trackers placed, their lifetime and their precise purpose is available in the site footer.
11. Links to third-party sites
Our site may contain links to third-party sites. This Policy does not apply to those sites. We invite you to consult their own privacy policies. Hymeria cannot be held responsible for the data-protection practices of these third parties.
12. Changes to this Policy
Hymeria reserves the right to modify this Policy at any time, notably to comply with regulatory or case-law developments, or to reflect changes in our services. The version in force is the one published on our site, with mention of the last-updated date.
In the event of a substantial change affecting your rights, we will inform you by email if we have your contact details, or via a notification on our site.
13. Contact and complaints
For any question relating to this Policy, the exercise of your rights or our data-protection practices:
Email: contact@hymeria.com
Postal mail: Hymeria, 177, route de l'Empereur, 92500 Rueil-Malmaison, France, for the attention of the data protection officer
Site: www.hymeria.com
We undertake to handle your request with care and diligence, in accordance with your rights and applicable regulations.
This document is protected by Hymeria's intellectual property rights. Any reproduction without authorization is prohibited.