In addition to the concepts already defined in the general terms and conditions, the following terms are added, the meaning of which is defined by the "General Data Protection Regulation" (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC:
Personal Data: any information which allows, in any form whatsoever, the identification of the natural persons to whom it applies. An identifiable natural person is one who can be identified in particular by reference to a name, an identification number or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Data subjects: persons who can be identified, directly or indirectly, in the context of the Company's activities (commercial activity, marketing, customer relations, etc.), i.e. all Indy's Users, Customers and Prospects.
Data controller: organisation which - alone or jointly with others - determines the "why" and "how" of data processing, i.e. its purpose (objectives pursued) and its means (conditions of implementation, in particular in technical, material and organisational terms).
Sub-processor: an organisation that processes data on behalf of and on the instructions of another organisation, the Data Controller.
Processing of Personal Data : any operation applied to personal data or sets of data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Company Blendy by Cogesten determines the purposes and means of processing your Personal Data.
Within the framework of the publication of the Website and the management of the Accounts, the Company therefore acts as a Data Controller within the meaning of Article 4 of the RGPD.
Identification data: first and last name; e-mail address; password; telephone number; profession; company (name, company name or SIRET).
Connection data: country of connection; IP address; log; User ID, etc.
Web data: cookies and browsing data; reviews and comments left on multiple channels, such as our websites or social networks.
Financial data: data relating to the data subject's credit card in the context of the payment of the subscription made through a service provider.
Banking data: data relating to the bank account of the Person concerned within the framework of the banking synchronisation carried out via our service providers.
Although it is sensitive or highly relevant, financial and banking data are not considered "sensitive" from the point of view of fundamental rights and freedoms (Article 9 of the GDPR). While such data must be subject to appropriate safeguards due to its particular nature or confidentiality, its processing is not subject to specific rules under the European data protection regulation.
Access to Personal Data is strictly controlled. The Company ensures that the data is only accessible to authorised internal or external recipients.
Authorised staff of the marketing, sales, customer relations, administrative and technical departments and their line managers. Authorised staff of the departments responsible for control (auditor, department responsible for internal control procedures, etc.).
External recipients:The Company's partners and subcontractors and, more specifically, their personnel authorised to access only the data necessary for the implementation of their services.
Organisations, legal auxiliaries and ministerial officers, within the framework of their debt collection mission;
The recipients of your Personal Data within the Company are subject to a specific confidentiality obligation. The Company decides which recipients are authorised internally to receive data.
The clearance policy is regularly updated and takes into account the arrival and departure of Company employees with access to data.
If an employee becomes aware that he or she has access to data to which he or she should not have access, he or she is obliged to notify the relevant department without delay.
All accesses concerning the processing of Personal Data of Data Subjects are subject to a traceability measure.
In addition, your Personal Data may be transmitted to third party service providers who are required to use it only for the purposes that the Company has entrusted to them, in particular For the implementation of bank synchronization, the Company is in relation with financial companies with which it has entered into a specific partnership agreement;
When the Company resorts to Subcontractors and independent contractors to assist it in the provision of a certain number of services: customer messaging platform, advertising, statistics, data management and hosting, payment services, etc. These service providers have limited access to the data of the Data Subjects, within the strict framework of the execution of these services. When the Person concerned publishes, in the free comment areas (blog, Facebook page, etc.), information accessible to the public;
When the Person concerned authorises a third party's website to access his/her data. In this context, the Company ensures that the security of your Data is preserved through strict control:
In the event that Personal Information is transferred within the European Union, the Company ensures that these third party service providers adhere to the principles of the "General Data Protection Regulation" (GDPR);
In the event thatPersonal Information is transferred outside the European Union, the Company ensures that the third country concerned has a level of protection deemed adequate by European regulations (e.g. in the event of a transfer of data to the United States of America, checking the adherence of the third party service provider to the principles of "Privacy Shield").
Your Personal Data may also be communicated to any authority legally entitled to know it. In particular, the Company may disclose data to respond to claims made against it and to comply with administrative and judicial proceedings.
In this case, the Company is not responsible for the conditions under which the personnel of these authorities have access to and use your data.
The Company retains your data for a certain period of time in order to provide its services or support to you.
The Company may also retain some of your information if necessary, even after you have closed your account or it no longer needs it to provide its services to you.
Your Personal Data will not, however, be transferred, rented or traded to third parties.
The duration of data retention is defined by the Company with regard to the legal and contractual constraints which weigh on it and, failing that, according to its needs:
Retention periods for each category of Personal Data
Data relating to Users and Clients (identification data, web data, monitoring of customer relations):
Data relating to Users and Clients are kept for the entire duration of the opening of the Account and for up to 30 days thereafter, on request. This period may be increased by 3 years for animation and canvassing purposes and by 5 years for archiving purposes as of the deletion of the Account or unsubscription.
Data relating to Prospects (identification data and web data):
Data relating to Prospects is kept for a maximum of 3 years from the date of its collection or the last contact from the Prospect.
Technical data (connection data and cookies):
Connection data (IP addresses and logs of the Persons concerned) are kept for a period of one year from the last connection or last use of Indy. Cookies may be stored for 13 months from the last manifestation of consent.
Financial data (payment methods):
Financial transactions relating to the payment of subscription fees via the site are entrusted to a payment service provider who ensures the hosting, smooth operation and security of the system. The recipient of your Personal Data relating to your credit card numbers, it collects and stores them in our name and on our behalf for the time of the execution of the payment operations. We never have access to your payment data.
Banking data (connection data, account synchronisation and historical data):
The collection of banking transactions is entrusted to one of our banking synchronisation service providers, who ensure the hosting, smooth running and security of the transactions. Each of them collects and stores login and bank transaction data on our behalf for the duration of your use of Indy. We never have access to the identification data at the banking interface.
The data used to establish proof of a right or a contract (customer data, etc.) or kept to comply with a legal obligation (invoicing data, etc.), are subject to an intermediate archiving policy for a period not exceeding the time required for the purposes for which they are kept, in accordance with the provisions in force.
After the set periods, the data are either deleted or kept after being anonymised, in particular for statistical purposes. Data subjects are reminded that the deletion or anonymisation of data stored in its systems are irreversible operations and that the Company is no longer able to restore them.