Data Privacy Policy

Version of 10/05/2021


LEEWAY, a simplified joint stock company with a capital of 12,254.18 euros, whose registered office is located at 13, rue Sainte Ursule - 31000 Toulouse, registered in the Toulouse Trade and Companies Register under number 881 239 800 (the « Company »), offers a tool for centralizing and managing contracts within companies on a secure digital platform (the « Platform » or the « Solution »).

The present document uses and includes the definitions of the terms provided for in the General Terms and conditions of Use of the Platform, some of which are recalled for information purposes below:

« Subscriber »: means individually and/or collectively the Client, the Manager(s) and/or the Collaborator(s).

« Subscriber Account »: means the personal space reserved for a Subscriber allowing access to the Solution by means of a login and an individual password and allowing him/her to access the Solution.

« User »: means any user of the Platform, including the Client, the Manager(s), the Collaborator(s) or the Co-contractors.

This policy (the « Data Processing Policy ») is intended to inform the User of the Company's practices regarding the collection, use and sharing of information that the User may provide to the Company through the use of the Platform and/or the Help desk (hereinafter defined). The User shall read this document carefully to understand the Company's practices with respect to the processing of Personal Data (as defined below).

Any personal data identifying the User directly (including name, surname, postal, electronic, and/or telephone contact information) or indirectly, are considered confidential data and are treated as such, subject to the evolution of the legal framework on the qualification of personal data (hereinafter, the « Personal Data »).

By subscribing to and/or using the Solution, the User accepts that the Company may have access to information concerning him/her, in particular, for the Subscriber, when creating his/her Subscriber Account, or concerning the Documents transferred, created or saved directly by him/her on the Platform.

Personal Data will be processed according to procedures strictly related to the purposes mentioned in Article 4 below. In addition, the Company is committed to ensuring that the User's Personal Data is treated securely and confidentially, in accordance with Article 8, and takes adequate measures to prevent the loss, misuse, alteration and deletion of such Personal Data.

The Company provides the Subscriber with a help desk in order to optimize its use of the Platform. The use of the said help desk by the Subscriber may lead the Company to collect Personal Data, the processing of which will be subject to the terms of the Data Processing Policy. This service will take the form of:

a chat, including a dialogue software integrated to the Platform provided by the company Intercom (hereinafter, the « Chat »), and/or

a support service that will provide Subscriber with personalized answers (hereinafter, the « Support Service » or « Support »).

The Chat and the Support Service may be referred to collectively as the "Help Desk”

The data generated when the User uses the Solution is processed and stored on servers located exclusively in France.

Under the terms of the Data Processing Policy, the User instructs the Company to perform all of the operations mentioned below:

to collect, enter, store Documents and Projects for the purpose of their management in accordance with the Service,

to carry out statistics,

to read and analyze the Client’s Personal Data contained in the Documents,

to perform tests and maintenance operations on the Solution,

to archive the Client's data of any kind, and

more generally, to carry out any processing of Personal Data necessary for the performance of the Service.

1. Identification of the Personal Data controller

The data controller of the Personal Data on the Platform and the Help Desk is the Company.

As data controller, the Company may process the User's Personal Data collected on the Platform in accordance with the purposes described in the Data Processing Policy.

The Company determines the purposes, technical and legal means of processing Personal Data and undertakes to take all necessary measures to ensure safe processing and compliance with the French Data Protection Law of January 6, 1978, as amended by the Act of August 6, 2004 (hereinafter, the "Law") and the European Regulation of April 26, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, the "GDPR")

2. Personal Data that may be collected on the Platform

2.1 Personal Data transmitted by the User to the Company

By subscribing and/or using the Platform, the User will be required to transmit to the Company, directly or indirectly, information, some of which may be of an identifying nature. This may include information on the User's person or company, on how to contact him/her, on his/her Documents shared on the Platform, his/her location, navigation or other technical data automatically collected through his/her use of the Solution, etc

This information is mandatory; otherwise, the Company will not be able to provide the User with the full functionality of the Platform or the Help Desk.

When interacting via the Help Desk, the User is sometimes asked, with his/her consent, to leave his/her contact information (name, email and phone number). The processing of information collected in this way will be subject to the terms of the Data Processing Policy.

The User agrees to provide accurate, truthful, up-to-date and complete Personal Identification Data, and guarantees not to make any false statements or provide any erroneous information.

It is the User's responsibility to ensure that the information he/she provides on the Platform does not contain "sensitive" Personal Data within the meaning of Article 9 of the GDPR, such as information about his/her religion, medical information, complete bank identification numbers, etc.

With the User's consent, the Company may publish on the Platform his/her testimonial on his/her experience as a user of the Platform. This testimonial may include, among other things, information about the User's company, name, position, etc. The Company undertakes never to publish such information on the Platform without the explicit consent of the User.

2.2 Personal Data automatically collected by the Company

During each of the User's visits to the Platform, the Company may collect, in accordance with applicable law and with the User's consent, information relating to the devices on which the User uses the Platform or the networks from which the User accesses the Platform, such as:

Platform connection data: IP address, configuration information (type of machine, browser, etc.) and browsing information (date, time, pages viewed, occurrence of errors, content viewed, search terms used, download errors, length of time spent viewing certain pages, your device's advertising ID, interactions with the page, etc.), and

Help Desk usage data: date the conversation was created, date the Subscriber last used the service, etc.

Among the technologies used to collect this information, the Company uses cookies as described in Article 12 below.

The Company does not process sensitive data within the meaning of Article 9 of the GDPR (i.e. personal data revealing racial or ethnic origin, philosophical, political, trade union or religious opinions, or data concerning sex life or health).

3. Legal basis for the collection and processing of Personal Data

The data controller of the Personal Data on the Platform and the Help Desk is the Company.

The specific, free and informed consent of the User,

The execution of a legal obligation incumbent on the Company,

The execution of the Quotation concluded between the Company and the Client (in particular for the execution of the General Terms and Conditions), and

The legitimate interest of the Company (in particular to ensure the security of transactions).

4. Purpose of procession Personal Data

The main purpose of collecting the User's Personal Data is to provide the User with an optimal, efficient and personalized experience when using the Solution. To this end, the User acknowledges that the Company may use his/her Personal Data on the basis of its legitimate interest in providing him/her with a high-quality service.

The Personal Data is collected and processed for the following purposes:

processing of the Client’s Personal Data in the context of the Service,

access and use of the Platform and/or the Help Desk,

access to the Subscriber Account,

processing of requests,

improvement of the browsing on the Platform and correction of possible errors,

improvement and customization of the Platform's features,

compliance with administrative, social, tax, legal and financial obligations,

contact and assistance,

management of commercial and customer relations,

commercial prospecting, and

management of requests to exercise the rights of the persons concerned as listed in Article 9 below.

5. Retention period of Personal Data

In accordance with the requirements imposed by the Law, by the GDPR and, more broadly, by the regulations in force, the Company retains the User's Personal Data for as long as the User uses the Platform.

The Company does not undertake to keep all the Personal Data of the User. The Subscriber's Personal Data will be irreversibly deleted within forty-five (45) working days from the deletion of the Subscriber's Account or from the end of the Quotation not followed by a renewal, or in the case of the Co-contractor within sixty (60) days from his/her last use of the Platform.

Personal Data may also be kept for a period of ten (10) years in the archive, with restricted access, in order to (i) comply with the Company's legal and regulatory obligations, and/or (ii) enable it to assert a legal claim, before being permanently deleted.

6. Recipient of Personal Data

The User's Personal Data is intended for persons duly authorized to process it within the Company, such as, in particular, the persons in charge of the sales department, the customer service, the marketing department, the administrative department and the IT department.

Within the framework of the exercise of its activities and the provision of the Service, the User authorizes the Company to have recourse to subcontractors.

The latter undertake to:

process the Personal Data only for the sole purpose(s) that is/are the subject of the subcontracting and on the instructions of the Company,

if they consider that an instruction constitutes a breach of the GDPR or any other provision of European Union law or the law of the Member State relating to data protection, immediately inform the controller,

if they are required to transfer Personal Data to a third country or to an international organization under European Union law or the law of the Member State to which it is subject, inform the Controller of this legal obligation prior to the processing, unless the relevant law prohibits such information on important public interest grounds, and

guarantee the confidentiality of the Personal Data processed and ensure that the persons authorized to process the Personal Data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality and, where applicable, receive the necessary training in the protection of Personal Data.

However, in cases where the Company uses subcontractors located in countries offering levels of protection that are not equivalent to the level of protection of personal data in the European Union, the Company undertakes to ensure that the said transfer is governed by the signature of standard contractual clauses established by the European Commission or by the establishment of binding corporate rules ("BCR")

7. Disclosure to third parties

Users are informed that, subject to their prior, specific, and positive consent, their Personal Data may be transferred to the Company's business partners, third-party suppliers and/or companies belonging to the same group as the Company. The latter may provide information on their offers and services. The Company ensures that it has clear and effective privacy requirements in place for all such partners.

The Company does not disclose the User's Personal Data to third parties, unless:

the User authorizes such disclosure,

disclosure is necessary to process transactions or to provide functionality requested by the Subscriber,

the Company is compelled to do so by a governmental authority or regulatory agency in the case of a court order, subpoena, or other similar government or judicial request, or to establish or defend a legal claim, or

disclosure is necessary to comply with the Company's legal a

To the extent that the Company is legally authorized to do so, it will inform the User of any request from an administrative or judicial authority regarding his/her Personal Data.

8. Security and confidentiality of the User's Personal Data

The Company undertakes to process Personal Data in a manner that is:






within the strict framework of the purposes pursued and announced,

for the time necessary for their processing, and

in a secure manner,

The security and integrity of its Users' Personal is of significant importance for the Company.

In accordance with the Law and the GDPR, the Company undertakes to take all necessary precautions to preserve the security of the User's Personal Data and, in particular, to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorized access, as well as against any other form of unlawful processing or disclosure to unauthorized persons.

The Company implements security measures in accordance with applicable industry standards to protect the User's Personal Data against the above-mentioned potential breaches.

In order to prevent unauthorized access and to ensure the accuracy and proper use of Personal Data, the Company has put in place appropriate electronic, physical and managerial procedures to safeguard and preserve the data collected through the Platform.

However, the Company recalls that there is no absolute security against hacking of any kind. In the event of a breach of security affecting the rights of Users, the Company undertakes to inform the User without delay and to take all appropriate measures at its disposal to neutralize the intrusion and minimize its impact.

9. Users' rights to their Personal Data

9.1 Withdrawal of consent

The User has the right to withdraw his/her consent at any time. To this end, the User shall make a request to the Company in accordance with the procedures set out in Article 9.8.

Withdrawal of consent does not call into question the lawfulness of the processing already carried out, based on the consent formulated before this withdrawal.

Furthermore, the User may unsubscribe from any newsletter or email from the Company by following the unsubscribe link included in each newsletter or email. Without this practice being systematic, the User authorizes the Company to analyze and track the click-through rates and the number of emails sent and opened by the User to measure, in particular, the performance of its email campaigns.

9.2 Right of access to Personal Data

The Company guarantees the User a right of access to his/her Personal Data.

In accordance with Article 15 of the GDPR, the User has the right to obtain from the Company the following information concerning his/her Personal Data:

the purposes of the processing,

the categories of Personal Data concerned,

the recipients or categories of recipients to whom his/her Personal Data have been or will be communicated, in particular recipients who are established in third countries or international organizations,

where possible, the period for which the Personal Data is to be kept or, where this is not possible, the criteria used to determine this period,

the existence of the right to request from the Company the rectification or erasure of the Personal Data, or a limitation of the processing of his/her Personal Data or the right to object to such processing,

the right to lodge a complaint with a supervisory authority,

any available information as to the source of the Personal Data, and

the existence of automated processing, including profiling, referred to in Article 22(1) and (4) of the GDPR and, where applicable, at least, useful information regarding the underlying logic and the significance and intended consequences of such processing for the data subject.

9.3 Right of rectification and deletion of the User's Personal Data

In accordance with the Law and the GDPR, the User has the right to rectify and/or delete the processing of his/her Personal Data. The User exercises this right by sending a written request to the Company, under the conditions set out in Article 9.8.

The User has the right to obtain the deletion of his/her Personal Data in the cases listed in Article 17 of the GDPR.

The Subscriber can modify his/her Personal Identification Data (first name, last name, email and password) at any time by logging into the "My Account" section of his/her Subscriber Account.

9.4 Right to the portability of Personal Data

In accordance with Article 20 of the GDPR, the User has the right to receive from the Company the Personal Data concerning him/her in a structured, commonly used and machine-readable format. He/She also has the right to transmit his/her Personal Data to another data controller, without the Company's interference, in the cases provided for by the GDPR.

The User also has the right to decide what to do with his/her Personal Data after his/her death (article 40-1 of the French Data Protection Law of January 6, 1978).

9.5 Right to object to the processing of Personal Data

The User has at any time the right to object to the processing of his/her Personal Data, when there are compelling and legitimate reasons relating to his/her particular situation. In this case, the Company will no longer process the Personal Data, unless there are legitimate and compelling reasons for their processing that prevail over the interests and rights and freedoms of the User, or for the establishment, exercise or defense of legal claims

9.6 Right to limit processing

The User has the right to obtain the limitation of the processing of his/her Personal Data in the cases listed in Article 18 of the GDPR.

9.7 Right to make a complaint

The User has the right to lodge a complaint concerning the processing of his/her Personal Data by the Company with the competent supervisory authority. For example, the “Commission Nationale de l'Information et des Libertés” (the "CNIL") is competent on French territory.

9.8 Modalities for exercising the User's rights

To exercise the above rights, the User may send a request by e-mail to the following address: or by mail to the following address: Leeway SAS, 13, rue Sainte-Ursule – 31000 Toulouse, France.

The Company will acknowledge receipt of this request as soon as possible. Following this notification of receipt, the Company will allow itself a period of thirty (30) working days to inform the User of its decision to process, or not, his/her request (unless particular circumstances justify a longer processing period). In processing the User's request, the Company may require that the User accompany it with a photocopy of a proof of identity

In the event that a third party requests the Company to exercise its rights to the data (in particular, insofar as they have been included in the User's Personal Data), the Company will honor such request after appropriate verification. The User will be informed about this situation.

The exercise of these rights is free of charge. However, in the event of a manifestly unfounded or excessive request, the Company reserves the right to (i) require payment of a fee to cover administrative costs, or (ii) refuse to comply with such requests.

9.9 Recourse in case of a breach of Personal Data

In the event of a breach of Personal Data that may pose a risk to the User's rights and freedoms, the Company shall notify the CNIL of the breach as soon as possible, and, if possible, no later than seventy-two (72) hours after becoming aware of it. The Company will also inform the User as soon as possible in accordance with the provisions of Article 34 of the GDPR.

Without prejudice to any other administrative or judicial remedy, the User who considers that the processing of his/her Personal Data constitutes a violation of the provisions of the legislation in force may lodge a complaint with a competent supervisory authority such as the CNIL.

9.10 Request for information

For any question concerning the processing of their Personal Data and the exercise of their rights, Users may contact the Company at the following address:

10. Cookies

The Company uses cookies to improve and personalize the Platform and the Help Desk and/or to measure their audience. A cookie is not used to collect Personal Data from the User without the User's knowledge but to record information about the User's browsing on the Platform and/or Help Desk.

10.1 Purpose of cookies

The cookies used by the Company are intended to enable or facilitate communication and the provision of services requested by Users, to recognize Users when they visit the Platform, to record logged-in sessions, to measure the impact of advertising campaigns and to enable the Company to perform internal analyses of click-through, opening and browsing rates in order to improve content.

The cookies, depending on their category, are used for the following purposes:

Analysis and personalization cookies

These cookies are used in aggregate form to enable the Company to understand the use of the Platform and/or the Help Desk, to measure the effectiveness of its marketing campaigns or to personalize the Platform for the User.

Google Analytics: The Company uses Google Analytics to measure the User's interaction with the Platform and generate statistics in an anonymized manner, such as bounce rates, session times and others for optimization purposes. Browse

Amplitude: We use Amplitude to analyze interactions with the application in order to improve the service offered. Browse

Hubspot: The Company uses Hubspot for its forms, such as the demo request form. Browse

Satismeter: We use Satismeter to conduct customer satisfaction surveys. Browse

Segment: We use Segment to collect, centralize and distribute product activity data. Browse

Sentry: We use Sentry to collect and analyze bugs encountered in the application to provide you with the frictionless experience possible. Browse

Performance and functionality cookies

These cookies are used to provide the User with the Solution, improve the performance and functionality of the Platform.

Amazon Web Services: The Company uses Amazon Web Services to store User Documents and other data generated by the User while using the Platform, securely. The data generated when using the Platform is processed and stored on servers located exclusively in France. Browse

Intercom: The Company uses Intercom in order to offer the Subscriber personalized conversations. Browse

Sendgrid: The Company uses Sendgrid to automatically send activity emails from the Platform, such as, in particular, due date reminder emails. Browse

Stripe: The Company uses Stripe to invoice the Client and provide a secure payment system directly integrated into the application. Browse We use to automate our product presentation communications. Browse

Datadog: The Company uses Datadog as a protection and performance analysis tool. Browse

Advertising cookies

These cookies are used to make advertising messages more relevant to the User. They perform functions such as avoiding the continuous reappearance of the same advertisement, displaying advertisements correctly and, in some cases, selecting advertisements according to your interests.

LinkedIn: The Company uses LinkedIn's pixel technology for retargeting in online advertising campaigns. Unsubscribe

Twitter: The Company uses Twitter pixel technology for retargeting in online advertising campaigns. Unsubscribe

Facebook: The Company uses Facebook pixel technology for retargeting in online advertising campaigns. Unsubscribe

10.2 The User's choices regarding Cookies

The User may, at any time, set his/her browser to modify his/her choices regarding cookies. The setting of the web browser is an efficient and free means of determining, beforehand, the management of such cookies.

10.3 Consent-on cookies

With the exception of the cookies necessary for the operation of the Platform, cookies are not installed automatically; the User's consent is requested prior to their installation, by means of a banner, in accordance with the applicable regulations on the subject.

Continued use of the Platform by the User after being informed of the use of cookies will constitute implicit consent.

The User may express and modify at any time and free of charge through the choices offered by his/her browser software the registration of a cookie.

10.4 Refusal of Cookies

If the User refuses to accept cookies on his/her terminal, or if the User deletes those saved there, he/she will no longer be able to benefit from a certain number of features that are nevertheless necessary to navigate in certain areas of the Platform.

Where applicable, the Company declines all responsibility for the consequences related to the degraded operation of its services resulting from the impossibility for it to record or consult the cookies necessary for their operation and that the User will have refused or deleted.

The period of validity of the consent to the deposit of cookies is thirteen (13) months. At the end of this period, the User's consent shall be obtained again.

10.5 How to exercise the choices according to the Browser used by the User?

The settings for cookie management depend on the User's browser.

As an indication, the User may oppose to the recording of Cookie by configuring his/her browser as follows:

For Internet Explorer:

Go to Tools > Internet Options.

Click on the Privacy tab then settings.

Under Settings, select Advanced, select « Ignore automatic processing of cookies».

For more information:

For Firefox:

At the top of the Firefox window, click on the Firefox button and select Settings.

Select the Privacy tab.

Go to the Cookies and Site Data section.

Unselect Accept Cookies.

For more information:

For Chrome:

Go to Chrome > Settings.

Select « Privacy and security » section.

Click "Cookies and other site data”.

In the "General Settings" section, you can block third-party cookies and data.

For more information:

For Safari:

Go to Safari > Settings.

Click on the Privacy tab.

In the "Block Cookies" section, select “Block all Cookies”.

For more information:

For Opera:

Click on Opera (top left of the window).

Go to Settings.

Click on the Advanced tab.

In the "cookies" section, select "Never accept cookies".

For more information:

11. Modification of the Data Processing Policy

The Company reserves the right to modify the Data Processing Policy at any time and at its sole discretion, in particular in order to comply with the obligations provided for by the regulations and laws in force.

Likewise, the Company will make such changes when it makes improvements, additions or changes to the Solution due to its practices regarding the User's Personal Data.

The Company shall notify the User of any significant changes in a timely manner.

12. Contact

For any question relating to the Data Processing Policy or for any request relating to the User's Personal Data, the User may contact the Company by email ( or by mail (Leeway SAS, 13, rue Sainte-Ursule – 31000 Toulouse, France).

Hundreds of companies manage their contracts with Leeway
Ready to ace your contract management?
Request a demo
Your Leeway Team