Privacy Policy
1. Who Are We?
This Policy informs you of Smart Tribune’s commitments regarding the protection of personal data.
In relation to the personal data processing activities described herein, Smart Tribune (whose legal entity name is JCS WEB), a simplified joint-stock company located at 19 rue du Quatre Septembre, 75002 Paris, acts as the Data Controller.
As Smart Tribune is committed to protecting, respecting, and maintaining the confidentiality of your personal data, a dedicated email address has been set up for any related request: rgpd@smart-tribune.com.
2. What Personal Data Is Processed and For What Purposes?
2.1 Types of Personal Data Collected
Smart Tribune’s Solutions are primarily designed for e-commerce websites and are therefore not intended to collect sensitive data. However, as the Solution includes a free-text input field, it may process sensitive data provided directly by the visitor. Smart Tribune assists its clients in implementing safeguards to ensure only necessary data is collected.
Smart Tribune collects and processes personal data related to you and your use of our Services. The data is categorized as follows:
Client:
- Civil status
- Identification data (name, surname, company, professional contact details, email address, phone number, etc.)
- Financial, billing, and payment information (payments, refunds)
- Identifiers, logs
- Any other information shared with us in the context of your client relationship.
User of the Smart Tribune Solution:
- Data related to the client’s website visitors (unique visitor ID, IP address, technical data, browsing data, etc.)
- Data related to chat interactions (conversation content, number of chats, duration, date, satisfaction survey response, if any)
- Data related to client employees using the solution (name, surname, alias, username, job title at the client company, login data, logs)
- Any other information shared with us through use of the Solution.
Prospect:
- Civil status
- Identification data (name, surname, job title, email address, etc.)
- Any other information shared in the context of your interest in our Solutions.
User of the Smart Tribune Website:
- Strictly necessary cookies
- Functional cookies
- Performance cookies
- Marketing cookies.
2.2 Purposes of Data Processing
Data processing by Smart Tribune is carried out for the following purposes:
For our Clients:
- To provide the requested Services under the Subscription Agreement (creation, configuration, and maintenance of Smart Tribune Solutions)
- To assist you in using the Services
- To contact you with invitations to webinars, updates on features and developments, newsletters, and other marketing communications
- To manage our customer relationship with you (contracts, invoices, etc.)
- To handle unpaid invoices, disputes or pre-litigation matters, respond to public authority requests, and combat money laundering or terrorism financing.
For users of the Solution:
- To create an archive record for legal purposes, including dispute and pre-litigation management
- To provide reliable and improved services
- To develop new services and/or features
- To create new services involving the use of artificial intelligence models, provided that personal data may be used for training the AI model.
For our prospects:
- To contact you for a demonstration of our Solutions and to send commercial communications.
For Smart Tribune Website Users:
- Strictly necessary cookies: Ensure proper functioning of the Services
- Functional cookies: Store previously entered information and personalize/optimize your experience
- Performance cookies: Help us understand how the Services are used and report usage anonymously
- Marketing cookies: Track usage of the Services to improve user experience.
2.3 Legal Bases for Data Processing
We only process personal data where at least one of the following conditions is met:
- You have given your consent for the processing operation
- A legitimate interest exists for Smart Tribune or a third party to justify the processing
- The execution of a contract binding us to you requires the processing
- We are subject to legal or regulatory obligations that require the processing.
3. Sharing Your Data with Third Parties
The personal data we collect, along with any subsequently gathered data, is intended for our use as the Data Controller.
In connection with the use of our Services, some of your personal data may be processed by third parties for the purposes outlined above. When sharing data with third parties, we ensure they provide the same level of protection and legal compliance as we do.
The categories of third parties with whom we may share your data include:
- Smart Tribune personnel (relevant teams such as HR, marketing, accounting, etc.)
- Our Processors, which fall into two categories:
- Service providers, who process personal data on our behalf to help us deliver the Services and information you’ve requested or that we believe may interest you
- Specialist partners and service providers, including system integrators, software publishers, and developers, to enable them to deliver Services you have requested or may find of interest
- Credit agencies, anti-fraud entities, governmental authorities, or any other third party as required to meet our legal obligations and protect our business.
For more information regarding the processing terms between Smart Tribune and its Processors, please refer to Appendix 1.
4. Hosting of Your Personal Data
Your data is hosted on Amazon Web Services. We also have partnerships with Microsoft Azure, OVH, WPServeur, and Hetzner. The data is stored on servers located within the European Union.
In order to provide the Services, we may transfer some of your personal data to third-party service providers located in, or using servers located in, countries outside the European Union (“EU”) and the European Economic Area (“EEA”). In such cases, we ensure that:
- The country in which the recipient is located has been recognized by the European Commission as offering an adequate level of protection for personal data, or
- If the recipient is located in the United States or in another country outside the EEA, they comply with contractual provisions that ensure an equivalent level of protection (such as the Standard Contractual Clauses approved by the European Commission).
5. Data Retention Periods
We retain your personal data only for as long as necessary for the purposes for which it was collected. Accordingly, our data retention policy is organized as follows:
- Clients and suppliers: Legal retention period of 5 years, extended by the duration of the contract
- Accounting documents: 10 years
- Prospects: 3 years from the last interaction
- Cookies: 13 months from consent
- Newsletters: Until unsubscription
- Webinars: Duration of the webinar organization + 3 years
- Job applicants: 2 years after a rejection decision
- Any other case: For as long as necessary to comply with legal or regulatory obligations applicable to Smart Tribune.
6. Your Rights and How to Exercise Them
The rights granted to you under data protection laws are detailed below. For any questions regarding your personal data or to exercise one of your rights, you may contact us at:
📧 rgpd@smart-tribune.com
📬 Smart Tribune, 19 rue du Quatre Septembre, 75002 Paris, France
In accordance with applicable regulations, you must clearly state your full name, the address where you wish to receive a response, and include a copy of an identity document bearing your signature.
As a rule, you can exercise all your rights free of charge. However, for the right of access, a reasonable fee based on administrative costs may be charged for any additional copies of the data requested.
Your Right to Information
You are not entitled to request information already provided to you. However, Smart Tribune will always notify you by email or post if it cannot comply with your request.
Please note that failure to provide or the modification of your personal data may affect the processing of certain requests in the context of fulfilling contractual obligations. Your request to exercise your rights will be retained for record-keeping purposes.
By accepting this notice, you acknowledge being informed of the purposes, legal basis, legitimate interests, recipients or categories of recipients with whom your personal data is shared, and any potential transfer to a third country or international organization.
Should we process your personal data for purposes other than those initially stated, you will be informed of these new purposes.
Your Right of Access and Rectification
You have the right to access your personal data and request its rectification. This includes:
- Confirmation as to whether your personal data is being processed;
- Access to your personal data and the following information:
- Processing purposes
- Categories of personal data involved
- Recipients or categories of recipients, including international organizations, to whom personal data has been or will be disclosed
- Where possible, the intended data retention period or the criteria used to determine that period
- The existence of rights to rectification, erasure, restriction of processing, or objection to processing
- The right to lodge a complaint with a supervisory authority
- Information about the source of the data (when not collected directly from you)
- The existence of automated decision-making, including profiling, and relevant information about the underlying logic and consequences for you.
You may request that your data be rectified, completed, or updated if it is inaccurate, incomplete, equivocal, or outdated.
Your Right to Erasure
You may request the erasure of your personal data where one of the following conditions is met:
- The data is no longer necessary for the purposes for which it was collected or otherwise processed
- You withdraw your previously given consent
- You object to the processing and there is no overriding legal basis for continuing it
- The data has been unlawfully processed
- The data was collected from a child under the age of 16 in connection with an offer of information society services
However, this right does not apply where retention is necessary to comply with legal or regulatory obligations, or for the establishment, exercise, or defense of legal claims.
Your Right to Restrict Processing
You may request the restriction of processing of your personal data in the cases provided for by applicable legislation.
Your Right to Object to Processing
You may object to the processing of your personal data where the processing is based on the legitimate interest of the controller or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Your Right to Data Portability
Since May 25, 2018, you have the right to data portability. This right applies to:
- Personal data concerning you, excluding anonymized or third-party data
- Declarative and operational personal data as previously described
- Personal data that does not infringe on the rights and freedoms of others, including data protected by trade secrets
This right is limited to processing based on your consent or a contract and only applies to personal data you have provided. It does not include derived or inferred data created by Smart Tribune.
Your Right to Withdraw Consent
Where the processing of your personal data is based on your consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing carried out prior to the withdrawal.
Your Right to Lodge a Complaint
You may lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés) in France, without prejudice to any other administrative or judicial remedy.
Your Right to Set Post-Mortem Directives
You may provide instructions regarding the retention, deletion, and communication of your personal data after your death. These instructions may be registered with a trusted third party certified to enforce the wishes of the deceased in accordance with applicable legal requirements.
CONCLUSION
🤝 In summary, your personal data is collected and processed in order to:
- Allow you to subscribe to one of Smart Tribune’s solutions,
- Provide you with the Services requested under the Subscription Agreement (including the creation, configuration, and maintenance of your Smart Tribune Solutions),
- Assist you in your use of the Services,
- Invite you to our webinars and other client-related events,
- Contact you to keep you informed about our latest features and developments,
- Send you our newsletter and other commercial communications,
- Manage our customer relationship with you (contracts, invoicing, etc.).
In this context, if you choose not to provide us with your personal data, please note that this may result in our inability to deliver the Smart Tribune Solution, invite you to webinars, or send you the newsletter.
Appendix 1: Data Protection Agreement
Preamble
This Appendix applies to the processing of personal data carried out by Smart Tribune and the Processor in connection with the provision by Smart Tribune of a SaaS self-care service. This document constitutes an independent document intended to define the respective obligations of the Parties to ensure compliance with applicable data protection laws and privacy regulations.
1. Purpose
This Appendix aims to define the conditions under which the Processor agrees to carry out, on behalf of the Data Controller (Smart Tribune), the processing operations of personal data defined below, and the Processor’s obligations in this context.
As part of their contractual relationship, the Parties undertake to comply with the applicable data protection laws, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable since 25 May 2018 (hereinafter the “General Data Protection Regulation” or “GDPR”).
2. Description of the Processing Subject to Subprocessing
The Processor will process, on behalf of the Data Controller, the personal data necessary to provide the Solution(s) ordered by the Client (self-care services).
2.1 Nature of Processing
The nature of the operations carried out on the data includes, in particular: collection, recording, organization, structuring, storage, adaptation, modification, consultation, anonymization, encryption.
2.2 Purpose of the Processing
The purpose(s) of the processing are: the design of the Solution by the Processor for the Client.
2.3 Categories of Data Subjects
The categories of data subjects include:
- Authorized personnel of the Data Controller: employees of the Data Controller or any individual authorized to use the solution or manage the commercial relationship with the Processor (procurement, billing, project management, etc.).
- End users (i.e., users of the Client’s websites using the Solution/application).
2.4 Types of Personal Data
The personal data processed are:
For the Data Controller’s personnel:
- Civil status,
- Identification data (name, first name, company, professional contact details, email address, phone number, etc.),
- Credentials, logs,
- Any other information shared with us in the context of the Client relationship.
For users:
- Data relating to visitors of the Client’s website (unique visitor ID, IP address, technical data, browsing data, etc.),
- Data relating to chat conversations (conversation content, number of chats, duration, date, satisfaction survey responses, where applicable),
- Data relating to the Client’s employees using the solution (name, first name, alias, username, role within the Client’s company, login data, logs),
- Any other information shared with us in connection with your use of the Solution.
For the performance of the service covered by this agreement, the Data Controller shall provide the Processor with the necessary information as set out in the special terms and conditions.
2.5 Duration of Processing
Unless otherwise agreed between the Parties, the duration of the processing depends on the performance of the Smart Tribune service (including the Subscription period).
3. Obligations of the Processor towards the Controller
The Processor undertakes to:
- Process the data solely for the specific purpose(s) covered by the subcontracting arrangement.
- Process and host, for the entire duration of the Agreement and to the extent possible, the personal data in data centers located within the European Union.
- Process the data in accordance with the instructions provided by the Controller, as set out in the annex to this Agreement.
- If the Processor considers that an instruction constitutes a breach of the European data protection regulation or of any other Union or Member State data protection provision, the Processor shall immediately inform the Controller.
- Furthermore, if the Processor is required to transfer data to a third country or an international organization under Union or Member State law to which it is subject, it shall inform the Controller of this legal requirement before processing, unless the relevant law prohibits such notification on important grounds of public interest.
- Ensure the confidentiality of personal data processed under this Agreement. In particular, the Processor shall, as far as possible, anonymize and encrypt any data potentially provided by users that has not already been anonymized by the Controller.
- Ensure that persons authorized to process personal data under this Agreement are bound by confidentiality obligations or are subject to an appropriate statutory confidentiality duty and receive the necessary training on personal data protection.
- Incorporate data protection by design and by default principles into its tools, products, applications, or services.
- Provide the Client with the necessary assistance and information to carry out a data protection impact assessment, if required.
Subprocessing:
The Processor may engage another processor (hereinafter, the “Sub-processor”) to carry out specific processing activities.
In any event, the Processor shall remain solely responsible to the Controller for all obligations under this Annex.
It is the Processor’s responsibility to ensure that the Sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing complies with the requirements of the GDPR.
If the Sub-processor fails to fulfill its data protection obligations, the initial Processor shall remain fully liable to the Controller for the Sub-processor’s compliance with its obligations.
The Processor is free to update the list of Sub-processors, but must inform the Controller in advance and in writing of any intended changes concerning the addition or replacement of other Sub-processors. This notice must clearly indicate the subcontracted processing activities and the identity and contact details of the new Sub-processor.
The Controller shall have a minimum period of 8 (eight) calendar days from receipt of the information to raise any objections. The proposed subcontracting may only proceed if the Controller has not objected within the specified period.
4. Obligations of the Processor
The Processor undertakes to comply with the Regulation and shall generally ensure that the Data:
- Are processed lawfully, fairly, and transparently.
- Are collected for specified, explicit, and legitimate purposes.
- Are adequate, relevant, and limited to what is necessary in relation to the purposes pursued. Accordingly, the Processor undertakes to anonymize or pseudonymize the Data as much as possible within the scope of the Agreement.
- Are retained in a form allowing the identification of Data Subjects only for a period not exceeding what is necessary for the purposes pursued. Specifically, the Processor undertakes to provide the Sub-processor, and keep up to date for the duration of the Agreement, all necessary written information and instructions for the performance of the Processing activities (including a detailed description of the purposes, the associated retention periods, the types of Data to be processed, and the categories of Data Subjects).
- Where applicable, obtain the consent of Data Subjects for the processing of their data and inform them of their rights, as well as the fact that the Processor additionally undertakes, depending on the industry in which it operates — particularly if it is a regulated sector and/or if the Services involve or implement special categories of Data under the GDPR (such as health data, data of minors) — to inform the Sub-processor of the specific rules applicable to it in terms of the protection and security of such Data and to provide all useful written instructions and documentation for this purpose. The same applies if the Sub-processor is an administration, a public institution, an organization, or another public or equivalent legal entity.
The Processor also undertakes to prepare and update, if necessary, a data protection impact assessment in accordance with CNIL guidelines and to share it with the Sub-processor upon request.
Furthermore, if the Processor implements a chatbot, it undertakes to clearly and concisely include on the chatbot’s homepage a notice discouraging users from entering sensitive Data.
5. Security Measures
The Processor undertakes to ensure the security of personal data and to maintain their integrity and confidentiality.
To this end, the Processor agrees to design and implement all appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to:
- pseudonymization and encryption of personal data,
- the means to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services,
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6. Data Subject Information
It is the responsibility of the Controller to inform the data subjects of the processing operations at the time of data collection.
7. Exercise of Data Subjects’ Rights
It is reiterated that data subjects are free to exercise their rights with and against the Controller. The Parties undertake to cooperate with each other to enable prompt and effective handling of any request and to ensure a response is given to the data subject within the legal timeframe of one (1) month from receipt of the request.
Where possible, the Processor shall assist the Controller in fulfilling its obligation to respond to requests to exercise data subject rights (as referred to in Article 6 above).
When data subjects submit such requests directly to the Processor, and the request pertains solely to processing carried out on behalf of the Controller, the Processor undertakes to forward such requests as soon as received to: rgpd@smart-tribune.com.
Where a request is made to the Controller and the Controller is unable to respond without the assistance of the Processor, the Controller undertakes to promptly contact the Processor’s designated point of contact.
If the request is made to the Processor and does not specifically concern processing carried out on behalf of the Controller, the Processor may respond directly to the data subject without informing the Controller.
8. Personal Data Breach Notification
The Processor shall notify the Controller of any personal data breach without undue delay after becoming aware of it, and in accordance with the formal and substantive requirements of the GDPR, so as to allow the Controller to notify the competent supervisory authority.
The Controller is responsible for informing the data subjects without undue delay.
9. Data Return or Deletion
At the end of the Subscription, the Processor undertakes, at the Parties’ discretion, to:
- Destroy all personal data, or
- Return all personal data to the Controller, or
- Return the personal data to a sub-processor designated by the Controller.
The return must be accompanied by the destruction of all existing copies in the Processor’s information systems. If European Union or Member State law requires the retention of personal data, the Processor shall inform the Controller of this obligation.
The Processor undertakes to provide, upon request by the Controller, a certificate of destruction.
10. Recordkeeping
The Processor declares that it maintains a written record of all categories of processing activities carried out on behalf of the Controller, including:
- the name and contact details of the Controller on whose behalf it is acting, any sub-processors, and, where applicable, the Data Protection Officer;
- the categories of processing carried out on behalf of the Controller;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of such third country or organization, and, in the case of transfers referred to in Article 49(1)(2) of the GDPR, the documentation of suitable safeguards.
11. Documentation and Audit
The Processor shall make available to the Controller all documentation necessary to demonstrate compliance with all its obligations.
The Controller retains the right to conduct an annual audit of the Solution in order to verify the adequacy of the technical and organizational measures implemented by the Processor, subject to providing reasonable advance notice (no less than 10 business days), and conducting the audit during the Processor’s business hours.
Audit costs shall be borne by the Controller, and the Processor shall invoice the Controller for any human or machine resources used during the audit.
The results of such audits shall be subject to confidentiality obligations binding on both Parties.