re
Bop

use of reBop’s Website and ServicesPrivacy Policy

Effective Date: July 14th, 2021

1. PREAMBLE AND PURPOSE

reBop, as part of the management of its website accessible at rebop.io (the “Website”), processes personal data of the following data subjects (the “Data Subjects”): (i) Website visitors; (ii) prospective users; (iii) clients’ users.

reBop undertakes to process the personal data of the Data Subjects in compliance with the applicable regulations, and in particular the Regulation n°2016/679 (EU) of 27 April 2016 known as the General Data Protection Regulation (“GDPR”), the Data Protection Act of 6 January 1978 in its updated version (together, the “Applicable Regulations”).

In this respect, reBop undertakes to comply with obligation of transparency and information regarding Data Subjects by making this privacy policy available to Data Subjects, to inform them on the characteristics of the personal data processing carried out by reBop in the context of the use of the Website and its services, and regarding their rights.

2. DEFINITIONS

Terms beginning with a capital letter are either defined herein or have the meaning given to them by the Applicable Regulations, and in particular the GDPR, such as “Personal Data”, “Processing”, “Data Subjects”, “Controller”, “Processor”, “Recipient” or “Data Breach”.

3. IDENTITY OF THE DATA CONTROLLER

reBop, a simplified joint stock company (“société par actions simplifiée”) registered at the Paris Trade and Companies Register under the number 892 923 731, having a registered office located at 3 rue de Teheran 75008 Paris, acts as Controller with regard to the processing of Data Subjects’ Personal Data.

4. CHARACTERISTICS OF THE PROCESSING

The Processing implemented by reBop from the Data Subjects’ Data are presented in the following tables.

4.1 Contact reBop by email

Purpose of the processingTo allow Data Subjects to contact reBop on various subjects relating to the company and the services provided, or to contact sales and support teams.
Legal basis for processingreBop’s legitimate interest in facilitating contact, communication and, where appropriate, the beginning of commercial relations, especially since the Data Subject necessarily expects his/her Personal Data to be processed for this purpose when contacting reBop.
Category of Data SubjectsreBop clients and prospective users, and any users of the Website
Category of Personal Data
  • identity data (surname, first name)
  • contact data (email address, phone number)
  • any other data that may be communicated by the Data Subject in his/her email
Duration of Processing
  • Personal data relating to prospective user are stored for a period of 3 years from the last contact with the prospective user
  • Personal data relating to clients’ users are stored for a period of 3 years from the end of the commercial relationship for prospective commercial purposes

4.2 Newsletter

Purpose of the processing
  • Provide information to Data Subjects on the services provided by reBop
  • Subscription management
  • Management of emails
Legal basis for processingreBop’s and the Data Subject’s legitimate interest in providing information on its services to prospects and clients.
Category of Data SubjectsPeople who subscribed to the reBop newsletter
Category of Personal Data
  • contact details (email address)
  • connection data (traces, logs)
Duration of Processing

Retention of the email address as long as the data subject does not unsubscribe (via the unsubscribe link integrated into the emails)

4.3 Access dedicated to clients on the Website

Purpose of the processing
  • Provide real-time digital certificates monitoring
  • Send alert on expiration, suspension or revocation events
Legal basis for processingreBop’s and the clients’ legitimate interest in providing the platform and its related services.
Category of Data SubjectsreBop’s client personnel
Category of Personal Data
  • identity data (surname, first name)
  • contact details (email address)
  • photography
  • connection data (traces, logs)
Duration of Processing

Personal data relating to clients are stored for a period of 5 years from the end of the commercial relationship.

4.4 Management of possible disputes, litigation and pre-litigation

Purpose of the processing
  • Retaining evidence for a possible dispute
  • Management of exchanges in the event of a dispute
  • Drafting the necessary documents in case of litigation or pre-litigation.
Legal basis for processingreBop’s legitimate interest in organizing its defense in the context of a dispute by providing evidence and drafting all necessary documentation, which will necessarily include some of the Data Subject’s personal information. This legitimate interest is balanced against the rights and freedoms of the Data Subject, who has the right exercise his/her defence in the context of the litigation
Category of Data SubjectsreBop clients and prospective clients, and any other person having access to the Website
Category of Personal Data

All of the above-mentioned Data as soon as they are necessary for the management of the dispute.

Duration of Processing

Retention throughout the duration of the dispute and until (i) signature of the settlement agreement (pre-litigation) or (ii) exhaustion of the means of appeal (litigation).

5. RECIPIENTS OF THE PERSONAL DATA

reBop may disclose the Personal Data of Data Subjects to authorized Recipients subject to an appropriate obligation of confidentiality, which may be internal or external as appropriate:

  • Internal Recipients are all reBop staff members whose duties, functions and missions justify that they access the Personal Data of Data Subjects (e.g. commercial department, marketing department, client relations department and prospect) for the sole purposes set out in this privacy policy and within the framework of the technical and organizational measures implemented by reBop aiming at ensuring the confidentiality and security of the Personal Data;
  • The external Recipients are:
    • The service providers or Processors that reBop may use in the context of the Processing (e.g. hosting provider);
    • Entities in charge of reBop’s consulting, auditing and financial control (auditor, lawyer);
    • Administrative or judicial authorities within the scope of their powers or any recipient designated by and administrative or court decision or the law;
    • In the event of an acquisition, fund raising, of reBop, sell or transfer of reBop’s business or assets by any means whatsoever, including by merger or sale of reBop, the potential buyers/beneficiary(ies), and their advisors as part of an audit prior to the transaction and following the buyer / beneficiary following the transaction.

6. DATA SUBJECTS’ RIGHTS

1. STATEMENT OF RIGHTS

In accordance with the applicable Regulations, Data Subjects have the following rights with respect to their personal data:

  • A right to ask reBop for confirmation that data concerning them is being processed, to obtain information on the characteristics of such Processing, to access such data and to request a copy;
  • A right to rectify or complete any data concerning them that is incorrect or obsolete;
  • A right to withdraw their consent at any time provided that the Processing is exclusively based on this legal basis;
  • A right to object to the Processing of their Personal Data for reasons relating to their particular situation and to obtain their deletion, in which case reBop will grant this request unless the Processing is justified by legitimate and compelling reasons;
  • A right to obtain the limitation of the Processing temporarily in case of a request for rectification or opposition on legitimate grounds while reBop analyses the request, which in practice means that the Personal Data is kept, but reBop cannot process it;
  • A right to Data portability, i.e. a right to obtain from reBop the restitution of the Personal Data they have communicated in a format of common use when the Processing is automated and based on consent or on the execution of a contract;
  • A right to formulate instructions relating to the Processing of their data after their death and to ask reBop to retain, delete or communicate their data to an expressly designated third party, it being specified that once reBop has knowledge of the death of a Data Subject and in the absence of instructions from him or her, it undertakes to destroy his or her Personal Data, unless its retention is necessary for evidential purposes or to meet a legal obligation;
  • Data Subjects may also ask the CNIL any questions or lodge a complaint with the CNIL.

2. HOW TO EXERCISE YOUR RIGHTS

If a Data Subject wishes to exercise any of the above rights, he or she may contact reBop:

  • by mail: reBop - GDPR rights exercise request - 3 rue de Teheran 75008 Paris France; or
  • by email: privacy [at] rebop.io

The Data Subject’s request must come exclusively from the concerned Data Subject (unless a mandate is given to a third party in due form) and be as clear and exhaustive as possible in order to allow reBop to respond as soon as possible, between one and three months depending on its level of complexity.

reBop may ask the Data Subject to complete his/her request if it is not sufficiently precise, if the right he/she wishes to exercise is not easily identifiable or if he/she is unable to establish his/her identity, in which case reBop may ask him/her to provide additional information and in particular proof of identity, which will be deleted as soon as possible after verification of his/her identity.

In addition, reBop will not be obliged to respond to the Data Subject’s request if it is manifestly unfounded or excessive, and in particular if it formulates repetitive requests or requests that are too complex to process, which would have the purpose or effect of destabilizing reBop’s activities.

7. SECURITY

reBop implements the technical and organizational security measures it deems appropriate to preserve the confidentiality and security of the Personal Data it processes, aimed at preventing their unauthorized destruction, loss, alteration or disclosure.

When reBop uses processors, i.e. service providers to whom it has delegated all or part of a Processing and who process the Personal Data of the Data Subjects in accordance with its instructions, reBop undertakes to request that they comply with and implement security measures similar to those reBop implements to protect Personal Data and to have the right to carry out an audit of them in order to ensure that their obligations are complied with.

In the event of a Data Breach, reBop undertakes to notify the CNIL as provided under the Applicable Regulations and, if such breach presents a high risk to the Data Subjects, to notify them and to provide them with the necessary information and recommendations, if necessary.

8. DATA TRANSFERS OUTSIDE THE EUROPEAN UNION

For the purposes of its activity, reBop may transfer certain Personal Data outside the European Union, in the event that, for example, reBop uses a Processor with data centers located outside the European Union.

If the country receiving the Personal Data does not benefit from an adequacy decision by the European Commission and does not present an adequate level of data protection, reBop makes the following commitments:

  • Adopt appropriate data protection safeguards, including sign and apply the latest version of the European Commission’s Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council or any future version;
  • Assess the data protection legislation of the receiving country and, should this assessment show that the legislation compromises the effectiveness of the standard contractual clauses, adopt additional protection and security measures in order to protect the Personal Data transferred.

9. UPDATING OF THIS POLICY

reBop may modify, complete or update this policy at any time to take into account legal, regulatory and/or case law developments, a change in the characteristics of the Processes or the implementation of a new Process.