Privacy Policy – pharmatext.ai

Last updated: November 2025

This Privacy Policy explains how LAG ("we", "our", or "us") collects, uses, and protects personal information when you participate in the pilot program for our web application, pharmatext.ai (the "App").

1. Data Controller

The entity responsible for processing your personal data (the "data controller") is:

LAG SAS
18 rue d'Anjou
75008 Paris
France
Registration Number (SIRET): 948 338 785 00017
Email: privacy@pharmatext.ai

2. Information We Collect

We collect only the data necessary to provide and improve the App:

• Account Information: Your name, email address, and authentication information required to create and secure your account.
• User-Generated Content: Any text, documents, or other content you voluntarily upload or create within the App.
• Usage Data: Basic technical information about your interaction with the App, such as login times, features used, and error occurrences. This helps us improve the service.
• Session Recordings (Pilot Only): During the 3-week pilot period, we collect session replay data including your interactions with the App (mouse movements, clicks, page views, and form inputs). Session recordings are associated with your email address to help us understand user behavior and improve the product. We automatically mask sensitive input fields (such as passwords) from being recorded. IP addresses are anonymized.

3. How We Use Your Data and Legal Basis

We process your data based on the following legal grounds under the GDPR:

• To Provide the Service (Performance of a Contract): We use your Account Information and User-Generated Content to operate and maintain the App as described in our Pilot Terms.
• To Improve Our Service (Legitimate Interests): We analyze aggregated and anonymized Usage Data to understand how the App is used, identify areas for improvement, and fix bugs. During the pilot period, we collect session recordings based on our legitimate interest in improving the product and user experience. You have the right to object to this processing.
• To Communicate With You (Legitimate Interests): We may use your email address to send important service updates or request feedback related to the pilot program.

We do not sell your personal data or share it with third parties for their marketing purposes.

4. Data Storage, Security, and Sub-processors

Your data is stored securely in the European Union. We have implemented technical and organizational measures to protect your information.

• Data Location: All data is stored on Google Cloud servers located in the EU region. Google acts as our data sub-processor.
• Session Recording Provider: Session recordings are processed by PostHog, Inc., a product analytics platform. We use PostHog's EU Cloud hosting option to ensure all session replay data remains in the European Union. PostHog acts as our data sub-processor and has entered into a Data Processing Agreement (DPA) with us. For more information about PostHog's data practices, visit posthog.com/privacy.
• Security: We use industry-standard security measures, including encryption in transit (TLS/SSL) and at rest, to protect your data. Access to personal data is strictly limited to authorized personnel. Session recordings automatically mask password fields and other sensitive inputs.

5. Data Retention

We retain your personal data only for as long as necessary for the pilot program:

• Account Data: All personal data associated with your pilot account will be deleted within 90 days after the conclusion of the pilot period, unless you request earlier deletion.
• Session Recordings: Session replay data will be retained for the duration of the 3-week pilot period plus 30 days for analysis, after which it will be permanently deleted (maximum 60 days total).
• Anonymized Data: We may retain anonymized usage data for statistical purposes.

6. Your Rights Under GDPR

As a user in the EU, you have the following rights regarding your personal data:

• Right of Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can request that we correct any inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): You can request the deletion of your personal data, including session recordings.
• Right to Restrict Processing: You can request that we limit the processing of your data under certain conditions.
• Right to Data Portability: You can request to receive your data in a structured, commonly used, and machine-readable format.
• Right to Object: You can object to our processing of your data, including session recordings, under certain conditions. If you object to session recordings, we will stop collecting this data for your account.

To exercise any of these rights, please contact us at privacy@pharmatext.ai. You also have the right to lodge a complaint with a supervisory authority, in particular the French authority, the CNIL (Commission Nationale de l'Informatique et des Libertés).

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies for the following purposes:

• Essential Cookies: Required for authentication and to keep you logged in. These cannot be disabled as they are necessary for the App to function.
• Analytics Cookies (PostHog): During the pilot period, PostHog uses cookies to enable session recordings and track your usage of the App. These cookies help us understand user behavior and improve the product. The main cookie used is called "ph_phc_[project_id]_posthog" and includes a unique user identifier linked to your email address.

You can disable analytics cookies by adjusting your browser settings, though this may affect our ability to improve the App based on your usage patterns.

8. Changes to This Privacy Policy

We may update this policy as our App evolves. Any changes will be posted on this page with a new "Last updated" date. We encourage you to review it periodically.