Last updated on 6 April 2021

NotMe SAS, having its registered office at 18 rue Boissière, 75116 Paris, France, (hereinafter “NotMe” or “we“) attaches great importance to the protection and respect of your privacy.

This privacy policy aims to inform you, in accordance with Regulation No. 2016-679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR“):

  • Practices of NotMe regarding the collection, use and sharing of information you may provide us with through our website (hereinafter the “Website“) and which we process on our own behalf;
  • The processing of your data that our customer is required to carry out, namely your employer (hereinafter the “Customer“), on its own behalf, when making available the #NotMe mobile application (hereinafter the “Application“).

The purpose of this document is to inform you of the categories of personal data that may be collected or held about you, how this data is used, the persons with whom the data is shared, how your data is protected and the rights you have to your personal data.

1. Glossary

Personal Data: means any information relating directly or indirectly to a natural person.

Sensitive Data: means any Personal Data that reveals the Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sexual orientation, genetic or biometric data or elements of the data subject’s sex life.

Data Subject: means the natural person whose Personal Data is processed, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to the person’s physical, physiological, genetic, psychological, economic, cultural or social identity;

Regulation: means the amended French Data Protection Act 78-17 of 6 January 1978, the GDPR and any regulations in force concerning the protection of Personal Data.

Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing; where the purposes and means of such Processing are determined by European Union or Member State law, the controller may be appointed or the specific criteria for its appointment may be provided for by European Union law or by the law of a Member State.

Terminal: means the hardware equipment (computer, tablet, smartphone, phone) that you use to visit or see the Website or Application.

Processing: means the collection, recording, organisation, structuring, retention, adaptation, modification, extraction, consultation, use or any other form of provision, reconciliation or interconnection, limitation, erasure and destruction.

User: means the person browsing the Website and/or the Application.

These definitions are capitalised and are used both in singular and plural form.

2. What is the scope of the Privacy Policy?

This Privacy Policy is intended for all Users.

Consequently, accessing and browsing the Website and the Application means that you have accepted all the terms of the Privacy Policy, and therefore the collection and use of your Personal Data.

3. Who are the parties involved in the protection of Personal Data within the Website and the Application?

It is necessary to distinguish the following two situations:

  • All User Personal Data collected via the Website is processed by NotMe, a simplified joint stock company with its registered office at 18, rue Boissière – 75016 Paris, in its capacity as Personal Data Controller.
  • You can contact NotMe by writing to the following address NotMe – 18 rue Boissière, 75116 Paris, France or by sending an e-mail to [email protected].
  • All User Personal Data collected via the Application is processed on behalf of the Customer, in its capacity as Data Controller.
  • It is recalled that, as the Customer is your employer, you will find the identity and contact details of the Customer in your employment contract.
4. What is the nature of the Personal Data processed, what are the Purposes of Processing and the retention period of Personal Data?

The Data Controller shall take into account the principles of data minimisation, data protection by design and data protection by default. Accordingly, it shall only collect information that is relevant, adequate and limited to what is necessary for the purposes for which it is processed.

  • What is the nature of the Personal Data processed by NotMe via the Website, what are the Purposes of Processing and the retention period of Personal Data?

Personal Data is collected when you request a demonstration from NotMe and when you contact NotMe via the IT ChatBot.

When completing entry fields on a form, the mandatory nature of a response is indicated by using an asterisk (*) at the end of the question. The lack of response to a question identified by an asterisk prevents the processing of your request.

When you choose to spontaneously send your Personal Data to NotMe, without the latter having requested it, you expressly consent to the collection of Personal Data and you undertake to assume full responsibility for the Personal Data transmitted.

5. The data necessary to request a demonstration of the Application

NotMe collects and processes the first name, last name, email, telephone number and name of the User’s company requesting demonstration on the Website or the Application.

The purpose of this Processing is to manage User requests. It allows NotMe to receive demonstration requests and to establish a history of requests and responses.

NotMe retains your Personal Data for the time necessary to accomplish the purposes pursued, subject to legal archiving possibilities, obligations to retain certain Personal Data and/or anonymisation.

The Personal Data collected when requesting a demonstration of the Application is retained for a period of three (3) years from its collection.

6. Data relating to the IT ChatBot

NotMe may collect personal data that is sent by the User when using the IT ChatBot. Such data concerns the first name, last name, email and name of the user’s company.

The purpose of such Processing is to receive requests from Users and to manage the answers to be provided.

The Personal Data collected when requesting a demonstration of the IT ChatBot is retained for a period of three (3) years from its collection.

7. Connection data

NotMe automatically collects User login data. These data include date, time of login and/or browsing, browser type, hardware used, entry and exit page, URL, number of clicks, pages viewed and their order, time spent on specific pages, browser language, IP address.

The purpose of this Processing is the analytical management of NotMe’s business.

The connection data collected by NotMe is kept for twelve (12) months from collection.

  • What is the nature of the Personal Data processed by the Customer via the Application, what are the Purposes of Processing and the retention period of Personal Data?

i. Processing 1: When you create an account on the Application, Personal Identification Data is collected and processed, namely your full name, phone number, email address, function and name of the employer.

This Personal Data is necessary for the proper functioning of the Application and the provision of this service.

The purpose of this collection is based on User account management.

The Customer retains your Personal Data for the time you have access to the Application, i.e., for the period you are employees of the Customer.

ii. Processing 2: When you make a report on the Application, in accordance with the Terms and Conditions of Use of the Application, you must ensure that you only communicate the relevant Personal Data necessary for the processing of the report, in accordance with the principle of minimisation imposed by the Regulations.

We invite you to be particularly vigilant regarding the transmission, via the Application, of Sensitive Data.

In processing reports made through the Application, the Customer may be required to process:

  • Personal Data about you (full name, position and possibly other Personal Data communicated, including Sensitive Data); and
  • Personal Data relating to the person who is the subject of a report (full name, function and possibly other Personal Data communicated, including Sensitive Data). 

The Customer undertakes not to process Personal Data transmitted in a report when it is not relevant and necessary.

The collection of such Personal Data is optional.

The purpose of such Processing is based on the processing of the reports made.

The Customer retains the Personal Data relating to a report as follows:

  • The Personal Data that does not fall within the scope of the Application’s system and in particular Sensitive Data that does not allow the establishment, exercise or defence of a legal claim is deleted immediately;
  • The Personal Data is deleted two (2) months after verification if no further action is taken;
  • The Personal Data shall be retained until the end of the investigation in the event that action is taken with regard to the report.
  • What is the legal basis for the Processing?
  • What is the legal basis for NotMe’s Processing?

The Processing carried out by NotMe is based on Article 6.1.a GDPR, namely the consent of the User.

  • What is the legal basis for the Customer’s Processing?

The Processing carried out by the Customer is based on Article 6.1.c of the GDPR, namely compliance with a legal obligation to which the data controller is subject.

In fact, the Application allows the Customer to comply with the obligations imposed on employers under Article 8 of the Law on Transparency, Combating Corruption and Modernization of Economic Life, known as the Sapin Law 2.

When the Customer processes Sensitive Data, the Processing of Sensitive Data is based on Article 9.2.f of GDPR, namely the establishment, exercise or defence of a legal claim.

8. Who are the recipients of your Personal Data?

Only the persons who need to access Personal Data are recipients of such data.

More specifically, only the persons authorised under their duties and functions may access the Personal Data. With regard to the Customer, these are persons specifically entrusted by the Customer with managing alerts, who have undertaken to respect the confidentiality of the data.

In addition, Personal Data may be communicated within the company group to which the Customer belongs only if such communication is necessary solely for the purposes of checking or processing the alert.

The Data Controller’s subcontractors and technical service providers may have access to the Personal Data. With regard to the Personal Data collected during the report (Processing 2) by the Customer, only the hosting company collects Personal Data.

These third parties shall be sent only the Personal Data they need in order to perform their services, and it is required that they do not use your Personal Data for any other purpose.

These third parties only act in accordance with our instructions and are contractually obliged to ensure a level of security and confidentiality of your Personal Data that is the same as that we guarantee you, in accordance with the GDPR.

In some cases and in accordance with the Regulations, Personal Data may be transmitted to the competent authorities on request and in particular to public bodies, judicial officers, ministerial officers, bodies responsible for debt collection, exclusively to meet legal obligations, as well as in the case of the search for perpetrators of offences committed on the Internet.

In addition, in the event of a reorganisation, merger, sale, joint venture or other transfer or assignment of all or part of our business, NotMe may disclose or transfer your Personal Data to the transferee.

9. How is the security of Personal Data ensured?

The Data Controller undertakes, in the context of its activities and in accordance with the Regulations, to ensure the protection, confidentiality and security of Personal Data.

The Data Controller shall take the necessary precautions taking into account the state of knowledge, implementation costs and the nature, scope, context and purposes of the Processing and the likelihood of each risk to protect the security and confidentiality of the Personal Data you provide it with and in particular to prevent it from being distorted, damaged or disclosed to third parties (unless you agree).

Consequently, the Data Controller shall implement all technical, logical, physical and organisational measures to ensure a level of security appropriate to the risk and to prevent any loss, alteration, disclosure of Personal Data or access to unauthorised third parties.

In the event of a Personal Data breach and in accordance with the Regulations, the Data Controller undertakes to notify the CNIL (French Data Protection Authority).

10. Is the Personal Data transferred outside the European Union?

For the purposes mentioned above, Personal Data is not transferred to a country outside the European Union.

11. What are your Rights?

The Data Controller informs you that you benefit, under the terms and conditions set out in the Regulations, from:

  • A right to information: You have the right to receive clear, transparent and easily understandable information about how we use your information and on your rights.
  • Right of access: you have access to the Personal Data about you that the Data Controller holds and processes.
  • Right of rectification: You have the right to ask the Data Controller to correct your information in the event of errors or inaccuracies.

The right of rectification that you have in respect of the Customer must not, in particular, allow the information contained in the alert or collected during investigation to be amended retroactively. Its exercise, when admitted, shall not make impossible the reconstruction of the timeline of any changes to important elements of the report.

Therefore, this right can only be exercised to rectify factual data, the material accuracy of which can be verified by the Customer, on the basis of evidence, without the replacement or deletion of the initially collected data, even when it is incorrect.

  • A right to restriction of processing: right to ask the Data Controller to ensure that some of your Personal Data are not stored for future processing when:
  • You dispute the accuracy of your Personal Data;
  • You consider and can establish that the Processing of Personal Data is unlawful and you oppose the erasure of Personal Data and require restriction of Processing instead;
  • The Data Controller no longer needs your Personal Data but it is still necessary for you to establish, exercise or defend legal claims;
  • Right to erasure: subject to the exceptions provided by the Regulations, the right to obtain from the Data Controller the erasure of your Personal Data, where one of the following applies:
  • Your Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • You wish to withdraw your consent on which the Processing of your Personal Data was based and there is no other basis justifying such processing;
  • You object to the Processing and there are no compelling legitimate grounds for the Processing or you oppose the sending of commercial offers;
  • You consider and can establish that your Personal Data has been unlawfully Processed;
  • Your Personal Data must be deleted under a legal obligation.
  • A right to the portability of your data: where the Processing is based on your consent, you have the right to receive from the Data Controller the Personal Data concerning you in a structured, commonly used format, and to transmit such Personal Data to another data controller without the Data Controller preventing you from doing so.

Where technically feasible, you may request that such Personal Data be transmitted directly by the Data Controller to another data controller.

  • A right to withdraw consent: where the Processing is based on your consent, you have the right to withdraw your consent at any time, without NotMe being able to object to it.
  • A right to decide on the fate of your Personal Data after your death: Lastly, you have the right to organise the fate of your Personal Data after death by adopting general or specific guidelines. The Data Controller undertakes to comply with these guidelines. In the absence of guidelines, the Data Controller acknowledges that the heirs may exercise certain rights, in particular the right of access, if it is necessary for the settlement of the estate of the deceased; and the right to object to the closure of the deceased person’s user accounts and object to the Processing of their data.

You may exercise your rights with NotMe (at one of the following addresses: [email protected] or NotMe 18, rue Boissiere, 75116 Paris, France) or with the Customer, whose contact details can be found in your employment contract, depending on the entity that holds the capacity of Data Controller.

If, despite the Data Controller’s efforts to protect the confidentiality of your Personal Data, you consider yourself a victim of a breach of the Regulations, you may submit a complaint to the National Data Protection Authority: Commission Nationale de l’Informatique et des Libertés (CNIL), 3, place de Fontenoy – TSA 80715 -75334 Paris CEDEX 07 (01 53 73 22 22 – www.cnil.fr). You also have the right to seek redress from the competent courts if you consider that we have not respected your rights.

12. How to be informed of a change to our privacy policy?

The Data Controller reserves the right to change its Privacy Policy. Any changes to the Privacy Policy will be posted on the Website and the Application. We invite you to review the Privacy Policy on a regular basis.

COOKIE POLICY

Last updated on 6 April 2021

1. What is a “cookie”?

A cookie is a tracker likely to be stored on your device (computer, tablet, or smartphone) when using the Website. It makes it possible to recognise the terminal in question whenever the latter accesses digital content containing cookies of the same issuer, and according to the cookie, to collect additional information, not directly identifying information, about your behaviour on the Website.

2. Who uses cookies?

NotMe, a simplified joint-stock company with its registered office at 18, rue Boissière – 75116 Paris is likely to place cookies via the Website.

Only the person on whose behalf the cookie is issued is responsible for its use and for the data it collects through it.

3. Are cookies used as part of the Application?

The following Cookies are used:

  • User cookies: session cookies used to keep track of the information entered by the User when the User completes online forms on multiple pages;
  • Authentication cookies: cookies used to identify the User during successive visits. This type of cookie remembers the User’s authentication means (username and password);
  • User-centric security cookies: cookies used to detect several unsuccessful attempts to connect to the Website;
  • Social plug-in cookies: third party cookies to track Users whether or not they are members of the social network to which these cookies are attached, either in order to offer them services that may be considered expressly requested by their members, or for other purposes such as behavioural, analytic advertising or market research.
4. How to control cookies?

You can express your choices regarding the placement or not of cookies on the Website through the banner that appears on your first visit, you will need to restate it at each connection if you are in private browsing or at the next connection if you have deleted your pre-existing cookies. You can choose whether or not to consent to cookies by purpose. This choice can be changed at any time by stating it again by clicking here https://not-me.com/en/?banner=true.  

The cookie is stored for a maximum period of thirteen (13) months.

If you do not consent to the storage of cookies or have deleted them, your browsing and experience on the Website may be limited.

No liability is accepted for the consequences related to the reduced functionality resulting from the absence of consent to cookies and the inability to save or view the cookies necessary for the operation of the website due to your choice.

Request a Demo

Request a Demo