Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the DGPS), sets out the legal framework applicable to the processing of personal data.
This Data Use Policy applies to the processing of information belonging to identifiable persons provided or obtained by Customers or Users of the Application.
For a good understanding of this policy, it is specified that:
The Application is provided by Osculteo on behalf of iProtego, a simplified joint stock company with a capital of €40,000, registered with the Marseille Trade and Companies Registry under number 518 552 088.
The term “Application” refers to the website and its functionalities, including the Osculteo monitoring tool.
“We” refers to the company iProtego, publisher of the Osculteo Application, responsible for the processing.
“User” refers to the identifiable persons who are users of the Application.
“Customer” refers to the identifiable persons who have made purchases on the Application.
By using the Application, you acknowledge that you accept the practices and policies described in this User Policy.
The purpose of this Osculteo User/Customer Personal Data Policy is to indicate the type of data we collect and how we use it to inform users/customers in a transparent, understandable and concise manner in accordance with Article 12 of the DGPS.
No processing of user/customer data shall be carried out unless it concerns personal data collected by or for our services or processed in connection with our services and unless it complies with the general principles of the DGPS.
3- What types of information do we collect?
Information provided by the user (direct collection)
When you use our Application, we may collect and/or receive information about you that reveals your identity or is directly related to your identity, such as your Facebook ID. Data is collected directly from users/customers. The types of personal information collected may include your first and last name, email address, nickname or customer number. Login and identification data such as IP address, browser information, acceptance data (click), user name, and any other information necessary to provide the Application’s services may also be collected.
Information automatically collected from third parties
We also collect automatically collected content and information about you from third parties, including information about your full name, your Facebook user profile and photos of you, tagged or not, on Facebook. To work, our application only requires the following Facebook permissions: “Email” and “User_photos”.
4- What are our purposes and the legal bases of the processing operations?
Depending on the case, the user/customer data will be processed for the following purposes:
– Carrying out the service provision
– Customer relationship and service management
– Community management
– User account management
– Online purchase
– Subscription to services
– Management of unsubscription requests
– Newsletter management
– Statistics and statistics
– Improvement of our services and satisfaction survey
– Mobile application management
These purposes are based on the legal basis of the performance of a contract, the consent of the user/customer and the legitimate interest of the controller.
5- How do we use this information?
We use the information described in this Data Use Policy internally only, to provide the service offered by the Application and to analyze, develop and improve our service. The purpose of this collection is the service itself in order to meet the user/customer’s request. The information is used only for the purpose of the service provided by the Application. The information will not be used for any purpose other than that provided for in the Application service. This information is not used for any other purpose.
6- Do we share the information collected?
The information collected as part of the Application service will not be shared outside iProtego and is only intended for the company and more particularly for authorized personnel.
The information collected will under no circumstances be communicated, sold, shared, loaned, rented. No supplier, service provider, company or person outside the company may receive the information collected as part of the Application.
The Facebook photos used in the Application will not be published or publicly displayed in any medium whatsoever.
They are intended for private use and are processed internally only. The Facebook photos used in the Application remain the property of the User, who may delete them at any time via his account.
Internally, the only recipients are therefore: authorized marketing department personnel, customer relations personnel, administrative services, IT departments and their line managers.
iProtego staff are subject to a confidentiality obligation.
In addition, personal data may be communicated to any authority legally entitled to know them. In this case, iProtego is not responsible for the conditions under which the staff of these authorities have access to and use the data.
7- How do we keep this information?
The data storage period is defined in the light of the legal and contractual constraints weighing on iProtego according to the following principles:
– Customer data: Personal data relating to customers will not be stored for longer than is strictly necessary for the management of the commercial relationship, with the exception of those necessary to establish proof of a right or contract that can be archived. Customer data are kept for the duration of the business relationship. They may be kept for commercial prospecting purposes for a maximum of 3 years from the end of this commercial relationship.
– Data relating to Users: For the duration necessary for the performance of the services, unless the User deletes his account and therefore all his personal data. However, data may be stored for a longer period of time if consent via an explicit act of will has been obtained.
– Data relating to contacts and prospects: 3 years from the date of their collection or the last contact made by the prospect.
– Cookies data: 6 months
– Data in the context of the fight against money laundering: 5 years from the date of collection.
After these fixed deadlines, the data are either deleted or stored after archiving for evidential purposes, for a maximum period of 10 years.
8- How to access your information?
In accordance with the law n° 78-17 of 6 January 1978 known as the Data Protection Act, any person may ask us whether personal data concerning him/her is processed, the user/customer has a right of access and a right of questioning. Similarly, if it is found that the data are inaccurate or out of date, he or she may request that they be corrected. All information concerning the user/customer is accessible via the User area.
To exercise the rights listed below, the customer/user must send his request to the following address: firstname.lastname@example.org or by post to the following address: iProtego, customer relations department Osculteo, 13 rue trigance 13002 Marseille, the requests must be accompanied by a copy of his updated identity document.
– Right of access: customers and users have a right of access allowing them to ask us if data concerning them are being processed. Customers and users may request a copy of their personal data processed by iProtego.
– Right of rectification / update: any customer/user has the right to request the rectification of inaccurate or incomplete information concerning him/her.
– Right to erase: any customer or user has a right to erase and may request the erasure of his data.
– Right to portability: iProtego offers the possibility for customers/users to retrieve part of their data in an open and readable format. This portability request can be made directly via the user’s account by clicking on “download my data”.
– Post-mortem right: customers and users are informed that they have a right to formulate guidelines for the storage, erasure and communication of their post-mortem data.
9- How do we ensure the security of information?
We undertake to take all necessary precautions to prevent the information from being modified, erased by mistake, or made available to unauthorised third parties. Physical and technical security measures are in place to ensure the security of the information.
These measures include mainly:
– Authorization management for data access
– Internal safeguard measures
– Adoption of a security policy
– Adoption of continuity / disaster recovery plans
In the event of a violation of personal data, we undertake to notify the CNIL under the conditions prescribed by the RGPD.
In the event that the breach would pose a high risk to customers and/or users and the data has not been protected, we will notify the customers and users concerned and provide them with the necessary information and recommendations.
10- Right to file a complaint with the CNIL
Customers and users concerned by the processing of their personal data are informed of their right to lodge a complaint with the supervisory authority, the CNIL, if it considers that the processing of their personal data does not comply with European data protection regulations.
11- Changes to the data use policy
We reserve the right to modify this Data Use Policy, in particular in the event of legal or jurisprudential changes or new recommendations from the CNIL. We will notify you of any material changes in the use of your data, and will give you the opportunity to review the revised version before continuing to use our Services.