1. Introduction
Compass is a political intelligence platform operated by CL Corporate Affairs Consulting E.I., headquartered in Paris, France (SIREN: 902 992 189), with a representation office in Brussels, Belgium. This Privacy Policy explains how we collect, use and protect personal data within the Compass platform, in compliance with Regulation (EU) 2016/679 (the “GDPR”) and the French Loi Informatique et Libertés.
2. Data controller
CL Corporate Affairs Consulting E.I.
1 avenue de l’Observatoire, 75006 Paris, France
Avenue de Tervueren 103, B-1040 Brussels, Belgium
Contact: cl.eu.com/contact
3. Roles and responsibilities under the GDPR
The allocation of data protection roles within Compass depends on the specific context of use, assessed on a case-by-case basis in accordance with Articles 4(7), 4(8), 26 and 28 of the GDPR. The determining factor is which party decides the purposes and essential means of each processing operation — not the contractual label alone.
When CL uses Compass for its own consulting activity, CL Corporate Affairs Consulting acts as sole data controller for all data processed within the platform, including reference data, stakeholder mapping, position analysis and engagement records.
When a third-party user accesses Compass in the context of their own public affairs activities, the respective roles are determined by the nature of the mission and the degree of autonomy of each party:
- If the user defines the strategy, selects the stakeholders, determines the data to be collected and controls the outputs, the user acts as data controller and CL Corporate Affairs Consulting acts as data processor (Article 4(8) GDPR), providing the technical infrastructure and processing data only on behalf of and under the instructions of the user.
- If CL Corporate Affairs Consulting and the user jointly determine the objectives and essential means of processing (e.g. CL Corporate Affairs Consulting designs the mapping methodology, selects data sources and defines scoring criteria while the user sets the strategic objectives), both parties may be considered joint controllers (Article 26 GDPR). In that case, the respective obligations are defined in the engagement agreement.
In all cases, CL Corporate Affairs Consulting is committed to implementing appropriate technical and organisational measures to ensure the security and confidentiality of personal data, in compliance with the GDPR. Where CL Corporate Affairs Consulting acts as data processor, the Terms and Conditions of the platform govern the obligations of each party in accordance with Article 28 GDPR.
4. Categories of data processed
Compass processes three distinct categories of personal data, each with its own regime:
- Reference data — institutional and organisational information sourced from official, publicly accessible databases of the European Union (European Parliament, Council of the EU, European Commission, EU Transparency Register). This includes names, functions, mandates, committee memberships, political group affiliations, nationality and official contact details of public figures acting in their institutional capacity. CL Corporate Affairs Consulting is responsible for the collection and periodic updating of this data.
- Stakeholder mapping and position data — publicly available information aggregated by the user, with optional AI assistance: publicly declared positions, published statements, votes, press releases, public social media posts (from accounts explicitly validated by the user). The user selects the stakeholders to track, validates each position attributed, and determines how this data is used in the context of their professional activity.
- Internal notes and engagement records — free-text content entered exclusively by the user: meeting reports, phone call notes, follow-up actions, informal observations, personal assessments. This content is drafted by the user alone, accessible only to the user who created it, and is not accessed, moderated, analysed or exploited by CL Corporate Affairs Consulting in any way. The user is solely responsible for the content, accuracy and lawfulness of these notes, in the same way as for any private professional record.
User account data (name, email address, company, phone number if provided, hashed login credentials) is also processed for the purpose of providing access to the platform.
Browsing data: a single session cookie (HTTP-only, strictly functional, no tracking) is used for authentication.
5. Legal basis and purposes
The processing of personal data within Compass is based on the following legal grounds:
- Legitimate interest (Article 6(1)(f) GDPR): the core purpose of Compass is to support public affairs professionals in understanding the positions, expectations and scope of influence of political stakeholders. This includes stakeholder mapping, position tracking and engagement management — activities recognised as core professional functions of public affairs practitioners. The data processed is limited to information that is publicly available or directly relevant to the professional relationship between the user and the stakeholder.
- Performance of a contract (Article 6(1)(b) GDPR): user account data is processed to provide access to the platform and deliver the agreed service.
- Legal obligation (Article 6(1)(c) GDPR): where applicable, compliance with transparency obligations (EU Transparency Register, HATVP declarations under French law).
6. Legitimate interest assessment
In accordance with Article 6(1)(f) of the GDPR, the reliance on legitimate interest as a legal basis for the processing of stakeholder data has been assessed as follows:
- Legitimacy of the interest: monitoring legislative processes, mapping stakeholder positions and managing institutional engagement are lawful and well-established professional activities in the field of public affairs and institutional representation. These activities serve the legitimate interest of the data controller in carrying out its professional activity effectively.
- Necessity: the processing is necessary to achieve these objectives. Understanding who the relevant decision-makers are, what positions they hold and how the legislative balance of power evolves cannot be achieved without processing personal data relating to these public figures.
- Balancing of interests: the data processed relates overwhelmingly to individuals acting in their official public capacity (elected representatives, senior civil servants, registered lobbyists). These persons have a reduced expectation of privacy with respect to their institutional activities, which are by nature public. The data is sourced from official institutional databases or from statements the data subjects have themselves made public. The processing does not involve profiling for commercial purposes, does not seek to predict private behaviour, does not target vulnerable individuals, and is limited to what is necessary for legitimate public affairs activities. The data subjects retain at all times their right to object under Article 21 GDPR.
7. Publicly available data and special categories
A significant portion of the personal data processed in Compass relates to public figures acting in their official capacity (Members of the European Parliament, Commissioners, Council officials, registered interest representatives). This data is sourced from official, publicly accessible institutional databases:
- European Parliament website, Legislative Observatory (OEIL) and EU Who is Who directory
- EU Transparency Register and LobbyFacts.eu
- Council of the EU public registers
- European Commission organigrammes and press corner
- Public social media accounts (X/Twitter, LinkedIn) — only accounts explicitly validated by the user
Where the data processed includes information that may reveal political opinions within the meaning of Article 9(1) GDPR (e.g. recorded votes, publicly declared positions on legislative files, political group affiliation), such processing is permitted under Article 9(2)(e) GDPR, as it relates exclusively to personal data which the data subject has manifestly made public through official institutional channels, parliamentary votes, public statements or voluntary publications on public social media accounts. This exception is applied strictly to data that is already in the public domain by virtue of the data subject’s own actions in their official capacity.
8. AI services
Compass includes an AI layer that supports analytical tasks such as position classification, stakeholder analysis and strategic briefings. The platform is designed around a firm principle: the user always chooses which AI provider is used, if any. No AI service is ever activated without the user’s explicit selection, and the user may at any time switch back to a configuration where no AI is involved at all.
CL Corporate Affairs Consulting has adopted a deliberate policy of giving priority to European AI providers and to on-premise processing, in line with European digital sovereignty principles. The platform’s AI configuration is as follows:
- Local AI — Mistral models, served via Ollama (active): Compass uses Mistral models (developed by Mistral AI, a company incorporated in France), run through the Ollama runtime on the Compass server hosted within the European Union. In this configuration, no data leaves the European infrastructure under the control of CL Corporate Affairs Consulting. No third party is involved. This is the AI setup in use today and will remain available to users at all times, including if any external provider is added in the future.
- Possible additions — OpenAI (ChatGPT) and Anthropic Claude: integration of external cloud AI providers such as OpenAI (operated via OpenAI Ireland Limited for EEA-based customers, with processing infrastructure in the United States) or Anthropic Claude (operated by Anthropic, United States) is under consideration but not yet decided. Either, both or neither may be added later. If and when one of these options is introduced, it will appear in the platform settings as an explicit alternative to the local option; activation will require a deliberate user choice, and the provisions below on sub-processing, international transfers and safeguards will then become applicable to that provider.
No AI provider is ever imposed on the user. Users who wish that no data leave the European Union may continue indefinitely with the local option (Mistral + Ollama), which processes all data on the Compass server within the EU, with zero external transfer. The availability of future external providers does not restrict or reduce this option in any way.
Conditional provisions — applicable only when an external AI provider is activated. The following provisions on sub-processing, international transfers and safeguards apply only when, and for as long as, an external AI service (such as OpenAI or Anthropic Claude, should these be added and activated) is explicitly selected by the user. They do not apply to the local Mistral + Ollama configuration, which involves no external transfer and no third-party processor.
Role in the processing chain. Where CL Corporate Affairs Consulting acts as a data processor on behalf of a user, any external AI provider enabled through the platform is intended to act as a sub-processor within the meaning of Article 28(4) GDPR, subject to the applicable contractual documentation and technical configuration. Data flows from the Compass platform to the AI provider’s API for the sole purpose of generating analytical outputs (position classification, strategic briefings, stakeholder analysis). The commercial API terms of reputable providers (including OpenAI and Anthropic) contractually prohibit the use of customer data for model training. Their commercial API documentation generally provides for a controller/processor allocation, together with commitments relating to security, confidentiality, sub-processor management and deletion, subject to the applicable service terms.
International data transfers. The activation of an external AI service operated from outside the European Economic Area may result in the transfer of personal data to a third country, which constitutes a transfer under Chapter V of the GDPR. The following safeguards would apply:
- Standard Contractual Clauses (SCCs): reputable US-based AI providers (including OpenAI and Anthropic) incorporate the EU Standard Contractual Clauses (Module 2: controller to processor), adopted by Commission Implementing Decision (EU) 2021/914, into their commercial API terms. These SCCs are automatically incorporated upon acceptance of the provider’s terms of service and provide the legal framework for transfers under Article 46(2)(c) GDPR.
- EU-US Data Privacy Framework: where applicable, transfers may additionally rely on the adequacy decision adopted by the European Commission on 10 July 2023 under Article 45 GDPR for certified US organisations participating in the EU-US Data Privacy Framework. Users should verify the current certification status of their chosen provider.
- Complementary safeguards: reputable providers implement technical and organisational measures including encryption in transit and at rest, and access controls. According to the providers’ commercial documentation applicable at the time of use, data retention is limited and governed by the provider’s contractual terms; users should review the current documentation before activation. Major providers typically hold ISO 27001 certifications and undergo regular third-party security audits.
User responsibility. CL Corporate Affairs Consulting does not act as a party to the contractual relationship between the user and any external AI provider. A user who activates an external AI service is responsible for reviewing the provider’s DPA, assessing the adequacy of transfer safeguards in light of their own obligations, and where appropriate, conducting a transfer impact assessment. Users who require that no data leave the European Union should stay on the local AI option (Mistral + Ollama), which processes all data on-premises with zero external transfer.
The commercial documentation of Mistral AI, and of the providers envisaged as possible future additions, is available at:
- Mistral AI (EU): Terms & Policies
- OpenAI: Privacy Policy · Data Processing Addendum · Business Terms
- Anthropic: Privacy Policy · Privacy Center · Commercial Terms (incorporating DPA with SCCs)
9. Data security and hosting
All data processed by Compass is stored on a private, dedicated server located within the European Union, under the physical control of CL Corporate Affairs Consulting. The platform implements the following security measures:
- Authentication by email and password, with passwords hashed using PBKDF2-HMAC-SHA256 (600,000 iterations, in line with current OWASP recommendations) and a unique salt per user;
- Sessions managed via HTTP-only, SameSite=Strict secure cookies;
- Per-session CSRF tokens, verified on every state-changing request;
- Automatic account lockout after 5 failed login attempts (15-minute cooldown), and IP-level rate limiting (30-minute block after repeated failures from the same source);
- HTTPS encryption in transit (TLS via Let’s Encrypt certificate);
- Defence-in-depth HTTP response headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy);
- Persistent audit log of authentication events, privileged actions and security-relevant failures;
- No indexing of the authenticated area by search engines: only the public-facing pages (home page, Privacy Policy, Terms & Conditions) are indexable; every other path (dashboards, account management, administrative interfaces, API endpoints) is explicitly blocked via robots.txt and noindex directives;
- No data stored on third-party cloud services. The AI layer runs locally on the Compass server (Mistral via Ollama), with no external transfer. Should external AI services be added in the future and explicitly activated by a user (see section 8), data may at that point be transmitted to the provider’s API for processing; any retention by such a provider would be governed by the provider’s own contractual terms and would be outside the direct control of CL Corporate Affairs Consulting.
Emails related to account management (password creation, reset, change notifications) are sent via SMTP with TLS encryption.
9.1 Optional end-to-end encryption
In addition to the baseline security measures above, Compass offers an optional end-to-end encryption mode that users may activate at any time in Manage my account. This feature is not enabled by default; it is an explicit opt-in, intended for users who handle particularly sensitive material and who wish to add a technical guarantee on top of CL’s contractual commitments.
When end-to-end encryption is enabled on an account, the following data is encrypted in the user’s browser before being stored on the server: the list of dossiers the user tracks, personal notes, stakeholder mapping, attributed positions, private comments, priorities, watch keywords (in Secure Search mode), topic names, user-authored biographies and profile notes, engagement log entries (meeting records, takeaways, signals), the user’s personal radar cache, and any other content authored personally by the user. The scope of encryption is deliberately broad and aims to prevent profiling of the user’s activity by any observer of the server.
The following categories remain unencrypted, by design: public reference data shared across all users (Members of the European Parliament, Commissioners, Commission staff, Council staff, Transparency Register organisations, institutional calendar events, all sourced from official EU databases); account information required for authentication and notifications (first name, last name, email, phone number, organisation); technical identifiers required for SQL joins (primary keys, foreign keys, user identifiers); audit timestamps (creation, modification, login times); and cryptographic lookup hashes (irreversible SHA-256 digests of watch keywords in Secure Search mode, used for server-side matching without revealing the keyword). These categories are either already public by nature, or necessary to the technical operation of the service.
Technical design. The scheme is zero-knowledge: the encryption key never leaves the user’s device and is not stored on the server in any form. More specifically:
- Key derivation: a symmetric key is derived in the browser from the user’s login password using PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte random salt generated at activation. The salt is stored server-side (it is not secret); the password and the derived key are not.
- Authenticated encryption: fields are encrypted with AES-256-GCM, a 96-bit nonce drawn from a cryptographically secure random source for each write, and an authentication tag verified on read.
- Storage format: encrypted payloads are stored as base64url-encoded strings prefixed with a short version tag, so the server can distinguish encrypted from plaintext fields without ever being able to decrypt them.
- Browser requirements: the feature uses the standard Web Crypto API available in all modern browsers over HTTPS. It does not depend on any external service.
Consequences of the design. Because the key is derived from the user’s password and never leaves their browser, CL Corporate Affairs Consulting and its administrators cannot, by construction, read the encrypted fields of an account that has end-to-end encryption turned on. This property is enforced technically, not merely contractually.
The same property implies that password recovery destroys access to encrypted data. If a user resets a forgotten password via the Forgot password flow, the old key is unrecoverable, and the existing encrypted fields become permanently unreadable. This trade-off is made explicit at activation and is the reason the feature is opt-in. Users who activate end-to-end encryption are strongly encouraged to store their password in a password manager.
The normal Change password flow (which requires the current password) does not cause any loss of access, since the previous key can be recovered from the current password before the change.
Fields that are not encrypted remain technically accessible to CL operators. In the absence of end-to-end encryption, this includes the content of notes, stakeholder mapping, attributed positions, private comments and all other user-authored content. The non-consultation of these fields by CL Corporate Affairs Consulting is governed exclusively by the contractual commitment set out in section 11 of the Terms and Conditions and is not, in the absence of end-to-end encryption, enforced by a technical impossibility.
Even when end-to-end encryption is activated, certain operational metadata remain technically visible to CL operators, as an unavoidable consequence of running a web service. These metadata do not allow reconstruction of encrypted content, but may allow inference of certain usage characteristics:
- Approximate data volume — the number of encrypted rows stored in each of the user’s personal tables is visible to the server (for instance, that a user has 47 tracked dossiers or 312 engagement log entries), without the content itself being readable;
- Activity timestamps — logins, writes and reads are timestamped for audit purposes;
- IP address — required by the TCP/IP protocol, allowing inference of approximate geographic location;
- Correlated activity patterns — if multiple users modify related records at similar times, a collaborative relationship may be inferred.
These structural metadata fall within the same contractual non-consultation commitment as any other non-encrypted data (section 11 of the Terms and Conditions). CL Corporate Affairs Consulting commits not to exploit them for any purpose other than the technical supervision of the service (security monitoring, debugging, capacity planning).
Conversely, fields that have been encrypted with end-to-end encryption cannot be read by anyone other than the user, including CL Corporate Affairs Consulting itself. This is a property of the cryptographic design, not a contractual promise: the decryption key is derived from the user’s password inside their own browser and never leaves the user’s device. CL does not hold the key, cannot reconstruct it, and cannot be compelled to produce the clear-text content of encrypted fields — neither in response to a legal order, nor in the course of a security investigation, nor at the request of a third party who would gain access to the servers. This limitation applies equally to CL itself and is accepted as a deliberate consequence of the zero-knowledge design.
10. Data retention
- User account data: retained for the duration of the account. Deleted upon account deletion or upon request.
- Reference data (institutional, sourced from official EU databases): updated periodically, retained for as long as the platform is in operation. Outdated entries are overwritten on refresh.
- Stakeholder mapping and position data: retained for the duration of the mission or project, plus 1 year in the active database. May be archived for up to 6 years for administrative and evidentiary purposes, in line with standard professional retention periods for consulting engagements under French commercial law.
- Internal notes and engagement logs: retained for the duration of the mission, then archived for up to 6 years. The user may delete their own notes at any time.
11. Recipients of data
Personal data processed within Compass is accessible only to authorised users of the platform. Each user accesses only the data relevant to their own activity. Internal notes and engagement records are visible only to the user who created them.
No data is shared with third parties, except:
- Where required by law (judicial, police or administrative authorities);
- With a client of CL Corporate Affairs Consulting, where data sharing is strictly necessary for the execution of a consulting engagement and contractually defined;
- With external AI service providers, if and when such providers are added to the platform and explicitly activated by the user (see section 8). As of the date of this Privacy Policy, the only AI provider in use is the local Mistral + Ollama setup, which runs on the Compass server within the European Union — no data is transmitted to any third-party AI service.
12. Your rights
The GDPR grants specific rights to individuals whose personal data is processed. Within Compass, these rights apply differently depending on the category of person concerned:
Platform users (account holders) may at any time:
- Access their account data and obtain information about its processing;
- Rectify inaccurate or incomplete account data;
- Delete their account and all associated data;
- Change their password from the dashboard;
- Export their data where applicable (data portability).
Persons referenced as stakeholders (public figures, institutional actors) whose publicly available data is processed in Compass may:
- Access data held about them and obtain information about the purposes of processing;
- Rectify inaccurate data;
- Object to processing based on legitimate interest (Article 21 GDPR), in which case the data controller will assess whether compelling legitimate grounds override the objection;
- Request erasure of their data, subject to any overriding legitimate interest or legal obligation.
Who to contact: requests relating to user account data should be addressed to CL Corporate Affairs Consulting. Where a third-party user acts as data controller for stakeholder data they have entered, requests from stakeholders relating to that data should be directed to the relevant user (data controller). CL Corporate Affairs Consulting will assist in routing such requests where appropriate.
To exercise any of these rights, please contact us via our contact form. You may also lodge a complaint with the CNIL (cnil.fr) or any competent supervisory authority.
13. Cookies
Compass uses a single functional session cookie (HTTP-only, SameSite=Strict) required for authentication. This cookie does not collect any personal data beyond the session identifier, does not track users across websites, and expires after 7 days. No tracking, profiling or advertising cookies are used. No audience measurement tool is deployed on the Compass platform.
14. Changes to this policy
This policy may be updated to reflect changes in the platform’s features, applicable legislation or regulatory guidance. Changes will be published on this page with an updated date. Where changes materially affect the processing of personal data, users will be notified upon their next login.