as of May 7th, 2019
Privacy and security are of utmost importance to Harvestr and we strive to ensure that our technical and organisational measures in place respect your data protection rights.
In subscribing to our services or filling in a contact form on our website (harvestr.io) or other sites owned by Harvestr, you agree and accept that we may gather, process, store and/or use the personal data submitted in accordance with the rules set forth below.
By giving your consent to us, you also retain the right to have your personal data rectified, to be forgotten and/or to be erased.
PERSONAL DATA COLLECTED
1. Identity and contact details of the data processor
Personal data is collected on our website by Harvestr SAS, a Société par Actions Simplifiée registered under the laws of France under number 839 239 704 with the Créteil Trade & Companies Register, and having its registered office at 5 avenue du Général De Gaulle 94160 Saint-Mandé, France.
2. Data collected on the site
When you subscribe to our services, the following data is collected and managed: email, first name, last name, Intracommunity VAT number where applicable, login, postal address, country, telephone number, IP address(es) and domain name.
By using our services, the following data is collected and managed: log-on data and browsing data where you authorise it, order history, complaints, incidents, information on subscriptions and messages on our site. Some data is collected automatically by reason of your activity on the site (see paragraph on cookies below).Please be advised that we may for the purpose of delivering our services have access to some personal information of your customers (for instance their email address).
The data submitted should not include any sensitive personal data, such as Government identifiers (i.e. social security, driving licence, or taxpayer identification numbers), complete credit card or complete personal bank card numbers, medical records or particulars connected with applications for care or treatment associated with private individuals.
3. Purposes of processing and legal basis
The principal purpose of collecting your personal data is to offer you a safe, optimum, efficient and personalised experience. To this end, you agree and accept that we may use your personal data to:
- provide our services and facilitate performance, including verifications relating to you;
- resolve any problems so as to improve the use of our site and services;
- personalise, assess, and improve our services, content and materials;
- analyse the volume and history of your use of our services;
- inform you about our services as well as our partners’ services and/or promotional offers;
- comply with legal and regulatory obligations.
We use the personal data submitted to us only in accordance with the applicable data protection legislation.
For our clients who have signed up on our website, we process your personal data for the performance of the contract between us to provide our services.
For our newsletter, use case studies and marketing material sign ups, we process your personal data based on the express consent you provide for this specific purpose.
We may share non-personally identifiable information (such as visiting pages, exit pages, number of clicks etc.) with third-parties to help us to understand the usage patterns for certain services.
4. Newsletter and marketing emails
For those of you that have expressly opted in to receive our Harvestr newsletter, you are easily able to unsubscribe by following the “unsubscribe” links included in every email.
5. Email statistics
Without systematically doing so, we may analyse and track the various rates (for example: click, open, bounce rates) and the number of emails sent which you open to assess performance rates on our emailing campaigns.
Harvestr may publish a list of Customers & Testimonials on its site with information on our customers’ names and job titles. Harvestr undertakes to obtain the authorisation of every customer before publishing any testimonial on its website. If you wish to be removed from this list, you can send us an email to email@example.com and we will delete your information promptly.
7. Third party disclosures
Personal data relating to you collected on our website are destined for Harvestr’s own use and may be forwarded to Harvestr’s partner companies so that we may obtain assistance and support in the context of carrying out our services. Harvestr ensures that it has in place clear data protection requirements for all of its third party providers.
Harvestr does not sell or rent your personal data to third parties for marketing purposes whatsoever.
In addition, Harvestr does not disclose your personal data to third parties, except if: (1) you (or your account administrator acting on your behalf) requests or authorises disclosure thereof; (2) the disclosure is required to process transactions or supply services which you have requested (i.e. to check you are employing best practice in your mailings or for the purposes of processing an acquisition card with credit-card issuing companies); (3) Harvestr is compelled to do so by a government authority or a regulatory body, in the case of a court order, a summons to appear in court or any other similar requisition from a government or the judiciary, or to establish or defend a legal application; or, (4) the third party is a subcontractor or sub-processor of Harvestr in the carrying out of services (for example: Harvestr uses the services of an Internet provider or a telecommunications company). In any event Harvest will make sure that the recipients of the data comply with the applicable data protection regulation.
In accordance with Article 28 of the GDPR, access to your Personal Data by our sub-processors is subject to the signature of a written agreement which allows us to monitor and control the way our sub-processors handle your personal data.
8. Your data protection rights
In accordance with the French Data Protection Laws and the European General Data Protection Regulation 2016/679 (GDPR) you have a right of access, correction and removal of your personal data which you may exercise by sending us a support ticket directly on the support chat (either on the website or on the app) or, by sending an email at firstname.lastname@example.org. Your requests will be processed within a reasonable timeframe that cannot exceed 30 days as from the receipt by Harvestr of the request sent by the given user. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated in a timely manner. We may require that your request be accompanied by a photocopy of proof of identity or authority (copy of a valid ID document). This is a security measure to ensure that your personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to improve the efficiency of our response.
You are also able at any time to modify personal data by logging into your account and clicking on “User Settings”.
You in particular benefit from the following rights:
1/ Access and communication of your personal data
You may at any time request an access to your personal data processed by Harvestr.
Harvestr may oppose a given request should it be considered as being obviously abusive (such as, in particular, in the event or recurrent or systematic requests from a given user).
2/ Amendment/rectification of the personal data
You may request to amend, update, lock or delete your personal data that may be incorrect, partial or obsolete. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. You may additionally define the guidelines applicable to your personal data in the event of your death.
3/ Right of opposition
You may exercise your opposition right for (i) legitimate reasons or (ii) to oppose to the commercial use of your personal data.
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data. Harvestr shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4/ Right to erasure
You have the right to obtain from Harvestr the erasure of your personal data without undue delay, in particular if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Upon such request, Harvestr shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to proceed with the erasure of any links to, or copy or replication of, those personal data.
5/ Right to restrict the processing
You have the right to obtain from Harvestr a restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by you, for a period enabling Harvestr to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (iii) Harvestr no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; (iv) you have objected to processing pending the verification whether the legitimate grounds of Harvestr override those of the data subject.
Harvestr undertakes to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform you about those recipients if you request it.
6/ Data portability
You have the right to receive your personal data that you have provided to Havestr, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another company without hindrance from Harvestr. You have the right to have the personal data transmitted directly from Harvestr to another company, where technically feasible.
If you consider that Harvestr does not comply with its obligation in terms of data protection, you have the right to lodge a complaint with a supervisory authority, the relevant regulatory body being the CNIL (Commission Nationale de l’Informatique et des Libertés), to the following address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France.
In the event of any complaint, please contact us in priority: email@example.com or by mail to: Harvestr SAS, Attn: Valentin Berthomier, 5 avenue du Général De Gaulle 94160 Saint-Mandé, France.
You may at any time withdraw you consent as to the use of your personal date where we are relying on such consent to process your personal data. Please note that such withdrawal will not affect the lawfulness of any processing carried out before you withdrew your consent. If you withdraw your consent or fail to provide the requested personal data, we may not be able to provide you with whole or part of the service. We will advise you if this is the case at the time you withdraw your consent.
1/ Types of cookies used
The cookies used by Harvestr are intended to enable or facilitate communication, to enable the services requested by users to be supplied, to recognise users when they re-visit the site, to secure payments which users may make, to register the language spoken by users or other preferences necessary for the service requested to be supplied.
Harvestr also uses analytics and tracking tools to measure website and digital data to gain customer insights, to carry out analyses on browsing experience so as to improve content, and to send targeted advertisements.
2/ Cookie management
By default, cookies are not installed automatically (with the exception of those cookies needed to run the site and Harvestr’s services, and you are informed of their installation by a banner). In accordance with the regulations that apply, Harvestr will require your authorisation before implanting any other kind of cookie on your hard drive. To avoid being bothered by these routine requests for authorisation and to enjoy uninterrupted browsing, you can configure your computer to accept Harvestr cookies or we are able to remember your refusal or acceptance of certain cookies. By default, browsers accept all cookies.
Depending on the browser used by Users, the methods for deleting cookies are as follows:
On Internet Explorer
- Click the Tools button, then Internet Options.
- Under the General tab, under Navigation History, click Settings.
- Click the Show Files button.
- Select the cookies to refuse and click on delete.
- Click on the Browser Tools icon, select the Options menu.
- In the window that appears, choose “Privacy” and click on “Display cookies”.
- Select the cookies to refuse and click on delete.
- Click the Edit icon, select the Preferences menu.
- Click on Security and then on Show cookies.
- Select the cookies to refuse and click on delete.
On Google Chrome
- Click on the Tools icon, select the Options menu then click the Advanced Options tab.
- And access the “Confidentiality” section.
- Click on the “Show Cookies” button.
- Select the cookies to refuse and click on delete.
You can choose to decline acceptance of all cookies, but your ability to browse certain pages of the site may be reduced.
3/ Duration of cookies
Cookies are placed on the User’s terminal for a maximum period of 13 months from the date of the User’s consent.
After this period, consent will be re-obtained.
THIRD PARTY DATA
In the context of using our services, namely managing customer feedback and creating contact lists, Harvestr has access to the contact lists you create, as well as the subject and content of the messages stored in your account.
This data is stored on secure servers and only a limited number of people are authorised to access your messages, in particular for the purpose of providing support services.
You are easily able to recover your contact lists from your Harvestr account at any time, by clicking on the “export” button. You may also modify and or delete contacts at any time from your account.
In no case does Harvestr sell, share or rent out your contact lists to third parties, nor does it use them for any purposes other than those set forth in this policy. We will use the information from your contact lists only for legal requirements, to invoice and collect summaries for our own statistics and for the purposes of providing you with customer support services.
As creator of the messages and contact lists, you are considered the data controller within the meaning of the GDPR, and Harvestr is acting only as a data processor. In this capacity, you are responsible in particular for:
- making all the declarations necessary to the relative data protection authority,
- complying with all current regulations in force, including the data protection laws,
- obtaining the explicit consent of the persons concerned when collecting their personal data,
- ensuring your authority to use the personal data collected in accordance with the defined end purposes and refraining from any unauthorised use.
If a recipient of your emails sent via our services requests us to modify or delete his/her personal data, we will honor that request after proper verification and will inform you of it.
DATA RETENTION PERIODS
Harvestr collects your personal data for the purpose of carrying out its contractual obligations as well as information about how and when you use our services and we retain this data in active databases, log files or other types of files so long as you use our services.
Harvestr only stores your data for the time needed to provide to you our services, and in no event no longer than 3 months after closing your account (unless otherwise required by law). You are able to access your personal data for as long as you hold an active account with us and for a period that varies depending on the type of data concerned. Your event data (statistics, for example), will be deleted every 13 months during active use of your account. Other data may be deleted at any time during active use of your account in accordance with the provisions set forth above.
LOCATION OF DATA STORAGE AND TRANSFERS
The host servers on which Harvestr processes and stores its databases are located exclusively within the European Union and in the United Kingdom.
Harvestr will inform you immediately, to the extent we are legally authorised to do so, in case of any application or order originating from an administrative or judicial authority relating to your personal data.
In order to perform our services, we may transfer some of your Personal Data to third party service providers located or using servers located outside the European Union (the “EU”) and the European Economic Area (the “EEA”). In such a case, we make sure that:
- they are located in a country considered having an adequate level of protection by the European Union in terms of personal data or,
- if located in the United States:
- they are registered in the “Privacy Shield” register and that they comply with its provisions or,
- they abide by contractual provisions ensuring an equivalent level of protection of your Personal Data (such as standard contractual clauses established by the European Commission).
Within the framework of its services, Harvestr attributes the very highest importance to the security and integrity of its customers’ personal data.
Thus and in accordance with the GDPR, Harvestr undertakes to take all pertinent precautions in order to preserve the security of the data and, in particular, to protect them against any accidental or unlawful destruction, accidental loss, corruption, unauthorised circulation or access, as well as against any other form of unlawful processing or disclosure to unauthorised persons.
To this end, Harvestr implements industry standard security measures to protect personal data from unauthorised disclosure. In using industry recommended methods of encoding, Harvestr takes the measures necessary to protect information connected with payments and credit cards.
Harvestr undertakes to put in place the following organisational and technical safety measures: (i) means allowing to ensure the confidentiality (data pseudonymisation, encryption, etc.), the integrity, availability and permanent resiliency of the processing systems and services; (ii) means allowing to restore the availability of the personal data and access to such data within an appropriate timeframe in the event of material or technical issue; (iii) process allowing to regularly test, analyse and evaluate the efficiency of the technical and organizational safety in place to ensure the safety of the data processing, (iv) only make the personal data available to its officers duly authorised on the basis of their functions and role, to the extent strictly necessary to the due performance of their functions (need to know basis).
Such measures shall comply with the GDPR provisions.
Harvestr shall be responsible for the compliance with these provisions and more generally the GDPR by its employees and affiliates (and their employees).
Moreover, in order to avoid in particular all unauthorised access, to guarantee accuracy and the proper use of the data, Harvestr has put the appropriate electronic, physical and managerial procedures in place with a view to safeguarding and preserving the data gathered through its services.
Nothwithstanding this, there is no absolute safety from piracy or hackers. That is why in the event a breach of security were to affect you, Harvestr undertakes to inform you thereof without undue delay (that cannot exceed 48 hours as from our knowledge of the breach) and to use its best efforts to take all possible measures to neutralise the intrusion and minimise the impacts. The notification will be accompanied by any appropriate documentation to allow, if necessary, the notification to be made to any regulation body. This notification will describe in clear and plain language the nature of the personal data breach and at least (i) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects involved and the categories and approximate number of personal data records concerned; (ii) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (iii) describe the likely consequences of the personal data breach; and (iv) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
We undertake to notify the competent supervisory authority (the CNIL) of the personal data breaches without undue delay and, where feasible, not later than 72 hours after having become aware of them, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons.
You should keep in mind that any user, customer or hacker who discovers and takes advantage of a breach in security renders him or herself liable to criminal prosecution and that Harvestr will take all measures, including filing a complaint and/or bringing court action, to preserve the data and the rights of its users and of itself and to limit the impacts.
Where we have given you (or where you have chosen) a password that enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
If you have questions, you can email us and our Data Protection Officer directly at: firstname.lastname@example.org or by mail to: Harvestr SAS, Attn: Valentin Berthomier, 5 avenue du Général De Gaulle 94160 Saint-Mandé, France