When you use the getreflect.io website (hereinafter the "Site"), we may collect personal data about you. The purpose of this policy is to inform you about the ways in which we process such data.
1. Data controller
Reflect, a simplified joint stock company RCS n° Registered office at 3 Rue Villebois-Mareuil, 75017 Paris, FRANCE (hereinafter referred to as "We")
2. What is the purpose of the data collected
Your data is processed to meet one or more purposes. Each purpose is associated with a legal basis, the list of which is given below.
On the basis of the execution of pre-contractual measures taken at your request and/or the execution of the contract you have signed, we implement processing for the following purposes:
- Providing you with access to a demonstration of our tool;
- Enabling you to deposit your documents in our tool directly;
- Constituting a file of clients and prospects.
On the basis of our legitimate interest in developing and promoting our activity, we implement processing for the following purposes:
- To answer your requests for information.
On the basis of compliance with our legal and statutory obligations, we implement processing for the following purposes:
- Compliance with the regulations applicable to our activity;
- The management of requests to exercise rights.
On the basis of your consent, we implement processing for the following purposes:
- To send you newsletters, solicitations and promotional messages.
3. What data do we collect
Reflect collects and processes the following data:
- Employee personal data (including, but not limited to, name, age, gender, job title, salary and evaluation score);
- Customer organizational data (including, but not limited to, reporting lines, succession plans, cost centers, business units and legal entities).
Customers may add custom data elements that are not part of our standard data model (e.g., languages spoken by an employee), but Reflect will decline to process special categories of data as specified by the GDPR (e.g., religion, sexual orientation).
4. Legal framework of the data
Article 1 - PROTECTION OF YOUR DATA
The terms and expressions "Data Controller", "Subcontractors", "Processing", "Personal Data", used in this Article, have the meaning given to them by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR").
Obligations of the Client
The Client, as the Data Controller, guarantees to the Service Provider that the Processing in question meets the requirements of the regulations, in particular that the Personal Data is processed in a lawful, fair and transparent manner, that it has been collected for specific, explicit and legitimate purposes and that the information required from the persons concerned by the Processing has been provided at the time of collection of the said data.
The Client undertakes to document, in writing, any instructions concerning the Processing of Personal Data by the Service Provider. Such instructions are set forth in this Article and in Appendix 1. Any other instructions, not expressly referred to in this Article and in Appendix 1, shall be documented in writing by the Client and addressed to the Service Provider, who undertakes to comply with them.
The Client authorizes the Service Provider to enter into standard contractual clauses on its behalf, where necessary.
Provider's obligations
It is expressly agreed that the Service Provider:
- processes Personal Data only for the purpose(s) that are the subject of the subcontracting;
- may only process Personal Data on the documented instructions of the Client, including with regard to the location of the hosting and transfers to third countries;
- informs the Customer before the start of the Processing if the Service Provider is required to transfer Personal Data to a third country or international organization, under the law of the Union or the law of the Member State to which it is subject; this obligation does not apply if the law concerned prohibits such information for important reasons of public interest;
- informs the Client immediately if the Service Provider considers that an instruction given by the Client constitutes a violation of the regulations concerning the protection of Personal Data;
- guarantees the confidentiality of personal data processed within the framework of the Contract;
- ensures, in this respect, that the persons authorized to process the Personal Data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
- takes into account, with regard to the services that it carries out on behalf of the Customer, the principles of data protection by design and by default;
- may subcontract all or part of the processing activities carried out on behalf of the Client, subject to having informed the Client in advance, and in the absence of opposition from the latter within 15 days of having received this information;
- must ensure that its own Subcontractor complies with the obligations of the Contract and that this Subcontractor presents the same sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the regulations on the protection of personal Data;
- helps the Customer, through appropriate technical and organizational measures, to the fullest extent possible and under financial conditions to be determined between the Parties, to fulfill its obligation to comply with requests from data subjects relating to their rights (rights of access, rectification, erasure and opposition, to limit processing, to portability, not to be subject to an automated individual decision); in this respect, in the event that the Service Provider receives such a request directly, it is agreed that the Service Provider will transmit the request to the Client, who will be responsible for responding to it within the time limits provided for by the regulations;
- assists the Client, under financial conditions to be determined between the Parties, in carrying out impact analyses relating to data protection, in communicating and notifying data breaches, in carrying out prior consultation with the supervisory authority and in implementing its own appropriate technical and organizational measures to guarantee a level of security adapted to the risk;
- implements the above-mentioned security measures, it being specified that the Customer may be required to take actions so that some of the said measures can be effective, in particular with regard to tracing access to personal data;
- according to the choice of the Customer, destroys all the personal data or returns them to the Customer at the end of the service or to its new Subcontractor, it being specified that the return of the said data must be accompanied by the destruction by the Service Provider of all existing copies in the latter's information systems;
- makes available to the Client all information necessary to demonstrate compliance with its obligations and to allow audits, including inspections, to be carried out by the Client or an auditor chosen by the latter, and contributes to these audits under the conditions set out below.
Audit
The Customer, during the performance of the Agreement, up to a limit of three (3) times per contractual year, shall have the possibility of carrying out an audit at its own expense and under its responsibility for the purpose of verifying the compliance of the subcontracting services carried out by the Service Provider on behalf of the Customer. This audit is notified by the Customer to the Service Provider by registered letter with acknowledgement of receipt detailing the documents requested and, if applicable, the protocol that will be carried out, the methods used and the data audited, thirty (30) working days before the planned date of its implementation.
It is expressly agreed between the Parties that preference shall be given, as far as possible, to an audit based on documents and that an on-site audit shall be scheduled if the elements made available by the Service Provider do not prove sufficient to demonstrate compliance with its obligations under this clause. In this second case, the Client shall assume the additional costs resulting, in particular, from the need to reinforce the staff to allow the audit to be carried out and the continuity of the Provider's activity.
The audit is carried out by the Client or by a third party designated by the Client, on the triple condition that this third party is not a direct or indirect competitor of the Service Provider, that it is subject to professional secrecy and that it has concluded a confidentiality agreement. It is also understood that this audit process excludes any communication of documents of a financial or accounting nature or relating to the Service Provider's relations with other clients.
The results of the audit will be subject to a contradictory debate and validation by the Parties. The costs of the audit shall be borne by the Customer, as well as any expenses incurred and time spent by the Service Provider
5. Cookie Policy
Cookies that can be deposited without consent
Certain Cookies do not require your consent, such as:
- Technical and functional Cookies that are necessary for the operation of the Site;
- Certain audience measurement Cookies or Cookies that allow different versions of the Site to be tested for the purpose of optimizing editorial choices.
Acceptance or refusal of Cookies subject to your express consent
All other Cookies require your consent. These are advertising Cookies, social network Cookies, content personalization Cookies and certain audience analysis Cookies. You can freely choose to accept or refuse the use of these Cookies. You can accept or refuse these Cookies during your first navigation on the Site. Your choices to accept or refuse Cookies will be kept for a period of six (6) months.