Last update: October 12th, 2023
DataGalaxy (hereinafter referred to as “DataGalaxy,” “we,” or “us”) is committed to the protection of personal data (hereinafter referred to as “PII”) and privacy of the users of its web site, software solution, and services (hereinafter referred to as “Services.”)
In this respect, and in compliance with the legislation in force regarding the processing and protection of personal data and, in particular, the modified law n°78-17 of January 6, 1978 regarding data processing, files, and liberties and the European General Regulation on the Protection of Personal Data of April 27, 2016 (hereinafter the “GDPR,”) DataGalaxy commits itself to respecting the confidentiality, the integrity and the security of your PII.
The following is a collection of information and resources to help you answer questions about your experience with DataGalaxy. We appreciate your interest and are proud to have you as a member of our community!
Therefore, we inform you in this privacy policy (hereinafter the “Privacy Policy”) of the conditions under which your PII may be processed by us, as data controller, when:
- You are browsing our website (www.datagalaxy.com, hereinafter the “Site.”) We have implemented certain audience measurement tools in order to better understand and interact with visitors to our site (hereinafter the “Visitor.”) These tools are also likely to collect a certain number of PII about you.
- You contact us out of interest in our services, in particular by requesting a demo, as a prospect (hereafter “Prospect.”)
- You are using the DataGalaxy platform under a license and/or service agreement with us as a customer (hereafter “Customer.”) You will be required to share your PII in order to ensure the proper execution of this agreement.
- You are entering into a recruitment process with DataGalaxy’s human resources teams, as a candidate (hereafter “Candidate.”)
We may amend this Privacy Policy at any time to ensure transparency in the processing of your PII. We therefore invite you to consult it regularly.
Article 1 – WHAT PII DO WE COLLECT?
By using the DataGalaxy Services, you consent to our collection and processing of the following PII:
Persons Concerned – Customer
Types of PII
Identification data (name, surname, civil status), Billing and financial data (company’s bank details, payments, etc.), Data related to professional life (function, company, professional e-mail address, professional telephone number), Data shared with DataGalaxy teams including the support service, Browsing data on the DataGalaxy platform.
Purpose
Execute the services requested in the contract (creation, configuration and maintenance of your DataGalaxy account, billing management…), Ensure a quality and available support, Ensure a quality commercial relationship, Manage product evolutions to improve the customer experience, Manage marketing events.
Legal basis
The necessity to pursue the legitimate objectives of DataGalaxy, namely:
The execution of the contract to which you are party.
The fulfillment of our legal obligations.
The respect of your consent, if granted, to receive our marketing emails or the legitimate interest of DataGalaxy to send marketing emails.
Persons Concerned – Prospect
Types of PII
Identification data (surname, first name, civil status), Data related to professional life (function, company, professional e-mail address, professional telephone number).
Purpose
Contact you to arrange a demonstration to show you the product, and/or to send you marketing communications, Marketing Event Management.
Legal basis
The necessity to pursue the legitimate objectives of DataGalaxy, namely:
The development and follow-up of its prospect base.
The promotion of its product, especially through commercial prospecting.
Persons Concerned – Visitor
Types of PII
Internet data/browsing data (cookies, logs, nature of the terminal, pages consulted, etc.).
Purpose
To enable the website and navigation to function properly, to offer appropriate advertising.
Legal basis
The necessity to pursue the legitimate objectives of DataGalaxy, namely:
To develop a functional website.
To establish statistics concerning the use of the Website in order to improve it.
Persons Concerned – Candidate
Types of PII
Internet data/browsing data
Data shared with DataGalaxy teams including the recruitment service (CV, test results, etc.).
Purpose
To enable the website and navigation to function properly
To know the interests according to the pages consulted.
Legal basis
The necessity to pursue the legitimate objectives of DataGalaxy, namely:
The development and monitoring of its candidate base.
The promotion of its product in order to develop its attractiveness to potential candidates.
For all other PII collected by any other means, the PII collection form will describe the rules that apply if they are different from the rules in the Privacy Policy.
Article 2 – HOW LONG DO WE KEEP YOUR PII?
DataGalaxy keeps the collected PII for the time strictly necessary to achieve the purpose of each processing, except for the exceptions provided for by the Law. These retention periods are indicated in the table below.
| Persons Concerned | Types of PII | Duration of retention | Why? |
|---|---|---|---|
| Customer | Identification data, Work-related data. | Duration of the contract, then 3 years after its end. | For statistical and more general evidential purposes. |
| Customer | Billing and financial data. | Duration of the contract, then 10 years after its end. | For the recovery of unpaid debts and more generally for evidential purposes in accordance with the law. |
| Customer | Data shared with DataGalaxy teams including the support service. | Duration of the contract. | To ensure continuous monitoring of exchanges, incidents and requests. |
| Prospect | Identification data, Work-related data. | 3 years after their first collection, unless you request their deletion. | To enable the website and navigation to function properly. |
| Visitor | Internet data/Browsing data. | 13 months after their first installation on your terminal. | To enable the website and navigation to function properly. |
| Candidate | Internet data/Browsing data, Data shared with DataGalaxy teams including the recruitment service (CV, test results…). | 13 months after their first installation on your terminal (cookies), and 2 years from the last contact with DataGalaxy, unless you request their deletion. | Allow us to keep your contact details and profile data for possible future opportunities. |
According to GDPR, your PII may be kept by us until the limitation periods for legal action have been reached. In this case, only the persons in charge of the litigation within the company have access to it. At the end of these periods, your PII are either deleted or irreversibly anonymised.
When we no longer have a legitimate business need to process your PII, we will delete it as soon as technically possible.
Article 3 – WHO HAS ACCESS TO YOUR PII AT DATAGALAXY?
In view of the purpose of each processing, DataGalaxy implements the necessary means to ensure that PII are only accessible by its internal departments that need to know them, if this is strictly necessary for the proper execution of the processing.
PII are therefore transferred to the competent DataGalaxy departments, depending on the type of data and the purpose.
Article 4 – WITH WHICH EXTERNAL BODIES IS YOUR PII SHARED?
1. Service providers
In the course of its business and for the provision of its Services, DataGalaxy may share your PII with third party service providers.
These service providers act, according to article 4.8 of the GDPR, as personal data processors. In such a case, DataGalaxy undertakes to constantly ensure that:
- The service provider is contractually bound to respect the same obligations as ours regarding the protection of PII.
- The service provider presents sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing operations meet the requirements of the legislation on the protection of PII, and in particular of the GDPR.
- The service provider, in case of transfer of PII outside the European Union, contractually ensures their security and confidentiality.
Name
Amazon Web Services, Microsoft AZURE, OVH, Google Cloud Platform
Type of PII
All types of data.
Why?
For hosting and backup purposes.
Type of PII
Identification data, Work-related data, and any other PII you may share with us when you contact us by email.
Why?
To manage our email and daily operations.
Type of PII
Identification data, Work-related data and any other PII you may share with us when we have a contractual negotiation.
Why?
To manage daily operations and contractual negotiations.
Type of PII
Identification data, Work-related data and any other PII you may share with us when we have a contractual negotiation and/or when you contact us.
Why?
For the purposes of management and documentation of tasks, processes and projects.
b. Statistics and marketing services
Type of PII
Internet data/Browsing data, unless you haven’t given your prior consent.
Why?
To improve your user experience on our Site, perform statistics and measure activity.
Type of PII
Cookies, unless you haven’t given your prior consent.
Why?
For the purpose of managing the collection of visitors’ consent to the collection of cookies.
Name
Event service providers (audiovisual service providers, etc.)
Type of PII
Identification data (when necessary).
Why?
For promotional event management purposes. For the purpose of managing the collection of visitors’ consent to the collection of cookies.
c. Customer and candidate relationship management and development
Type of PII
Identification data and Work-related data (Client and Candidates).
Why?
For contract signing purposes.
Type of PII
Identifying and Work-related data, and any other PII that Clients and/or prospects share with us.
Why?
For Customer Relationship Management purposes.
Type of PII
Any PII that you may share with us when reporting an incident or seeking support.
Why?
To improve your user experience on our Site, perform statistics and measure activity.
Type of PII
Any PII that you may share with us when reporting an incident or seeking support.
Why?
To manage customer support, incident resolution and follow-up on your requests.
Type of PII
Any PII transmitted by the Candidates when applying for a DataGalaxy job offer.
Why?
For application management and recruitment purposes.
2. Other third parties
Your PII may be shared with other types of third parties:
Type of provider
Independent contractors (providers)
Type of PII
Data strictly necessary for the performance of their duties.
Why?
To run some of the services.
Type of provider
Accountants
Type of PII
Billing and financial data, Work-related data (if necessary)
Why?
For accounting purposes.
Type of PII
The data provided by the Client in the context of the contract.
Why?
For dispute resolution purposes.
Type of PII
Any PII that you may share with us when reporting an incident or seeking support.
Why?
To manage customer support, incident resolution and follow-up on your requests.
Type of PII
Any PII transmitted by the Candidates when applying for a DataGalaxy job offer.
Why?
For application management and recruitment purposes.
3. Special cases
We may also share your PII in the following specific cases:
- Where we are required or permitted to do so by law, applicable regulation, court order or regulation, or where such disclosure is necessary in connection with an investigation or proceeding at home or abroad.
- In case of an audit carried out in the context of investments, and/or in case of transfer of a DataGalaxy entity or its assets to any potential buyer.
- When we provide non-personal information to third parties, such as aggregated statistical PII.
Article 5 – WHERE IS YOUR PII STORED?
All PII collected concerning Visitors, Prospects and Candidates are hosted in Europe, regardless of the hosting provider. For Customers, the location of storage depends on the subscription chosen:
- If the Customer is located in the European Union, all of the data contained in our Services (including PII) will always be hosted in Europe.
- If the Customer is located in the United States, all the data contained in our Services (including PII) will always be hosted in Europe.
- If the Customer is located in another country, our teams will make every effort to ensure that all the data contained in our Services (including PII) is hosted in the corresponding country.
Our hosting providers have numerous security certifications, a list of which is publicly accessible on their websites.
Article 6 – WHAT INTERNATIONAL PII TRANSFERS DO WE CARRY OUT?
1. For customers located in the European Union
DataGalaxy does not currently transfer any PII outside the European Union. In the event that we make such transfers, they will only take place indirectly through our subcontractors.
DataGalaxy being subject to the GDPR, if it intends to engage any subcontractor for activities that imply a transfer of PII from the Customer to any country outside the European Union, then it undertakes to ensure that the security and confidentiality of said PII are preserved and this in particular through:
- Data protection agreements in place between the EU and destination countries.
- Standard contractual clauses issued by the European Commission or a Supervisory Authority in accordance with Article 46 of the GDPR.
- Contracts for the outsourcing of Personal Data in accordance with Article 28 of the GDPR.
If a transfer of PII to countries not recognized by the European Commission as having an adequate level of protection is envisaged, DataGalaxy will systematically inform you.
2. For customers located in the United States
DataGalaxy makes its best efforts to limit the transfer of PII outside the United States. When such a transfer is envisaged, it must be linked to support and the improvement of the user experience.
In order to facilitate the management of support and the resulting user experience, we transfer certain PII (surname, first name, email address and message content) relating to users of the Solution at the Customer’s site from the United States to France. The PII are temporarily replicated in France while the issue that led to the support contact is resolved.
As such French support is subject to the GDPR, the security and confidentiality of PII is ensured by local legal provisions, which are very protective.
Article 7 – HOW DO WE ENSURE THE SECURITY OF YOUR PERSONAL DATA?
In order to ensure the security of the PII you send us, we have put in place a number of appropriate technical and organizational measures. In particular, the security of your PII is ensured by:
- The implementation of access control and management of authorisations for business software.
- Pseudonymisation and encryption of PII, where possible.
- Contracts for the outsourcing of Personal Data in accordance with Article 28 of the GDPR.
- The means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.
- The means of restoring the availability of and access to PII within an appropriate timeframe in the event of a physical or technical incident.
- A procedure to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the security of processing.
In order to reinforce the protection of your PII, we strongly recommend that you use a long password with several special characters, which you should change regularly and keep confidential.
Article 8 – WHAT RIGHTS DO YOU HAVE REGARDING THE PROCESSING OF YOUR PII AND HOW TO EXERCISE THEM?
1. Nature of your rights
In accordance with the GDPR, you have the following rights:
- Right to data portability: in accordance with Article 20 of the GDPR, the right to request a copy of your PII from us in a structured, commonly used and machine-readable format in order to provide them to another controller.
- Right of rectification: in accordance with Article 16 of the GDPR, the right to ask us to modify, complete or update your PII which has been found to be inaccurate, incomplete, equivocal or out of date.
- Right to erasure: in accordance with Article 17 of the GDPR, the right to ask us to permanently delete your PII, as soon as possible, in particular when you consider that it is no longer necessary for the purposes for which it was collected or that we are no longer legitimate to process it.
- Right to limit processing: the right to ask us to restrict the processing of all or part of your PII only in the cases listed in Article 18 of the GDPR, namely:
– Check the accuracy of the PII you are disputing
– Serve you for the establishment, exercise or defence of your legal rights, even if DataGalaxy no longer has any use for them
– To verify whether the legitimate reasons pursued by DataGalaxy prevail over yours in case you object to the processing based on DataGalaxy legitimate interest
– Fulfil your request to restrict the use of your PII, rather than erase them, if the processing of that PII is unlawful
- Right of opposition: in accordance with Article 21 of the GDPR, the right to object at any time, on grounds relating to your situation, to the processing of PII for the purpose of commercial prospecting or having as its legal basis the pursuit of a legitimate interest. Unless we demonstrate a compelling legitimate interest justifying such processing, we will only process PII not affected by your request.
- Post-mortem right: in accordance with article 85 of the French law 78-17 of January 6, 1978 on data processing, data files and individual liberties, the right to define particular directives concerning the conservation, deletion and communication of your post-mortem PII. These particular directives will only concern the processing carried out by DataGalaxy and will be limited to this perimeter.
2. Exercising your rights
To exercise your rights, we invite you to send us your request directly:
- By e-mail to dpo@datagalaxy.com, or
- By mail to DataGalaxy, Data Protection Officer, 47 rue Vivienne, 75002 Paris, France.
In accordance with the applicable legislation, we will ask you to prove your identity. Therefore, we thank you in advance for specifying when sending your request:
- Your name, first name, e-mail address
- The purpose of your request, the nature of the right you wish to exercise and the reasons for it.
DataGalaxy will have a maximum of one (1) month to respond to your request, which may be extended up to 2 (two) months depending on the complexity of the request. If we do not respond to your request, we will inform you of the reasons and of the possibility to lodge a complaint with a supervisory authority and to seek legal redress.