Privacy Policy

1. Who Are We ?

This Policy informs you of Smart Tribune’s commitments regarding the protection of personal data.

In relation to the personal data processing activities described herein, Smart Tribune (whose legal entity name is JCS WEB), a simplified joint-stock company located at 19 rue du Quatre Septembre, 75002 Paris, acts as the Data Controller.

As Smart Tribune is committed to protecting, respecting, and maintaining the confidentiality of your personal data, a dedicated email address has been set up for any related request : rgpd@smart-tribune.com.

 

2. What Personal Data Is Processed and For What Purposes ?

2.1 Types of Personal Data Collected

Smart Tribune’s Solutions are primarily designed for e-commerce websites and are therefore not intended to collect sensitive data. However, as the Solution includes a free-text input field, it may process sensitive data provided directly by the visitor. Smart Tribune assists its clients in implementing safeguards to ensure only necessary data is collected.

Smart Tribune collects and processes personal data related to you and your use of our Services. The data is categorized as follows :

Client

 

User of the Smart Tribune Solution

Prospect

 

User of the Smart Tribune Website

 

2.2 Purposes of Data Processing

Data processing by Smart Tribune is carried out for the following purposes :

 

For our Clients

For users of the Solution :

For our prospects : 

 

For Smart Tribune Website Users

 

 2.3 Legal Bases for Data Processing

We only process personal data where at least one of the following conditions is met :

 

3. Sharing Your Data with Third Parties

The personal data we collect, along with any subsequently gathered data, is intended for our use as the Data Controller.

In connection with the use of our Services, some of your personal data may be processed by third parties for the purposes outlined above. When sharing data with third parties, we ensure they provide the same level of protection and legal compliance as we do.

The categories of third parties with whom we may share your data include:

For more information regarding the processing terms between Smart Tribune and its Processors, please refer to Appendix 1.

 

4. Hosting of Your Personal Data

Your data is hosted on Amazon Web Services. We also have partnerships with Microsoft Azure, OVH, WPServeur, and Hetzner. The data is stored on servers located within the European Union.

In order to provide the Services, we may transfer some of your personal data to third-party service providers located in, or using servers located in, countries outside the European Union (“EU”) and the European Economic Area (“EEA”). In such cases, we ensure that:

 

5. Data Retention Periods

We retain your personal data only for as long as necessary for the purposes for which it was collected. Accordingly, our data retention policy is organized as follows:

 

6. Your Rights and How to Exercise Them 

The rights granted to you under data protection laws are detailed below. For any questions regarding your personal data or to exercise one of your rights, you may contact us at :

 📧 rgpd@smart-tribune.com
📬 Smart Tribune, 19 rue du Quatre Septembre, 75002 Paris, France

In accordance with applicable regulations, you must clearly state your full name, the address where you wish to receive a response, and include a copy of an identity document bearing your signature.

As a rule, you can exercise all your rights free of charge. However, for the right of access, a reasonable fee based on administrative costs may be charged for any additional copies of the data requested. 

 

Your Right to Information

You are not entitled to request information already provided to you. However, Smart Tribune will always notify you by email or post if it cannot comply with your request.

Please note that failure to provide or the modification of your personal data may affect the processing of certain requests in the context of fulfilling contractual obligations. Your request to exercise your rights will be retained for record-keeping purposes.

By accepting this notice, you acknowledge being informed of the purposes, legal basis, legitimate interests, recipients or categories of recipients with whom your personal data is shared, and any potential transfer to a third country or international organization.

Should we process your personal data for purposes other than those initially stated, you will be informed of these new purposes.

 

Your Right of Access and Rectification

You have the right to access your personal data and request its rectification. This includes:

You may request that your data be rectified, completed, or updated if it is inaccurate, incomplete, equivocal, or outdated.

 

Your Right to Erasure

You may request the erasure of your personal data where one of the following conditions is met :

However, this right does not apply where retention is necessary to comply with legal or regulatory obligations, or for the establishment, exercise, or defense of legal claims.

 

Your Right to Restrict Processing

You may request the restriction of processing of your personal data in the cases provided for by applicable legislation.

 

Your Right to Object to Processing

You may object to the processing of your personal data where the processing is based on the legitimate interest of the controller or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

 

Your Right to Data Portability

Since May 25, 2018, you have the right to data portability. This right applies to:

This right is limited to processing based on your consent or a contract and only applies to personal data you have provided. It does not include derived or inferred data created by Smart Tribune.

 

Your Right to Withdraw Consent

Where the processing of your personal data is based on your consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing carried out prior to the withdrawal.

 

Your Right to Lodge a Complaint

You may lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés) in France, without prejudice to any other administrative or judicial remedy.

 

Your Right to Set Post-Mortem Directives

You may provide instructions regarding the retention, deletion, and communication of your personal data after your death. These instructions may be registered with a trusted third party certified to enforce the wishes of the deceased in accordance with applicable legal requirements.

 

CONCLUSION

 

🤝 In summary, your personal data is collected and processed in order to :

In this context, if you choose not to provide us with your personal data, please note that this may result in our inability to deliver the Smart Tribune Solution, invite you to webinars, or send you the newsletter.

 

Appendix 1: Data Protection Agreement

 

Preamble
This Appendix applies to the processing of personal data carried out by Smart Tribune and the Processor in connection with the provision by Smart Tribune of a SaaS self-care service. This document constitutes an independent document intended to define the respective obligations of the Parties to ensure compliance with applicable data protection laws and privacy regulations.

1. Purpose

This Appendix aims to define the conditions under which the Processor agrees to carry out, on behalf of the Data Controller (Smart Tribune), the processing operations of personal data defined below, and the Processor’s obligations in this context.

As part of their contractual relationship, the Parties undertake to comply with the applicable data protection laws, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable since 25 May 2018 (hereinafter the “General Data Protection Regulation” or “GDPR”).

2. Description of the Processing Subject to Subprocessing

The Processor will process, on behalf of the Data Controller, the personal data necessary to provide the Solution(s) ordered by the Client (self-care services).

2.1  Nature of Processing
The nature of the operations carried out on the data includes, in particular: collection, recording, organization, structuring, storage, adaptation, modification, consultation, anonymization, encryption.

2.2  Purpose of the Processing
The purpose(s) of the processing are: the design of the Solution by the Processor for the Client.

2.3  Categories of Data Subjects
The categories of data subjects include:

2.4 Types of Personal Data

The personal data processed are:

For the Data Controller’s personnel:

For users:

For the performance of the service covered by this agreement, the Data Controller shall provide the Processor with the necessary information as set out in the special terms and conditions.

2.5 Duration of Processing

Unless otherwise agreed between the Parties, the duration of the processing depends on the performance of the Smart Tribune service (including the Subscription period).

3. Obligations of the Processor towards the Controller

The Processor undertakes to:

Subprocessing:
The Processor may engage another processor (hereinafter, the “Sub-processor”) to carry out specific processing activities.

In any event, the Processor shall remain solely responsible to the Controller for all obligations under this Annex.

It is the Processor’s responsibility to ensure that the Sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing complies with the requirements of the GDPR.

If the Sub-processor fails to fulfill its data protection obligations, the initial Processor shall remain fully liable to the Controller for the Sub-processor’s compliance with its obligations.

The Processor is free to update the list of Sub-processors, but must inform the Controller in advance and in writing of any intended changes concerning the addition or replacement of other Sub-processors. This notice must clearly indicate the subcontracted processing activities and the identity and contact details of the new Sub-processor.

The Controller shall have a minimum period of 8 (eight) calendar days from receipt of the information to raise any objections. The proposed subcontracting may only proceed if the Controller has not objected within the specified period.

 

 4. Obligations of the Processor

The Processor undertakes to comply with the Regulation and shall generally ensure that the Data :

The Processor also undertakes to prepare and update, if necessary, a data protection impact assessment in accordance with CNIL guidelines and to share it with the Sub-processor upon request.

Furthermore, if the Processor implements a chatbot, it undertakes to clearly and concisely include on the chatbot’s homepage a notice discouraging users from entering sensitive Data.

 

5. Security Measures

The Processor undertakes to ensure the security of personal data and to maintain their integrity and confidentiality.

 

To this end, the Processor agrees to design and implement all appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to:

6. Data Subject Information

It is the responsibility of the Controller to inform the data subjects of the processing operations at the time of data collection.

 7. Exercise of Data Subjects’ Rights

It is reiterated that data subjects are free to exercise their rights with and against the Controller. The Parties undertake to cooperate with each other to enable prompt and effective handling of any request and to ensure a response is given to the data subject within the legal timeframe of one (1) month from receipt of the request.

Where possible, the Processor shall assist the Controller in fulfilling its obligation to respond to requests to exercise data subject rights (as referred to in Article 6 above).

When data subjects submit such requests directly to the Processor, and the request pertains solely to processing carried out on behalf of the Controller, the Processor undertakes to forward such requests as soon as received to: rgpd@smart-tribune.com.

Where a request is made to the Controller and the Controller is unable to respond without the assistance of the Processor, the Controller undertakes to promptly contact the Processor’s designated point of contact.

If the request is made to the Processor and does not specifically concern processing carried out on behalf of the Controller, the Processor may respond directly to the data subject without informing the Controller.

8. Personal Data Breach Notification

The Processor shall notify the Controller of any personal data breach without undue delay after becoming aware of it, and in accordance with the formal and substantive requirements of the GDPR, so as to allow the Controller to notify the competent supervisory authority.
The Controller is responsible for informing the data subjects without undue delay.

 9. Data Return or Deletion

At the end of the Subscription, the Processor undertakes, at the Parties’ discretion, to:

The return must be accompanied by the destruction of all existing copies in the Processor’s information systems. If European Union or Member State law requires the retention of personal data, the Processor shall inform the Controller of this obligation.

The Processor undertakes to provide, upon request by the Controller, a certificate of destruction.

10. Recordkeeping

The Processor declares that it maintains a written record of all categories of processing activities carried out on behalf of the Controller, including:

11. Documentation and Audit

The Processor shall make available to the Controller all documentation necessary to demonstrate compliance with all its obligations.

The Controller retains the right to conduct an annual audit of the Solution in order to verify the adequacy of the technical and organizational measures implemented by the Processor, subject to providing reasonable advance notice (no less than 10 business days), and conducting the audit during the Processor’s business hours.

Audit costs shall be borne by the Controller, and the Processor shall invoice the Controller for any human or machine resources used during the audit.

The results of such audits shall be subject to confidentiality obligations binding on both Parties.