Pursuant to the amended Statute No. 78-17 of 6 January 1978 and the regulation (EU) 2016/679 of April 26, 2016, general regulation on data protection (hereinafter, “GDPR”), the Company informs any person accessing the services offered on the Site (hereinafter, the “User”) of its commitment to respect the confidentiality, integrity and security of the data that the User will be required to communicate to it through the website https://www.uncovery.io/ (hereinafter, the “Site”).
Any personal data identifying the User directly (in particular his or her surname, first name, postal, electronic or telephone details) or indirectly are considered as confidential data and are treated as such, subject to changes in the legal framework on the qualification of personal data (hereinafter, the “Personal Data”).
Identity of the Controller
The controller which collects and processes the User’s data on the Site is: Uncovery, a limited liability corporation, duly organized and existing under the laws of France, registered with the Trade and Corporations Register of Nanterre under identification number 897 645 651, having its registered office located at 45bis, rue de l’Aigle, 92250 La Garenne-Colombes, France, duly represented by Mr. Adrien Petit, acting as president.
Personal data likely to be collected
When browsing the Site and using the various services offered by the Company, the User agrees that the Company may collect the following categories of data:
- Personal identification data: surname, first name, date of birth, postal address, e-mail address, telephone number;
- Connection-related data: IP address, password
The User undertakes to provide updated and valid Personal identification data, within the framework of the information required on the Site and guarantees not to make any false declaration or provide any erroneous information.
Method of Personal Data’s collection
The User consents to the collection of his/her Personal Data by the Company when he/she provides information during the following processes:
- User account creation form;
Legal basis for the collection and processing of Personal Data
Users’ Personal Data are collected on the basis of the following legal grounds:
- The specific, free and informed consent of the User (in particular for the creation of the User account);
- The performance of a legal obligation incumbent on the Company;
- The legitimate interest of the Company (in particular to ensure the security of transactions).
Purposes of Personal Data processing
Mandatory Personal Data are the data strictly necessary for the processing or requests of the User. In the absence of communication of the said data, the User is informed that certain services offered by the Company cannot be provided. The compulsory nature of the information requested is indicated to the User at the time of collection.
The optional Personal Data collected by the Company is intended to get to know the User better and to improve his/her browsing experience on the Site.
Personal Data is collected and processed for the following purposes:
- Creation of the User account;
- Contact and assistance;
- Management of the commercial relationship;
- Commercial prospecting;
- Improvement of the service;
- Management of operations relating to the management of services (contracts, invoices, orders, etc.);
- Access to the personal area of the Site (accessible by login and password);
- Management of purchases / delivery of ordered products.
Users are informed that, subject to their prior, specific and positive consent, the Personal Data transmitted may be transferred to the Company’s business partners and/or companies belonging to the same group as the Company, so that the latter can inform Users about their offers and services.
Retention period of Personal Data
Personal data is deleted or archived after a period of five (5) years after the last Use of the Site by the User.
This data may also be kept for a period of ten (10) years thereafter in the archive database, under restricted access, in order to: (i) comply with the Company's legal and regulatory obligations; and/or (ii) enable it to assert a right in court, before being definitively deleted.
Recipient of Personal Data
The User's Personal Data is intended for use by the persons duly authorized to process it within the Company, in particular, and depending on the nature of the processing and the type of data, the persons in charge of the sales department, customer service, marketing, administrative, logistics and IT departments.
While carrying out its activities and providing its services, the Company may use of subcontractors.
- Process the User's Personal Data on his behalf and on his instructions;
- Present sufficient guarantees as to the implementation of appropriate technical and organizational measures to ensure the security and confidentiality of the User's data.
In cases where the Company uses subcontractors located in countries offering levels of protection that are not equivalent to the level of protection of personal data in the European Union, the Company undertakes to ensure that the said transfer is governed by the Data Protection Shield set up between the European Union and the United States ("Privacy Shield") or by the signature of standard contractual clauses established by the European Commission or by the implementation of internal company rules ("BCR").
Measures implemented by the Company to ensure the security and confidentiality of Personal Data
The Company undertakes to process Personal Data in a manner that is:
- Within the strict framework of the purposes pursued and announced;
- For the duration necessary for the processing operations put in place.
The Company implements and updates the appropriate technical and organizational measures to ensure the security and confidentiality of the Personal Data, preventing them from being distorted, damaged or communicated to unauthorized third parties.
User’s rights on Personal Data
It is possible for the User, by simple written request, to access his/her Personal Data, to request its modification or correction, or to demand that it no longer appears in the Company's database.
As part of the right of access, the User is authorized, in accordance with article 15 of the GDPR, to question the Company in order to obtain: (i) communication of the Personal Data concerning him/her in an accessible form; (ii) confirmation that his/her Personal Data is or is no longer being processed; (iii) communication of the purposes of the processing, the categories of Personal Data processed and the recipients to whom his/her Personal Data is communicated; and (iv) the duration of the storage of his/her Personal Data or the criteria used to determine this duration.
In accordance with article 16 of the GDPR, the right of rectification gives the User the right to require the Company to rectify, complete or update his/her Personal Data when it is inaccurate, incomplete, equivocal or out of date.
Under the conditions set forth in article 17 of the GDPR, the User has a right to the deletion of his/her Personal Data, allowing him/her to ask the Company to delete his/her Personal Data as soon as possible, in particular when it is no longer necessary with regards to the purposes for which it was collected.
The User also has the right to limit the processing of his/her Personal Data in the cases listed in article 18 of the GDPR. He/she may thus request that his/her Personal Data be kept only for the purposes of:
- Verifying the accuracy of the Personal Data that it contests;
- To be used for the purpose of ascertaining, exercising or defending his/her rights in court, even though the Company no longer has any use for it;
- To verify whether the legitimate reasons pursued by the Company prevail over his/her own in the event that he/she opposes processing based on the legitimate interest of the Company;
- Satisfy his request for limitation of the use of his data - rather than deletion - in the event that the processing of his data is unlawful.
In the circumstances provided for in article 20 of the GDPR, the User has a right to the portability of his Personal Data, allowing him/her to recover from the Company the Personal Data he/she has provided, in a structured, commonly used and machine-readable format, for the purpose of forwarding them to another data controller.
In accordance with Article 21 of the GDPR, the User has the right to object, at any time, to the processing of his Personal Data for commercial prospecting purposes.
In accordance with article 85 of Law 78-17 of January 6, 1978 relating to data processing, files and freedoms, the User has the possibility to define specific directives relating to the conservation, deletion and communication of his/her personal data post-mortem. These specific directives will only concern the processing carried out by the Company and will be limited to this scope only.
In order to exercise the aforementioned rights of access, rectification, deletion, limitation, portability and opposition, the User need only send his/her request by e-mail to the following address: firstname.lastname@example.org
The Company will provide the person exercising one of these rights with information on the measures taken, as soon as possible and in any event within one (1) month of receipt of the request. This period may be extended by two (2) months, depending on the complexity and number of requests.
If the Company does not comply with the request, it will inform the person as soon as possible, and at the latest within one (1) month of receipt of the request, of the reasons for its inaction and of the possibility of lodging a complaint with a supervisory authority and of lodging a judicial appeal.
The exercise of these rights shall be free of charge. However, in the event of a manifestly unfounded or excessive request, the Company reserves the right: (i) to require payment of a fee taking into account administrative costs; or (ii) to refuse to comply with such requests.
Remedies in case of Personal Data’s violation
In the event of a violation of its Personal Data that may create a risk to its rights and freedoms, the Company shall notify the CNIL, French independent administrative authority on personal data, of the violation as soon as possible, and, if possible, seventy-two (72) hours at the latest after becoming aware of it. The Company will also inform the User as soon as possible in accordance with the provisions of article 34 of the GDPR.
Without prejudice to any other administrative or jurisdictional remedies, the User who considers that the processing of his/her Personal Data constitutes a violation of the provisions of the legislation in force may file a complaint with a competent supervisory authority such as the CNIL.
Request for information
For any questions concerning the processing of their personal data and the exercise of their rights, Users may contact the dedicated service by e-mail at the following address: email@example.com