Data protection
Last updated: March 2026
This is a courtesy English translation. In the event of any discrepancy between this version and the French version, the French version prevails and is legally binding.
This privacy policy describes how DAO Partners SAS collects, processes and protects the personal data of users of its website and its clients, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and French Law No. 78-17 of 6 January 1978 as amended (the French Data Protection Act).
DAO Partners SAS
Société par actions simplifiée (French simplified joint-stock company) with share capital of €15,500
Registered office: 19 avenue Foch, 57000 Metz, France
SIREN: 921 275 244 — SIRET: 921 275 244 00025
Trade and Companies Register: Metz 921 275 244
Represented by its President, Dahbia Benslimane
Data controller contact:
Email: contact@dao-partners.com
Postal address: DAO Partners SAS, 19 avenue Foch, 57000 Metz, France
The website www.dao-partners.com contains no data-collection form, no client portal and no registration system. Personal data potentially collected via the website is limited to data voluntarily transmitted by the user by email to contact@dao-partners.com.
This data may include: first name, last name, email address, telephone number, company name, job title, and any information the user chooses to communicate in their message.
In the performance of an engagement letter, DAO Partners SAS may collect and process the following categories of data:
— Client and representative identification data: first name, last name, job title, email, phone;
— Professional data: company name, SIRET, registered office, banking details for invoicing;
— Data relating to real estate assets: addresses of properties, operating data (revenues, costs, occupancy rates), data from management systems (PMS, channel manager);
— Correspondence data: email exchanges, meeting minutes, documents shared in the course of the engagement.
DAO Partners SAS does not collect any sensitive data within the meaning of article 9 of the GDPR (health data, political opinions, religious beliefs, biometric data, sexual orientation, racial or ethnic origin). No data relating to tenants or occupants of the Client's properties is collected or processed by the Firm.
| Purpose of processing | Legal basis (art. 6 GDPR) | Data concerned |
|---|---|---|
| Responding to contact and qualification requests | Legitimate interest of the controller (art. 6.1.f) | Name, email, phone, company, message |
| Negotiation and conclusion of an engagement letter | Pre-contractual measures (art. 6.1.b) | Identification data, professional data |
| Performance of the engagement (analysis, modelling, prescription) | Performance of the contract (art. 6.1.b) | Identification data, professional data, asset data |
| Invoicing and payment tracking | Performance of the contract (art. 6.1.b) and legal obligation (art. 6.1.c) | Identification data, banking details, invoicing data |
| Compliance with legal, tax and accounting obligations | Legal obligation (art. 6.1.c) | Invoices, accounting records, contractual correspondence |
| Management of the commercial relationship and post-engagement follow-up | Legitimate interest (art. 6.1.f) | Name, email, company, engagement history |
Personal data is accessible exclusively to authorised personnel at DAO Partners SAS who need access in the course of their duties: firm leadership, consultants assigned to the engagement.
DAO Partners SAS may use sub-processors for the operation of its services. These sub-processors act only on instructions from the controller and are contractually bound to ensure the security and confidentiality of the data, in accordance with article 28 of the GDPR.
Current sub-processors are:
— Netlify, Inc. (website hosting) — 512 2nd Street, Suite 200, San Francisco, CA 94107, United States;
— Google LLC (Google Workspace professional email, where applicable) — 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
DAO Partners SAS does not sell, rent or transfer any personal data to third parties for commercial, advertising or promotional purposes.
Certain sub-processors listed in article 4.2 are established in the United States. These transfers are governed by:
— the EU-US Data Privacy Framework (DPF), where the sub-processor is certified;
— the Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with article 46.2.c of the GDPR, where the DPF does not apply.
You may obtain a copy of the safeguards in place by writing to contact@dao-partners.com.
| Category of data | Retention period | Legal basis |
|---|---|---|
| Contact requests (non-converted prospects) | 3 years from last contact | CNIL recommendation, deliberation No. 2016-264 |
| Contractual data (clients) | Duration of contract + 5 years | French statutory limitation (art. 2224 Civil Code) |
| Invoices and accounting records | 10 years from the end of the financial year | Article L.123-22 of the French Commercial Code |
| Data relating to the Client's real estate assets | Returned or destroyed at the end of the engagement, unless otherwise requested | Engagement letter and Terms |
| Professional correspondence | Duration of contract + 5 years | French statutory limitation |
On expiry of the retention periods, data is securely deleted or irreversibly anonymised.
In accordance with articles 15 to 22 of the GDPR and articles 48 to 56 of the French Data Protection Act, any person whose data is processed by DAO Partners SAS has the following rights:
You have the right to obtain confirmation as to whether or not your personal data is being processed and, where it is, access to that data together with information about the processing (purposes, categories of data, recipients, retention period).
You have the right to obtain the rectification of inaccurate personal data or the completion of incomplete data.
You have the right to obtain the erasure of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw your consent and there is no other legal basis for the processing; you exercise your right to object and there is no overriding legitimate ground for the processing; the data has been unlawfully processed. This right does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
You have the right to obtain the restriction of processing where: you contest the accuracy of the data (for the duration of verification); the processing is unlawful but you prefer restriction to erasure; DAO Partners SAS no longer needs the data but you need it for legal claims; you have objected to processing (pending verification of legitimate grounds).
You have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller, where processing is based on consent or on a contract and carried out by automated means.
You have the right to object at any time, on grounds relating to your particular situation, to processing based on the legitimate interest of DAO Partners SAS. The Firm shall cease processing unless it demonstrates compelling legitimate grounds overriding your interests, rights and freedoms.
In accordance with article 85 of the French Data Protection Act, you may define directives regarding the retention, erasure and communication of your personal data after your death.
You may exercise these rights by sending your request:
— by email: contact@dao-partners.com;
— by postal mail: DAO Partners SAS, 19 avenue Foch, 57000 Metz, France.
Any request must be accompanied by a valid identity document. DAO Partners SAS undertakes to respond within one (1) month of receipt. This period may be extended by two (2) months for complex requests or a high volume of requests, in accordance with article 12.3 of the GDPR. You will be informed within the month following receipt of your request.
If you consider that the processing of your personal data constitutes a breach of the GDPR or of the French Data Protection Act, you have the right to lodge a complaint with the French Data Protection Authority (CNIL):
CNIL — Commission Nationale de l'Informatique et des Libertés
3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Tel.: +33 (0)1 53 73 22 22
Website: www.cnil.fr
The website www.dao-partners.com uses no advertising cookies, no analytics cookies and no third-party audience-measurement tools. No tracker within the meaning of article 82 of the French Data Protection Act is placed on the user's device.
The host Netlify may place cookies strictly necessary for the technical operation of the site (session management, security, load balancing). These cookies are exempt from consent under article 82 of the French Data Protection Act and the CNIL guidelines of 1 October 2020.
Should cookies subject to consent be installed in the future, this policy will be updated and a consent-management banner will be implemented in accordance with CNIL recommendations.
DAO Partners SAS implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorised access, in accordance with article 32 of the GDPR. These measures include:
— encryption of communications via the HTTPS protocol (TLS/SSL certificate);
— hosting of the site on a secure infrastructure (Netlify) with automatically renewed Let's Encrypt certificate;
— access to data restricted to authorised personnel, on a need-to-know basis;
— use of strong passwords and, where applicable, two-factor authentication for access to management tools;
— secure deletion of data on expiry of retention periods.
In accordance with article 28 of the GDPR, DAO Partners SAS ensures that its sub-processors provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures. Relationships with sub-processors are formalised by a contract or terms of service including the mandatory clauses of article 28.3 of the GDPR, notably:
— processing of data only on documented instructions from the controller;
— confidentiality obligation binding authorised personnel;
— implementation of appropriate security measures;
— assistance to the controller in responding to requests from data subjects;
— deletion or return of data at the end of the service.
The website www.dao-partners.com and the services of DAO Partners SAS are addressed exclusively to professionals. The Firm does not knowingly collect personal data from minors. Should DAO Partners SAS become aware that it has collected data from a minor, such data will be immediately deleted.
DAO Partners SAS reserves the right to modify this privacy policy at any time. Any substantial modification will be indicated by updating the "Last updated" date at the top of this document. The version in force is the one accessible on the website at the date of consultation.
We recommend consulting this page regularly to stay informed of any modifications.
This privacy policy is governed by French law and European Union law, in particular Regulation (EU) 2016/679 of 27 April 2016 (GDPR). In the event of any dispute relating to its interpretation or enforcement, the courts of Metz shall have jurisdiction, without prejudice to the right of any data subject to lodge a complaint with the CNIL or to bring proceedings before the courts of their habitual residence.