Privacy policy

Subject

This Policy is established by the company as the data controller:

Kaptalia Monitoring – SAS established under the number SIREN 522 889 708, headquartered at 12 rue Henri Becquerel – Bâtiment Piren – 56000 Vannes.

Hereinafter referred to as “controller”.

The purpose of this policy is to inform website visitors:

www.kaptalia.com

(Hereinafter referred to as the “website”) of how the data is collected and processed by the controller.

This policy is in line with the wish of the controller to act in full transparency, in compliance with its national provisions and the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

(Hereinafter referred to as the “General Data Protection Regulation”).

The controller pays particular attention to the protection of the privacy of its users and therefore undertakes to take the reasonable precautions required to protect the personal data collected from loss, theft, disclosure or unauthorized use.

“Personal Data” is defined as all personal data relating to the user, that is, any information that directly or indirectly identifies the user as a natural person.

If the user wishes to react to any of the practices described below, he can contact the data controller at the postal address or email address specified in the “contact data” section of this Policy.

What data are we collecting?

The controller collects and processes the following personal data on users in accordance with the terms and principles described below:

Its domain (automatically detected by the data controller’s server), including the dynamic IP address.
Its email address if the user has previously revealed it, for example by sending messages or questions about the dedicated services, or by contacting the controller by email or via the contact form.
All information concerning the pages that the user has consulted on the site.

The controller may also have to collect non-personal data. These data are described as non-personal data because they do not allow to directly or indirectly identify a particular person. They may therefore be used for any purpose whatsoever, for example to improve the website, the products and services offered or the advertisements of the controller.

In the event that non-personal data would be combined with personal data, so that an identification of the data subjects would be possible, these data will be processed as personal data until their reconciliation with a particular person is made impossible.

Collection/Processing Methods

The controller may process personal data in the following manner:

Contact form.
Cookies.

Categories of data collected, purposes, legal bases for processing and retention period

Personal data is only collected and processed for the purposes mentioned below:

Processing

Data category

Purposes

Legal bases

Shelf life

Contact form for Internet users

Company name, Last name, first name, company, position, postal address, telephone number, fax, email, comment

Responding to Internet users’ requests

Legal basis is the legitimate interest in providing follow-up to Internet users.

– 3 years from the last contact with the user.

– Mandatory request to the Internet user to extend the retention period of the collected data by 3 years.

Cookies

IP and connection data

– operation of the site

– audience analysis

– conversion tracking

Legal basis is consent

Up to 13 months

The controller may be required to perform processing that is not yet provided for in this Policy. In this case, he will contact the user before reusing his personal data, in order to let him know the changes and give him the possibility, if necessary, to refuse this reuse.

Recipients of data and disclosure to third parties

Internal Recipients:

The recipients of the data are only the personnel authorised by the co-controllers, in charge of security and commercial relations and development.

Third parties	Transmitted data
One&one (web host)	Data stored on the site server.

Recipients of data and disclosure to third parties

Internal Recipients:

The recipients of the data are only the personnel authorised by the co-controllers, in charge of security and commercial relations and development.

In the event that the data are disclosed to third parties for direct marketing or commercial prospecting purposes, the user will be informed beforehand so that he can choose to accept the transfer of his data to third parties.

As long as this transfer is based on the user’s consent, the user may, at any time, withdraw his consent for this specific purpose.

The controller complies with the legal and regulatory provisions in force and will in all cases ensure that its partners, agents, subcontractors or other third parties having access to this personal data comply with this Policy.

The controller shall disclose the personal data of the user in the event that a law, judicial procedure or an order of a public authority makes such disclosure necessary.

Enforcement

For all the rights listed below, the data controller reserves the right to verify the identity of the user for the application of the rights listed below.

This request for additional information will be made within one month of the user’s submission of the request.

Data access and copying

The user may obtain the written communication or a copy of the personal data collected about him free of charge.

The controller may charge a reasonable fee based on administrative costs for any additional copies requested by the user.

When the user makes such a request electronically, the information shall be provided in a commonly used electronic form, unless the user requests otherwise.

Unless otherwise provided for in the General Data Protection Regulation, a copy of the data shall be communicated to the user no later than one month after receipt of the request.

Right to withdraw consent

For all processing based on consent, in this case cookies, the data subject has the right to withdraw his consent at any time, including directly at the bottom of the email.

Right of rectification

The user may obtain free of charge, as soon as possible and at the latest within one month, the rectification of his personal data which are inaccurate, incomplete or irrelevant, as well as the completion thereof if they prove incomplete.

Sauf exception prévue par le règlement général sur la protection des données, la demande d’application du droit à la rectification est traitée dans le mois de l’introduction de celle-ci.

Right to object to processing

The user may at any time, for reasons relating to his particular situation, object to the processing of his personal data free of charge, except where:

The processing is necessary for the performance of a mission of public interest or falling within the exercise of public authority of which the controller would be invested;
The processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, unless the interests or fundamental freedoms and rights of the data subject which require the protection of personal data prevail (especially where the person concerned is a child).

The controller may refuse to implement the right of opposition of the user when he establishes the existence of compelling and legitimate grounds justifying the processing, which take precedence over the interests or rights and freedoms of the user, or for the establishment, exercise or defence of a right in court. In the event of a dispute, the user may lodge a complaint in accordance with the “complaint” section of this Policy.

The user may also, at any time, object, without justification and free of charge, to the processing of personal data concerning him when his data are collected for commercial prospecting purposes (including profiling).

Where personal data are processed for scientific or historical research or statistical purposes in accordance with the General Data Protection Regulation, the user has the right to object, for reasons relating to its particular situation, the processing of personal data concerning it, unless the processing is necessary for the performance of a public interest mission.

Except as provided for in the General Data Protection Regulation, the controller is required to respond to the user’s request as soon as possible and at the latest within one month and to give reasons for its response when it intends not to respond to such a request.

Right to limitation of treatment

The user may obtain a restriction on the processing of his personal data in the following cases:

When the user disputes the accuracy of a data and only the time that the controller can control it;
When the processing is unlawful and the user prefers to limit the processing to erasure;
When, although no longer necessary for the pursuit of the purposes of processing, the user needs it for the recognition, exercise or defense of his rights in court;
During the time necessary for the examination of the merits of an opposition application submitted by the user, in other words, the time taken by the controller to verify the balance of interests between the controller’s legitimate interests and those of the user.

The controller will inform the user when the processing limitation is lifted.

Right to erasure (right to be forgotten)

The user can obtain the erasure of personal data concerning him, when one of the following reasons applies:

The data are no longer necessary for the purposes of the processing;
The user has withdrawn his consent to the processing of his data and there is no other legal basis for the processing;
The user objects to the processing and there is no compelling legitimate reason for the processing and/or the user exercises his or her specific right of opposition in direct marketing (including profiling);
Personal data has been illegally processed;
Personal data must be deleted to comply with a legal obligation (under Union or Member State law) to which the controller is subject;
Personal data have been collected as part of the provision of information society services for children.

Data erasure is not applicable in the following cases:

Where processing is necessary for the exercise of the right to freedom of expression and information;
Where processing is necessary to comply with a legal obligation that requires treatment under Union law or the law of the Member State to which the controller is subject, or to carry out a mission of public interest or falling within the exercise of public authority of which the person responsible is invested;
Where treatment is necessary for reasons of public interest in the field of public health;
Where processing is necessary for archival purposes in the public interest, for the purposes of scientific or historical research or statistical purposes and in so far as the right to erasure is likely to render impossible or seriously jeopardise the achievement of the objectives of the processing in question;
Where processing is necessary for the establishment, exercise or defence of legal rights.

Right to “data portability”

The user may at any time request to receive his personal data free of charge in a structured, commonly used and machine-readable format, with a view to transmitting it to another controller, where:

Data processing is performed using automated processes; and when
The processing is based on the user’s consent or on a contract between the user and the controller.

Under the same conditions and under the same procedures, the user has the right to obtain from the controller that the personal data concerning him are transmitted directly to another controller of the personal data, as far as technically possible.

The right to data portability does not apply to the processing that is necessary for the performance of a mission of public interest or falling within the exercise of public authority by which the controller would be entrusted.

Security

The controller shall implement the appropriate technical and organisational measures to ensure a level of security of the processing and the data collected with regard to the risks presented by the processing and the nature of the data to be protected, adapted to the risk. It shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of users.

The controller has put in place appropriate security measures to protect and avoid the loss, misuse or alteration of the information received on the website.

In the event that the personal data that the controller controls has to be compromised, it will act quickly to identify the cause of this breach and take appropriate remedial measures.

The data controller shall inform the user of this incident if required by law.

Complaint and Complaint

If the user wishes to react to any of the practices described in this Policy, it is advisable to contact the data controller directly.

The user can also lodge a complaint with his national supervisory authority, you can send a complaint online to the CNIL or by post:

Commission nationale de l’informatique et des libertés (CNIL)

3 Place de Fontenoy – TSA 80715 – 75334 Paris cedex 07 – France

Phone: +33 1 53 73 22 22

In addition, the user may lodge a complaint with the competent national courts.

Contact data

For any questions and/or complaints related to this Policy, the user may contact the data controller at the following email address: , or by post at:

KAPTALIA

12 rue Henri Becquerel - Bâtiment Piren - 56000 Vannes - France

Change

The controller reserves the right to change the provisions of this Policy at any time. The changes will be published directly on the website of the controller.

Applicable law and jurisdiction

This Policy is governed by the national law of the place of principal establishment of the controller.

Any dispute relating to the interpretation or enforcement of this Policy will be submitted to the courts of that national law.

This version of the Policy is dated 04/12/2023.