1. Introduction
Compass is a political intelligence platform operated by CL Corporate Affairs Consulting E.I. (hereinafter “CL” or “CL Corporate Affairs Consulting”, used interchangeably throughout this document), headquartered at 1 avenue de l’Observatoire, 75006 Paris, France (SIREN: 902 992 189), with a representation office at Avenue de Tervueren 103, B-1040 Brussels, Belgium. This Privacy Policy explains how we collect, use and protect personal data within the Compass platform, in compliance with Regulation (EU) 2016/679 (the “GDPR”) and the French Loi Informatique et Libertés.
Compass is built and operated by a working public affairs consultancy, and may be made available to fellow practitioners, in-house public affairs teams, trade associations, NGOs and other organisations whose activity overlaps with our own field of practice. This particular context shapes the way we have designed the platform: while CL upholds, as a foundational professional duty, a strict commitment to refusing any conflict of interest (see also section 3 of the Terms and Conditions), we believe that this contractual and ethical commitment must be matched by technical and organisational guarantees giving each user real, demonstrable control over their own data. The provisions that follow — in particular the optional end-to-end encryption (section 10.1) and our deliberate AI policy (section 9) — are the practical expression of that conviction. They are not generic compliance statements: they reflect a positioning choice that we consider inseparable from the kind of platform a public affairs consultancy can responsibly offer to its peers.
2. Data controller
CL Corporate Affairs Consulting E.I.
1 avenue de l’Observatoire, 75006 Paris, France
Avenue de Tervueren 103, B-1040 Brussels, Belgium
Contact: cl.eu.com/contact
3. Roles and responsibilities under the GDPR
The allocation of data protection roles within Compass depends on the specific context of use, assessed on a case-by-case basis in accordance with Articles 4(7), 4(8), 26 and 28 of the GDPR. The determining factor is which party decides the purposes and essential means of each processing operation — not the contractual label alone.
When CL uses Compass for its own consulting activity, CL Corporate Affairs Consulting acts as sole data controller for all data processed within the platform, including reference data, stakeholder mapping, position analysis and engagement records.
When a third-party user accesses Compass in the context of their own public affairs activities, the respective roles are determined by the nature of the mission and the degree of autonomy of each party:
- If the user defines the strategy, selects the stakeholders, determines the data to be collected and controls the outputs, the user acts as data controller and CL Corporate Affairs Consulting acts as data processor (Article 4(8) GDPR), providing the technical infrastructure and processing data only on behalf of and under the instructions of the user.
- If CL Corporate Affairs Consulting and the user jointly determine the objectives and essential means of processing (e.g. CL Corporate Affairs Consulting designs the mapping methodology, selects data sources and defines scoring criteria while the user sets the strategic objectives), both parties may be considered joint controllers (Article 26 GDPR). In that case, the respective obligations are defined in the engagement agreement.
In all cases, CL Corporate Affairs Consulting is committed to implementing appropriate technical and organisational measures to ensure the security and confidentiality of personal data, in compliance with the GDPR. Where CL Corporate Affairs Consulting acts as data processor, the Terms and Conditions of the platform govern the obligations of each party in accordance with Article 28 GDPR.
3.1 Specific case — CL-designed analytical methodologies
The roles described in section 3 distinguish who decides what within a given processing operation. Within that framework, one nuance deserves to be stated explicitly: Compass embeds a number of analytical methodologies designed by CL Corporate Affairs Consulting — in particular the influence weighting applied to stakeholders, the urgency scoring that flags time-sensitive engagement, the activate-target detection that surfaces priority contacts, and the predictive estimation of legislative timelines derived from past procedural patterns. The user controls who is added to the platform, what data is entered, and the strategic purpose pursued; CL is the author of the methodology that turns that user-controlled data into a score, a ranking or an estimate.
Under the GDPR, the determination of essential means of processing is one of the criteria that distinguishes a controller from a processor (Article 4(7) GDPR; EDPB Guidelines 07/2020 on the concepts of controller and processor, §38 onward). Because the weighting and ranking methodologies embedded in Compass shape how a user’s data is analysed and presented, CL Corporate Affairs Consulting acknowledges that, for these specific analytical operations, it retains a share of responsibility for the methodological design — alongside the user, who remains the controller for the underlying data, the choice of data subjects and the strategic purpose pursued. This is consistent with the case-law of the Court of Justice of the EU, which has held that joint controllership can arise for specific phases of a processing operation (judgments C-210/16 Wirtschaftsakademie and C-40/17 Fashion ID).
Concretely, the user remains free to disagree with a score, to override it manually, and to use Compass without relying on the suggested weighting — positions and influence values can always be set or overridden by hand. CL describes the high-level logic of each scoring methodology in the platform’s in-product help, documents methodology changes in transparent release notes, and stands by the methodology it designs. That residual methodological responsibility does not extend to the user’s overall mapping work: for the data entered, the subjects selected and the purpose pursued, the user remains the controller.
4. Categories of data processed
Compass processes three distinct categories of personal data, each with its own regime:
- Reference data — institutional and organisational information sourced from official, publicly accessible databases of the European Union (European Parliament, Council of the EU, European Commission, EU Transparency Register). This includes names, functions, mandates, committee memberships, political group affiliations, nationality and official contact details of public figures acting in their institutional capacity. CL Corporate Affairs Consulting is responsible for the collection and periodic updating of this data.
- Stakeholder mapping and position data — publicly available information aggregated by the user, with optional AI assistance: publicly declared positions, published statements, votes, press releases, public social media posts (from accounts explicitly validated by the user). The user selects the stakeholders to track, validates each position attributed, and determines how this data is used in the context of their professional activity.
- Internal notes and engagement records — free-text content entered exclusively by the user: meeting reports, phone call notes, follow-up actions, informal observations, personal assessments. This content is drafted by the user alone and is accessible only to the user who created it; CL Corporate Affairs Consulting does not access, moderate, analyse or exploit it in any way. That non-consultation is a contractual commitment by default and becomes a technical impossibility when the optional end-to-end encryption described in section 10.1 is enabled. The user is solely responsible for the content, accuracy and lawfulness of these notes, in the same way as for any private professional record.
User account data (name, email address, company, phone number if provided, hashed login credentials) is also processed for the purpose of providing access to the platform.
Browsing data: a single session cookie (HTTP-only, strictly functional, no tracking) is used for authentication.
5. Legal basis and purposes
The processing of personal data within Compass is based on the following legal grounds:
- Legitimate interest (Article 6(1)(f) GDPR): the core purpose of Compass is to support public affairs professionals in understanding the positions, expectations and scope of influence of political stakeholders. This includes stakeholder mapping, position tracking and engagement management — activities recognised as core professional functions of public affairs practitioners. The data processed is limited to information that is publicly available or directly relevant to the professional relationship between the user and the stakeholder.
- Performance of a contract (Article 6(1)(b) GDPR): user account data is processed to provide access to the platform and deliver the agreed service.
- Legal obligation (Article 6(1)(c) GDPR): where applicable, compliance with transparency obligations (EU Transparency Register, HATVP declarations under French law).
6. Legitimate interest assessment
In accordance with Article 6(1)(f) of the GDPR, the reliance on legitimate interest as a legal basis for the processing of stakeholder data has been assessed as follows:
- Legitimacy of the interest: monitoring legislative processes, mapping stakeholder positions and managing institutional engagement are lawful and well-established professional activities in the field of public affairs and institutional representation. These activities serve the legitimate interest of the data controller in carrying out its professional activity effectively.
- Necessity: the processing is necessary to achieve these objectives. Understanding who the relevant decision-makers are, what positions they hold and how the legislative balance of power evolves cannot be achieved without processing personal data relating to these public figures.
- Balancing of interests: the data processed relates overwhelmingly to individuals acting in their official public capacity (elected representatives, senior civil servants, registered lobbyists). These persons have a reduced expectation of privacy with respect to their institutional activities, which are by nature public. The data is sourced from official institutional databases or from statements the data subjects have themselves made public. The processing does not involve profiling for commercial purposes, does not seek to predict private behaviour, does not target vulnerable individuals, and is limited to what is necessary for legitimate public affairs activities. The data subjects retain at all times their right to object under Article 21 GDPR.
7. Publicly available data and special categories
A significant portion of the personal data processed in Compass relates to public figures acting in their official capacity (Members of the European Parliament, Commissioners, Council officials, registered interest representatives). This data is sourced from official, publicly accessible institutional databases:
- European Parliament website, Legislative Observatory (OEIL) and EU Who is Who directory
- EU Transparency Register and LobbyFacts.eu
- Council of the EU public registers
- European Commission organigrammes and press corner
- Public social media accounts (X/Twitter, LinkedIn) — only accounts explicitly validated by the user
Where the data processed includes information that may reveal political opinions within the meaning of Article 9(1) GDPR (e.g. recorded votes, publicly declared positions on legislative files, political group affiliation), such processing is permitted under Article 9(2)(e) GDPR, as it relates exclusively to personal data which the data subject has manifestly made public through official institutional channels, parliamentary votes, public statements or voluntary publications on public social media accounts. This exception is applied strictly to data that is already in the public domain by virtue of the data subject’s own actions in their official capacity.
8. Our approach to user control and transparency
Two of the most consequential design choices of Compass — the optional end-to-end encryption of user-authored content (section 10.1) and the platform’s AI policy (section 9) — are governed by the same underlying principle. Modern technologies (advanced cryptography, language models) bring real value to public affairs work, but they also raise legitimate questions about who can read what, where data flows, and what the user actually controls. Rather than answer those questions through generic reassurances, Compass is designed so that the answers are visible, verifiable and chosen by the user.
This translates into three operational rules that apply equally to encryption and to AI:
- Explicit user choice over any non-trivial processing. Sensitive options (turning on end-to-end encryption, activating an external AI provider) are never enabled by default and never imposed: each requires a deliberate, informed action by the user. The default configuration is the most privacy-preserving one (no external AI, no transmission outside the EU; encryption available but not forced).
- Transparency on what actually happens, including limitations. We document not only what the platform does, but also what it does not do, and where the boundaries of each guarantee lie. Section 10.1 explicitly lists which fields are encrypted and which are not, and why; section 9 explains what is processed locally versus what would be transmitted to a third-party provider if the user chose to activate one. We avoid wording that would suggest stronger guarantees than the technology actually delivers.
- Technical guarantees as a complement to ethical and contractual commitments, not a substitute for them. Our refusal of conflicts of interest, our contractual commitment never to read user-authored content, and the technical impossibility we offer through end-to-end encryption operate at three different levels and reinforce one another. Where technology can make a guarantee unbreakable, we deploy it; where it cannot, we say so plainly and rely on the contractual and ethical commitments that govern our profession.
The two sections that follow apply this framework to the two specific cases of AI-assisted analysis (section 9) and end-to-end encryption (section 10.1).
9. AI services
Compass includes an AI layer that supports analytical tasks such as position classification, stakeholder analysis and strategic briefings. The platform is designed around a firm principle: the user always chooses which AI configuration is used, if any, and may at any time switch back to a configuration where no AI is involved.
CL Corporate Affairs Consulting has made a deliberate choice to limit Compass’s AI scope to Mistral, the European AI provider headquartered in Paris (France). No other third-party AI provider — neither OpenAI, nor Anthropic, nor any non-European model — is integrated into the platform, and none is contemplated for future integration. The user may choose between two Mistral-based configurations, described below.
9.1 Local AI — Ollama on the user’s own machine
In this configuration, a Mistral model runs directly on the user’s own computer via the Ollama runtime. The user installs Ollama, downloads a Mistral model (typically ollama pull mistral) and configures Ollama to accept requests from the Compass interface by setting the environment variable OLLAMA_ORIGINS=https://compass.eu.com before starting the service.
In this configuration, no data leaves the user’s device for AI processing. The Compass web interface, running in the browser, talks directly to the local Ollama instance at http://localhost:11434: browsers treat the loopback origin as potentially trustworthy under the W3C Secure Contexts specification, so the mixed-content rules do not block the call from an HTTPS page, and the OLLAMA_ORIGINS setting is what makes Ollama accept that origin under the browser’s CORS checks. The platform’s server is not involved in the AI exchange, and CL Corporate Affairs Consulting has no technical means of inspecting either the prompts sent or the responses returned. What CL does deliver is the Compass client code that issues those requests, so, as with any web application, the guarantee rests on that code doing what this policy describes.
This is the maximum-privacy option and the configuration recommended for highly sensitive material. It requires a one-off technical setup on the user’s part (Ollama installation, model download, environment variable configuration); detailed installation guidance is provided in the user-facing settings.
9.2 Cloud AI — Mistral commercial API
In this configuration, AI requests are sent to Mistral AI’s commercial API (api.mistral.ai). Mistral AI is a French company; the API is operated from European infrastructure (France and Sweden) and the entirety of the AI processing takes place within the European Union, with no transfer to a third country.
- Use of data for model training: under Mistral’s commercial API terms, the prompts sent and the responses returned are not used to train Mistral’s models, except where the user explicitly opts in (which Compass does not do).
- Retention: Mistral retains API inputs and outputs for up to 30 rolling days for abuse-monitoring purposes only, then deletes them. A Zero Data Retention (ZDR) option, available on certain Mistral API tiers, can shorten this retention to the duration of the request itself.
- Contractual safeguards: a Data Processing Addendum (DPA) and GDPR-aligned terms apply by default. As both CL Corporate Affairs Consulting and Mistral AI are established within the European Union, no transfer outside the EEA occurs and no Standard Contractual Clauses are required.
- Sub-processing: in this configuration Mistral AI acts as a sub-processor within the meaning of Article 28(4) GDPR. The applicable framework is fully described in the Mistral documentation referenced below.
Reference documentation — Mistral terms: legal.mistral.ai/terms · Data Processing Addendum: legal.mistral.ai/terms/data-processing-addendum.
9.3 No AI provider is ever imposed on the user
Activation of either AI configuration requires a deliberate user action in Manage my account. The default state of every Compass account is “no AI” — the AI-assisted features are simply absent until the user explicitly chooses Option 9.1 or Option 9.2. The user may also switch between options or revert to “no AI” at any time, with no data persistence between configurations.
AI-generated content, whether produced locally (Option 9.1) or via the Mistral API (Option 9.2), is provided for informational purposes only and should always be reviewed and validated by the user before being acted upon or shared externally. CL Corporate Affairs Consulting does not guarantee the accuracy, completeness or reliability of AI-generated outputs.
10. Data security and hosting
All data processed by Compass is stored on a private, dedicated server located within the European Union, under the physical control of CL Corporate Affairs Consulting. The platform implements the following security measures:
- Authentication by email and password, with passwords hashed using PBKDF2-HMAC-SHA256 (600,000 iterations, in line with current OWASP recommendations) and a unique salt per user;
- Sessions managed via HTTP-only, SameSite=Strict secure cookies;
- Per-session CSRF tokens, verified on every state-changing request;
- Automatic account lockout after 5 failed login attempts (15-minute cooldown), and IP-level rate limiting (30-minute block after repeated failures from the same source);
- HTTPS encryption in transit (TLS via Let’s Encrypt certificate);
- Defence-in-depth HTTP response headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy);
- Persistent audit log of authentication events, privileged actions and security-relevant failures;
- No indexation of the authenticated area by search engines: only the public-facing pages (home page, Privacy Policy, Terms & Conditions) are indexable; every other path — dashboards, account management, administrative interfaces, API endpoints — is explicitly excluded via robots.txt and noindex directives. These directives govern indexing only; access to those paths is controlled by authentication, not by robots.txt;
- No data stored on third-party cloud services for AI processing. By default no AI is enabled. When the user activates the local AI option (section 9.1), the Mistral model runs entirely on the user’s own device and no data leaves it. When the user activates the Mistral commercial API option (section 9.2), inputs and outputs transit to Mistral’s European infrastructure (France and Sweden) for processing; retention by Mistral is limited to 30 rolling days for abuse-monitoring purposes only (or to the duration of the request under the Zero Data Retention option), and the data is not used to train Mistral’s models.
Emails related to account management (password creation, reset, change notifications) are sent via SMTP with TLS encryption.
10.1 Optional end-to-end encryption
Why this feature exists. Compass is built and operated by a working public affairs consultancy whose users are often, themselves, public affairs professionals working on sensitive matters — sometimes on dossiers that touch the same policy areas as engagements pursued by CL itself or by its other clients. Even though CL Corporate Affairs Consulting upholds, as a foundational professional duty, a strict policy of refusing any conflict of interest (see also section 3 of the Terms and Conditions) and contractually commits never to read user-authored content (see section 11 of the Terms and Conditions), we believe that users should not be required to take that commitment on trust alone. End-to-end encryption is the technical translation of that conviction: it gives users a way to ensure, by the design of the platform itself, that their analytical work is mathematically out of reach of CL operators, of any third party gaining access to the servers, and of any authority seeking compelled disclosure. It is, in our view, a natural consequence of building a tool for one’s own profession.
What it is, in practical terms. In addition to the baseline security measures above, Compass offers an optional end-to-end encryption mode that users may activate at any time in Manage my account. This feature is not enabled by default; it is an explicit opt-in, intended for users who handle particularly sensitive material and who wish to add a technical guarantee on top of CL’s contractual commitments. Users who do not activate it are, of course, fully covered by the contractual non-consultation commitment, which applies regardless of encryption status; the feature is offered as an additional layer for users who want it, not as a prerequisite to use the platform.
What is encrypted. When end-to-end encryption is enabled on an account, the following data is encrypted in the user’s browser before being stored on the server: the list of dossiers the user tracks, personal notes, the user-authored content of the stakeholder mapping (attributed position summaries, supporting arguments, private comments and curated sources), watch keywords (in Secure Search mode), topic names, user-authored biographies and profile notes, engagement log entries (meeting records, takeaways, signals), the user’s personal radar cache, and any other content authored personally by the user. The scope of encryption is deliberately broad and aims to prevent any observer of the server — including CL operators — from profiling the user’s activity, interests or analytical positions.
What is not encrypted, and why. The following categories remain unencrypted, by design: public reference data shared across all users (Members of the European Parliament, Commissioners, Commission staff, Council staff, Transparency Register organisations, institutional calendar events, all sourced from official EU databases); account information required for authentication and notifications (first name, last name, email, phone number, organisation); technical identifiers required for SQL joins (primary keys, foreign keys, user identifiers); audit timestamps (creation, modification, login times); cryptographic lookup hashes (SHA-256 digests of watch keywords in Secure Search mode, used for server-side matching; the digest does not display the keyword, but because the server must compute the same digest over incoming content in order to match it, a short or common keyword could in principle be recovered by hashing candidate terms, so these hashes offer obfuscation of the keyword rather than the confidentiality of the encrypted fields); and the analytical scores and the rankings derived from them (the influence, urgency, involvement and attitude scores attached to each stakeholder, together with the priority quadrant and activate-target flags computed from them). These last are not free text authored by the user but values produced by the analytical methodologies designed by CL (influence weighting, urgency and activate-target scoring), which the server computes and re-computes; keeping the numeric scores legible to the engine is precisely what lets the platform position stakeholders on the map, rank them and recompute their quadrant. The written reasoning that justifies each score is itself encrypted, and a bare figure — an influence of 80, say — is in any event far less revealing than the analyst’s rationale, which stays protected. These categories are either already public by nature, or necessary to the technical operation of the service. We list them here, rather than mention encryption in vague terms, because we consider that an honest description of the boundaries of the guarantee is part of the guarantee itself.
How it works — in plain language. When a user activates end-to-end encryption, two things happen inside their browser, both invisible to the server. First, a new master key is generated locally: this is the key that will actually encrypt the user’s content. Second, this master key is itself put inside a sealed envelope whose lock is opened only by the user’s login password. The server stores the sealed envelope, but never the master key in clear form, and never the password. Each time the user logs in, the password unlocks the envelope locally in the browser, the master key is recovered for the duration of the session, and the encrypted fields can be read; when the user logs out, the master key is discarded from the browser’s memory and only the sealed envelope remains, on the server. CL never holds the master key and cannot reconstruct it: the cryptographic guarantee is that what is stored on our servers, in encrypted form, is unreadable to us by construction.
How it works — in technical terms. The scheme is zero-knowledge: the keys that decrypt user data never leave the user’s device and are not stored on the server in any retrievable form. More specifically:
- Key derivation. A first key is derived in the browser from the user’s login password using PBKDF2-HMAC-SHA256 with 600,000 iterations (in line with current OWASP recommendations) and a 16-byte random salt generated at activation. The salt is stored server-side (it is not secret); the password itself, and the key derived from it, are not.
- Two-key (key-wrapping) design. The key derived from the password is not used directly to encrypt the user’s data. Instead, it serves to protect a separate, randomly generated master key, which is the key that actually encrypts the user’s content. Only the master key, in its protected (“wrapped”) form, is stored on the server. This two-key design is the same approach used by reputable zero-knowledge applications (such as professional password managers and end-to-end encrypted messengers). It has one important practical consequence, described in the next paragraph: it allows users to change their login password without re-encrypting any of their stored data.
- Authenticated encryption. User data is encrypted with AES-256-GCM, a 96-bit nonce drawn from a cryptographically secure random source for each write, and an authentication tag verified on read, so a tampered or truncated payload is rejected rather than decrypted. Random 96-bit nonces keep the probability of a repeat negligible as long as a single master key is used for far fewer than 2^32 writes, which is the usual bound for rotating a key under this mode. The same algorithm protects the master key inside its envelope.
- Storage format. Encrypted payloads are stored as base64url-encoded strings prefixed with a short version tag, so the server can distinguish encrypted from plaintext fields without ever being able to decrypt them.
- Browser requirements. The feature uses the standard Web Crypto API available in all modern browsers over HTTPS. It does not depend on any external service or third-party library. The key derivation and encryption are performed by the Compass client code delivered over HTTPS, which is why transport security and the integrity of that code are part of the guarantee rather than separate from it.
What this means in everyday use. The two-key design has a direct, practical benefit for users:
- Changing your password is safe and instantaneous. Through the normal Change password flow (which requires the current password), the master key is briefly recovered with the current password and immediately re-protected with the new one. The user’s stored data is never re-encrypted, never re-uploaded, and there is no risk of losing access — this is structurally the same as in a professional password manager.
- Forgetting your password is, by contrast, irrecoverable for encrypted data. If the password is forgotten, the envelope that protects the master key cannot be opened by anyone — not by CL, not by the user. The Forgot password flow can reset the password, but it cannot recover the master key, and the existing encrypted fields therefore become permanently unreadable. This trade-off is the price of the zero-knowledge design and is the reason the feature is strictly opt-in. Users who activate end-to-end encryption are strongly encouraged to store their password in a password manager and to keep at least one secure backup of it.
Consequences for CL. Because the key that protects the master key is derived from the user’s password and never leaves their browser, CL Corporate Affairs Consulting and its administrators cannot, by construction, read the encrypted fields of an account that has end-to-end encryption turned on. This property is enforced technically, not merely contractually, and applies even in the face of an internal investigation, a security incident or a legal order: CL does not hold the key, cannot reconstruct it, and cannot be compelled to produce the clear-text content of encrypted fields. This limitation applies equally to CL itself and is assumed as a deliberate consequence of the zero-knowledge design (see also section 11 of the Terms and Conditions).
Fields that are not encrypted remain technically accessible to CL operators. In the absence of end-to-end encryption, this includes the content of notes, stakeholder mapping, attributed positions, private comments and all other user-authored content. The non-consultation of these fields by CL is governed exclusively by the contractual commitment set out in section 11 of the Terms and Conditions and is not, in the absence of end-to-end encryption, enforced by a technical impossibility. We consider that this distinction must be stated explicitly: it is the difference between a guarantee that we promise to honour and a guarantee that the platform itself enforces.
Even when end-to-end encryption is activated, certain operational metadata remain technically visible to CL operators, as an unavoidable consequence of running a web service. These metadata do not allow reconstruction of encrypted content, but may allow inference of certain usage characteristics:
- Approximate data volume — the number of encrypted rows stored in each of the user’s personal tables is visible to the server (for instance, that a user has 47 tracked dossiers or 312 engagement log entries), without the content itself being readable;
- Activity timestamps — logins, writes and reads are timestamped for audit purposes;
- IP address — required by the TCP/IP protocol, allowing inference of approximate geographic location;
- Correlated activity patterns — if multiple users modify related records at similar times, a collaborative relationship may be inferred.
These structural metadata fall within the same contractual non-consultation commitment as any other non-encrypted data (section 11 of the Terms and Conditions). CL Corporate Affairs Consulting commits not to exploit them for any purpose other than the technical supervision of the service (security monitoring, debugging, capacity planning). We document them here, rather than omit them, because the credibility of the broader guarantee depends on a transparent description of its boundaries.
Conversely, fields that have been encrypted with end-to-end encryption cannot be read by anyone other than the user, including CL itself. This is a property of the cryptographic design, not a contractual promise: the key that seals the master key is derived from the user’s password inside their own browser, and neither that key nor the master key ever leaves the user’s device in clear form. CL does not hold either key, cannot reconstruct them, and cannot be compelled to produce the clear-text content of encrypted fields — neither in response to a legal order, nor in the course of a security investigation, nor at the request of a third party who would gain access to the servers. This limitation applies equally to CL Corporate Affairs Consulting and is assumed as a deliberate consequence of the zero-knowledge design.
10.2 Separation between the Compass platform and CL Corporate Affairs consulting practice
CL Corporate Affairs Consulting operates two distinct activities through a single legal entity: the publication of Compass and a public-affairs consulting practice. This dual role may, in some cases, create a conflict-of-interest risk that the contractual non-consultation commitment (section 11 of the Terms and Conditions) and the optional end-to-end encryption (section 10.1) already address. The following provisions complete that framework with practical commitments that do not require any formal compliance apparatus to honour.
(a) Non-reuse of user data in CL consulting engagements. CL Corporate Affairs Consulting commits never to use, in its own consulting engagements, any data, analysis, position, mapping, comment, draft amendment, watchlist or insight entered by a Compass user — whether end-to-end encryption is activated or not. This commitment covers the identity of the dossiers tracked by the user, the substance of their analytical work, and even the simple fact that the user takes an interest in a given topic. Where end-to-end encryption is activated, the commitment is additionally enforced by cryptographic impossibility (section 10.1).
(b) Three-tier data taxonomy. Compass processes three distinct categories of data, each with its own protection regime:
- Public reference data — MEPs, Commissioners, Council and Commission staff, EU Transparency Register, institutional calendars; sourced from official EU databases and shared across all users; not encrypted in any configuration (the data is publicly available by nature).
- Account data — first name, last name, email, phone, organisation. Required for authentication and notifications; stored in clear; protected by the GDPR baseline plus the contractual non-consultation commitment; not affected by end-to-end encryption (which would prevent login and contact).
- User-authored analytical content — tracked dossiers, stakeholder mapping, positions, notes, engagement log, draft amendments, internal observations, watch keywords. When end-to-end encryption is OFF (default), stored in clear server-side; protection rests on the contractual non-consultation commitment plus (a) above. When end-to-end encryption is ON (opt-in), encrypted in the browser before storage with a key derived from the user’s password; CL cannot read the content by construction.
(c) Access policy. Access to the production database is strictly limited to the technical functions required to operate the service, and every privileged action is recorded in the audit trail referenced in section 10. The platform runs on a private server located in the EU and under the physical control of CL Corporate Affairs — without reliance on a public-cloud provider or on any third party with access to user content. The partitioning between accounts is enforced at the application level by user-scoped queries, and reinforced — for accounts with end-to-end encryption activated — by per-user encryption envelopes: no user can access another user’s analytical content.
(d) Reinforced confidentiality commitment. Beyond the GDPR, CL Corporate Affairs Consulting voluntarily aligns its practice with the professional confidentiality standards applicable to public-affairs practitioners: the EU Transparency Register Code of Conduct annexed to the 2021 Interinstitutional Agreement between Parliament, Council and Commission (in particular its provisions on the honest obtaining, handling and release of EU information); the values of integrity, transparency, accuracy and confidentiality set out in the SEAP (Society of European Affairs Professionals) Code of Conduct; and the deontological standards of the French High Authority for Transparency in Public Life (HATVP) for declared interest representatives — notably the prohibition on obtaining information through fraudulent means and on selling information obtained from public officials. When accepting a new consulting engagement, CL Corporate Affairs checks in good faith for any obvious overlap with the known activity of a Compass user, and declines the engagement where one is found.
(e) Simple conflict signalling, in both directions.
- From a user to CL. A Compass user who has reason to believe that a CL consulting engagement may overlap with their own work in a conflicting way may signal it via the contact form. CL commits to investigate in good faith and, where a genuine overlap is identified, to suspend the conflicting consulting engagement and to confirm to the user that the situation has been resolved. End-to-end encryption substantially mitigates this risk at source: when encryption is on, CL has no technical way of even noticing such an overlap.
- From CL to itself. Symmetrically, when CL identifies through its own consulting practice that a potential engagement intersects with the known activity of a Compass user (to the limited extent technically detectable, and effectively only when encryption is OFF), CL commits to decline the engagement before any work begins — without disclosing the user’s identity to the prospective consulting client.
- External recourses remain available, independently of CL. Any person retains the recourses that already exist for them under French and EU law: the CNIL (cnil.fr) for data-protection matters, the HATVP (hatvp.fr) for matters within the lobbying transparency framework, or the competent judicial authorities in case of suspected criminal conduct. These are not channels designated by CL; they exist on their own and CL simply notes their availability to anyone who may want to use them.
- No retaliation. CL Corporate Affairs commits to take no retaliatory action against a Compass user who, in good faith, signals a suspected conflict or breach — including no termination of their subscription, no degradation of service, and no disclosure of their identity to third parties beyond what is strictly necessary to investigate.
Each signal is taken seriously. Every report received — from a user, from CL itself, or from a third party — is examined with ethical and legal diligence. We treat this as a core condition of the platform’s credibility, not as an optional courtesy: in a profession where discretion is part of the deliverable, a tool that mishandled conflict-of-interest signals would lose what makes it worth using in the first place.
11. Data retention
- User account data: retained for the duration of the account. Deleted upon account deletion or upon request.
- Deactivated and removed accounts: when an account is deactivated (by the holder) or removed (by an administrator), sign-in is blocked immediately. An account removed by an administrator is then held in a frozen, restorable state for 30 days; during this window it can be fully restored. After 30 days, the account and all content created under it are permanently and irreversibly purged from the database (entries in the security audit log are kept separately, for the legitimate security purposes described in section 10). Before deletion, account holders can obtain a complete copy of their own content — including end-to-end-encrypted content — through the self-service export described in section 13.
- Reference data (institutional, sourced from official EU databases): updated periodically, retained for as long as the platform is in operation. Outdated entries are overwritten on refresh.
- Stakeholder mapping and position data: retained for the duration of the mission or project, plus 1 year in the active database. May be archived for up to 6 years for administrative and evidentiary purposes, in line with standard professional retention periods for consulting engagements under French commercial law.
- Internal notes and engagement logs: retained for the duration of the mission, then archived for up to 6 years. The user may delete their own notes at any time.
12. Recipients of data
Personal data processed within Compass is accessible only to authorised users of the platform. Each user accesses only the data relevant to their own activity. Internal notes and engagement records are visible only to the user who created them.
No data is shared with third parties, except:
- Where required by law (judicial, police or administrative authorities);
- With a client of CL Corporate Affairs Consulting, where data sharing is strictly necessary for the execution of a consulting engagement and contractually defined;
- With Mistral AI, only where the user has explicitly activated the Mistral commercial API option described in section 9.2. No data is transmitted to any AI service when the user runs Ollama locally (section 9.1) or when no AI is activated (the default).
13. Your rights
The GDPR grants specific rights to individuals whose personal data is processed. Within Compass, these rights apply differently depending on the category of person concerned:
Platform users (account holders) may at any time:
- Access their account data and obtain information about its processing;
- Rectify inaccurate or incomplete account data;
- Delete their account and all associated data;
- Change their password from the dashboard;
- Export their own content — including end-to-end-encrypted content — through a dedicated self-service export in Manage my account, available only to the account holder. Because encrypted content can only be decrypted with the user’s password inside their own browser, the export is generated client-side while the user is signed in and unlocked; CL never has access to the decrypted content, and the export therefore includes material that is, by construction, unreadable to CL (data portability, Article 20 GDPR). In a collaborative organisation account, each member exports the content they have personally authored; organisation-wide data is handled by the account manager.
Persons referenced as stakeholders (public figures, institutional actors) whose publicly available data is processed in Compass may:
- Access data held about them and obtain information about the purposes of processing;
- Rectify inaccurate data;
- Object to processing based on legitimate interest (Article 21 GDPR), in which case the data controller will assess whether compelling legitimate grounds override the objection;
- Request erasure of their data, subject to any overriding legitimate interest or legal obligation.
Who to contact: requests relating to user account data should be addressed to CL Corporate Affairs Consulting. Where a third-party user acts as data controller for stakeholder data they have entered, requests from stakeholders relating to that data should be directed to the relevant user (data controller). CL Corporate Affairs Consulting will assist in routing such requests where appropriate.
To exercise any of these rights, please contact us via our contact form. You may also lodge a complaint with the CNIL (cnil.fr) or any competent supervisory authority.
14. Cookies
Compass uses a single functional session cookie (HTTP-only, SameSite=Strict) required for authentication. This cookie does not collect any personal data beyond the session identifier, does not track users across websites, and expires after 7 days. No tracking, profiling or advertising cookies are used. No audience measurement tool is deployed on the Compass platform.
15. Changes to this policy
This policy may be updated to reflect changes in the platform’s features, applicable legislation or regulatory guidance. Changes will be published on this page with an updated date. Where changes materially affect the processing of personal data, users will be notified upon their next login.