Privacy Policy

Last updated: February 16, 2024

This Privacy Policy supplements and forms an integral part of the Website’s Terms and Conditions. Its purpose is to inform you about the processing of personal data carried out on the Website, for which we act as the Data Controller.

The terms under which we act as a service provider (Data Processor) for subscribers to our services (Data Controllers) are governed by our General Terms and Conditions of Sale.

  1. DEFINITIONS

Capitalized terms have the meanings set out below:

“Company” or “we” refers to COPILHOST, a simplified joint-stock company (société par actions simplifiée) with its registered office at 61 rue de Lyon, 75012 Paris, France, registered with the French National Institute of Statistics and Economic Studies (INSEE) under number 982 397 861 00013, acting in its capacity as a simplified joint-stock company – VAT number FR12982397861 – contact@copilhost.com

“Website” refers to the website(s) accessible at the URL www.copilhost.com and any related sub-sites, including those providing access to content viewing areas, customer-only areas, and similar services made available by the Company.

“You” refers to the individuals concerned by the Processing carried out on the Website (users, prospects, customers, etc.).

“Policy” refers to this Privacy Policy.

“Data” means any information relating to an identified or identifiable natural person (the “data subject”), whether identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their identity.

“Processing” means any operation or set of operations performed on Data, such as collection, recording, organization, storage, adaptation, disclosure by transmission, dissemination, or erasure.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing, and a “Data Processor” means the entity which processes Data on behalf of the Data Controller. Unless otherwise stated, we act as the Data Controller for the Data processed on the Website.

“Recipient” means any natural or legal person, public authority, department, or other body to which personal data are disclosed, whether or not it is a third party.

“Regulations” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (“GDPR”); French Law No. 78-17 of 6 January 1978 on data processing, data files and individual liberties; the rules governing commercial prospecting set out in the French Postal and Electronic Communications Code; and, more generally, all applicable laws and regulations relating to the Processing of Data that we carry out.

  2. SHOWCASE WEBSITE AND COMMERCIAL PROSPECTING

The Website presents the Company’s activities and includes various forms (contact forms, newsletter subscription forms, etc.). By completing these forms and communicating with us through the Website, you provide us with the following categories of information:

  • Identification data: title/gender, last name, first name; and, on an optional basis, your date of birth, which may be requested in order to offer birthday-related promotions;
  • Contact details and correspondence: email address; postal address (street address, postal code, city); telephone number; and, where you contact customer support, the nature and content of your request;
  • Reviews and contribution data: username, date of the review, review content, the product or service concerned, and, where applicable, a profile photo associated with the review. The Company may enhance its Website by collecting and republishing reviews and contributions relating to its offerings that have been posted by its customers on other websites (in particular social media platforms) where such content is publicly available;
  • Data required to carry out loyalty, prospecting, research, survey, product testing, and promotional activities;
  • Data relating to the organization and management of competitions, prize draws, and any promotional operations;
  • Data collected in connection with the exercise of rights provided for under the Regulations.

Based on our legitimate interests and, where applicable, where necessary for the performance of pre-contractual measures taken at your request or for the performance of a contract, we process the above-mentioned Data for the following purposes:

  • Presenting the Company’s products and services;
  • Managing, processing, and monitoring requests and communications with the Company via the Website (including, where applicable, the use of a chatbot or a call-booking tool);
  • Managing relationships with prospects;
  • Managing reviews relating to the Company’s products, services, or content;
  • Prospecting and/or sending information, managing the technical aspects of prospecting operations, and selecting individuals for loyalty programs, prospecting activities, surveys, and product testing;
  • Organizing competitions, prize draws, or any promotional operations on the Website.

Data processed for commercial prospecting purposes are retained for a maximum period of three (3) years from the date of the last active contact initiated by the prospect or customer, or earlier if you withdraw your consent to receive communications from us. Review and contribution Data are retained for as long as the relevant review remains publicly accessible on the Website.

In accordance with our legal obligations, identification and contact data are also processed for the following purposes:

  • Updating our prospecting databases through the organization responsible for managing the telephone marketing opt-out list, in accordance with the provisions of the French Consumer Code;
  • Managing requests relating to rights of access, rectification, and objection, and more generally the rights described in this Policy.

  3. SUBSCRIPTION MANAGEMENT

The Website allows users to take out subscriptions online, which involves the Processing of the following Data:

  • Identification and contact data;
  • Contractual and commercial relationship data: details of the order content; pre-contractual exchanges and communications relating to the order (subject, date, etc.); communications with the Company;
  • Payment and transaction data: transaction date, amount, payment method, order number, and billing information.

This information is necessary for managing our customer and prospect databases and, more specifically, for the following purposes, in accordance with our General Terms and Conditions of Sale accepted at the time of ordering on the Website and with our legal obligations:

  • Carrying out operations relating to the management of records concerning subscriptions, orders, delivery of products or services, statutory and commercial warranties, invoicing, accounting, and monitoring of the commercial relationship (including after-sales service), as well as the management of reviews relating to the Company’s offerings;
  • Preventing and combating fraud related to payment methods, in particular credit card fraud;
  • Managing unpaid invoices and disputes, provided that such processing does not relate to criminal offences and does not result in the exclusion of the individual from the benefit of a right, service, or contract.

Secure payments. All transactions carried out on the Website are secured. Credit and debit card payments are processed by our payment service providers (“PSPs”), as specified in our General Terms and Conditions or on the order page for our products and services. We use SSL encryption to protect your personal data and the payment methods used. At no time do we have direct access to your bank card details as part of this process.

Data retention periods. The personal data we process are retained for the periods set out in the table below.

Data category | Retention period
--- | ---
Data processed for commercial prospecting purposes | 3 years from the prospect’s last active interaction or from the date the Data are collected
Data necessary for processing your order and managing contractual and commercial relationships | 3 years from the customer’s last active interaction or, failing that, from the end of the contractual relationship. For accounting records (purchase orders, delivery notes, customer invoices): 10 years from the close of the financial year
Order contracts with an amount below €120.00 | 5 years from the conclusion of the contract
Order contracts with an amount above €120.00 | 10 years from the date of delivery or performance of the service
Bank details: single (one-off) payment | 13 months for immediate debit cards and 15 months for deferred debit cards, from the debit date (for the purpose of handling any disputes)
Bank details: subscription with automatic renewal | 13 months for immediate debit cards and 15 months for deferred debit cards, from the debit date of the last payment due at the end of the subscription (for the purpose of handling any disputes)

  4. ACCOUNT CREATION

A personal account is automatically created based on the information provided when you place an order on the Website, or when you register for a free account outside of any order.

For the provision and management of the account, the following information is processed:

  • Identification and contact data;
  • Account login data: username and password, which may be stored automatically on the Website only if you consent to this through your browser settings;
  • Account access and usage data: IP address, login time, duration of the session, account settings, and data relating to the use of any account features.

Processing is carried out for the purposes of managing authentication procedures, handling lost login credentials or passwords, and performing the order in accordance with the purposes applicable to online sales.

The identification and contact data provided when the account is created will be used, with your consent, to keep you informed about the Company’s products and services.

  5. SERVICE IMPROVEMENT

Processing is carried out for the purpose of improving the Website and the services described on it, as well as for the design and development of new services, in accordance with our legitimate interests.

The Data processed include account access and usage data, usage and connection statistics, performance reports relating to the services provided, and data relating to reviews and contributions submitted by users.

The data subjects concerned are users designated by our customers to administer and use the services provided, or to contact us, as well as users of their own websites and messaging services created as part of their subscription.

By using the Website and the services, you expressly agree that we may reuse all of this Data for the purposes described above, independently of the provision of the subscribed services, and you warrant that such reuse is compatible with your own use of the Website and the available services.

Copilhost undertakes to implement appropriate safeguards to ensure the confidentiality of Data relating to the use of the Website and the services provided, in particular through data encryption and aggregation, and undertakes not to process so-called sensitive data for these purposes.

  6. EXERCISING YOUR RIGHTS

For any request relating to the exercise of the rights described below, or for further information, you may contact the Company at contact@copilhost.com or by post at the Company’s registered office address specified in the header.

In accordance with the Regulations, you have the following rights with respect to your Data:

  • Right of access to your Data, including the right to obtain a copy, as well as access to the information set out in this Privacy Policy (Article 15 GDPR). Where the legal basis for the processing is our legitimate interest, you may request information about the balancing test carried out between the interests of our customers and those of the Company prior to such processing.
  • Right to rectification (Article 16 GDPR) and to have your Data updated.
  • Right to erasure of your Data (Article 17 GDPR) where the Data are no longer necessary for the purposes for which they were collected, where you have withdrawn your consent (where processing was based on consent), or where you object to processing based on our legitimate interest or to processing carried out for direct marketing or profiling purposes related to such marketing.
  • Right to withdraw your consent at any time (Article 13(2)(c) GDPR) for any processing based on your consent. In addition, with respect to commercial prospecting, you may unsubscribe at any time from our mailing lists by clicking the unsubscribe link included in our communications or by contacting us to stop receiving promotional messages.
  • Right to restriction of processing (Article 18 GDPR), meaning that, unless there are overriding legitimate grounds, the processing may only continue with your consent, in the following cases:
    – where you contest the accuracy of the Data, for the time necessary to verify them;
    – where the processing is unlawful and you oppose the erasure of the Data and instead request restriction of their use;
    – where we no longer need the Data but they are still required by you for the establishment, exercise, or defence of legal claims;
    – where you have objected to processing based on our legitimate interest, pending verification of whether our legitimate grounds override yours.
  • Right to data portability (Article 20 GDPR) for Data that you have provided directly, where such Data are processed by automated means and based on your consent or on a contract. This right allows you to receive such Data in a structured, commonly used, and machine-readable format, or to request that they be transmitted to another data controller.
  • Right to object (Article 21 GDPR) to the processing of your Data where such processing is based on our legitimate interest.
  • Right to define instructions regarding the use of your Data after your death (Article 40-1 of French Law No. 78-17 of 6 January 1978), including the option to designate a trusted third party to whom the Company must entrust such Data.

You may also obtain further information on the website of the French data protection authority (CNIL).

When submitting a request to exercise your rights, the Company may ask you to clarify your request and to provide proof of identity (which will be retained for one year in the case of a request to exercise the right of access or rectification, and for three years in the case of a request to exercise the right to object). If our response does not fully satisfy you, you retain the right to lodge a complaint with the competent data protection supervisory authority (in France, the CNIL).

  7. DATA RETENTION PERIODS

Commitments. Effective data deletion measures are implemented once the retention or archiving period required to achieve the specified or legally mandated purposes has been reached, in particular following the deletion of your account with the Company or upon termination of the contract with the Company.

Data minimization. In all cases, Data subject to Processing are not retained beyond the period necessary to perform the obligations defined at the time the contract is entered into or required under applicable law. Beyond this period, the Data may be anonymized and retained for statistical purposes, in particular in aggregated form.

Disputes. We may also archive information demonstrating compliance with our contractual obligations until the expiry of the applicable limitation or foreclosure periods for legal actions, for the purpose of defending our interests before the courts in the event of subsequent litigation. This includes, but is not limited to, the retention periods provided for under the French Commercial Code, Civil Code, and Consumer Code.

  8. RECIPIENTS

Commitments. We ensure that any recipient of Data provides sufficient and appropriate contractual guarantees to safeguard your rights, so that Processing complies with the requirements of the GDPR where applicable (in particular with respect to data processing agreements). On the basis of our legal obligations, your Data may also be disclosed where required by law or regulation, or pursuant to a decision of a competent regulatory or judicial authority.

The information you provide to us is intended for internal use by authorized persons only, is strictly confidential, and may not be disclosed to third parties except in accordance with the Regulations, with your explicit consent, or where you have chosen to make such information public.

Sub-processing. Our external service providers (e.g. suppliers, carriers, service partners) may, in the context of the Processing activities described above, receive personal data where this is necessary for the performance of their services.

Transfers outside the EU. We undertake to ensure compliance with the applicable regulations governing transfers of Data to countries outside the European Union, in particular under the following conditions:

  • Data relating to visitors, prospects, and customers may be transferred to countries recognized as providing an adequate level of data protection;
  • Where the destination country does not offer an adequate level of protection, such transfers are governed by appropriate safeguards in accordance with applicable regulations (in particular the European Commission’s standard contractual clauses).

Aggregation of non-personal data. We may publish, disclose, and use aggregated information (relating to Website users, prospects, customers, etc.) that we combine in such a way that no individual can be identified. This Processing is carried out in accordance with our legitimate interests for statistical purposes, market and industry analysis, presentation of our activities, promotional and advertising purposes, and other commercial purposes.

  9. INFORMATION SECURITY

Commitments. We undertake to implement appropriate technical and organizational measures, including physical and logistical security safeguards, to reduce the risks of accidental, unauthorized, or unlawful access to, disclosure, alteration, loss, or destruction of the personal data relating to you.

Warnings. We encourage you to exercise caution regarding the information you choose to make public online. This applies in particular to personal data, including data relating to your private life or sensitive data, that you choose to make public or that may be inferred from your contributions, comments, or statements of any kind on the Website, as well as on social media, groups, and/or conversations with other users of the Website.

HTTPS protocol. The Website’s URL is accompanied by a closed padlock or key icon displayed in your browser, indicating the use of the HTTPS security protocol, which applies in particular to data storage. This means that you are browsing in a secure environment, notably when you are asked to enter your bank card number.

Personal data breach. In the event of an incident resulting in the risk of unauthorized access to, alteration, loss, or disclosure of Data, we undertake to:

  • investigate the causes of the incident;
  • take the necessary measures to limit any negative effects or harm that may result from the incident;
  • notify the competent authority and/or the affected individuals as soon as possible where required by law.

Under no circumstances shall the commitments set out above be construed as an acknowledgment of fault or liability in connection with the occurrence of such an incident.

  10. GENERAL PROVISIONS

Mandatory or optional information. On the Website, mandatory fields are indicated by an asterisk or any other appropriate notice. If a request is incomplete (for example, an online registration or order, or a request for information), the Company reserves the right to request additional information or to prevent validation of the relevant form by any technical means.

Hyperlinks. The Website may contain links to websites, applications, or services operated by third parties. We are not responsible for the processing of personal data carried out by such third-party websites, or by websites linking to the Website. Users are invited to consult the applicable privacy policies of those third parties for further information. This Policy applies solely to the Company’s activities, and the Company cannot be held liable for any failure by a third party to comply with its data protection obligations.

Scope. This Policy does not cover all Processing activities exhaustively, and we reserve the right to supplement it by any means.

Language. This Policy is drafted in French. Where it is translated into one or more other languages, only the French version shall prevail in the event of a dispute.

No waiver. The temporary or permanent failure to enforce one or more provisions of this Policy shall not be deemed a waiver of the remaining provisions, which shall continue in full force and effect.

Amendments and updates. We reserve the right to amend this Privacy Policy. Data subjects will be informed where required by applicable law. The date of the latest update is indicated in the header, and you are encouraged to review it regularly.

11. COOKIE