Nybble Hub: Personal data protection policy

Version dated: February 1, 2024

The purpose of this document is to set out the rights and obligations of the Client and the Company, under the applicable General Conditions of Services (CGS), as well as the Hunter and the Company, under the Terms and Conditions (T&C) applicable to the protection of Personal Data.

The Company has appointed an external DPO: contact@nybble.bzh

For the interpretation of the concepts related to the protection of Personal Data appearing in this document, please refer to the definitions in article 4 of Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation, hereinafter “GDPR”), and the applicable T&C.

As part of the CGS and/or a Quote and/or a Purchase Order, the Company processes Personal Data relating to the Customer and Customer Users, as Data Controller, in accordance with the GDPR and Law No. 78-17 of January 6, 1978 as amended. (Article 1)

Within the framework of the T&Cs, the Company processes Personal Data relating to Nybblers, as Data Controller, in accordance with the GDPR and Law No. 78-17 of January 6, 1978 as amended. (Article 2)

For authentication, the Company processes Personal Data relating to Client Users and Nybblers, which are necessary for the creation of the User account, as Data Controller jointly with AUTH0, also Data Controller, in accordance with the GDPR and Law No. 78-17 of January 6, 1978 as amended. (Article 3)

Article 1: Processing of Personal Data of the Client and Users by the Company as Data Controller

1.1 Data subjects and Personal Data

The Persons Concerned by the processing of Personal Data carried out by the Company are: the Client's representative and the User. The Personal Data processed by the Company are:

  • the Customer's representative: Identification data (surname, first name); Date of birth; Nationality; Country of Residence; Mail address; Telephone number.
  • the User: Identification data (last name, first name, User name/pseudo); Identifiers (email address, password); Country.

This data is necessary to pursue the purposes described below.

Purposes, by legal basis:

  • Article 6-1(b) of the GDPR: Execution of the Contract
    • Administration and technical and/or commercial management of the contract between the Company and the Client
    • Management of User accounts
  • Article 6-1(f) of the GDPR: pursuit of legitimate interests, while respecting the fundamental rights and freedoms of the persons concerned
    • Management of the security of the Site, Services and Campaigns (legitimate interest: ensuring the proper functioning and security of the Platform's activity)
    • Statistics on the Platform's activity (legitimate interest: measurement and development of the platform's activity based on global indicators)
    • Litigation management (legitimate interest: defense of the Company's rights)
    • Sending information on the Company (events, new products, etc.) and on its commercial offers corresponding to services similar to those already provided (legitimate interest: commercial development of the Company)
  • Article 6-1(c) of the GDPR: compliance with a legal obligation (article 12 GDPR)
    • Management of requests related to the exercise of the rights recognized to persons concerned by the processing of personal data

1.3 Recipients of Personal Data

The Personal Data of the Client's representative and the User are communicated to the authorized personnel of the Company and its Subcontractors ensuring the provision of the Services.

From acceptance of the CGS, the Subcontractors are:

  • Microsoft for hosting the Platform (Microsoft Azure – France Central – Paris). More information on the Microsoft website.

1.4 Conservation of Personal Data

As part of the management and execution of the contract between the Company and the Client, the Personal Data of the Client's representative are kept for the entire duration of the Quotation and/or Purchase Order concerned. They are kept in intermediate archives for an additional period of 6 years for evidentiary purposes (criminal limitation period in accordance with article 8 of the French code of criminal procedure), from the end of the Quotation and/or Purchase Order concerned. They are deleted at the end of this period.

As part of the execution of these General Terms and Conditions and for the management of the security of the Site, Services and Campaigns, Users' Personal Data is kept for the entire duration of the account opening. They are kept in intermediate archives for an additional period of 6 years for evidentiary purposes (criminal limitation period in accordance with article 8 of the French code of criminal procedure) from the closure of the account by the User. They are deleted at the end of this period.

For commercial communication, the contact details (email address) of the Client's representative and those of the Client User are kept for a maximum period of 3 years from the last contact with the Data Subjects. They are deleted at the end of this period.

The Personal Data of the Persons Concerned (Customer representative or Client User) necessary for the management of the dispute are kept until all avenues of appeal have been exhausted.

Requests to exercise the rights of Data Subjects (Client representative or Client User) are kept for evidentiary purposes for one year from the Company's response.

1.5 Rights of Data Subjects

The rights recognized to Data Subjects (Client representative or Client User) are:

  • right of access, rectification and erasure of their data under the conditions provided for by the regulations (articles 15 to 17 of the GDPR)
  • right to limit the processing of this data under the conditions provided for by the regulations (article 18 of the GDPR)
  • right to data portability under the conditions provided for by the regulations (article 20 of the GDPR)
  • right to object to the processing of data under the conditions provided for by the regulations (article 21 of the GDPR)
  • right to lodge a complaint with the CNIL
  • right to define directives allowing access to their data in the event of death.

Requests relating to these rights can be made by email to the following address: contact@nybble.bzh, specifying the subject of the request (the right concerned) and attaching any supporting evidence allowing the applicant to be identified (if the Company has doubts) or certifying the mandate in the event of representation.

Article 2: Processing of Personal Data of Nybblers by the Company as Data Controller

2.1 Data subjects and Personal Data

The Personal Data relating to Nybblers and processed by the Company are:

  • For registration on the Platform and identity verification: Identification data (surname, first name, username/alias); Contact data (email address); Date of birth; Nationality; Country of Residence; Phone number.
  • For the invoicing mandate:
    • Individual: Identification data (surname, first name); Nationality ; Contact details (address, region (optional), city, postal code, country).
    • Company: Identification data of the representative (surname, first name); Nationality, Company Identification (company name).
  • For sending information (Nybble events and commercial offers): Email address.
  • For the management of corporate gifts: email address.
  • For the production of statistics on the activities of Nybblers: History of connections; History of report submissions; Rankings; Impact score.
  • For the production of statistics on the activity of the Platform: aggregated data.
  • For the Nybbler classification: History of processed alerts; Answer provided; Processing time.
  • For the publication of Hunter information on the Platform: Identification data (surname, first name, username/pseudo); Contact details (internet accounts); Data relating to activity on the Platform (ranking, score).
  • For the proper functioning of the Services: Connection data to the Services.
  • For the management of requests to exercise rights under the GDPR (access, data portability, etc.): Identification data (surname, first name, username/pseudonym); Contact details (email address); object of the request.
  • For dispute management: Identification data (last name, first name, username/pseudonym); any information necessary to defend Nybble’s rights.

Purposes, by legal basis:

  • Article 6-1(b) of the GDPR: Performance of the Contract
    • Administration and technical and/or commercial management of the Platform and Services
    • Nybblers account management
    • Execution of Services
    • Management of the invoicing mandate
  • Article 6-1(f) of the GDPR: Pursuit of legitimate interests, while respecting the fundamental rights and freedoms of the persons concerned
    • Management of the security of the Platform, Services and Program (legitimate interest: ensuring the proper functioning and security of Nybble's activity)
    • Sending information about Nybble (such as events, news) and on its commercial offers corresponding to services similar to those already provided (legitimate interest: commercial development of Nybble)
    • Production of statistics on the Nybbler's activity / Ranking / Monitoring of activities (legitimate interest: measurement and monitoring of activity on the Platform)
    • Management of corporate gifts (legitimate interest: Nybbler loyalty)
    • Statistics on activity on the Nybble Platform (legitimate interest: measurement and development of the activity of the Nybble Platform on the basis of global indicators)
    • Dispute management (legitimate interest: measurement and development of the activity of the Nybble Platform on the basis of global indicators)
    • Dispute management (legitimate interest: defense of Nybble's rights)
  • Article 6-1(a) of the GDPR: consent of the data subject
    • Publication of Nybbler information on the Platform
  • Article 6-1(c) of the GDPR: Compliance with a legal obligation (in particular article 12 of the GDPR)
    • Management of requests related to the exercise of the rights granted to persons concerned by the processing of personal data

2.3 Recipients of Personal Data

The Nybbler's Personal Data is communicated to authorized personnel of the Company and its Subcontractors ensuring the provision of the Services.

From acceptance of the T&Cs, the Subcontractors are:

  • Microsoft for hosting the Platform (Microsoft Azure – France Central – Paris). More information on the Microsoft website.

Subject to the prior and express consent of the Nybbler, under the conditions provided for in the rules of the Campaign, certain Personal Data (surname, first name, nationality) may be communicated to the Client User by Nybble.

2.4 Conservation of Personal Data

As part of the management of the Nybbler's account and the management of the Platform, the Nybbler's Personal Data is kept for the entire duration of the account opening. They are kept in intermediate archives for an additional period of 6 years for evidentiary purposes (criminal limitation period in accordance with article 8 of the French code of criminal procedure), from the closure of the account. They are deleted at the end of this period.

As part of the management of the invoicing mandate, these are kept for a period of 10 years from the end of the financial year (article L. 123-22 paragraph 2 of the commercial code).

For commercial communication, the contact details (email address) of the Nybbler are kept for a maximum period of 3 years from the last contact with them. They are deleted at the end of this period.

For Nybbler activity statistics, the data is kept for the entire duration of the account opening and is deleted at the end of this period.

The Nybbler's Personal Data necessary for the management of the dispute is kept until all avenues of appeal have been exhausted.

Requests to exercise Nybbler rights are kept for evidentiary purposes for one year from the Company's response.

2.5 Rights of Data Subjects

The rights recognized to Data Subjects (Nybbler) are:

  • right of access, rectification and erasure of their data under the conditions provided for by the regulations (articles 15 to 17 of the GDPR)
  • right to limit the processing of this data under the conditions provided for by the regulations (article 18 of the GDPR)
  • right to data portability under the conditions provided for by the regulations (article 20 of the GDPR)
  • right to object to the processing of data under the conditions provided for by the regulations (article 21 of the GDPR)
  • right to lodge a complaint with the CNIL
  • right to define directives allowing access to their data in the event of death.

Requests relating to these rights can be made by email to the following address: contact@nybble.bzh, specifying the subject of the request (the right concerned) and attaching any supporting evidence allowing the applicant to be identified (if the Company has doubts) or certifying the mandate in the event of representation.

Article 3: Data processing carried out by the Company as joint Data Controller with AUTH0

The Company processes Personal Data relating to the Client User and the Nybbler (in short, to any user registered on the Platform) which is necessary for the creation of the Authentication User account, as Data Controller jointly with AUTH0, also Data Controller, in accordance with Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation) and Law No. 78-17 of January 6, 1978 as amended.

AUTH0, owned by OKTA INC, an American public company listed on NASDAQ (OKTA), whose head office is located at 100 First Plaza, San Francisco, California, U.S., provides a strong Authentication service, necessary for the security and integrity of the Platform provided by the Company.

The Company and AUTH0, as joint controllers of the processing of Personal Data, have entered into a contract to govern their respective obligations with regard to the protection of Personal Data collected and processed, in accordance with article 26 of the GDPR.

3.1 Data subjects and Personal Data

The Personal Data relating to Nybblers and Client Users and processed by the Company are:

  • For creating the account: Identification data (last name, first name, username/alias); Contact data (email address).

The above Personal Data is communicated by the Company to AUTH0, because it is necessary for the opening of the User account on AUTH0. Details relating to the categories of Personal Data processed by AUTH0 for the provision of the authentication service appear in the confidentiality policy accessible at the address: https://www.okta.com/privacy-policy/

Purposes, by legal basis:

  • Article 6-1(b) of the GDPR: Performance of the Contract
    • Creation of the user account
  • Article 6-1(c) of the GDPR: Compliance with a legal obligation (in particular article 12 of the GDPR)
    • Management of requests related to the exercise of the rights granted to persons concerned by the processing of personal data

3.3 Recipients of Personal Data

The Personal Data of the Nybbler and the Client User are communicated to the authorized personnel of the Company and its Subcontractors ensuring the provision of the Services.

From acceptance of the T&Cs, the Subcontractors are:

  • Microsoft for hosting the Platform (Microsoft Azure – France Central – Paris). More information on the Microsoft website.

For AUTH0, the recipients of the Personal Data which are processed for the provision of its services and for the achievement of its own purposes set out above appear in the confidentiality policy accessible at the address: https://www.okta.com/privacy-policy/.

3.4 Conservation of Personal Data

As part of the creation of the Nybbler and Client User account, the Nybbler's Personal Data is kept for the duration of the account opening. They are kept in intermediate archives for an additional period of 6 years for evidentiary purposes (criminal limitation period in accordance with article 8 of the French code of criminal procedure), from the closure of the account. They are deleted at the end of this period.

For AUTH0, the retention periods of Personal Data which are processed for the provision of its services and for the achievement of its own purposes set out above appear in the confidentiality policy accessible at the address: https://www.okta.com/privacy-policy/.

3.5 Rights of Data Subjects

The rights recognized to Data Subjects for processing carried out by the Company are:

  • right of access, rectification and erasure of their data under the conditions provided for by the regulations (articles 15 to 17 of the GDPR)
  • right to limit the processing of this data under the conditions provided for by the regulations (article 18 of the GDPR)
  • right to data portability under the conditions provided for by the regulations (article 20 of the GDPR)
  • right to object to the processing of data under the conditions provided for by the regulations (article 21 of the GDPR)
  • right to lodge a complaint with the CNIL
  • right to define directives allowing access to their data in the event of death.

Requests relating to these rights can be made by email to the following address: contact@nybble.bzh, specifying the subject of the request (the right concerned) and attaching any supporting evidence allowing the applicant to be identified (if the Company has doubts) or certifying the mandate in the event of representation.

The rights recognized to Data Subjects for processing carried out by AUTH0 are:

  • right of access, rectification and erasure of their data under the conditions provided for by the regulations (articles 15 to 17 of the GDPR)
  • right to limit the processing of this data under the conditions provided for by the regulations (article 18 of the GDPR)
  • right to data portability under the conditions provided for by the regulations (article 20 of the GDPR)
  • right to object to the processing of data under the conditions provided for by the regulations (article 21 of the GDPR)
  • right to lodge a complaint with the CNIL
  • right to define directives allowing access to their data in the event of death.

For AUTH0, details of the rights and the methods for exercising these rights appear in the confidentiality policy accessible at the address: https://www.okta.com/privacy-policy/.

Article 4: Cookies

Nybble does not use cookies on its Platform.
AUTH0 uses cookies to maintain the session. Details are provided in the privacy policy available at: https://www.okta.com/privacy-policy/.