This privacy policy (hereafter referred to as the "Privacy Policy") outlines the legal framework for the collection, use, and processing by the company D.H. COMPANY (hereafter referred to as the "Company") of personal data, meaning any information that can directly or indirectly identify a person (hereafter referred to as "Personal Data") concerning the individuals involved (hereafter referred to as "Data Subject(s)"):
The Company's contacts at client companies utilizing the services offered by the SaaS software solution "FULLWHERE" (hereafter referred to as "Clients");
The Client's staff who use the Solution in their professional capacity (hereafter referred to as "Users");
People visiting the website, https://www.fullwhere.com/ (hereafter referred to as "Visitors").
Under the Privacy Policy, D.H. COMPANY, a simplified joint-stock company based at 43 rue de Turenne, 75003 Paris, registered with the Paris Trade and Companies Registry under number 889 362 398, acts as the data controller for the Personal Data concerning Clients, Users, Visitors, and its own employees.
Through the Solution, the Company's Clients have access to the following services:
Centralization of interactions with their own clients (hereafter referred to as "End Clients");
Communication tools with End Clients and responses to interactions with End Clients;
Implementation of satisfaction surveys;
Collaboration and support for internal Client teams in managing End Client interactions.
The Company acts as a subcontractor processing Personal Data concerning End Clients, under documented instructions from the Client detailed in a subcontracting agreement compliant with the GDPR.
As the data controller, the Company retains full control over the Personal Data and determines the purpose, nature, objectives, means, and duration of the processing of collected Personal Data.
The Company is committed to complying with applicable regulations regarding Personal Data, particularly the obligations arising from the European Regulation No. 2016/679 (GDPR).
The Company collects Personal Data only in accordance with the terms of this Privacy Policy and any legal and reasonable instruction given by the Data Subject at any time.
ARTICLE 1: DATA COLLECTION
1.1 Throughout the duration of using the Solution and/or the Site, the Company may collect Personal Data related to the Data Subjects.
When creating an account on the Solution, the User consents to the processing of their Personal Data within a scope strictly necessary for the proper functioning of the Solution.
1.2 Personal Data is provided directly by the Data Subjects (for example, when they provide information via the Site or enter into a commercial relationship with the Company).
Personal Data may also be generated by the Company in the course of providing the Services.
Collected Personal Data includes, among other things, the following:
ARTICLE 2: USE OF COLLECTED PERSONAL DATA (PURPOSES OF PROCESSING)
The Company uses, stores, and processes Personal Data for the following purposes and on the following legal grounds (or legal basis for processing):
The Company reserves the right to review, browse, or analyze Personal Data, including communications exchanged between the Company and the Individuals Concerned through the Solution, the Site, or otherwise, to comply with its legal obligations, particularly for fraud prevention, risk assessment, regulatory compliance, and investigation purposes.
ARTICLE 3: RETENTION OF PERSONAL DATA
Personal Data is retained only for as long as necessary to fulfill the purpose for which the Company holds this Personal Data, to meet the needs of the Individuals Concerned, or to fulfill its legal obligations.
To determine the retention period of Personal Data, the Company applies the following criteria:
Upon the expiration of durations or the end of the use of the Services by the Data Subject, Personal Data will be destroyed, or the Company will proceed to anonymize them.
However, the Company may retain certain Personal Data collected in separate storage areas to justify, if necessary, the complete fulfillment of its contractual or legal obligations. The Personal Data thus retained will be limited to what is strictly necessary.
ARTICLE 4 : SHARING AND DISCLOSURE OF PERSONAL DATA
4.1 The Company may disclose Personal Data to administrative and judicial authorities, or to authorized third parties, if required or permitted by law, or if such disclosure is reasonably deemed necessary: (i) to meet the Company's legal obligations, (ii) to comply with judicial processes and address claims made against the Company, (iii) to respond to verified requests in the context of a judicial investigation or alleged or suspected illegal activity or any other activity that may expose the Company to legal liability.
4.2 Subject to the Data Subject's authorization, the Company has the ability to subcontract all or part of the execution of the Services in compliance with current legal provisions.
Any subcontractor will be authorized to process, on behalf of the Company, solely for the purpose of proper execution of the Services, within the limits of the contractual conditions signed between the Company and the subcontractor, and may not derogate from the terms of this Privacy Policy.
The Company declares:
That it has provided all instructions regarding the handling of Personal Data by the processor in writing;
That it will ensure, both beforehand and throughout the duration of the processing, that the processor complies with the obligations outlined by the European regulations on Personal Data protection;
That it will oversee the processing, including conducting audits and inspections of the processor.
The Company commits to ensuring that the processor:
Processes Personal Data solely for the purpose(s) covered by the subcontracting agreement;
Processes Personal Data according to the Company's instructions;
Guarantees the confidentiality of the processed Personal Data;
Has undergone all necessary training concerning Personal Data protection;
Considers, during the design and implementation of its tools, products, applications, or services, the principles of Personal Data protection by design and default;
Immediately informs the Company if it believes that an instruction constitutes a breach of the European regulations on Personal Data protection or any other provision of Union law or the law of Member States relating to Personal Data protection.
Personal Data may also be transmitted to business partners that enable the Company to properly execute Services, and their management, processing, and payment in accordance with the contractual conditions signed between the partner and the Company, which cannot deviate from the terms of this Privacy Policy.
Only with the express consent of the Data Subject, the Company may reuse Personal Data or transmit it to partner companies for purposes such as sending commercial information by email.
The Company asserts it receives all necessary documentation from the subcontractor to demonstrate compliance with obligations and enable audits, including inspections by the Company or another auditor it has designated, and contribute to these audits.
The Company remains solely responsible to the Data Subjects for the provision of services entrusted to a subcontractor concerning Personal Data.
4.3 The Company uses the services of Airtable company acting as a host of Personal Data. Airtable servers are hosted in the United States by AWS servers (US-East-1).
Pursuant to Decree No. 2021-1362 of October 20, 2021, relating to the retention of data enabling the identification of any person who has contributed to the creation of online content, taken under Article II, 6 of Law No. 2004-575 of June 21, 2004, the Data Subject is informed that the host is obligated to retain :
Information relating to the civil identity of the Data Subject (including name, surname, date and place of birth, postal addresses, email addresses, phone number) until the expiration of a period of five (5) years from the end of the validity of the user's contract ;
Other information provided by the Data Subject during the subscription of a contract or creation of an account (username used, pseudonyms used, data intended to enable the user to verify or modify their password, potentially via a double user identification system, in their most recent updated version, until the expiration of a period of one (1) year from the end of the validity of the Data Subject's contract or account closure ;
Payment information (type, reference, amount, date, time and place of the transaction) until the expiration of a period of one (1) year from the end of the validity of the User's contract or account closure ;
Technical data identifying the connection source or related to terminal equipment used (connection identifier, types of protocols used for connection to service and content transfer) until the expiration of a period of one (1) year from the connection or use of terminal equipment ;
Traffic and location data (assigned identifier, nature of the operation, date and time of the operation, identifier used by the operator) for a duration of one (1) year in case of an injunction by the Prime Minister. Such is the case since October 10, 2023, and therefore until October 10, 2024, pursuant to Decree No. 2023-933 of October 10, 2023, ordering conservation for a year due to the serious and current threat against national security of certain categories of connection data.
4.5 Data Transfer
In this context, the Company will not transfer Personal Data to third parties established outside the European Union that do not offer an adequate level of protection in light of legal requirements for Personal Data protection.
ARTICLE 5: SECURITY
The processing of Personal Data is performed through operations of collection, recording, organization, storage, consultation, formulation, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of Personal Data.
The Company ensures adequate and appropriate security of Personal Data and has taken useful precautions to preserve its safety and confidentiality, notably preventing it from being altered, damaged, or shared with unauthorized individuals.
Personal Data is protected in such a way to minimize the risk of destruction, loss (including accidental loss), unauthorized access/use, or use incompatible with the initial purpose of collection.
The Company will implement all necessary technical and organizational measures to respect the protection of Personal Data and combat unauthorized processing.
The Company has implemented measures to protect the security of Personal Data according to its Personal Data Security Policy, accessible anytime on request from the relevant service of the Company available at this address: support@fullwhere.com
If the Company discovers a breach of rights in the processing of Personal Data, this breach will be notified to the CNIL within a period not exceeding seventy-two (72) hours after becoming aware.
Any breach related to Personal Data processing will be notified by the Company to the affected Data Subject in case of high risk for them as impacted individuals.
ARTICLE 6: RIGHTS OF DATA SUBJECTS
In all cases, Data Subjects benefit from the following rights, unless legal limitations apply:
Right of access: (a) obtain confirmation of whether or not there is a processing (understood as any operation on Personal Data) of their Personal Data by the Company, even if not yet recorded, and request the Company to make these Personal Data available in an intelligible form, and (b) obtain a report and, if necessary, a copy of the following information: the origin and category of the Personal Data; the logic applied in case of processing carried out using automated instruments; the purposes and methods of processing; the identification data of the holder and those responsible for processing; the recipients or categories of recipients to whom Personal Data may be disclosed or who may become aware of it, notably if they are recipients located in third countries or international organizations; if possible, the retention period of Personal Data or criteria used to determine the duration; the existence of automated decision-making processes and, if so, the logic used, its importance, and expected consequences for the Data Subject; the existence of adequate safeguards in case of transfer of Personal Data to a third country or international organization.
Right to rectification: obtain without undue delay the updating and correction of inaccurate Personal Data or, where the User is interested, the integration of incomplete Personal Data.
Right of modification: revoke consent easily, at any time, without obstacles, using, if possible, the same channels used to give it.
Right to erasure (or right to be forgotten): obtain without undue delay the deletion, transformation into anonymous form, or blocking of Personal Data when: (a) such Personal Data was processed illegally; (b) are no longer necessary for the purposes for which they were collected or otherwise processed; (c) the consent upon which processing is based has been withdrawn by the User, with no other legal basis for processing; (d) the User objects to processing, and there is no overriding legitimate reason for the Company to pursue processing; (e) Personal Data must be deleted to comply with a legal obligation; (f) Personal Data was collected as part of offering an information society service to minors.
The Company may refuse erasure where processing is necessary: (a) for exercising freedom of expression and information; (b) complying with a legal obligation, executing a task in the public interest, or exercising public authority; (c) reasons of public health interest; (d) for archiving in the public interest, scientific or historical research, or statistical purposes; (e) establishment, exercise, or defense of legal rights.
Right to restriction: obtain restriction of processing in case of: (a) questioning the accuracy of Personal Data (right to rectification) and for the time necessary for verification by the Company; (b) unlawful processing by the Company instead of erasure; (c) exercising one of its rights in court by the Company; (d) verifying predominance of legitimate reasons of the Company over those of the Data Subject (especially in exercising the right to object).
Right to portability: receive, if processing is carried out using automatic means, without obstacles and in a structured, commonly used and readable format, their Personal Data to transmit it to another Data Controller (that may be a competitor of the Company) or, if technically feasible, obtain direct transmission by the Company to another Data Controller. The right to portability is limited to Personal Data provided by the affected User to the Company (information directly transmitted by the User and notably via contact forms, and those obtained by observing User activity (example: purchase history)) and applies based on the prior consent of the said User.
Right to object: oppose, at any time, entirely or partially, for legitimate reasons relating to their particular situation, the processing of Personal Data concerning them.
Right to file a complaint with the data protection authority (in France, this is the CNIL whose site is accessible by clicking here). In this case, if necessary, the Company will inform third parties to whom Personal Data is communicated of the possible exercise of rights of the Data Subject, except in specific cases (for example, where this realization proves impossible or implies a manifestly disproportionate use of means compared to the protected right).
Right to formulate instructions concerning the fate of your Personal Data after your death, you can modify or revoke these instructions at any time;
Right to withdraw consent: when processing is based on the legal ground of consent, the Data Subject has the right to withdraw consent at any time, and this without charge.
The exercise of these rights by the Data Subject is free, except when the Company is able to justify requesting payment of reasonable fees from the applicant given the nature of the request. These rights must be exercised with the Company electronically at the address support@fullwhere.com or by post at the address 111 bd de la Millière, 13011 Marseille.
These rights must be exercised by indicating one's identity or using a means enabling the Company to identify the Data Subject, along with the subject of the request.
The Company responds to the Data Subject within one (1) month from receipt of the request. However, if the request is particularly complex, this period may extend to three (3) months from the receipt of the request; in this case, the Data Subject will be informed within one (1) month of the extension of the period, as well as the reasons justifying such extension.
If the request is incomplete or lacks clarity, the Company may ask the Data Subject for additional information. In case of doubt about the applicant's identity, the Company may require the Data Subject to justify his identity.
If the Data Subject believes, after contacting the Company, that their rights are not respected, they may file a claim online (using the address support@fullwhere.com) or by postal mail (to the address 111 bd de la Millière, 13011 Marseille, or file a complaint with the Personal Data Protection Authority (in France, this is the CNIL whose site is accessible by clicking here).
ARTICLE 7: CONTACT OF THE DATA PROTECTION REFERENT
The data protection referent is reachable at the address support@fullwhere.com.
