Privacy Policy

Last updated: 01/09/2023

1. Who is the data controller?

Regarding the processing related to your navigation on our website and/or the management of contractual relationships and your account (the "Account") on the platform, the data controller is the company ARSEN, SAS, registered with the RCS of Orléans under number 881 923 775 and with its registered office at Le Lab'O village by CA, 1 avenue du Champ de Mars, CS 30019 45074 Orléans Cedex 2 ("We").

This Policy does not apply to the processing of personal data for which we act as a data processor. When our clients use the services available on our platform, including creating phishing campaigns, we collect and process personal data of our clients' employees on behalf and for the account of our clients.

Therefore, with regard to the processing of personal data concerning your employees, which you may entrust to us in the context of using our services as clients, you act as the data controller, and we act as a data processor within the meaning of the GDPR. It is your responsibility to ensure compliance with the information and rights of the data subjects and, more generally, with the applicable regulations on the protection of personal data.

If your personal data is processed by one of our clients, please refer to their privacy policy or other information notices that they have provided regarding the processing they carry out.

2. What data do we collect?

A personal data is data that allows the direct or indirect identification of an individual.

We collect data that falls into the following categories:

  • Identification data (name, first name, email address, phone number);
  • Data related to your professional life (company name, position/function);
  • Login data (connection logs, encrypted passwords);
  • Browsing data (IP address, pages visited, date and time of connection, browser used, operating system, user ID, IFA);
  • Data from recordings of phone calls between you and our customer service (call content, call dates);
  • Any information you wish to transmit to us as part of your contact request.

3. On what legal bases, for what purposes, and for how long do we retain your personal data?

Purposes Legal Bases Retention Periods
Allow you to create an account to access our Platform Performance of the contract you or your company have entered into with Us Data is kept for the entire duration of your account. Connection logs of accounts will be retained for 1 year.
Execute your quote, perform operations related to the management of our clients concerning contracts, orders, invoices, and monitoring of the contractual relationship with our clients Performance of the contract you or your company have entered into with Us Personal data is kept for the entire duration of the contractual relationship. In addition, your data may be archived for evidentiary purposes for a period of 5 years. Invoices are archived for a period of 10 years.
Create a file of clients and prospects Our legitimate interest in developing and promoting our business For clients: data is kept for the entire duration of the contractual relationship. For prospects: data is kept for a period of 3 years from your last contact.
Improve our services through call recordings Our legitimate interest in improving our services. Phone call recordings: 6 months from the date of collection. Documents analyzing the content of phone calls: 1 year from the date of collection.
Send newsletters, solicitations, and promotional messages Our legitimate interest in retaining and informing our clients and prospects of our latest news Data is kept for 3 years from your last contact with Us
Respond to your information requests Our legitimate interest in responding to your requests Data is kept for the time necessary to process your information request and deleted once the information request is processed.
Prepare statistics regarding the audience of the Website and the Platform Your consent Data is kept for 25 months.
Manage requests to exercise rights Our legitimate interest in responding to your requests and keeping a record of them If we request proof of identity from you: we only keep it for the time necessary for identity verification. Once the verification is done, the proof is deleted. If you exercise your right to object to receiving prospecting: we keep this information for 3 years. The information allowing the management of your requests to exercise rights under the GDPR will be kept for 3 years from the request.

4. Who are the recipients of your data?

The following may have access to your personal data:

  • Our company's personnel;
  • Our subcontractors: hosting and office suite provider, CRM tool, ticketing and chatbot software, data extraction and enrichment tools, newsletter sending provider, audience measurement and analysis provider, internal communication and knowledge tools, telephony and call recording tools, email service provider, password manager, accounting service provider;
  • If applicable: public and private organizations, exclusively to meet our legal obligations.

5. Could your data be transferred outside of the European Union?

Your data is kept and stored for the entire duration of the processing on the servers of Google and Pipedrive, located within the European Union.

In the context of the tools we use (see the article on recipients regarding our subcontractors), your data may be subject to transfers outside of the European Union. The transfer of your data in this context is secured using the following tools:

  • either the data is transferred to a country that has been the subject of an adequacy decision by the European Commission, in accordance with Article 45 of the GDPR: in this case, this country provides a level of protection considered sufficient and adequate to the GDPR provisions;
  • or the data is transferred to a country whose data protection level has not been recognized as adequate under the GDPR: in this case, these transfers are based on appropriate safeguards as indicated in Article 46 of the GDPR, adapted to each provider, including but not limited to the conclusion of standard contractual clauses approved by the European Commission, the application of binding corporate rules, or pursuant to an approved certification mechanism;
  • or the data is transferred on the basis of one of the appropriate safeguards described in Chapter V of the GDPR.

6. What are your rights regarding your data?

You have the following rights regarding your personal data:

  • Right to information: this is precisely why we have written this policy. This right is provided for in Articles 13 and 14 of the GDPR
  • Right of access: you have the right to access all of your personal data at any time, pursuant to Article 15 of the GDPR.
  • Right to rectification: you have the right to rectify at any time your inaccurate, incomplete, or outdated personal data in accordance with Article 16 of the GDPR
  • Right to restriction: you have the right to obtain restriction of processing of your personal data in certain cases defined in Article 18 of the GDPR.
  • Right to erasure: you have the right to demand that your personal data be erased, and to prohibit any further collection for the reasons stated in Article 17 of the GDPR
  • Right to lodge a complaint with a competent supervisory authority (in France, the CNIL), if you believe that the processing of your personal data constitutes a violation of applicable laws. (Article 77 of the GDPR)
  • Right to define directives regarding the retention, erasure, and communication of your personal data after your death
  • Right to withdraw your consent at any time: for purposes based on consent, Article 7 of the GDPR provides that you may withdraw your consent at any time. This withdrawal will not affect the legality of the processing carried out before the withdrawal.
  • Right to data portability: under certain conditions specified in Article 20 of the GDPR, you have the right to receive the personal data you have provided to us in a standard machine-readable format and to request their transfer to the recipient of your choice.
  • Right to object: under Article 21 of the GDPR, you have the right to object to the processing of your personal data. However, please note that we may continue to process them despite this objection, for legitimate reasons or for the defense of rights in court.

You can exercise these rights by writing to us at the contact details below. We may ask you for additional information or documents to justify your identity on this occasion.

7. What cookies do we use?

To learn more about cookie management, we invite you to consult our Cookie Policy.

8. Point of contact to exercise your rights

Contact address: ‍Arsen Le Lab'O village by CA 1 avenue du Champ de Mars CS 30019 45074 Orléans Cedex 2

Modifications

We may change this policy at any time, in order to comply with any regulatory, jurisprudential, editorial, or technical developments. These changes will apply on the effective date of the modified version. Therefore, you are invited to regularly consult the latest version of this privacy policy. Nevertheless, we will inform you of any significant changes to this privacy policy.