Our personal data policy
1. What is the purpose of this Policy and who does it concern?
Visiativ Software (a French simplified joint-stock company [Société par actions simplifiée] with a share capital of €9,639,220, having its registered office at 26 rue Benoît Bennier, 69260 Charbonnières-les-Bains, registered with the Lyon Corporate Register under number 353695174) is a company of the VISIATIV Group, which publishes software solutions under the name “MOOVAPPS” (hereinafter the “Solutions”).
The Solutions are marketed either by the VISIATIV Group directly via one of its subsidiaries (hereinafter “VISIATIV”), or indirectly, through its approved third-party retailers.
The purpose of this Policy is to inform our professional Customers or future Customers, who wish to use the Solutions for their professional activity, and make them available to their natural person users (employees, customers, etc.) (hereinafter the “Users”), of how we (VISIATIV, and as applicable, our approved retailers) process the personal data of Users that transit via our Solutions (hereinafter “Personal Data”).
We therefore inform you of our commitment to comply, within the framework of the tasks you entrust to us, with the European General Data Protection Regulation no. 2016/679 of 27 April 2016, which came into force on 25 May 2018, and the new French data protection law no. 78-17 amended by Law no. 2018-493 of 20 June 2018 (hereinafter the “Applicable data protection regulations”).
This Policy is provided for information purposes only and is non-exhaustive, particularly with regard to the technical aspects of our Solutions and the security measures taken, which may vary from one Solution or service to another.
To find out more and to receive the documentation, you may send your request to: email@example.com. We will endeavour to reply as soon as possible.
Additional information can also be found on our website: https://www.moovapps.com.
Any subscription by you will give rise to a contractual agreement specifying the respective undertakings of each party, in accordance with Applicable data protection regulations.
2. What role does VISIATIV play in the processing of your Users’ Personal Data?
For the purposes of data protection regulations, professional Customers using our Solutions are the “Data Controllers” of their Users’ Personal Data.
We are therefore your “Processors”, acting on your behalf, and we therefore undertake to act exclusively upon your instructions.
As Controllers, you must observe a number of obligations, particularly in terms of transparency vis-à-vis your Users, and obtain their consent if you consider it necessary. You must also allow them to exercise their rights such as their rights of objection, deletion, restriction and enforceability.
VISIATIV will assist you, as far as possible according to our Solutions and the resources available to us, and will help you, in the manner specified in your contract with VISIATIV or our approved retailers, to comply with your own commitments.
To this end, Customers using the Solutions are authorised to reproduce this Policy, and to adapt it, but this does not exempt you from your legal obligations as Data Controllers.
We draw your attention to the fact that this Policy is not intended to replace all the information that Users are entitled to expect from the Data Controller, which you are responsible for verifying.
3. Which Personal Data of your Users will VISIATIV process via the Solutions?
Everything depends on you, and the service you subscribe to. In principle, we do not have direct access to the Personal Data of Users transiting via our Solutions (except, for example, to manage User registration, depending on the Solutions: last name, first name, email address). To meet our respective undertakings, we ask you to make a list of all the Personal Data that will potentially be sent via our Solutions. We will use our best efforts to adapt our security and organisational measures, if necessary, to the Personal Data in question and the Solutions available.
In particular, we must be expressly informed if the Personal Data is “sensitive”, for which we reserve the right, depending on the case, to refuse to process it on your behalf.
In addition, depending on the Solutions, VISIATIV offers free access to blogs, communities and support forums.
The Customer must ensure that their Users bear in mind that all the information they provide in each of these spaces may be read, collected and used by all the other individuals having access to them.
4. Which types of Personal Data processing does VISIATIV do for its Customers?
The types of Personal Data processing performed within the framework of supplying the Solutions are particularly, depending on the options selected: potential access to Personal Data for the purpose of registering for the service or in the event of maintenance of the Solutions or on-site installation; hosting of the Solutions; display, copying, retrieval, back-up, restoration and deletion of data; transfer of Personal Data between the different internal departments, and to partners or companies in the VISIATIV Group which are bound by confidentiality commitments and solely for the purpose of supplying the services.
In any event, VISIATIV will only process Personal Data where it is strictly necessary for the tasks you have entrusted to us.
5. Who may have access to and process the Personal Data of your Users?
5.1. Approved retailers of the VISIATIV Group
VISIATIV Group may use the services of partner companies to market its Solutions and for certain services (such as on-site installation at the Customer’s premises for example, or level-1 support). In this case, VISIATIV Group ensures that these approved retailers, as “Processors” of your Personal Data, comply with data protection Regulations and with this Policy when, in providing their services, they may have access to Personal Data, according to the scope defined in your contract.
5.2. Approved third-party service providers
To provide our services in the most satisfactory manner possible, we are required to grant certain expressly authorised third parties direct or indirect access to Personal Data. We have taken care to set up partnerships with several selected service providers, whose services and solutions complete, facilitate and improve our own services, or are necessary to be able to supply them.
These service providers are, inter alia: server hosting and colocation service providers; communication and content delivery network (CDN) operators; information and data security service providers, billing and payment service providers; domain name registration offices; fraud detection and prevention service providers; Web analysis, email distribution, session recording and remote access or performance measuring service providers; content providers; legal and financial advisors.
5.3. Third-party developers
As part of the “Partner Programme”, VISIATIV authorises third-party developers to design and offer their own applications (“Third-Party App(s)”), which interface with the Solutions.
5.4. Entities in the VISIATIV Group
Other companies in the VISIATIV Group may have access to Personal Data, for the sole purpose of the services.
5.5. Administrative and judicial authorities
VISIATIV may be compelled, in order to meet a statutory or regulatory obligation, to disclose certain Personal Data upon the demand of an administrative or judicial authority without the possibility of availing itself of professional secrecy.
In this case, we will take all necessary precautions in delivering the Personal Data and we will particularly satisfy ourselves that such delivery is legally founded and legitimate.
6. What is the scope of the processing done by VISIATIV on your behalf?
The Personal Data processing performed by VISIATIV (or its approved retailers) is exclusively processing that is strictly necessary to provide the services you order, in accordance with your instructions and with our contractual agreements. Any other use is prohibited without your express, prior agreement.
In any event, VISIATIV expressly undertakes not to rent or resell the Personal Data of your Users.
7. For how long will VISIATIV keep the Personal Data of your Users?
VISIATIV undertakes to only use the Personal Data of your Users for the term of our contractual relationship and, if the services you select so require, for a longer period that we shall agree upon together.
At the end of this retention period, and except to comply with a statutory or regulatory obligation, VISIATIV will destroy or return to you the Personal Data of your Users based on the services selected, in compliance with our agreements.
8. Where is the Personal Data of your Users processed?
Personal Data is processed on secured servers located either within the European Union or outside the European Union, but only if the transfer outside the EU meets one of the conditions below:
- The processing is done in a “third country” for which an adequacy decision has been made by the European Commission;
- The processing is done by a firm based in the United States carrying Privacy Shield certification or any other equivalent certification;
- The processing is done within the framework of the standard contractual clauses issued by the European Commission;
- The processing is done within the framework of Binding Corporate Rules.
VISIATIV will provide any technical information about the hosting of its Solutions upon request.
If recipients of Personal Data, as listed in section 5 above, are established outside the European Union, VISIATIV ensures that the processing is done within the framework of at least one of the aforementioned compliance tools (except for administrative or judicial authority recipients or any other public or private organisation authorised to receive Personal Data, to which VISIATIV is not contractually bound).
9. Which security measures does VISIATIV take?
VISIATIV has particularly taken the following measures to guarantee the secure processing of your Users’ Personal Data: physical security of premises; organisational security: process for authorising access to information systems processing Data; software security: password policy, protection of sensitive IT environments by updated antivirus software for Windows environments; introduction of internal control and self-assessment procedures to ensure the security level is maintained over time.
We remain at your disposal to provide a more detailed description of the security measures we take.
Naturally, these measures and precautions will only be effective and capable of achieving the security objective pursued if the Personal Data you transfer do not contain or carry any virus, worm, Trojan horse and other harmful or destructive content that could affect our information systems and User rights.
9.2. Focus on the cloud
VISIATIV has taken particular care in designing its Cloud infrastructure to meet the most demanding security requirements in accordance with the “Security & Privacy by Design” concept.
As an example, the following systems have been put in place: double firewall, total isolation of instances by docker container technology in Linux, systematic deployment of software packages by Ansible (deployment tool) in Linux.
We will endeavour to reply as soon as possible.
10. Which system must be implemented to respect the rights of Users as data subjects of the Personal Data transiting via the Solutions?
As Data Controller, in direct contact with your Users, you are particularly responsible, within the framework of providing the Solutions, for: clearly informing Users of the processing performed via the Solutions, the main principles of which are set out in this Policy, subject to the specific features of the service selected and the Solution concerned; for obtaining the Users’ consent if you consider it necessary; for replying to User requests concerning their rights and for guaranteeing their effective exercise of those rights.
In general, the Solutions do not provide as a standard feature a Personal Data processing policy for Users, nor do they include systems for managing User consent or processing requests from Users to exercise their rights; these remain under your own responsibility.
We will study any specific request in this regard, in order to contribute, as far as possible, to your compliance with your own obligations.
11. What happens in the event of a Personal Data breach?
VISIATIV undertakes to notify you of any Personal Data breach of which we become aware as soon as possible, and vice versa.
VISIATIV will send you all the information in its possession, so that you are able to fulfil your obligation to notify the competent supervisory authority and data subjects and to remedy the problem.
12. Final information
VISIATIV would like to specify that, when the services provided include links to other websites or services, we are not responsible for the privacy practices implemented on such websites or services.
Furthermore, this Policy does not apply to third-party websites and the related services. Therefore, we advise you to read the applicable third-party privacy statements.
Lastly, VISIATIV reserves the right to make any necessary changes and corrections to this Policy. We recommend that you consult it from time to time to identify any changes, if we have not already informed you of them.
Version applicable as at 28/08/2018