Privacy Policy
The present Data Protection Policy delineates how Vancelian collects and processes your personal data via the Vancelian websites and application referenced herein.
Vancelian encompasses an ecosystem comprising Vancelian websites (inclusive of domain names such as, but not limited to, www.vancelian.com), mobile applications, clients, and stakeholders.
This Data Protection Policy is applicable to all personal data processing activities undertaken across Vancelian platforms, websites, and departments.
Should you be a client or user of our services, this Data Protection Policy is applicable in conjunction with the terms of business and other contractual documents, inclusive of, but not limited to, agreements we may have with you.
In the event you are not a stakeholder, client, or user of our services but utilize our website, this Data Protection Policy equally pertains to you, alongside our Cookie Policy.
Consequently, this Policy should be read collectively with our Cookie Policy, which furnishes supplementary particulars regarding our utilization of cookies on the website.
***
1. WHO ARE WE AND WHAT IS OUR ROLE IN THE PROCESSING OF PERSONAL DATA?
Automata France SAS (also referred to as "the company" or "we" in this policy) is a simplified joint-stock company with its registered office located at 240 rue Evariste Galois, 06410 Biot, Sophia Antipolis, registered in the Trade and Companies Register under the number 902 498 617 00023 (whose intra-community VAT number is: FR47 902 498 617).
The company Automata France operates under the commercial name "VANCELIAN".
Its main activity is the development and management of all systems, software, technical solutions, websites, platforms, and applications, as well as the acquisition, subscription, holding, management, and transfer, in any form, of all shares and securities in all companies or legal entities. In this context, it also operates as a Digital Asset Service Provider (DASP) and is registered with the AMF (French Financial Markets Authority) under the registration number E2023-087.
The company operates the website accessible to the public at the following URL (hereinafter referred to as the "Site"): https://www.vancelian.com. This Site aims to:
- Provide users with information to discover the company's activities and services offered, as well as its news (events, publications, etc.);
- Offer features and/or information that allow users to contact the company and present the services offered by the company, the projects completed by it and those upcoming, or the team working on these projects;
- Provide users with an online account and various associated services as detailed within our general terms and conditions: https://www.vancelian.com/terms-conditions-vancelian-platform/
The company also administers pages that showcase its activities and allow it to publish content on social networks and interact with internet users (notably on Facebook, Instagram, YouTube, and LinkedIn).
During your navigation and interactions on the Site, on the pages managed by the company on social networks, or, more generally, during your interactions or exchanges with the company, it may collect and process Personal Data concerning you, for the management of the activities it carries out and on its own behalf, in its capacity as Data Controller, whether you are a customer, prospect, contact, internet user, candidate, supplier, service provider, or partner, potential or current (also referred to as "you" or "the concerned Person(s)" or "user(s)" in this policy).
In this context, the company applies the principles defined by legal and regulatory provisions in the field of Personal Data protection, particularly in Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data (General Data Protection Regulation, "GDPR"), as well as the law no. 78-17 of 6 January 1978 on Information Technology, Data Files, and Civil Liberties (known as the "Information Technology and Liberties Law") and its implementing decrees.
2. WHAT ARE THE METHODS FOR COLLECTING YOUR PERSONAL DATA?
2.1 Your Personal Data is collected either directly from you or indirectly from third parties.
2.1.1 Indeed, your Personal Data is particularly collected or processed in whole or in part during your navigation on the Site, your interactions with the Site, and when you enter information into data collection forms that may be present there, but also more generally within the framework of requests that you may send to the company by any means at your convenience, your relationship and your exchanges with the company, and when you share content from the Site using "share buttons" on social networks that may be offered on our Site, or during your navigation on one of the company's pages on social networks.
Generally, your Personal Data is thus directly collected from you in the aforementioned cases.
2.1.2 However, your Personal Data may also be collected through third parties (i.e. indirect collection from third parties).
Indeed, the Personal Data that we collect and process about you may possibly be gathered or enriched by us, particularly for the purpose of conducting commercial operations, communication, solicitation, prospecting, or marketing, using other sources of information (social networks, so-called "public" information, websites, file rentals, etc.).
Similarly, your Personal Data may be transmitted to us by other staff members/contacts within your company or through third parties in certain situations.
Moreover, specifically concerning Personal Data processed in the context of our recruitment operations (for employment or an internship), we use the information you provide us (e.g., form completed for this purpose or generally information mentioned in your CV) that we integrate into our candidate database (CV library). However, we may also approach third parties (for example, recruitment agencies, previous employers, internship supervisors, or clients with whom you have worked on previous missions) or use other sources of information (in particular professional social networks, recruitment firms, or specialized recruitment websites) to collect information about you for the evaluation of your application or your professional profile. Furthermore, even without a candidacy from you, we may, particularly in the context of our monitoring and active search for professional profiles that may match our job vacancies, collect Personal Data from third parties (for example, recruitment agencies or "headhunters") or use other sources of information (in particular professional social networks or specialized recruitment websites) to collect information about you with the aim of proposing that you apply for one of our job offers.
2.2 Furthermore, in general, you are informed that as a principle:
- if the Processing of your Personal Data is necessary for compliance with our legal or regulatory obligations, the collection of said Data is mandatory;
- if the Processing of your Personal Data is subject to your consent, the communication of said Data to us is entirely optional (it being specified that the lack of communication could, however, prevent us from implementing the concerned Processing at least in certain cases);
- if the Processing of your Personal Data is necessary for the execution of a contract or pre-contractual measures taken at your request, the communication of said Data is necessary for pursuing this purpose, and the company could, in the absence of communication of these Data, be prevented from performing its contractual obligations or the aforementioned pre-contractual measures;
- if the Processing of your Personal Data is based on the pursuit of our legitimate interests, the communication of said Data is necessary for pursuing this purpose, and the lack of communication of your Data could prevent us from implementing the concerned Processing or hinder it. For example, without the provision of information that would be necessary to respond to a request from you (request for information, etc.), your request related to this collection of Personal Data might not be able to be processed or its processing delayed.
Special case: if data collection forms for Personal Data (for example, forms integrated on the Site or within our pages on social networks, or any data collection form in whatever format that we might make available to you to collect information about you) involve the entry of mandatory Personal Data for the implementation of the associated Processing, you will be informed on the form, which will also specify the possible consequences of a failure to communicate these details. Otherwise, the requested information is optional. In the absence of a specific form, the mandatory data for the pursued purposes will be indicated to you, it being specified that data not indicated as mandatory is, of course, optional.
2.3 Apart from specific legal obligations, or contrary details in this policy, we do not collect "special" Personal Data, that is, data that would reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor genetic data, nor data concerning health or data concerning a natural person's sex life or sexual orientation.
2.4 Personal Data of minors or protected adults: we only offer our services to adults with legal capacity. Therefore, in general, the use of the Site and the company's dedicated pages on social networks is reserved for adults with legal capacity; the company cannot in any case be held liable for the use of the Site or its pages on social networks by minors or those who lack legal capacity, and therefore for any consequences that may result from this, particularly in terms of the Processing of their Personal Data.
3. WHAT DATA IS COLLECTED, FOR WHAT PROCESSING PURPOSES, AND FOR WHAT DURATIONS?
3.1 Management, processing, and monitoring of information requests and exchanges with our users, via or through the Site or the company's social media pages, or by any other means, and more generally the company's relations with its contacts in a broad sense
We may collect, use, store, and transfer different types of Personal Data about you as follows:
- Identity Data.
- Contact Data.
- Financial Data.
- Transaction Data.
- Device Data.
- Content Data.
- Profile Data.
- Usage Data.
- Marketing and Communications Data.
- Location Data.
- Biometric Data.
For your information, we also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but are not considered personal data by law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature of the application. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
3.2 Management of our relationships with our partners including our current or potential providers and suppliers:
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers, and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility for these policies or for personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services.
- The purpose of this Processing is to seek new partners, manage, monitor, and respond to partner requests, quotes or proposals for services, as well as the management of partners and/or our relations with them, including particularly the management and monitoring of the execution of contracts, orders/services entrusted, deliveries, invoices, payments and transactions, associated accounting, and especially the management and monitoring of partner accounts, the broader partner relationship, and any potential claims or disputes.
- On this occasion, we collect the following elements: identity (title, first and last name), contact details (email address, postal address, phone number, etc.), information on partnership requests, quotes and proposals for services/performances/contracts, data related to payments and means of payment, transaction data, data related to contract and relationship tracking, invoice data.
- The duration of data retention is related to the duration of the pre-contractual (for potential partners), contractual or commercial relationship (for current partners) with the company.
3.3 Compliance with legal and regulatory obligations (including accounting, tax, and administrative obligations) related to the execution of contracts concluded by the company, and more generally to the company's activities:
- In order to comply with the various legal or regulatory obligations that may be incumbent upon us (including accounting, tax, administrative obligations, anti-money laundering and counter-terrorism financing (KYC and/or KYT), etc.) resulting from the execution of contracts for which we are a party and more generally from our activity, we process the Personal Data of our contacts (including but not limited to our clients, investors, partners, etc.) for the pursuit of this purpose, but also for the monitoring of our accounting and financial and budgetary situation (including particularly general and analytical accounting, representation and monitoring of asset fluctuations, or the determination of our financial and budgetary position, etc.).
- On this occasion, we collect the following elements: identity (title, first and last name), contact details (postal address, phone number, email address), photograph, nationality, payment and means of payment data, transaction data, contract and relationship tracking data, invoice data. We also use your IP address which can determine your geolocation for monitoring, fraud prevention, and detection, as well as activities related to compliance with our internal procedures.
- The duration of data retention is related to the duration of the current accounting or tax year plus six months; 5 years from the end of the business relationship or the transactions concerned concerning obligations related to anti-money laundering and counter-terrorism financing.
3.4 Email Communications:
- We may process the Personal Data of our clients, prospects, and more broadly our contacts for the purpose of conducting our commercial operations, communications, loyalty-building, or marketing (including technical operations of segmentation, targeting, etc.) via email. This particularly includes sending them certain information for these purposes by such means (namely: email, SMS), such as propositions for products and services that may be of interest to them, information about our news and/or activities (for example, newsletters), other informational or promotional documents, or even studies, surveys, promotions, or satisfaction inquiries. We may also analyze the performance of our prospecting campaigns using tracking information related to your actions regarding the emails we send.
- On these occasions, we collect the following elements: identity, email address, data related to actions taken within the emails (openings, clicks, etc.).
- The duration of data retention is three years from the collection of the Personal Data or the end of our relationship, or from the last contact made by the concerned Person to us (for example, for a client, from the time of a transaction or the use/execution of a service, the end of a service provision contract or the general terms and conditions that bind us, or the last contact made by the client, and for a prospect, from the last contact made by them (online request, email or postal correspondence, telephone call, or even a click in an email addressed to them by the company, etc.)).
3.5 Creating a VANCELIAN Account via the Application
We may collect your personal data when you decide to create an account via our mobile application named "VANCELIAN."
On this occasion, we collect the following information:
- identity (name, first name, title, date of birth),
- contact details (postal address, phone number, email address),
- nationality,
- and financial information.
Your biometric data is also collected (via a video) for identity verification purposes in accordance with Articles L.561-5 and following of the Monetary and Financial Code. This identity verification is carried out by our subcontractor, the company ONFIDO, which receives your data for this purpose.
Your personal data is retained until the closure of your account, except for those necessary to comply with legal and regulatory obligations (see point 3.3 of this policy).
4. COOKIES
The company utilizes "cookies" within the application. Cookies are small files containing textual information. Cookies are stored on your mobile device only when you consent to the placement of cookies when prompted during the use of our App.
For further information, please read our cookie policy available on our website: https://www.vancelian.com/cookie-policy/
5. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the GDPR and the legislation of the EU member state to which we are subject permit us to do so. Most commonly, we will use your personal data in the following circumstances:
- When we need to comply with a legal or regulatory obligation.
- When we need to perform a contract we are about to enter into or have entered into with you.
- When it is necessary for our legitimate interests (or those of a third party) and your fundamental interests and rights do not override those interests.
- When you have given your consent prior to the processing.
6. PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
| Purpose/activity | Data type | Legal basis for processing |
| --- | --- | --- |
| To open and use a Vancelian account | Identity, Contact, Financial, Device | Necessary for the performance of a contract |
| To process in-App purchases and provide services | Identity, Contact, Financial, Transaction, Device, Marketing and Communications, Location | Necessary for the performance of a contract |
| To manage our relationship with you | Identity, contact, finances, profile, marketing and communications | Necessary for the performance of a contract |
| To manage and protect our company and the App | Identity, Contact, Device | Necessary for our legitimate interests |
| Marketing (for subscribing clients) | Identity, Contact, Device, Content, Profile, Usage, Marketing and Communications, Location | Necessary for our legitimate interests |
| Marketing (for prospects) | Identity, Contact | Your consent |
| To improve the application | Identity, Contact, Device, Content, Profile, Usage, Location | Necessary for our legitimate needs |
| To expedite the "Add contact" procedure directly from your phone | Identity, Contact, Your Contact(s) | Consent |
| To ensure compliance with applicable laws and regulations | Communication Data, Identity, Contact, Finance, Transaction, Use | Legal or regulatory obligation |
Use of Your Personal Data
When the processing of personal data is carried out on behalf of the Company, we enter into a separate contract with the processor regarding this processing. This contract constitutes a commitment to GDPR compliance and provides adequate contractual guarantees for the implementation of appropriate technical and organizational measures, which ensure the protection of your rights.
Regarding the transfer of personal data to recipients outside our corporate group, we only transmit data to third parties when required by law, necessary for the performance of the contract, or when you have consented to the transfer. Under these conditions, the third-party recipients of personal data may include:
- Public authorities and institutions (for example, Organismo Agenti e Mediatori, the Central Bank and Financial Services Authority of Ireland, European Central Bank, Financial Authorities, or Law Enforcement Agencies). More information is available on institutional websites.
- Other credit and financial services institutions or similar entities, to whom we transmit personal data necessary for the performance and processing of business relations.
- Other companies within our group for risk control due to legal or official obligations.
- Service providers processing personal data on behalf of our company. These may be service providers who offer services on our behalf, such as identity verification services, web hosting, data analysis, marketing services, information technology and related infrastructure services, customer service, email delivery, and audit services. These service providers may need access to personal data to perform their services.
We authorize these service providers to use or disclose personal data only to provide services on our behalf or to comply with legal requirements. We contractually require these service providers to protect the security and confidentiality of personal data they process on our behalf. Our service providers acting as processors are primarily based within the EU.
7. INTERNATIONAL TRANSFERS
Some of our external third parties are based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA.
When we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing the following safeguard: when we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For more details, see European Commission: Standard Contractual Clauses for data transfers between EU and non-EU countries.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
8. DATA SECURITY
We recognize the importance of protecting and managing your personal data. All personal data that we process is treated with the utmost care and security. This section outlines some of the security measures we have put in place.
We use a range of physical and technical measures to ensure the security of your personal data and to prevent unauthorized access, use, or disclosure:
- Electronic data and databases are stored on secure computer systems with control over information access by physical and electronic means,
- Our staff receives training on data protection and information security,
- We have detailed our policy on data security and protection which staff is required to follow when processing your personal data.
Although we take all reasonable steps to ensure that your personal data is protected against unauthorized access, we cannot guarantee that it will be secure during transmission by you to our application, our website, or other services. We will take all reasonable steps to ensure that all your personal data is protected against unauthorized access and is aligned with our privacy policy.
As no system can be considered 100% secure, we cannot guarantee the security of the personal data you provide to us.
All payment transactions made by us or by the third-party payment processing service provider we have chosen will be encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) technology. When we have given you (or when you have chosen) a password that enables you to access certain parts of our website or App, you are responsible for keeping this password confidential.
We ask you not to share your personal data or password with anyone.
9. DATA RETENTION
The law requires us to retain basic information about our customers (including Contact, Identity, Financial, and Transaction data) for ten years after they cease being customers for tax purposes.
In certain conditions, you can ask us to erase your data: see Your rights below for further information.
In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
10. YOUR RIGHTS
In certain circumstances, you have the following rights under data protection laws in relation to your personal data:
- Right to withdraw consent,
- Right of access,
- Right to rectification,
- Right to erasure,
- Right to restrict processing,
- Right to object, and
- Right to data portability.
Please note: the exercise of these rights is nevertheless limited with respect to Personal Data that would be necessary for the operation of said blockchains (cf. notably the Data retained/stored within the blockchains used in the management, monitoring, and processing of digital asset operations). Indeed, these Data necessary for the operation of the blockchains are neither modifiable nor erasable for the life of the concerned blockchain. Moreover, the retention/storage of these Data in said blockchains is not the responsibility of Automata France which neither manages nor controls said blockchains, and therefore has no power of determination nor control over the Processing of Personal Data that may be implemented within said blockchains, nor to reflect the exercise by the concerned Persons of their rights with respect to said blockchains.
For any other request, you can contact us:
- by mail: 240 rue Evariste Galois, 06410, Biot, Sophia Antipolis
- by Email: mydata@vancelian.com
In any case, in the event of reasonable doubt as to the identity of the person submitting such a request to exercise their rights, the company may always request that additional information necessary to confirm the identity of the Concerned Person be provided and may request, where the situation requires it, a photocopy of an identity document bearing the holder's signature. In such a case, the aforementioned response times will be suspended pending receipt of the necessary additional information to identify the Concerned Person.
In the event of receiving such a request, it will be answered as soon as possible and in any event within a maximum period of one month from receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests received, in which case the requester will be informed.
The request may be submitted by the Data Subject or by a person specially authorized for this purpose by the Data Subject, provided that the authorized person justifies their own identity and that of the principal, the authorization itself, as well as its specific duration and purpose. The authorization must also specify whether the authorized agent can receive the response.
Furthermore, you always have the right to lodge a complaint with the competent supervisory authority (in France, this is the National Commission on Informatics and Liberty known as "CNIL": 3 Place de Fontenoy - TSA 80715 – 75334 Paris cedex 07; tel.: 01 53 73 22 22) if you believe that the processing of your Personal Data is not carried out in accordance with the legal and regulatory provisions concerning the protection of Personal Data.
To understand your rights, you may also refer to the explanations provided by the CNIL here: https://www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles.
11. CAN THIS DATA PROTECTION POLICY BE MODIFIED?
11.1 This Data Protection Policy is subject to change at any time, which will take effect on the date of publication of the corresponding update.
11.2 Indeed, in the case of modification, the new Data Protection Policy will be posted on the Site in the dedicated section. Moreover, all forms for the collection of Personal Data that may appear on our Site provide a link to this policy.
11.3 We therefore invite you to consult it regularly.
12. WHAT IS THE SITE'S POLICY ON COOKIE MANAGEMENT?
12.1 Cookies and other trackers or similar technologies may be installed and/or read in your browser or terminal during your visit to the Site.
12.2 Click here to access our "cookie management policy," which is also accessible via a link embedded in the footer of all pages of the Site.
Date of the last update: October 21, 2024
GLOSSARY
Legal basis
Consent means the processing of your personal data when you have signified your agreement by a declaration or a clear acceptance of the processing for a specific purpose. Consent is only valid if it is a free, specific, informed and unambiguous indication of what you want. You may withdraw your consent at any time by contacting us.
Legitimate interest means our company's interest in conducting and managing our business to enable us to offer you the best service/product and the best and safest experience. We take care to consider and balance any potential impact on you (both positive and negative) and your rights before processing your personal data as part of our legitimate interests. We do not use your personal data for activities where the impact on you outweighs our interests (unless we have your consent or are required or permitted to do so by law). You can find out more about how we assess our legitimate interests against the potential impact on you in relation to specific activities by contacting us at
Contract performance means that the processing of your data is necessary for the performance of a contract to which you are a party or to take measures at your request prior to the conclusion of such a contract.
Complying with a legal obligation means processing your personal data where this is necessary to comply with a legal obligation to which we are subject.
Description of the categories of personal data
- Identity data: first name, last name, maiden name, user name or similar identifier, marital status, title, date of birth, gender
- Contact data: billing address, delivery address, e-mail address and telephone numbers.
- Financial data: bank account and payment card details.
- Transaction data: includes details of payments made to and by you, as well as details of in-App purchases.
- Device data: includes the type of mobile device you use, a unique device identifier (for example, the IMEI number of your device, the MAC address of the device's wireless network interface or the cell phone number used by the device), mobile network information, your mobile operating system, IP addresses, the type of mobile browser you use, time zone setting.
- Content data: includes information stored on your device, including connection information.
- Profile data: includes your username and password, in-app purchase history, interests, preferences, comments and survey responses.
- Usage Data: includes details of your use of any of our Apps or your visits to any of our sites, including, but not limited to, traffic and other communication data, whether required for our own billing purposes or otherwise, and the resources you access.
- Marketing and communication data: includes your preferences for receiving advertising messages from us and our third parties, as well as your communication preferences.
- Location data: includes your geolocation revealed by your IP address.
- Biometric data: Facial recognition and image data to verify your identity. We will review photos of your face to confirm that a relevant photo ID belongs to you. We use automated identity verification technology that uses the distinctive physiological features of your face (known as biometric identifiers) to match photos of your face with the photo on the identity document.