LEEWAY, a simplified joint stock company with a capital of 12,254.18 euros, whose registered office is located at 13, rue Sainte Ursule - 31000 Toulouse, registered in the Toulouse Trade and Companies Register under number 881 239 800 (the « Company »), offers a tool for centralizing and managing contracts within companies on a secure digital platform (the « Platform » or the « Solution »).
The present document uses and includes the definitions of the terms provided for in the General Terms and conditions of Use of the Platform, some of which are recalled for information purposes below:
« Subscriber »: means individually and/or collectively the Client, the Manager(s) and/or the Collaborator(s).
« Subscriber Account »: means the personal space reserved for a Subscriber allowing access to the Solution by means of a login and an individual password and allowing him/her to access the Solution.
« User »: means any user of the Platform, including the Client, the Manager(s), the Collaborator(s) or the Co-contractors.
This policy (the « Data Processing Policy ») is intended to inform the User of the Company's practices regarding the collection, use and sharing of information that the User may provide to the Company through the use of the Platform and/or the Help desk (hereinafter defined). The User shall read this document carefully to understand the Company's practices with respect to the processing of Personal Data (as defined below).
Any personal data identifying the User directly (including name, surname, postal, electronic, and/or telephone contact information) or indirectly, are considered confidential data and are treated as such, subject to the evolution of the legal framework on the qualification of personal data (hereinafter, the « Personal Data »).
By subscribing to and/or using the Solution, the User accepts that the Company may have access to information concerning him/her, in particular, for the Subscriber, when creating his/her Subscriber Account, or concerning the Documents transferred, created or saved directly by him/her on the Platform.
Personal Data will be processed according to procedures strictly related to the purposes mentioned in Article 4 below. In addition, the Company is committed to ensuring that the User's Personal Data is treated securely and confidentially, in accordance with Article 8, and takes adequate measures to prevent the loss, misuse, alteration and deletion of such Personal Data.
The Company provides the Subscriber with a help desk in order to optimize its use of the Platform. The use of the said help desk by the Subscriber may lead the Company to collect Personal Data, the processing of which will be subject to the terms of the Data Processing Policy. This service will take the form of:
a chat, including a dialogue software integrated to the Platform provided by the company Intercom (hereinafter, the « Chat »), and/or
a support service that will provide Subscriber with personalized answers (hereinafter, the « Support Service » or « Support »).
The Chat and the Support Service may be referred to collectively as the "Help Desk”
The data generated when the User uses the Solution is processed and stored on servers located exclusively in France.
Under the terms of the Data Processing Policy, the User instructs the Company to perform all of the operations mentioned below:
to collect, enter, store Documents and Projects for the purpose of their management in accordance with the Service,
to carry out statistics,
to read and analyze the Client’s Personal Data contained in the Documents,
to perform tests and maintenance operations on the Solution,
to archive the Client's data of any kind, and
more generally, to carry out any processing of Personal Data necessary for the performance of the Service.
The data controller of the Personal Data on the Platform and the Help Desk is the Company.
As data controller, the Company may process the User's Personal Data collected on the Platform in accordance with the purposes described in the Data Processing Policy.
The Company determines the purposes, technical and legal means of processing Personal Data and undertakes to take all necessary measures to ensure safe processing and compliance with the French Data Protection Law of January 6, 1978, as amended by the Act of August 6, 2004 (hereinafter, the "Law") and the European Regulation of April 26, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, the "GDPR")
By subscribing and/or using the Platform, the User will be required to transmit to the Company, directly or indirectly, information, some of which may be of an identifying nature. This may include information on the User's person or company, on how to contact him/her, on his/her Documents shared on the Platform, his/her location, navigation or other technical data automatically collected through his/her use of the Solution, etc
This information is mandatory; otherwise, the Company will not be able to provide the User with the full functionality of the Platform or the Help Desk.
When interacting via the Help Desk, the User is sometimes asked, with his/her consent, to leave his/her contact information (name, email and phone number). The processing of information collected in this way will be subject to the terms of the Data Processing Policy.
The User agrees to provide accurate, truthful, up-to-date and complete Personal Identification Data, and guarantees not to make any false statements or provide any erroneous information.
It is the User's responsibility to ensure that the information he/she provides on the Platform does not contain "sensitive" Personal Data within the meaning of Article 9 of the GDPR, such as information about his/her religion, medical information, complete bank identification numbers, etc.
With the User's consent, the Company may publish on the Platform his/her testimonial on his/her experience as a user of the Platform. This testimonial may include, among other things, information about the User's company, name, position, etc. The Company undertakes never to publish such information on the Platform without the explicit consent of the User.
During each of the User's visits to the Platform, the Company may collect, in accordance with applicable law and with the User's consent, information relating to the devices on which the User uses the Platform or the networks from which the User accesses the Platform, such as:
Platform connection data: IP address, configuration information (type of machine, browser, etc.) and browsing information (date, time, pages viewed, occurrence of errors, content viewed, search terms used, download errors, length of time spent viewing certain pages, your device's advertising ID, interactions with the page, etc.), and
Help Desk usage data: date the conversation was created, date the Subscriber last used the service, etc.
The Company does not process sensitive data within the meaning of Article 9 of the GDPR (i.e. personal data revealing racial or ethnic origin, philosophical, political, trade union or religious opinions, or data concerning sex life or health).
The data controller of the Personal Data on the Platform and the Help Desk is the Company.
The specific, free and informed consent of the User,
The execution of a legal obligation incumbent on the Company,
The execution of the Quotation concluded between the Company and the Client (in particular for the execution of the General Terms and Conditions), and
The legitimate interest of the Company (in particular to ensure the security of transactions).
The main purpose of collecting the User's Personal Data is to provide the User with an optimal, efficient and personalized experience when using the Solution. To this end, the User acknowledges that the Company may use his/her Personal Data on the basis of its legitimate interest in providing him/her with a high-quality service.
The Personal Data is collected and processed for the following purposes:
processing of the Client’s Personal Data in the context of the Service,
access and use of the Platform and/or the Help Desk,
access to the Subscriber Account,
processing of requests,
improvement of the browsing on the Platform and correction of possible errors,
improvement and customization of the Platform's features,
compliance with administrative, social, tax, legal and financial obligations,
contact and assistance,
management of commercial and customer relations,
commercial prospecting, and
management of requests to exercise the rights of the persons concerned as listed in Article 9 below.
In accordance with the requirements imposed by the Law, by the GDPR and, more broadly, by the regulations in force, the Company retains the User's Personal Data for as long as the User uses the Platform.
The Company does not undertake to keep all the Personal Data of the User. The Subscriber's Personal Data will be irreversibly deleted within forty-five (45) working days from the deletion of the Subscriber's Account or from the end of the Quotation not followed by a renewal, or in the case of the Co-contractor within sixty (60) days from his/her last use of the Platform.
Personal Data may also be kept for a period of ten (10) years in the archive, with restricted access, in order to (i) comply with the Company's legal and regulatory obligations, and/or (ii) enable it to assert a legal claim, before being permanently deleted.
The User's Personal Data is intended for persons duly authorized to process it within the Company, such as, in particular, the persons in charge of the sales department, the customer service, the marketing department, the administrative department and the IT department.
Within the framework of the exercise of its activities and the provision of the Service, the User authorizes the Company to have recourse to subcontractors.
The latter undertake to:
process the Personal Data only for the sole purpose(s) that is/are the subject of the subcontracting and on the instructions of the Company,
if they consider that an instruction constitutes a breach of the GDPR or any other provision of European Union law or the law of the Member State relating to data protection, immediately inform the controller,
if they are required to transfer Personal Data to a third country or to an international organization under European Union law or the law of the Member State to which it is subject, inform the Controller of this legal obligation prior to the processing, unless the relevant law prohibits such information on important public interest grounds, and
guarantee the confidentiality of the Personal Data processed and ensure that the persons authorized to process the Personal Data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality and, where applicable, receive the necessary training in the protection of Personal Data.
However, in cases where the Company uses subcontractors located in countries offering levels of protection that are not equivalent to the level of protection of personal data in the European Union, the Company undertakes to ensure that the said transfer is governed by the signature of standard contractual clauses established by the European Commission or by the establishment of binding corporate rules ("BCR")
Users are informed that, subject to their prior, specific, and positive consent, their Personal Data may be transferred to the Company's business partners, third-party suppliers and/or companies belonging to the same group as the Company. The latter may provide information on their offers and services. The Company ensures that it has clear and effective privacy requirements in place for all such partners.
The Company does not disclose the User's Personal Data to third parties, unless:
the User authorizes such disclosure,
disclosure is necessary to process transactions or to provide functionality requested by the Subscriber,
the Company is compelled to do so by a governmental authority or regulatory agency in the case of a court order, subpoena, or other similar government or judicial request, or to establish or defend a legal claim, or
disclosure is necessary to comply with the Company's legal a
To the extent that the Company is legally authorized to do so, it will inform the User of any request from an administrative or judicial authority regarding his/her Personal Data.
The Company undertakes to process Personal Data in a manner that is:
within the strict framework of the purposes pursued and announced,
for the time necessary for their processing, and
in a secure manner,
The security and integrity of its Users' Personal Data.is is of significant importance for the Company.
In accordance with the Law and the GDPR, the Company undertakes to take all necessary precautions to preserve the security of the User's Personal Data and, in particular, to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorized access, as well as against any other form of unlawful processing or disclosure to unauthorized persons.
The Company implements security measures in accordance with applicable industry standards to protect the User's Personal Data against the above-mentioned potential breaches.
In order to prevent unauthorized access and to ensure the accuracy and proper use of Personal Data, the Company has put in place appropriate electronic, physical and managerial procedures to safeguard and preserve the data collected through the Platform.
However, the Company recalls that there is no absolute security against hacking of any kind. In the event of a breach of security affecting the rights of Users, the Company undertakes to inform the User without delay and to take all appropriate measures at its disposal to neutralize the intrusion and minimize its impact.
The User has the right to withdraw his/her consent at any time. To this end, the User shall make a request to the Company in accordance with the procedures set out in Article 9.8.
Withdrawal of consent does not call into question the lawfulness of the processing already carried out, based on the consent formulated before this withdrawal.
Furthermore, the User may unsubscribe from any newsletter or email from the Company by following the unsubscribe link included in each newsletter or email. Without this practice being systematic, the User authorizes the Company to analyze and track the click-through rates and the number of emails sent and opened by the User to measure, in particular, the performance of its email campaigns.
The Company guarantees the User a right of access to his/her Personal Data.
In accordance with Article 15 of the GDPR, the User has the right to obtain from the Company the following information concerning his/her Personal Data:
the purposes of the processing,
the categories of Personal Data concerned,
the recipients or categories of recipients to whom his/her Personal Data have been or will be communicated, in particular recipients who are established in third countries or international organizations,
where possible, the period for which the Personal Data is to be kept or, where this is not possible, the criteria used to determine this period,
the existence of the right to request from the Company the rectification or erasure of the Personal Data, or a limitation of the processing of his/her Personal Data or the right to object to such processing,
the right to lodge a complaint with a supervisory authority,
any available information as to the source of the Personal Data, and
the existence of automated processing, including profiling, referred to in Article 22(1) and (4) of the GDPR and, where applicable, at least, useful information regarding the underlying logic and the significance and intended consequences of such processing for the data subject.
In accordance with the Law and the GDPR, the User has the right to rectify and/or delete the processing of his/her Personal Data. The User exercises this right by sending a written request to the Company, under the conditions set out in Article 9.8.
The User has the right to obtain the deletion of his/her Personal Data in the cases listed in Article 17 of the GDPR.
The Subscriber can modify his/her Personal Identification Data (first name, last name, email and password) at any time by logging into the "My Account" section of his/her Subscriber Account.
In accordance with Article 20 of the GDPR, the User has the right to receive from the Company the Personal Data concerning him/her in a structured, commonly used and machine-readable format. He/She also has the right to transmit his/her Personal Data to another data controller, without the Company's interference, in the cases provided for by the GDPR.
The User also has the right to decide what to do with his/her Personal Data after his/her death (article 40-1 of the French Data Protection Law of January 6, 1978).
The User has at any time the right to object to the processing of his/her Personal Data, when there are compelling and legitimate reasons relating to his/her particular situation. In this case, the Company will no longer process the Personal Data, unless there are legitimate and compelling reasons for their processing that prevail over the interests and rights and freedoms of the User, or for the establishment, exercise or defense of legal claims
The User has the right to obtain the limitation of the processing of his/her Personal Data in the cases listed in Article 18 of the GDPR.
The User has the right to lodge a complaint concerning the processing of his/her Personal Data by the Company with the competent supervisory authority. For example, the “Commission Nationale de l'Information et des Libertés” (the "CNIL") is competent on French territory.
To exercise the above rights, the User may send a request by e-mail to the following address: email@example.com or by mail to the following address: Leeway SAS, 13, rue Sainte-Ursule – 31000 Toulouse, France.
The Company will acknowledge receipt of this request as soon as possible. Following this notification of receipt, the Company will allow itself a period of thirty (30) working days to inform the User of its decision to process, or not, his/her request (unless particular circumstances justify a longer processing period). In processing the User's request, the Company may require that the User accompany it with a photocopy of a proof of identity
In the event that a third party requests the Company to exercise its rights to the data (in particular, insofar as they have been included in the User's Personal Data), the Company will honor such request after appropriate verification. The User will be informed about this situation.
The exercise of these rights is free of charge. However, in the event of a manifestly unfounded or excessive request, the Company reserves the right to (i) require payment of a fee to cover administrative costs, or (ii) refuse to comply with such requests.
In the event of a breach of Personal Data that may pose a risk to the User's rights and freedoms, the Company shall notify the CNIL of the breach as soon as possible, and, if possible, no later than seventy-two (72) hours after becoming aware of it. The Company will also inform the User as soon as possible in accordance with the provisions of Article 34 of the GDPR.
Without prejudice to any other administrative or judicial remedy, the User who considers that the processing of his/her Personal Data constitutes a violation of the provisions of the legislation in force may lodge a complaint with a competent supervisory authority such as the CNIL.
For any question concerning the processing of their Personal Data and the exercise of their rights, Users may contact the Company at the following address: firstname.lastname@example.org.
The Company reserves the right to modify the Data Processing Policy at any time and at its sole discretion, in particular in order to comply with the obligations provided for by the regulations and laws in force.
Likewise, the Company will make such changes when it makes improvements, additions or changes to the Solution due to its practices regarding the User's Personal Data.
The Company shall notify the User of any significant changes in a timely manner.
For any question relating to the Data Processing Policy or for any request relating to the User's Personal Data, the User may contact the Company by email (email@example.com) or by mail (Leeway SAS, 13, rue Sainte-Ursule – 31000 Toulouse, France).