Personal Data Protection Charter
IDO-DATA is a simplified joint stock company with a share capital of €11,220, whose registered office is located at Bel Air Camp, 11 Avenue du Bel Air - 69 100 Villeurbanne, and registered with the Trade and Companies Register under number 821 890 928 RCS LYON (hereinafter "IDO-DATA"). IDO-DATA is a company specializing in the design, development, manufacture and operation of Internet-connected objects and related digital services that improve the security of goods and people, decision-making and the optimization of resource consumption.
Within the framework of its activities, IDO-DATA has designed and developed a connected device, aimed at securing the activity of water sports enthusiasts (paddle, kitesurf, kayak, small yachts, etc.), designed in collaboration with the Société Nationale des Sauveteurs en Mer, a French public utility association, whose head office is located at 8, Cité d'Antin - 75 009 PARIS, identified under the SIRET number 77566502900184 (the "S.N.S.M."), and by Mr. Philippe STARCK, whose company PHS General Design CSA, a company incorporated under Luxembourg law with a share capital of €31,400, whose registered office is located at 31, rue du Fort Elisabeth L-1463 Luxembourg (Luxembourg), is the rights manager (the "DIAL Solution"). The DIAL Solution consists of a geolocatable bracelet to be worn by the User (the "Wristband"), connected to the "DIAL Solution" application. DIAL The "DIAL Application", available, via mobile telephony, on the App Store or Google Play (the "DIAL Application"), allowing, following the purchase of Digital Usage Credits, to transmit the position of the said User to the emergency services, in the event of activation of an alert on the Wristband. The specific functionalities of the DIAL Solution are detailed in the commercial brochure, which can be consulted on the Internet site accessible at https://dial.snsm.support/ and/or any suffixes and/or access fields that refer to it, as well as in the precautions for use appearing in the specific instructions for use accompanying the sale of any Wristband (the "Precautions for Use").
THE DIAL SOLUTION CONSISTS OF AN INDICATIVE HELP TO FIND THE USER'S POSITION. IT CAN IN NO WAY REPLACE THE NECESSARY SUPERVISION TO BE ENSURED IN ALL SITUATIONS BY ANY LEGAL REPRESENTATIVE, SUCH AS THE RESPECT OF THE INSTRUCTIONS AND INSTRUCTIONS GIVEN BY THE PROFESSIONALS OF RESCUE IN SUPERVISED AREAS.
For IDO-DATA, the preservation of Users' personal data is important.
IDO-DATA undertakes to implement adequate measures for the protection, confidentiality and security of Users' personal data, in accordance with the regulations in force in Europe, as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "RGDP"), and repealing Directive 95/46/EC (General Data Protection Regulation), and French, in particular the rules of national law implementing the RGPD.
The purpose of this charter (the "Charter") is to inform and enlighten Users about the purposes of the collection and processing of their personal data by IDO-DATA, in its capacity as data controller.
Users are therefore invited to read the Charter very carefully, to print it and to keep a copy.
By using the DIAL Solution, the User accepts all of the provisions included in the Charter relating to the collection and processing of his or her data, for the purposes explained below.
Users are required to provide their personal data in digital format when using the DIAL Solution.
1. Identity of the persons whose data are collected and processed by IDO-DATA
As part of its operation of the DIAL Solution, IDO-DATA will collect and process data from the following Users:
- The Customer: who, following the purchase of a Wristband, designates the holder of the corresponding User Account on the DIAL Application, who is responsible for the administration of the DIAL Solution, including registering prior to any use on the DIAL Application, managing dedicated User Accounts, designating Referrals, and purchasing the Digital Usage Credits necessary to operate the DIAL Solution.
- Referrer: which designates a Referrer designated by the Customer, when registering on the DIAL Application and/or at any time, on the same DIAL Application, as Referrer, following acceptance of this charge by the latter, during the activation periods of the Wristband, under normal conditions of use or in alert mode. The Referrer is the one who can track the position of the User who is the physical wearer of the Bracelet during these periods. It is its responsibility to transmit, via the DIAL Solution, the User's position to the emergency services, in the event that the alert mode is triggered or at any time, as soon as legitimate and sufficient information indicates it.
- The physical wearer of the Bracelet: which designates the person who actually wears the Bracelet, during a given period of activity, and who can activate, in the event of an emergency or any other event justifying it, the alert mode of the Referrer, so that the latter can notify the emergency services.
The customer, any referrer and the physical wearer of the Wristband being referred to together above and below as the "Users", for the purposes of operating the DIAL Solution.
It is these Users who are concerned by the collection and processing of personal data determined hereafter.
2. Categories of personal data collected
User data that IDO-DATA may collect and process may consist of (without limitation) the following data:
a) the identity of the Users: title, surnames, first names, company name, address, telephone number (fixed and/or mobile), e-mail addresses, age ;
b) data relating to the means of payment: name of the banking establishment, nature of the bank card, without however including the bank card number and/or the cryptogram, billing e-mail address, billing address, postal or bank identity statement, partial bank card numbers, expiry date of the bank card.
The visual cryptogram of the Customer User's bank card, collected uniquely by the payment intermediary designated in Article 4 below (and not by IDO-DATA), following insertion by the Customer User, for the purposes of transactions for the purchase of Digital Usage Credits required within the framework of the operation of the DIAL Solution. The said visual cryptogram is not kept, in accordance with the regulations in force;
c) data relating to the connection, such as confirmation of registration and creation of User Account(s), the identity of the active Referrer(s) on each User Account, the balance of current Digital Usage Credits;
d) the geolocation data of the User physically wearing the Bracelet, during the only period of activation of the said Bracelet by the User, corresponding to a given period of activity, to the exclusion of any systematic and regular profiling or monitoring outside this period; it being specified that without the activation of the Bracelet by the hand of the User, no geolocation data is collected by IDO-DATA, the decision to activate the Bracelet thus always being made by the User concerned;
e) data relating to the monitoring of the commercial relationship: requests for documentation, trial requests, purchased bracelets, services or orders, quantity, amount, frequency, delivery addresses, transaction numbers, history and details of purchases in Digital Usage Credits made, product returns, origin of the sale (seller, representative, partner, affiliate), correspondence with the customer and after-sales service, exchanges and comments from customers and prospects, person(s) in charge of customer relations;
f) data relating to the payment of invoices: terms of payment, discounts granted, promotional codes, receipts, balances and unpaid invoices that do not result in the exclusion of the person from the benefit of a right, a service or a contract subject to authorisation by the Commission as provided for in the provisions of Article 25-I-4° of the Act of 6 January 1978 as amended;
(g) the data needed to carry out customer loyalty, canvassing, studies, surveys, product tests and promotional activities, since the selection of persons can only be made on the basis of the analysis of the abovementioned data;
(h) data relating to the organisation and processing of competitions, lotteries and any promotional operations, such as the date of participation, the replies to the competitions and the nature of the prizes offered ;
(i) data relating to the contributions of persons who submit opinions on products, services or content, in particular their pseudonym ;
j) data collected through the actions referred to in Article 32-II of the Act of 6 January 1978 as amended (electronic communication services).
3. Principles applicable to the collection and processing of personal data
Legal basis for the collection and processing of personal data
IDO-DATA processes the personal data of the Users in the cases allowed by the regulations in force and under the following conditions:
- Obtaining the free, specific, informed and unambiguous consent of the User (or his legal representative in case of minority or incapacity) to the processing of his personal data;
- Collection of personal data necessary for the execution of the User's request;
- Compliance with the legal and/or regulatory obligations imposed on IDO-DATA (such as the fight against fraud and corruption);
- Protection of IDO-DATA's legitimate interests (such as protecting the security of its computer network).
User navigation information applicable to the collection and processing of personal data
When using the DIAL Solution or certain related services, certain data is collected automatically, such as the User's geolocation, IP address, the reference of the navigation software used, navigation data (date, time, content viewed, search terms used, etc.) or operating system references.
The data collected during navigation is deleted at the end of the navigation session on the DIAL Solution, by the User or, if applicable, within a maximum of 13 months from the date of collection.
Purposes of the collection and processing of personal data
IDO-DATA collects and processes User data for the following purposes:
- in order to execute the functionalities of the DIAL Solution, namely an indicative aid in the search for the position of the User who is the physical wearer of the Wristband, during the only period of activation of the said Wristband by the latter, corresponding to a given period of activity, for the purposes of prevention and safety of the User who is the physical wearer of the Wristband during this same period, and to alert the Referrer, in the event of an emergency or danger justifying it, following activation of the alert mode, always by the User who is the physical wearer of the Wristband, so that the said Referrer can notify the emergency services;
- for the purposes of using, managing user accounts, registering new users, maintaining, developing and improving the DIAL Solution;
- for billing and communication to the payment intermediary designated in Article 4 below, for the purposes of transactions for the purchase of Digital Usage Credits required within the framework of the operation of the DIAL Solution, by the customer User, without which the DIAL Solution cannot function;
- for IDO-DATA's communication and marketing needs, including more specifically the distribution of IDO-DATA's commercial offers in connection with the launch of the DIAL Solution, the sending and communication of newsletters and news plans ("newsletters"), informative or commercial alerts to Users,
- to respond to solicitations and requests for information (online contact forms), including surveys, polls and other invitations, including discovery of the DIAL Solution and legal downloads of the DIAL Application,
- to respond to job applications (personal data collected: surname(s), first name(s), e-mail, telephone number, CV, covering letters if attached,
- to disseminate via the DIAL Solution and/or any social and communication networks and/or any other IDO-DATA supports and materials, whatever the form or nature, existing or future, the comments and/or opinions of the Users on the said DIAL Solution and/or on IDO-DATA,
- for any measure or project that is more broadly in line with an objective of interest to Users or to improve the relationship and customer experience,
- to meet current or pending regulatory requirements.
Retention period of personal data
The length of time Users' personal data is kept depends on the purpose concerned.
In this context, the personal data of Users are kept for the time necessary to fulfil their request.
In the absence of any realization, personal data are deleted within the time recommended by the Commission Nationale Informatique et Libertés (CNIL), after a period of three years from the date of their collection on the DIAL Solution, subject to :
- the legal possibilities and obligations with regard to archiving,
- obligations to retain certain data for evidential purposes and/or to make them anonymous.
The personal data of any User, collected and processed for the purposes of executing offers, is kept for the duration necessary for the management of the contractual relationship.
By way of exception, personal data required for the establishment of proof of a right or a contract are archived in accordance with the legal provisions (5 or 10 years after the end of the business relationship as the case may be).
4. Recipients of the personal data collected
The personal information collected is exclusively intended for IDO-DATA and is not subject to assignment, transfer or exchange to third parties, other than for the purposes of operating the DIAL Solution.
To this end, the personal data of the Users will be transmitted and processed by the following persons, for the following purposes:
- to the payment intermediary, for the purposes of transactions involving the purchase of Digital Usage Credits required in the context of the operation of the DIAL Solution, by the customer User. This payment intermediary is: Stripe Payments Europe, Ltd, The One Building, 1 Grand Canal Street Lower, Dublin 2, Co. Dublin, Ireland (IRELAND) ;
- technical service providers for the storage of personal data collected, for the purposes of data hosting, under the conditions of Article 5 below.
Only IDO-DATA's authorised personnel and its service providers, for the purposes set out in article 3 above, may have access to the personal data collected and may be required to process them, without prejudice to their possible transmission to the bodies in charge of a control or inspection mission in accordance with the legislation and/or regulations in force or for the purposes of responding to a judicial or administrative decision.
IDO-DATA is entitled to use the personal data of the users, in particular for statistical, measuring, transfer and/or exchange purposes to third parties, subject to complete anonymisation, in compliance with the applicable text provisions.
5. Transfer of personal data
The personal data of the Users collected are hosted in France, as well as on servers located outside the European Union, via the hosting company Pubnub, whose head office is located at 725 Folsom St - San Francisco, California 94107 (United States of America).
Data controllers and processors may transfer data outside the European Union (EU) and the European Economic Area (EEA), provided that they regulate such transfers using the different legal tools defined in Chapter V of the DPMR.
In this context, in order for transfers of personal data outside the European Union to be deemed justified, the data controller must ensure that appropriate measures have been put in place so that the said personal data benefit from a sufficient and adequate level of protection.
In order to ensure a high level of protection for data transferred from the European territory to third countries, bodies wishing to transfer data can thus use various tools, including the European Commission's adequacy decision concerning certain countries ensuring an adequate level of protection (art. 45 of the RGPD: https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre5#Article45).
The adequacy decision is the primary legal framework tool, insofar as it is taken on the basis of an overall examination of the legislation in force in a State, on a territory or applicable to one or more specific sectors within that State.
With regard to transfers of personal data from European companies to American companies, the United States of America has only been recognised by the European Commission as adequate for certain specific processing operations. In this context, adequacy concerns transfers to American companies that have joined the Data Protection Shield, better known as the "Privacy Shield". These transfers do not require specific supervision.
The Data Protection Shield is a self-certification mechanism for companies established in the United States that has been recognised by the European Commission as providing an adequate level of protection for personal data transferred by a European entity to companies established in the United States.
This mechanism is therefore considered to provide legal safeguards for such data transfers.
On August 1, 2016, the Data Protection Shield came into force. It is now possible to use it to transfer personal data to the United States, provided that the companies receiving the data have first registered in the register kept by the US administration. Beyond this formal obligation, American companies will have to comply with the substantive obligations and guarantees provided by the Data Protection Shield.
Before transferring personal data to a US-based company that claims to be certified to the Data Protection Shield, European companies must ensure that the US company has active certification (certifications must be renewed annually) and that the certification covers the data in question.
In order to verify whether a certification is active and applicable, European companies should consult the Data Protection Shield List which is published on the US Department of Commerce website (https://www.privacyshield.gov/welcome).
Following verification on the Data Protection Shield List published on the website of the US Department of Commerce (https://www.privacyshield.gov/welcome), Pubnub is among the companies having an active and applicable certification covering all data:
With regard to the active and applicable certification of the company Pubnub, it is considered as validly certified to the Data Protection Shield.
In support of the European Commission's declaration of adequacy of the transfers of personal data from European companies to American companies having adhered to the Data Protection Shield, the transfers of Users' personal data to the company Pubnub, for the purposes of hosting said personal data, are deemed to be well founded.
Our hosting provider Pubnub also guarantees its compliance with the European RGPD regulation, both in its general policy and in the security of products and the compliance of the Internet of Things (IoT), the interconnection between the Internet and connected objects, including the DIAL Solution and Application.
Find out more about how Pubnub complies with the GDMP:
6. Protective measures implemented by IDO-DATA
IDO-DATA collects and processes Users' personal data in compliance with the regulations in force.
When the disclosure of a User's personal data to third parties is necessary and authorized, IDO-DATA ensures that these third parties guarantee the same level of protection for the said personal data as that implemented by IDO-DATA. In this context, IDO-DATA asks each of its contractual partners for confirmation of compliance with the applicable regulations.
IDO-DATA implements technical and organisational measures to ensure that the storage of Users' personal data is secure and for the duration necessary for the purposes pursued.
IDO-DATA draws the attention of the Users to the fact that no transmission or storage technology is completely infallible.
Also, in the event of a proven breach of Users' personal data, which may create a high risk for the rights and freedoms of the Users, IDO-DATA will inform the competent control authority of this breach in accordance with the procedures provided for by the regulations in force.
Users must exercise caution to prevent any unauthorized access to their personal data and in particular to their computer and digital terminals (computer, smartphone, tablet in particular).
7. User Rights
In accordance with the regulations in force, Users have the following rights, subject to legal and regulatory limitations:
Right to information on the collection and processing of personal data
IDO-DATA undertakes to make its best efforts to ensure that the information communicated to Users is accessible, accurate and transparent on the conditions of collection and processing of their personal data.
Right of access / right to erasure ("right to oblivion") / right of rectification / right to object / right to limit processing
Any User may, at any time, access the personal information concerning him/her held by IDO-DATA. The customer has the right to receive a copy in electronic form (IDO-DATA is entitled to charge a fee based on the administrative costs incurred for additional copies).
Each User has the right to request the deletion and/or correction of his personal data if they are erroneous or obsolete. IDO-DATA may retain certain personal data when required by law or for legitimate reasons.
Users may object at any time for legitimate reasons:
- the use of their personal data for direct marketing purposes, or
- to the re-use of their personal data for processing other than those listed in article 2 above, except in the event that IDO-DATA fulfils one of its legal and/or regulatory obligations.
Users have the right to request that the processing of their personal data be limited to what is strictly necessary. This law is applicable only:
- if the User concerned contests the accuracy of his personal data;
- if the User concerned justifies that the processing of his personal data is unlawful and requests a limitation of their use rather than their deletion;
- if IDO-DATA no longer needs the personal data of the User concerned and the User still needs this data for the establishment, exercise or defence of legal rights;
- if the User concerned objects to the processing of his/her personal data based on the legitimate interest of the data controller, justifying an overriding legitimate interest.
Right of complaint to a supervisory authority
Any User, who considers that the efforts made by IDO-DATA to preserve the protection of his personal data do not guarantee the respect of his rights, has the possibility of lodging a complaint with the competent control authority (CNIL or any other authority mentioned on the list available from the European Commission).
Right to portability of their personal data
Users have a right to the portability of their personal data, authorising them to obtain from IDO-DATA said personal data concerning them, in a structured, commonly used and readable format.
Users may in this context request that their personal data be passed on to another data controller.
Right to decide on the fate of personal data following death
Users also have the right to organise the fate of their personal data after their death by adopting general or specific guidelines that IDO-DATA undertakes to respect.
In the absence of such guidelines, IDO-DATA recognises the possibility for heirs to exercise certain rights, in particular the right of access if it is necessary for the settlement of the deceased's estate and the right of opposition.
Exercise by Users of their rights
In order to exercise their rights, any The user can contact IDO DATA at the following address:
Bel Air Camp, 11 Avenue du Bel Air - 69 100 Villeurbanne
Tel : +33 (0)4 28 29 61 45
In order to help them exercise their rights, IDO-DATA informs Users that the CNIL has established and made available to them, on its website accessible at www.cnil.fr, sample letters.
Before processing the request(s) of the Users, IDO-DATA will be entitled to verify their identity, by asking them for any useful proof.
IDO-DATA will respond to each User's requests as soon as possible and in any case within one (1) month from the User's proof of identity.
In the event of the complexity of the requests and/or their number, this period may be extended by a further two (2) months, IDO-DATA undertakes in any event to inform the User concerned of the extension and the reasons for the extension.
8. Amendment of the Charter
IDO-DATA reserves the right to make changes to the Charter at any time, in order to comply with legislative and regulatory changes and/or to improve its personal data processing and protection policy.
In case of modification, a new version will be updated and put online with the date of "Last update".
Any new version of the Charter will have to be subject to the prior acceptance of the Users.