Personal data processing policy

This Data Processing Policy ("DP") applies to the Kiliba Service and supplements the General Terms of Use ("GTU"). It provides information on the collection, processing, use and protection of the personal information and data of the User and its Members. Capitalized terms and expressions used in this DP that are not defined below shall have the same meaning as in the GTU.

1. Processing of personal data

Use of the Service requires the transfer, collection, processing and use of the User's and Member's personal data. 

Consequently, the personal data provided by the User when using the Service is subject to automated processing by the Company, which the User expressly acknowledges and accepts. 

For the purposes hereof, the User is the party responsible for processing the personal data provided, with the Company acting exclusively as the User's subcontractor. The User and the Company undertake to comply with the provisions of Law no. 78-17 of January 6, 1978, as well as Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016.

The User hereby expressly authorises the Company, acting as a subcontractor, to process on its behalf the personal data necessary to carry out the automated production and distribution of advertising e-mails to its Members. The Company's individual liability is limited to the data processing activities carried out by the Company in accordance with this DP.

2. Purposes of the processing

The purposes of the processing carried out by the Company are:

  • to provide the User with a tool to automate the sending of e-mails to its Members;
  • to automatically send to the User's Members e-mails such as newsletters, events, promotions, news, etc.;
  • to automatically send reminder e-mails to the User's Members, allowing them to finalize their order;
  • to automatically send to the User's Members advertising e-mails presenting new products, or products similar or related to those they have ordered or consulted on the e-commerce Site;
  • to provide the User with statistical information on advertising campaigns carried out using the Service;
  • to manage Users' requests to exercise their rights.


3. Personal data processed

The personal data processed are the following:

  • For Members: email address; last name; first name; postal address; birthday; gender; username; list of purchases made on the E-commerce Site; date of purchases made on the E-commerce Site; date of registration on the E-commerce Site; list of products viewed on the E-commerce Site; list of products added to the shopping cart on the E-commerce Site; date of last connection to the E-commerce Site; IP address.


This data is periodically collected in the User's e-commerce Site databases.


  • For Users: e-commerce Site name and link; professional email; surname; first name; telephone number; date of last connection to the Platform; IP address. 

4. Categories of persons concerned

The categories of persons concerned are the User and natural persons, whether consumers, professionals or traders, who have created an account on the User's e-commerce Site and who have agreed, where applicable, to the use of their e-mail addresses for commercial purposes.

The User undertakes to inform and obtain the express authorization of the Members concerning the use by the User and by the Company of their personal data at the time of the collection of their personal data, or to have any other legal basis authorizing it to collect and process personal data, and guarantees the Company against any prejudicial consequences, for any reason whatsoever, related to the use of said data. 

The User is required to implement a system enabling Members to exercise their rights in relation to their personal data. The User must document in writing any instructions given to the Company concerning the processing of Members' personal data entrusted to the Company.


5. Legal basis

The processing of User and Member personal data is based on the performance of the contract concluded between the User and the Company and on a legal obligation to which the Company is subject.

6. Retention period of personal data

Members' personal data is kept for as long as the User's Account is active, as well as for an additional period of thirty (30) days in the event of termination of the User's Subscription. An account is considered inactive when the User has not logged on to the Platform for a period of at least one (1) year and has not paid the corresponding monthly or annual fees within this period.

The User's personal data is kept for the duration of his Subscription and for a further period of five (5) years from the end of his Subscription.

For any useful purpose, the User is informed that the Company reserves the right to archive the personal data that it may have collected in execution of the present document, for the duration of the statute of limitations for liability claims. In this case, the archived data is stored on a secure server to which only the Company's manager can have access, and this, exclusively in the context of a dispute whose resolution requires the judicial communication of said data.

7. Security of personal data

Fraudulent access to the Service is prohibited and punishable by law, as is the maintenance, alteration and obstruction of an automated data processing system, and the fraudulent introduction, deletion or modification of data. The Company makes its best efforts, in accordance with the rules of the art, to secure the Service and access to personal data in view of the complexity of the Internet. The User acknowledges that due to the characteristics and constraints of the Internet network, the personal data collected cannot be protected against any form of intrusion, including piracy.

The Company undertakes to implement the following security measures for the processing of personal data:

  • full encryption of personal data collected during transfer and for storage, using the HTTPS protocol;
  • the deletion of personal data collected from Members at the end of a period of thirty (30) days from the date of the User's express request;
  • deletion of all personal data collected from Members after a period of thirty (30) days in the event of termination of the Subscription by the User;
  • the implementation by the Company's subcontractors of redundant and encrypted backups on several sites to ensure the functioning of the Service.


In the event of expiry or termination of the present contract, the Company undertakes to destroy the personal data of Members entrusted to it, including all copies existing in the information systems of the Company and its subcontractors, within a period of thirty (30) days, subject to the provisions of article 6 above. Upon request, the Company will provide the User with a written certificate of destruction at the end of this period.

8. Hosting of personal data

The personal data collected are hosted:

  • in France at Gravelines (59820) with the hosting company OVH, a simplified joint stock company with a share capital of €10,174,560, headquartered at 2 rue Kellermann - 59100 Roubaix - France, registered with the LILLE Trade and Companies Register under the unique identification number 424 761 419 - sales@ovh.net
  • in Stockholm (Sweden - Stockholm eu-north-1) at the web host Amazon Web Services EMEA, a company incorporated under foreign law, whose registered office is at: L 1855 38, avenue John F. KENNEDY, Luxembourg, registered with the Registre du Commerce et des Sociétés de NANTERRE under identification number 831 001 334 - aws-EU-privacy@amazon.com


9. Transfer of personal data

The User is informed and must obtain the express consent of its Members to the transfer of their personal data outside the European Union, to the United States of America. 

This transfer takes place as part of e-mail processing. The subcontractors located in the United States of America have entered into a contract with the Company that includes the European Commission's standard contractual clauses in their June 2021 updated version, and undertake to comply with the provisions of European Regulation no. 2016/679, known as the General Data Protection Regulation. The data collected may also be transferred to third parties other than the Company's subcontractors in the form of totally and irreversibly anonymous statistics.

10. Company commitments

The Company undertakes to:


  • process data only for the purposes for which they are outsourced;
  • process the data in accordance with the documented instructions of the User;
  • guarantee the confidentiality of personal data processed hereunder;
  • ensure the encryption of data collected on the User's databases, both for their transfer and for their recording on the Platform;
  • ensure that persons authorized to process personal data hereunder undertake to respect the confidentiality of such data and receive the necessary training to that effect;
  • take into account the principles of data protection by design and data protection by default when developing and updating the Service.

11. Subcontractors

The Company is expressly authorised to use other processors to carry out specific processing activities necessary for the operation of the Service. The subcontractors that the Company is authorised to use are the following:

  • Twilio and SendGrid for sending e-mails using the SMTP protocol;
  • OVH for hosting and backup of collected data;
  • AWS for hosting and backup of collected data;
  • Salesforce for tracking sales on the e-commerce site;
  • HubSpot for tracking leads and messages to the KILIBA database;
  • Profile for the evolutionary maintenance of the Platform (access to the code of the User's PrestaShop module);
  • Intercom for Platform messaging support (chat);
  • Amplitude for tracking Users' browsing on the Platform;
  • Etheractive Studio for data analysis (for statistical purposes only) in connection with the Platform.


In the event of a change of subcontractor, the Company undertakes to inform the User in advance, specifying the processing activities subcontracted, the identity and contact details of the subcontractor and the dates of the subcontract. The User has a minimum of thirty (30) days from the date of receipt of this information to present his objections. This subcontracting may only be carried out if the User has not raised any objections within the agreed period.

Any subcontractor of the Company is required to comply with the obligations hereunder on behalf of and in accordance with the instructions of the User. It is the Company's responsibility to ensure that its subcontractors provide the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the legislation in force. If a subcontractor of the Company does not fulfil its data protection obligations, the Company shall remain fully liable to the User for its obligations.

12. Cookies

The User is informed that the Plug-in uses cookies which are installed directly on the terminals of the Members when they connect to the E-commerce Site.


Cookies are small files containing textual information, generally consisting of letters and numbers. They are deposited on the Member's terminal (computer, tablet, smartphone, etc.) via their browser when they connect to the e-commerce Site.

This makes it possible to recognize the Member's device as soon as a connection is established between the e-commerce Site server and the Member's browser.


The main purpose of a cookie is simply to enable the e-commerce Site's server to adapt its content in order to personalize the Member's visit to the Site.


The cookies used by the Plug-in guarantee the security and operation of the Plug-in and the Platform. 

They are also used to track Members' browsing on the e-commerce site (necessary cookies).


These cookies do not require Members' consent.

However, the Member is free to refuse the deposit of these cookies on his/her browser. 

In its capacity as data controller, it is the User's responsibility to inform its Members of the installation and use of cookies, and to allow Members who so wish to refuse the installation of cookies on their terminals.


The User is informed that if the Member refuses to accept cookies on his/her terminal, the Plug-in will not function correctly.

In the event of refusal on the part of the Member, the User is exposed to degraded use of the Platform.


The necessary cookies used by the Plug-in are:

  • Type of cookies: Cookie required
    Persistent or session cookies: Persistent cookie
    Submitter: Prestashop
    Duration: Maximum 13 months
    Purpose: This cookie is used to track Members' visits to the e-commerce site and to save the contents of their shopping cart (technical solution for tracking Members on the e-commerce site).

  • Type of cookies: Cookie required
    Persistent or session cookies: Session cookie
    Submitter: Adobe ecommerce
    Duration: Expires at end of browsing session
    Purpose: This cookie enables the tracking of Members' visits (over a single session) to the e-commerce site and the saving of their shopping cart (technical solution to ensure that the Member is the same throughout the visit to the e-commerce site).

13. Support

Wherever possible, the Company will assist the User in fulfilling its obligations with regard to requests to exercise the rights of the persons concerned (right of access, rectification, deletion and opposition, right to limit processing, right to data portability, right not to be the subject of an automated individual decision (including profiling)). These services may give rise, under the applicable legal conditions, to invoicing at the current rates.  


Where the persons concerned send requests to exercise their rights directly to the Company, the latter will send said requests to the User by e-mail as soon as they are received.

The Company will notify the User of any breach of his personal data as soon as possible after becoming aware of it and by any written means (including electronic correspondence). 

The Company will provide the User with all useful information to enable the User to notify the relevant supervisory authority (CNIL) of this violation.

The Company will assist the User in carrying out impact analyses relating to data protection, and in prior consultation with the relevant supervisory authority (CNIL). This assistance may give rise, under the applicable legal conditions, to invoicing under the tariff conditions in force.


14. Data Protection Officer

For any questions relating to this DP, the User may contact the Company's Data Protection Officer at the following email address: dpo@kiliba.com

 

15. Processing register

The Company declares that it keeps a written record of all categories of processing activities carried out on behalf of the User including:

  • the name and contact details of the User on whose behalf it is acting, of any subcontractors and, if applicable, of the data protection officer;
  • the categories of processing carried out on behalf of the User;
  • where applicable, transfers of personal data to a third country, including the identification of that third country and documentation of the existence of appropriate safeguards;
  • a general description of the technical and organizational security measures implemented in connection with the processing of personal data on behalf of the User.


The Company provides the User with the documentation necessary to demonstrate compliance with all its obligations and to enable the User to carry out audits, including inspections, and to contribute to such audits. In accordance with applicable legal conditions, these services may be invoiced at current rates.

16. Contact information

The Company can be contacted:

  • by e-mail: support@kiliba.com;
  • by mail: KILIBA - Personal data - 127-129, rue d'Aguesseau - 92100 Boulogne-Billancourt


17. Language

This DP is written in French.

In the event of translation into one or more foreign languages, the French version shall prevail in the event of dispute.