Privacy Policy
What are the key concepts of the General Data Protection Regulation (GDPR)?
To the notions already defined in the general conditions, are added the following terms whose meaning is defined by the “General Data Protection Regulation” (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC:
Personal Data: any information which allows, in any form whatsoever, the identification of the natural persons to whom it applies. A natural person is deemed to be identifiable who can be identified in particular by reference to a name, an identification number or to one or more specific elements, specific to their physical, physiological, genetic, psychological, economic, cultural or social identity.
Persons concerned: people who can be identified, directly or indirectly in the context of the Company's activities (commercial activity, marketing, customer relations, etc.), i.e. all Users, Customers and Prospects of 'Indy.
Data controller: organization which – alone or jointly with others – determines the “why” and the “how” of data processing, that is to say its purpose (objectives pursued) and its means (conditions of implementation). implemented, particularly on a technical, material and organizational level).
Subcontractor: organization which processes data on behalf and on the instructions of another organization, Data Controller.
Processing of Personal Data: any operation applied to data or sets of personal data, such as collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction.
Who is the Data Controller of your Personal Data?
The Blendy by Cogesten Company determines the purposes and means of processing your Personal Data.
As part of the publishing of the Site and the management of Accounts, the Company therefore acts as Data Controller within the meaning of Article 4 of the GDPR.
What categories of Personal Data are concerned?
Identification data: first and last name; mail address ; password ; telephone number; occupation ; company (name, company name or SIRET).
Connection data: country of connection; IP adress ; log ; User ID, etc.
Web data: cookies and browsing data; reviews and comments left on multiple channels, such as our websites or social networks.
Financial data: data relating to the credit card of the Data Subject as part of the payment of the subscription made through a service provider.
Banking data: data relating to the bank account of the Data Subject as part of bank synchronization carried out through our service providers.
Although presenting a high sensitivity or issue, financial and banking data are not part of so-called “sensitive” data from the point of view of fundamental freedoms and rights (article 9 of the GDPR). Although these data must be subject to appropriate guarantees due to their particular nature or their confidential nature, their processing is nevertheless not subject to specific rules within the framework of European data protection regulations.
Who are the recipients of your Personal Data?
Access to Personal Data is strictly regulated. The Company ensures that the data is only accessible to authorized internal or external recipients.
Internal recipients:
Authorized personnel from the marketing, sales, customer relations, administrative and technical departments as well as their line managers. Authorized personnel from the services responsible for control (auditor, service responsible for internal control procedures, etc.).
External recipients:
The Company's partners and subcontractors and, more particularly, their personnel authorized to access only the data necessary for the implementation of their services.
Organizations, court officers and ministerial officers, as part of their debt recovery mission;
The recipients of your Personal Data within the Company are subject to a specific confidentiality obligation. The Company decides which recipient is authorized, internally, to receive data.
The authorization policy is regularly updated and takes into account the arrivals and departures of Company employees with access to the data.
If an employee realizes that he has access to data to which he should not have access, he has an obligation to notify the competent department without delay.
All access to processing relating to the Personal Data of the Persons concerned is subject to a traceability measure.
Furthermore, your Personal Data may be transmitted to third-party service providers who are required to use them only within the framework of the missions that the Company has entrusted to them, in particular: For the implementation of bank synchronization, the Company is in relationship with financial companies with which it has entered into a specific partnership agreement;
When the Company uses Subcontractors and independent contractors to support it in the provision of a certain number of services: customer messaging platform, advertising, statistics, data management and hosting, payment services, etc. These service providers have limited access to the data of the Persons concerned, as part of the strict execution of these services. When the Data Subject publishes, in free comment areas (blog, Facebook page, etc.), information accessible to the public;
When the Data Subject authorizes a third party's website to access their data. In this context, the Company ensures that the security of your Data is preserved through strict control:
In the event that personal information is transferred within the European Union, the Company ensures the adherence of these third-party service providers to the principles of the “General Data Protection Regulation” (GDPR);
In the event that personal information is transferred outside the European Union, the Company ensures that the third country concerned has a level of protection deemed adequate by European regulations (for example in the case of transfer of data to United States, monitoring of third-party service provider's adherence to the “Privacy Shield” principles).
Your Personal Data may also be communicated to any authority legally authorized to know it. The Company may in particular transmit data to follow up on claims presented against it and to comply with administrative and legal procedures.
In this case, the Company is not responsible for the conditions under which the personnel of these authorities have access to and use your data.
How long is your Personal Data retained?
The Company retains your data for a certain period of time to provide you with its services or assistance.
The Company may also retain some of your information as necessary, even after you have closed your account or no longer needs it to provide its services to you.
However, your Personal Data will not be subject to transfer, rental or exchange for the benefit of third parties.
The duration of data retention is defined by the Company with regard to the legal and contractual constraints that weigh on it and failing that, according to its needs:
Retention periods for each category of Personal Data
Data relating to Users and Customers (identification data, web data, customer relationship monitoring):
Data relating to Users and Customers is kept for the duration of the Account opening and up to 30 days afterwards, upon request. This duration can be increased by 3 years for animation and prospecting purposes and by 5 years in archives from the deletion of the Account or unsubscription.
Data relating to Prospects (identification data and web data):
Data relating to Prospects is kept for a maximum period of 3 years from their collection or the last contact from the Prospect.
Technical data (connection data and cookies):
Connection data (IP addresses and logs of the Persons concerned) are kept for a period of one year from the last connection or the last use of Indy. Cookies can be kept for a period of 13 months from the last manifestation of consent.
Financial data (payment terms):
Financial transactions relating to the payment of subscription fees via the site are entrusted to a payment service provider who ensures hosting, smooth running and security. Recipient of your Personal Data relating to your bank card numbers, it collects and stores it in our name and on our behalf during the execution of payment transactions. We never have access to your payment data.
Banking data (connection data, account synchronization and history recovery):
The collection of bank transactions is entrusted to one of our bank synchronization providers who ensure their hosting, smooth running and security. Each collects and stores in our name and on our behalf connection data and data relating to banking transactions during the time you use Indy. We never have access to identification data at the banking interface.
Data enabling the establishment of proof of a right or a contract (customer data, etc.) or kept for compliance with a legal obligation (billing data, etc.), are subject to an intermediate archiving policy for a period not exceeding the duration necessary for the purposes for which they are kept, in accordance with the provisions in force.
After the set deadlines, the data is either deleted or kept after having been anonymized, in particular for reasons of statistical use. Data Subjects are reminded that the deletion or anonymization of data stored in its systems are irreversible operations and that the Company is no longer able to restore them thereafter.