The company WINDDLE, Simplified Joint Stock Company, with a capital of 20,000 euros, registered in the Paris Trade and Companies Register under number 811 521 491, with its registered office located at 5 bis Rue Martel - 75010 Paris, (hereinafter "WINDDLE") is concerned about the protection of personal data of each user of its platform www.winddle.com (hereinafter the "Platform") and is committed to protecting them in accordance with the applicable regulations and in particular the Regulation (EU) No. 2016/679 of April 27, 2016 known as the "General Data Protection Regulation" or "GDPR" and Law No. 78-17 of January 6, 1978, as amended, known as the "Data Processing and Freedoms Act".
It is specified that a user (hereinafter the "User") designates any natural person who creates a Customer Account and/or a Partner Account, but also any natural person who would simply navigate and consult the Platform.
When collecting the User's personal data, WINDDLE implements processing of such data for which it is qualified as "data controller", as defined in the aforementioned texts. As such, WINDDLE undertakes to respect the requirements of the regulations applicable to the protection of personal data at all times and to only process personal data of Users under the conditions set forth below.
1. Personal Data Collected
WINDDLE collects the following personal data about the User:
- When creating the User's account:
o name, first name;
o professional phone number and email address;
o professional postal address;
o identifiers and passwords.
- During navigation and use of the Platform:
o IP address, connection data.
2. Purposes of Processing Personal Data
WINDDLE collects the User's personal data for the following purposes:
- Access and use of the Platform by the User;
- Management of the operation and optimization of the Platform;
- Technical support for the User; communication with the User when he requests information through his Account;
- Verification, identification and authentication of the User's connection parameters;
- Prevention and detection of fraud, malware, and management of security incidents;
- Management of any disputes with the Client;
- Establishment of statistics.
3. Duration of Preservation of the User's Personal Data
The personal data of the User collected in connection with the creation of his Account will be kept by WINDDLE for the duration of the contractual and commercial relationship with WINDDLE.
Personal data collected for the purpose of sending newsletters will be kept for a period of three (3) years from the time of collection.
Beyond that, the personal data will be archived by WINDDLE in a secure environment for the legal prescription period for the purpose of evidence to establish, exercise or defend a right in court.
Any User has the right to request the deletion of his personal data at any time by sending an email to the following address: (.)
4. Recipients of User Personal Data
The User's personal data is strictly confidential and intended exclusively for WINDDLE.
Unless legally or judicially obliged to do so, WINDDLE will never disclose, transfer, rent or transmit the User's personal data to third parties other than:
- the Platform host, as mentioned in the legal notices available on the winddle.com website, for the purpose of performing technical hosting services and database management;
- WINDDLE's subcontractors when they act in accordance with the provisions of the regulation applicable to the protection of personal data, on instructions from WINDDLE and under the contract conditions signed with WINDDLE. The recipients are technical providers for the functional needs of the Platform and analytical solution providers:
o The Rocket Science Group LLC d/b/a Mailchimp: Mailchimp emailing service allowing WINDDLE to notify Users on the one hand, and to process responses to its emails on the other hand.
o Zendesk: customer support request management service.
o Sentry: a service that catalogs and analyzes application errors that may occur when using the platform.
5. Transfer of Personal Data outside the European Union
The User acknowledges having been informed and accepts that Personal Data concerning him/her be hosted on Amazon Web Services (AWS) servers located in the AWS "Singapore" Region. The User is informed that AWS is committed to offering an adequate level of protection by respecting the contract clauses approved by the European Commission.
The User acknowledges having been informed and accepts that Personal Data concerning him/her be communicated to subcontractors located outside the European Union:
- The Rocket Science Group LLC d/b/a Mailchimp stores Personal Data on its servers located in the United States. The Rocket Science Group LLC is Privacy Shield certified: https://mailchimp.com/legal/
- Zendesk stores Personal Data outside the European Union. Zendesk is Privacy Shield certified and is committed to offering an adequate level of protection by respecting the contract clauses approved by the European Commission: https://www.zendesk.fr/company/customers-partners/privacy-policy/
- Sentry stores Personal Data on its servers located in the United States. Sentry is Privacy Shield certified: https://sentry.io/privacy/
6. Security Measures Implemented
WINDDLE is committed to ensuring the security and integrity of the User's personal data. To this end, WINDDLE implements and maintains technical and organizational security measures for the Platform, Account and, more generally, its information system, adapted in view of the nature of the personal data processed and the risks presented by their processing. These measures aim to (i) protect personal data against destruction, loss, alteration, disclosure to unauthorized third parties, (ii) ensure the availability of personal data and access to it in appropriate timeframes in case of physical or technical incident.
7. User's rights over their personal data
The User has the following rights over their personal data, which they can exercise at any time by writing to the following email address:
- Right of access: to know their personal data;
- Right to update and rectify: to obtain the updating or rectification of their personal data when they are inaccurate or incomplete, either by logging into their User Account and configuring the settings of that account, or by requesting the update of their personal data;
- Right to erase: to obtain the erasure of their personal data when they are no longer necessary in view of the purposes for which they were collected or the User objects to the processing of their personal data;
- Right to restrict processing: to obtain the restriction of the processing of their personal data when the User challenges the accuracy of the data, when the data retention period has come to an end but the User still needs to retain the personal data for the establishment, exercise or defense of a right in court, or if the User objects to the processing;
- Right to portability: to obtain the communication of the personal data that the User has communicated to WINDDLE in a readable format, or to request that WINDDLE transmit the personal data that the User has communicated to another data controller;
- Right to object: to object at any time, for reasons relating to their personal situation, to the processing of their personal data, particularly in the case where the objection concerns commercial prospecting, including profiling;
- Withdrawal of consent: to withdraw their consent to the future processing of their personal data by WINDDLE, when the processing is based on consent;
- Right to file a complaint: to file a complaint with the National Commission on Informatics and Liberties if the User considers that the processing carried out by WINDDLE constitutes a violation of their personal data.
Before the User exercises any of these rights, WINDDLE may request proof of the User's identity to verify its accuracy.
In case of difficulty in exercising their rights, the User can file a complaint with the CNIL, online at the address https://www.cnil.fr/fr/plaintes or by postal mail to the following address: CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.
* * * * *
Annex - Glossary
The words and expressions used in this Data Protection Policy have the meaning given to them by the GDPR and the Data Protection Act:
- Recipient: refers to the natural or legal person, public authority, service or any other body that receives communication of personal data, whether or not they are a third party (...)
- Personal data: refers to any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific elements of their physical, physiological, genetic, psychological, economic, cultural or social identity.
- Data controller: refers to the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of the processing.
- Processor: refers to the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller or the initial subcontractor.
- Processing: refers to any operation or set of operations, whether or not performed using automated means, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of availability, alignment or interconnection, restriction, erasure or destruction.