The Company has developed a multifunctional SaaS software solution ‘Flexybeauty’ for use by well-being professionals (the ‘Professionals’), making it possible for them to benefit from a variety of services including point-of-sale software, customer database compilation (the ‘Customer(s)’, the ‘Database’), tracking customer appointments, managing stock and also accessing statistics on their Customers and how often they come into the establishment (the ‘Services’) via the site available from this link: www.flexybeauty.com (the ‘Site’). The solution also offers a direct marketing service.
The Company is the manager in charge of handling the Professionals’ personal data.
The Professional is the Customer Data handling manager, with the Company acting in the capacity of sub-contractor in this scenario.
The Company cares about the personal data of the Professional and their Customers, and therefore undertakes to ensure that the handling of such data – in its capacity as handling manager and handling sub-contractor respectively – is compliant with the framework of the General Conditions of Sale, in conformity with the applicable provisions of the General Data Protection Regulation 2016/679 of the European Parliament and Council dated 27th April 2016 (the ‘GDPR’).
In the event that the Professional does not wish to see their personal data gathered under the conditions set out hereinafter, the Professional absolutely must refrain from using the Services provided by the Company.
It is hereby recalled that all personal data handling prior to 25 May 2018 must be the subject of a declaration to the French National Commission for computerised data and freedoms (hereinafter referred to as the ‘CNIL’).
In conformity with the Computerised Information and Freedoms Act, the handling of personal data submitted by the Professional while signing up to the Registration for Services or during the validation of their Account has been the subject of a declaration made by the Company to the CNIL under number 1786070.
ARTICLE 1. COLLECTED PERSONAL DATA
1.1. Registration data in the personal space
In order to benefit from the Services made available by the Company, the Professional registers on the Site by creating a personal space (the ‘Personal Space’).
During the registration process, the Professional is invited to input the following personal data in conjunction with the Professional’s corporate name:
First and last name
Mobile phone number
Business postal address
At the end of the fifteen (15) day trial period, and in conformity with the provisions of the General Conditions of Sale, access to the Services will be automatically deactivated unless the Professional validates their account in the Personal Space.
Account validation involves gathering the following personal data, in addition to their French economic activity code (the NAF code) and their Siret (business identification) number:
business postal address;
address of headquarters, postal code, town, country;
address of establishment(s);
first and last name of legal representative;
date of birth of legal representative;
country of birth of legal representative;
country of residence of legal representative;
means of payment for access to services (SEPA bank debit or bank card debit).
All responses must be submitted, in particular during the registration onto the Personal Space, so that the Company’s Services can be properly executed. In the event that the Professional declines to complete these required fields for any reason whatsoever, then the Professional is hereby informed that it is not possible to execute the Services, and the Professional will not be able to benefit from them.
Last name, first name, contact details (telephone number or email address) of publishing director.
When the Professional signs up to the Services, s/he agrees to submit the personal data referred to above of their own free will.
The Professional is hereby informed that the Company will not collect any data that is sensitive in the sense conveyed by legislation and regulations in force.
The Professional undertakes to only submit data that is accurate, comprehensive and updated on a regular basis where it concerns their identity and personal information. Under no circumstances may the Company’s liability be invoked in the event of data being submitted that is obsolete, unlawful or an affront to public order. In conformity with the provisions set out in the General Conditions of Sale, the Professional undertakes to inform the Company immediately if any third party makes unauthorised or malicious use of their log-in information in their Personal Space.
The Company hereby informs the Professional that it also deposits Cookies or similar tracking technology on the Professional’s computer terminal, and that the following information is gathered:
IP address (Internet Protocol);
Version of browser used on computer terminal;
How the site is used/browsing data
The reasons for handling the data gathered via cookies and trackers, along with the cookie management policy, are given in Article 8.
1.3. Banking information
This means that the Company itself does not collect, handle, host or save any personal data related to banking information, which is collected, handled and hosted directly and solely by the Payment services provider on behalf of the Company.
Consequently, the Professional is hereby informed that the collection, handling and hosting of bank data is processed by the company MANGOPAY SA located at 10 boulevard Royal, L-2449 Luxembourg, being a limited company registered with the Trade and Business Registry of Luxembourg under number B173459, this being in conformity with their own privacy obligations.
In any case, the Company has ensured that Mangopay complies with all of the legal and regulatory obligations in force.
ARTICLE 2. PURPOSE OF HANDLING COMPLETED
The Company collects, handles and saves data submitted by the Professional within the confines of the procedure for registering for and accessing the Services.
The Company therefore gathers and handles a Professional’s personal data solely to execute the Services it provides, and to ensure optimal usage.
The Professional is also hereby informed that the Company’s handling makes it possible for the Company to compile statistical information on the use of the Services so that the Professional can compare usages with other Professionals in the same category. In any case, this data that can be used to compile statistical data is fully anonymised.
The Company guarantees that no personal data will be gathered without the Professional’s express prior agreement.
The Company hereby informs the Professional that the data collected for the purposes of executing the Services may be transferred to the United States of America to the hosting service Company GOOGLE, which is a member of the Privacy Shield system, and the Professional is expressly informed of this by way of this legal instrument. The Company hereby informs the Professional that the service-provider handling the data hosting guarantees that all security measures that the Professional can legitimately expect have been taken. The Professional is hereby informed that – in line with its own discretionary choice – the Company may change the hosting services provider in favour of a hosting provider located elsewhere within the European Union.
The Company hereby informs the Professional that the data is retained only for the duration of the contractual relationship expressly necessary for the purposes of the handling and until the end of the contractual relationship.
ARTICLE 3. OBLIGATIONS OF THE COMPANY
The Company undertakes to do the following, in line with its capacity as data handling manager and in conformity with the legislation and regulations in force:
To only gather Professionals’ data via the Company’s Services for the purposes set out in Article 2;
To keep a record of the handling operations undertaken on the Site;
To implement all technical and organisational measures to ensure the security of the handling operations undertaken;
To restrict access to Professionals’ data solely to those persons duly authorised to that effect;
To make internal personnel aware of the regulations relating to data handling, and to provide training on this;
To guarantee to Professionals all rights to data access, portability, deletion, correction and challenge in respect of their data gathered during the use of the Services;
To notify the CNIL of any security failure that presents an elevated risk to the Professionals’ rights and freedoms within 72 hours of the discovery of the breach;
In the event that the Professionals’ Services are cancelled, to proceed with destroying their data within three (3) years.
ARTICLE 4. ACCESS TO COLLECTED DATA
The Professional may – before, during or after the data handling – avail him/herself of the right to access, copy, correct, challenge, move, limit and delete data about the Professional.
The Professional may directly configure their data via their personal account, or may exercise their rights by sending an email to this email address: email@example.com, or by sending a letter to this postal address: FLEXYCORP, 31 rue Henri Rochefort, 75017 Paris. This is subject to the Professional providing evidence of their own identity.
The Professional is duly informed that the deletion of their Personal Space will mean that access to the Services and to the data linked to the use of the Services will be withdrawn. The Professional is hereby informed that Customer Data is retained for a period of sixty (60) days from the time of termination, except in the case of any data retained for longer than this as required by legislation or regulations.
Furthermore, the Professional may at any time question the Company if the Professional is of the opinion that their rights are not being respected. If no satisfactory response is given then the Professional may submit a claim to the CNIL. For further information, the Company suggests that the Professional view their rights on the CNIL website that is available using this link: www.cnil.fr.
ARTICLE 5. FRAUDULENT INTRUSION
In the event that the Company becomes the victim of fraudulent intrusion into its systems or a victim of theft, destruction, loss, alteration, divulgence, unauthorised access or any other malicious act, then the Company undertakes to notify the Professional of (i) the nature of the intrusion, (ii) the likely consequences of the malicious act, and (iii) the measures proposed to remedy the malicious act, within a period of seventy-two (72) hours.
The malicious act presenting a significant risk to the Professionals’ rights and freedoms is to be communicated to the CNIL in its capacity as a protection authority.
The Professional is hereby duly informed that the Company’s liability may not be invoked in the event of any IT security breach that may cause damage to computer hardware, nor in the event of any fraudulent intrusion or malicious act of a third party within the system, the Professional’s Account, or the Site.
ARTICLE 6. SPECIFIC PROVISIONS: CUSTOMER DATA
All of the Customer Data remains the exclusive property of the Professional.
The Professional is responsible for handling the Customer Data during the usage of the Services. The Company acts solely in the capacity of sub-contractor. The Professional – in their capacity of handling manager – undertakes to only collect professional data, excluding data that violates persons, their private life, public order and common decency, or is in breach of rules related to their activity and their profession. Collection of Customer Data remains the exclusive responsibility of the Professional.
The Professional is responsible for, among other things, ensuring that the free comment file in the Customer file does not contain any sensitive or prohibited personal data.
The Professional – in their capacity as handling manager – undertakes to comply with all applicable regulation and legislation relating to personal data, especially GDPR provisions. In particular, the Professional is to ensure that Customers are able to exercise their rights to, among other things, copy, correct, challenge, move, limit and delete data about them, at any time. To this end, the Professional indemnifies the Company against any action, without prejudice to any damages or interests that the Company may claim as a result of any failure to abide by the commitments set out herein above, taking into account the possibilities that may exist to this end in respect of the solution.
The Professional and the Company undertake to implement all appropriate technical and organisational means to ensure the safety of the Customer’s personal data by reasonable means.
In its capacity as sub-contractor and in conformity with Article 34 of the French Computerised Information and Freedoms Act, the Company undertakes to take all useful precautions with a view to safeguarding the security of the personal data that has been collected, and particularly to employ all means that enable the Company to prevent personal data from becoming altered or damaged, or communicated to unauthorised third parties.
In its capacity as sub-contractor, and in line with the legal and regulatory provisions in force, the Company and all of its personnel undertake to comply with the following obligations:
To only handle personal data when instructed to do so by the handling manager;
To respect the confidentiality of the data collected;
To refrain from making any copy of the data collected, notwithstanding that which is necessary to the use of the Services made available by the Company, and in particular that which is necessary to safeguard the Services;
To refrain from using data collected for any purposes other than those that determine the core purpose of the handling;
To refrain from divulging the data to any unauthorised third party;
To adopt all necessary measures that make it possible to avoid fraudulent or inappropriate use of the data collected via the Services;
To take all security measures that make it possible to ensure that the data collected and handled via the Services is retained and preserves its integrity, and to provide the handling manager with all the information necessary to show that they are respecting their obligations;
To give all of their support to the handling manager in the fulfilling of their obligations;
To give all of their support to the handling manager for the purposes of guaranteeing that the handling is undertaken securely, as well as providing support with notifying the CNIL of any data breach, communicating data breaches to the person concerned, and undertaking an impact analysis relating to data protection and prior consultations as set out in Articles 32 to 36 of Regulation 2016/679;
To proceed with the deletion of all data collected and all databases on which this data has been kept upon the express request of the handling manager, particularly where this follows an express request on the part of the Professional. This applies in particular where a Professional’s Personal Space has been deleted, or where the handling manager has definitively stopped operating the Services, within the conditions set out in the General Conditions of Sale;
Where the subscription to the Services has been cancelled, and upon the handling manager’s request, to send the data to the handling manager and to proceed with destroying all personal data. It is hereby agreed that the ending of the service provision on behalf of the Professional in their capacity as handling manager will result in the deletion of all the data handled by the Company as part of the usage of the Services at the end of a twelve (12) month period;
To never sub-contract the execution of the Service to any third party apart from the hosting service.
ARTICLE 7. MANAGEMENT OF COOKIES
A cookie is a text file that, subject to the Professional’s choice in the matter, is deposited on the Professional’s computer during a web page visit. The purpose of a cookie is to gather information relating to the Professional’s browsing habits and to provide the Professional with services that are appropriate to their computer terminal (computer, mobile device or tablet).
The Professional is hereby informed that when they use the Services, files referred to as ‘Cookies’ are stored on the Professional’s terminal, along with connection trackers, other tracers, or similar technology.
The Professional is hereby informed that the Company deposits cookies and trackers on their terminal in order to make it possible for (i) the Professional to identify him/herself, (ii) the Company to administer the Professional’s Personal Space, (iii) the Site’s content to be improved or, where appropriate, (iv) the Site’s audience figures to be measured by calculating statistics relating to the pages viewed by the Professional and for the determination of the most heavily used Services.
The Professional is hereby informed that cookies and trackers are deposited on their terminal for a duration of thirteen (13) months.
However, some of the Service’s functionalities cannot be used without Cookies. Furthermore, while most browsers are configured to accept the installation of all Cookies by default, the Professional may, if they wish, choose to accept the depositing of all Cookies other than functional Cookies, or may choose to systematically reject them, or may choose to accept them depending on who is issuing them. The following configurations may be set up for these purposes.
The Company hereby informs the Professional that they may alter their consent parameters at any time by changing these configurations.