555-555-5555
mymail@mailservice.com
Factomos policy on personal data
Update of April 1, 2022
Personal data collected by Factomos as part of the provision of services on the application https://app.factomos.com (hereinafter the "Services") are collected, processed and stored in accordance with the laws and regulations on personal data, and in particular the Law "Computing and Freedomof January 6, 1978, in the version currently in force and Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation – hereinafter the “GDPR").
For the purposes of this clause, the expression "personal data"(hereinafter "Personal data”) must be understood as corresponding to “personal dataas defined by the GDPR.
Factomos acts as data controller for the Personal Data collected as part of the management of its customer relationship with the company using the Services (hereinafter the "Customer").
On the other hand, concerning the Personal Data which is entered by the Customer or the end user in the context of the use of the services (and in particular the invoicing services), Factomos acts as a subcontractor of personal data.
1. Concerning the Personal Data for which Factomos is responsible for processing
The Personal Data communicated by the Customer is only used (by Factomos, its service providers and subcontractors) for the following purposes:
| Type of processing | Personal Data concerned | Purpose |
|---|---|---|
| Customer Personal Data | surname, first name, email address and company to which the contact person is attached to the Customer. Management of the contractual relationship with the Client. | Management of the contractual relationship with the Client. The processing of Personal Data is carried out on the basis of the contractual relationship referred to in Article 6.1 (b) of the GDPR, resulting from the use of the Services. |
| Personal Data relating to the exercise of the rights of data subjects | Data communicated by the person concerned in the context of the exercise of their rights and in particular surname, first name, address, identity card, etc. | Management of the exercise of the rights of data subjects. The processing of Personal Data is carried out on the basis of the legal obligation referred to in Article 6.1 (c) of the GDPR. |
| Personal Data relating to litigation | Any Personal Data collected as part of the processing mentioned above. | Management of customer disputes for the defense of Factomos' interests in court. The processing of Personal Data is carried out on the basis of the legitimate interest referred to in Article 6.1 (f) of the GDPR. |
All information concerning the Personal Data collected through Cookies is available by clicking on the
Cookies Policy.
The Personal Data is intended for Factomos' authorized departments and personnel for the fulfillment of its previously defined processing purposes (customer service, legal department, etc.).
They may be communicated, for some of the aforementioned purposes, and only if such communication proves necessary, to Factomos service providers who may be involved in the processing of Personal Data.
These recipients act solely on our behalf and on the instructions of Factomos and only receive the Personal Data necessary for the purpose involving such communication. These include the following providers in particular:
Personal Data may also be communicated to other recipients:
The Personal Data collected in this context are under no circumstances transferred to third parties or transferred outside the European Union.
The person whose Personal Data is collected by Factomos has a right of access, rectification, erasure, opposition, limitation of processing and portability of Personal Data. To exercise his rights, he must send his request to Factomos at the following address: Factomos, 10, rue de la Paix - 75002 Paris or email: contact@factomos.com.
If the person whose Personal Data is collected considers, after having contacted Factomos, that his rights are not respected, he can lodge a complaint with the National Commission for Computing and Liberties (CNIL).
- concerning the Personal Data processed within the framework of the contractual relationship: in active form for the duration of the contractual relationship with the Customer, then in the form of archives for a period of 18 (eighteen) months from the termination of the contractual relationship with the Client;
- concerning the Personal Data relating to the exercise of the rights of the personal concerned: In active form for the duration necessary to process the request then for a maximum period of 5 years from the request to exercise rights, in the form of archiving after processing the request.
The duration mentioned above is likely to be extended in the event of a dispute between Factomos and the Customer/person concerned, until the end of the dispute.
2. Concerning the Personal Data for which Factomos acts as a subcontractor
2.1 The different types of processing concerned
The nature and purpose of this processing, the type of Personal Data, the categories of persons concerned and the retention period of Personal Data are detailed below:
2.1.1 Regarding Personal Data
resulting from the use of bill management services
| Nature and Purpose of the processing | Execution of the Services, namely: establishment of the Customer's or end user's invoices, management of reminders, management of the status of invoices (paid/unpaid), storage of information entered or downloaded by the Customer or the end user as well as than documents created on the Factomos web application. |
| Categories of data subjects | customers of the Customer or the end user of the Services. |
| Types of data concerned | Personal data necessary for the management of the Customer's or end user's invoicing, namely: surname, first name, address, email, telephone, products and/or services purchased, price paid, date of payment, delivery and performance, date and order number |
| The duration of the conversation | in active form until the deletion of the Services user account, then in archive form for an additional period of 18 (eighteen) months from the deletion of the account. |
2.1.2 Regarding Personal Data
collected to allow access to the Services to collaborators/sub-users
| Nature and Purpose of the processing | allow the Customer or the end user to give its collaborators/sub-users access to its account for the use of the Services. |
| Categories of data subjects | Customer's or End User's collaborators/sub-users. |
| Types of data concerned | Surname, first name, email address of collaborators/sub-users, company to which they are attached, type of access granted, and, if applicable, the accounts for which access is granted for users of the "Expert" version. |
| The duration of the conversation | in active form until the deletion of the Services user account or until the access given to the person concerned by the owner of the account is deleted, then in archival form for an additional period of 18 (ten -eight months. |
2.1.3 Concerning Personal Data collected in the context of sponsorship
| Nature and Purpose of the processing | Allow a Customer to sponsor a third party in order to make them aware of the Services and to benefit, if applicable, from a discount on their subscription. |
| Categories of data subjects | Contact person at the sponsored company. |
| Types of data concerned | email address, Customer having sponsored the company of the interlocutor |
| The duration of the conversation | In active form for as long as the Referring Customer's account uses the Services, then in archival form for an additional 18 (eighteen) months. |
2.1.4 Regarding Personal Data
collected to allow access to the Services to beneficiaries on whose behalf a Customer of the "Expert» of the Factomos web application has subscribed
| Nature and Purpose of the processing | Send the Beneficiaries a connection link to their account for using the Services. |
| Categories of data subjects | Contact person for the Beneficiaries. |
| Types of data concerned | Last name, first name, email address, connecting company, identity of the Customer of the "Expert" version of the Factomos web application who took out the subscription on behalf of the Beneficiary. |
| The duration of the conversation | Personal Data is kept in active form until the account is deleted, then in archive form for an additional period of 18 (eighteen) months from the deletion of the Services user account. |
2.1.5 Regarding Personal Data
of prospects for which a Customer of the "Expertof the web application asked Factomos to send an invitation to use its Services
| Nature and Purpose of the processing | Allow Factomos to send prospects an invitation to use the Services. |
| Categories of data subjects | Contact person for prospects. |
| Types of data concerned | Last name, first name, email address, company to which you belong. |
| The duration of the conversation | If the prospect has not taken out a subscription, the Personal Data is kept for a period of 45 (forty-five) days in active form from the sending of the link allowing him to connect to his user account. Services then, in the form of archives, for an additional period of 18 (eighteen) months. If the prospect has finally taken out a subscription, the Personal Data is kept in active form until the account is deleted, then in archive form for an additional period of 18 (eighteen) months. |
2.2 Commitments of Factomos and the user
With regard to this Personal Data, Factomos and the user undertake to comply with the laws and regulations regarding Personal Data.
The user, in his capacity as responsible for processing the Personal Data collected, authorizes Factomos, which is the subcontractor for the processing of this Personal Data, to process on his behalf and in accordance with his instructions the Personal Data necessary for the sole purpose of the performance of the Services.
Factomos will only have a temporary right of use on the Personal Data and strictly limited to the sole and unique purposes of performing the Services.
Factomos may only access or use Personal Data insofar as this proves necessary in the context of the performance of the Services and provided that such access or use is limited to what is strictly necessary to perform the Services.
Factomos is therefore prohibited from using Personal Data for other purposes and from disclosing, without the User's prior consent, Personal Data to third parties, for any reason whatsoever.
Factomos undertakes to guarantee the confidentiality of the Personal Data processed on behalf of the user.
Factomos will ensure that access to Personal Data is restricted to staff members who need access to Personal Data to provide the Services and will ensure that such staff members:
- are legally bound by contractual confidentiality, Personal Data protection and security obligations at least as restrictive as those contained in this Personal Data Policy;
- are aware of the laws and regulations applicable to the protection of Personal Data;
- will only process Personal Data on instructions from the user.
Factomos also undertakes to set up and maintain optimal physical security, on its Personal Data processing center, in particular in terms of authorized access, and logical, at the level of the IT infrastructure and networks, and this in particular to ensure that the Personal Data will be kept without it being damaged in any way (in particular, accidental or illicit destruction, accidental loss, any illicit form of processing, deformation, data damaged or communicated to unauthorized persons, misuse or fraudulent use of Personal Data).
Factomos undertakes in particular to implement the following security and prevention procedures:
- prevent any unauthorized external intrusion to Personal Data;
- implement all technical means to ensure the security of Personal Data, in particular through the use of firewalls, preventing any intrusion, regardless of its nature and the technique used, from unauthorized users, or from passwords highly secure access;
- implement the required physical security means such as securing the premises;
- assign only qualified personnel who are aware of safety procedures;
- to restrict access to Personal Data to only persons authorized or empowered for this purpose.
Factomos will carry out regular tests of the security measures in order to assess their effectiveness.
Despite these measures to protect Personal Data, no transmission or storage technology is infallible. Thus, Factomos and the user mutually undertake to immediately notify each other of any violation (security breach) of Personal Data as soon as they become aware of it.
The notification sent in this way must specify:
- the categories and number of persons concerned;
- the categories and number of Personal Data records concerned;
- the likely consequences of the breach;
- any steps taken to mitigate and manage the breach.
Factomos will take steps to mitigate the effects and minimize any harm resulting from any breach of Personal Data and to comply with any instructions given by the user with respect to such breach.
Factomos will cooperate with the user, assist the latter and make available to him all the information required to demonstrate compliance with the obligations set out in this policy relating to Personal Data, at the request of the user.
The user may carry out audits as well as carry out security tests in order to verify Factomos' compliance with the obligations of this Personal Data Policy. The user must first notify Factomos, at least 30 (thirty) working days in advance, of the day on which the audit is carried out, the name of the auditor as well as the conditions for carrying out the audit. Factomos may oppose the choice of auditor retained by the user. Factomos will then propose three recognized and independent audit companies to which the user can have recourse to carry out this audit.
The user will communicate to Factomos the reports of the results of the security audits and tests. If security flaws identified as critical are detected by the user, Factomos undertakes to correct them within the deadlines defined by the Parties according to the degree of criticality. The user will perform new tests to ensure that the flaws have been corrected.
Factomos will not be able to transfer Personal Data outside the European Union.
Factomos may only engage a subcontractor to process Personal Data if:
- the subcontractor is bound by a written contract requiring Personal Data protection at least as restrictive as that of this Personal Data Policy;
- the user has the right to audit the subcontractor or give him instructions;
- Factomos is fully responsible, vis-à-vis the user, for the performance of the obligations of the subcontractor with regard to the protection of Personal Data;
- Factomos agrees, upon request, to provide a copy of the notices relating to the protection of Personal Data stipulated in its written contract concluded with the subcontractor.
The user hereby expressly authorizes Factomos to use the subcontractors on the list that can be consulted at this address by
click here.
At the request of the user, Factomos must provide him with assistance in order to:
- respond to requests from individuals whose Personal Data has been processed;
- respond to inquiries from any supervisory authority;
- notify a breach of Personal Data to the persons concerned or to the supervisory authorities;
- conduct impact analyzes relating to the protection of Personal Data;
in each case, insofar as these actions are related to the performance of the Services.
The user undertakes for his part to:
- limit the Personal Data communicated to Factomos in the context of the use of the Services to what is strictly necessary;
- ensure the lawfulness of the processing of Personal Data;
- ensure the authorization of the persons concerned for the transmission to Factomos and its subcontractors/providers of their Personal Data in the context of the performance of the Services.
- ensure that data subjects can exercise their rights over their Personal Data (right of access, rectification, erasure and opposition, right to limit processing, right to data portability, must introduce a complaint to the CNIL);
- provide Factomos with the necessary instructions for the processing of Personal Data.
3. List of subcontractors
stripe
: (for online payment of subscription and invoices)
Head office: 10 Boulevard Haussmann, 75009 Paris.
DPO:
dpo@stripe.com
GoCardLess
: (for online payment of subscription and invoices)
Head office: 7 rue de madrid, 75008 PARIS
Telephone: 33 1 70 37 71 23 and email:
france@gocardless.com
GoCardless and GDPR
SQUARK:
(data hosting)
Head office: 5 Passage de l'industrie, 92130 Issy-Les-Moulineaux
