Privacy policy

The aim of this Policy is to inform users (the Users) of the reflek.io website (the Website) what kind of personal data may be processed on the Website; further, it informs the Users about processing purposes and the manner of using the data, and about related rights available to the Users. A personal data controller (the Controller) protects the Users' privacy and ensures security of data provided by the Users. The Controller complies with personal data processing rules and applies technical and organisational measures which guarantee that the data are secure and processed as prescribed by law. The Users' personal data are always processed in conformity with applicable laws, including in particular pursuant to the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the GDPR). The personal data may be processed in the Users' cookies, in line with rules laid down in the Cookies Policy.

Who is the controller?

The Controller is reflek.io with registered office in Paris (75008), France, 37-39 rue de Surène, 890 140 486 R.C.S. Créteil. Contact address: dpo@reflek.io. Data subjects can contact the Controller also otherwise as preferred, including verbally and in writing.

Purposes of, and a legal basis for, the processing:

  • to provide the Services:

Some of the Services might require the submission of personal data. In such a case, the personal data are processed in order to carry out activities, at the User's request, prior to the conclusion of an agreement, and to perform an agreement, which applies also to the Newsletter Service (Art. 6.1.b of the GDPR). Without the personal data, it will not be possible to render some Services for the User;

  • in order to exchange e-mail correspondence:

The personal data are processed in order to communicate with the User (Art. 6.1.f of the GDPR). The personal data are provided on a voluntary basis but the provision thereof is necessary to receive a reply from the Controller. In such a case, the personal data are processed due to the Controller's legitimate interests. The Controller's legitimate interest consists in communicating with an individual who asks the Controller to provide an answer. As its legitimate interests, pursuant to Art. 6.1.f of the GDPR, the Controller also considers: pursuit of and protection against claims, fraud prevention, statistics and analytics, ensuring ICT environment security, application of internal control systems, and in some cases also direct marketing of its own services.

Personal data recipients

The personal data may be processed also by the Controller's other service providers rendering, among others, financial settlements, legal, advisory, consulting, archiving and IT services. The Users' data will not be shared with any third parties, unless this proves necessary and the User consents thereto or a data disclosure obligation results from mandatory rules of law, a final and non-appealable court judgment or a final decision of a relevant body. The Controller does not transfer any data to third countries outside the EEA, yet in some cases Webflow, Inc. (which, as a rule, processes data in the EEA) may transfer the personal data to the USA on terms specified in its Privacy Statement. In such a case, the data may be transferred exclusively in compliance with the GDPR requirements.

What does profiling involve and are any data on the Website subject to profiling?

Profiling consists in any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's work performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning the data subject or similarly significantly affects the data subject. The Controller does not profile the User's data.

How can personal data be changed?

The User has the right of access to content of their personal data and the right of rectification and erasure of the personal data, the right to restrict processing of the data and the right to data portability. The User has the right to object to processing of the personal data, which involves especially the profiling. To this end, the User can contact the Controller at an e-mail address: contact@reflek.io. The User can contact the Controller also otherwise as preferred, including verbally and in writing. As for cookies, the User can make relevant changes on their own, in accordance with rules laid down in the Cookies Policy.

How does the Controller protect the personal data?

The Controller protects the Users' data against unauthorised access, disclosure, change or destruction. In particular, the Controller makes use of data encryption, physical security measures and verification in IT systems. Further, the Controller uses anti-virus software and firewalls. The Users' data may be accessed exclusively by authorised individuals bound by confidentiality and by subcontractors that have entered into personal data sub-processing agreements with the Controller and satisfy security criteria set forth therein.

How long will the personal data be processed?

The Users' data shall be processed for as long as the Users use the Website. In case of the provision of the Services, the personal data shall be processed for as long as the Services are provided. In case of e-mail correspondence, the personal data shall be processed for a period necessary to provide the User with an answer. To a limited extent, the personal data may also be processed upon the lapse of the indicated terms, until any potential claims are time-barred or for as long as possible or required in compliance with applicable laws, e.g. for statistical purposes. Upon the lapse of a processing period, the personal data are permanently deleted or anonymised.

Other data processing related rights of the Users

The Users have the right to file a complaint with the President of the Personal Data Protection Office if they consider that their personal data are processed in breach of mandatory rules of law.

This Policy shall apply upon its publication on the Website.