Privacy Policy

LivinFrance Privacy Policy

General

The Eden Initiative company (Operator of the LivinFrance service), in its capacity as data controller, attaches the greatest importance to the respect and protection of your personal data.

The purpose of this privacy policy is to inform you about the purposes and methods of processing the data that you may provide to us through our web application livin-france.com (hereinafter "the App"), accessible from the website https://www.livin-France.com or https://livin-france.com/ECOLE/register (hereinafter "the Site"), or through our "Call centre".

ECOLE -> is a URL customisation that we offer to our partner schools and universities This document also sets out your rights in relation to the data we hold about you. If you have any queries, please contact our Data Protection Ofﬁcer, whose details are set out below.

Eden Initiative will hereafter be referred to as "LivinFrance", "we" or "us".

Identity of the Data Controller and Data Protection Ofﬁcer

The person in charge of processing users' personal data collected via the above-mentioned Site and App is: Eden Initiative, a simpliﬁed joint stock company (SAS), with a capital of 4,200 euros, whose registered ofﬁce is located at 185 BD Vauban in Lille, 59000, SIREN number (812904928), represented by Mr Antoine Trannoy, Data Protection Ofﬁcer (or "DPO"), email: Antoinel@LivinFrance.com

Competent supervisory authorities

The competent supervisory authority is, as appropriate :

France : Commission nationale de l'informatique et des libertés (CNIL); 3 place de Fontenoy 75007 PARIS, tel: +33153732222

For any information relating to your personal data, you can contact the Data Controller or the DPO at the postal address indicated above, or by email at the following address

Hello@LivinFrance.com, for the Data Controller Antoine@LivinFrance.com, for the Data Protection Ofﬁcer (DPO)

Data collected

What personal data do we collect?

When do we collect your personal data?

Personal data (also known as personal data) refers to any information relating to a natural person from which that person can be identiﬁed, directly or indirectly, such as his or her ﬁrst and last name, e-mail address or telephone number.

In the course of our business, we may collect your personal data when :

you engage in a contract subscription or termination (energy, internet box, mobile, insurance, AVI or other services) on our Web App or via our Call centre;

you browse our Site and/or App and use our services (CAF, VISA, CVEC, health insurance);

you browse our Site and/or App and complete the my account section

you contact our customer service directly, by phone, email, post or online chat.

We may also receive information from third parties, in this case our partners, when you enter into a contract with one of them through us (for example, to conﬁrm that the contract has been taken into account and validated).

The collection of your data by our services is a prerequisite for the conclusion of contracts with our partners (energy, telephone and internet suppliers, insurers, other service providers). You have the right to refuse to provide the information requested. However, this may compromise the processing of your requests relating to the services offered by the Data Controller.

Where certain information is required to access speciﬁc features of the Site or App, the form will indicate the mandatory nature of the information at the time of entry.

Data that you transmit directly to us

The personal data we collect is essentially the information you provide directly to us when you initiate a subscription (or termination) process on our App or by phone via our Call centre. This data includes:

The identiﬁcation data necessary to create an online user account: surname, ﬁrst name, nationality, email address, telephone number;

The data required to qualify your needs and obtain quotes and comparison information (for an energy contract, for example, we need to know the type of energy you need, the operation of your equipment to estimate your consumption, the type of accommodation you occupy or the desired start date of the subscription);

The data required to subscribe to the offers you select (in particular, information relating to payment (credit card number, cryptogram, expiry date) when you agree to us proceeding on your behalf to the payment of a subscribed offer);

Proof of identity, in the event of a request for access, rectiﬁcation, deletion, limitation or portability of your data.

Other personal documents to help with the constitution of the ﬁle (for example, to open your CAF account, we need your IBAN, original birth certiﬁcate in French, a copy of your identity card or passport, and proof of health cover) [a]

Please note that our telephone experts, duly authorised for this purpose, may collect, on a complementary basis, certain personal data concerning you, other than those expressly provided for in the ﬁelds of the forms of the various courses, by taking notes in a free ﬁeld of our CRM provided for this purpose, only when this is strictly necessary for the processing of your requests. The content of this ﬁeld is automatically and irreversibly destroyed 3 months after it is entered. You have the right to speciﬁcally object to this processing and can contact our Data Protection Ofﬁcer at the above-mentioned addresses.

Data that you transmit to us indirectly

When you enter into a contract with one of our partners (e.g. energy supplier, internet box provider, insurance company, etc.) through us, that partner may share information about the contract with us.

The data we collect automatically

In addition to the information you provide directly, we collect a certain amount of data relating to your connection, your navigation and your interaction with our services.

Login and browsing data on our Site and App: we collect, through cookies (see Cookies below), information about how you interact with our content/features which helps us to optimise the user experience and the offering we provide to our visitors.

Customer Service interaction data: when you contact us by telephone, post, email or via our chat facility. We may retain the date, reason for your enquiry and the content of your interaction with Customer Services to ensure effective follow-up of your needs. If you contact us by telephone, please note that your call may be recorded for training purposes and to improve our services.

2.5 Telephone records

In order to improve the quality of the user experience delivered by our call centre, to optimise the training of our operators in this respect, and to evaluate them, your calls may be recorded. This recording is not systematic. The recordings are kept for a period that cannot exceed six months. You may, if you wish, object to this processing by contacting our DPO at the above address.

Purpose of the processing

How do we use the data we collect?

We only process your personal data where we have a relevant legal basis for doing so. Depending on the purpose of the processing, we may process personal data in accordance with the following a contractual or pre-contractual necessity for the purposes of the legitimate interests pursued by Eden Initiative, namely :

our legitimate economic and commercial interest

improving our offer training and evaluation of our employees

compliance with a legal obligation

Recipients of the data

Who are the recipients of the data we collect? Why do we give them this information? We strive to treat your personal data as private and conﬁdential.

The data collected or processed during the use of our services are intended for the entities of LivinFrance, more precisely for the persons authorized and authorized internally to have knowledge of them for the purposes of the above-mentioned processing.

This data may also be used for :

to our partners provided the student is the initiator (energy, telephone/internet access providers, insurers and other service providers) to validate and activate any contracts you may take out with them through us

your school, only if you have registered via a partner school registration page such as "https://livin-france.com/ECOLE/register", usually the school itself will have sent you their "Partner Registration URL". [b]

Apart from the cases listed above, your personal data may only be disclosed in accordance with a law, regulation or decision of a competent regulatory or judicial authority or, if necessary, for the purposes of the Data Controller to protect your rights and interests.

How long we keep your data

How long do we keep your personal data?

Your data is kept in an active database for a period of 3 years from the date of your last activity on the App (subscription to a contract, connection) or via our Call centre (incoming call), or from the closing of your user account.

We may retain certain personal data for a longer period of time, including after your account has been closed, to fulﬁl our legal retention obligations or those of our partners and to defend or enforce our rights. After the expiry of the 3-year period mentioned above, your data may be archived for 5 years in a dedicated archive, with restricted access. This data, which is kept as evidence, is kept in its entirety, taking into account the purposes for which it was collected.

The transfer to the intermediate storage base is irreversible and the data stored there can no longer be re-entered into the active base.

This data is concomitantly transferred to our Big Data platform for statistical purposes. This data, which is 100% anonymised, in an irreversible manner, at the end of the 3-year period mentioned above, is useful to us for drawing up statistics on the development and performance of our activity.

Some personal data are subject to a shorter retention period, which may not exceed :

3 months from the date of entry for notes entered manually by our call centre operators

6 months for audio recordings of telephone conversations via our call centre

1 year for identity documents

13 months from the date of deposit for cookies

Data security

What security measures are applied to your data?

The security of your personal data is important to us. Because we want you to use our services with conﬁdence, we are committed to ensuring the protection of the data you entrust to us. We have put in place physical, technical and organisational measures to ensure that your personal data is protected against unauthorised access, accidental loss, destruction or damage.

We use ﬁrewalls to prevent unauthorised access to your information.

For enhanced security, our server operates in HTTPS (encryption of data using an algorithm that only the recipient can read), basic passwords are encrypted with a sha256 algorithm. Routes are protected so that they only respond to the user who has made the request (and veriﬁed rights, if necessary) and calls are protected via CSRF. Personal ﬁles are stored on an amazon S3 server, managing a policy of time-limited access rights and rights veriﬁcation. In addition, access to the production databases is controlled and secured (IP ﬁltering, access management policy) and the access keys to the computer servers are themselves encrypted and their access is logged.

Concerning payment data: we do not store any credit card data. We delegate the secure processing of this data to Stripe, a certiﬁed payment intermediary.

Several speciﬁc procedures have been put in place within our internal organisation to optimise the security of your data and minimise the risk of disclosure:

The appointment of a Technical Data Security Ofﬁcer, whose responsibilities include regularly auditing the effectiveness of the procedures in place

Raising awareness and training our staff on their obligations regarding the protection of personal data.

Notiﬁcation of data breaches to the CNIL within 48 hours

Conducting a data protection impact assessment - scheduled once a year

Your rights

What are your rights regarding your personal data?

In accordance with the provisions of Articles 38 to 40 of Law No. 78-17 of 6 January 1978, as amended, relating to information technology, ﬁles and freedoms, and Articles 15 to 22 of Regulation No. 2016/679/EU of the European Parliament and of the Council of 27 April 2016, on the General Data Protection Regulation (GDPR), you have a number of rights concerning the personal data we hold about you.

In order to exercise these rights, we invite you to contact the Data Controller or the Data Protection Ofﬁcer directly, by post or by email, at the above addresses.

For security reasons and to avoid fraudulent applications, this application must be accompanied by proof of identity. Once the application has been processed, this proof of identity will be destroyed.

The right to be informed

You have the right to be informed in a clear, transparent and understandable way about how we collect and process your personal data and about your rights regarding this data. That is the purpose of this privacy policy!

The right of access and communication of data

You have the right to access your personal data that is processed by us. If you wish to access the information we hold about you, please contact the Data Controller or the Data Protection Ofﬁcer at the above addresses. For any request made electronically, we will provide you with a copy of the data in a commonly used electronic form, unless you request otherwise. The Controller is entitled to charge a reasonable fee to cover administrative costs for any additional copies and/or to object to requests which are manifestly unreasonable in number, repetition or systematicity. To help you in your approach, the National Commission for Information Technology and Civil Liberties (CNIL) provides you with a model letter at the following address:

https//www.cnil.fr/fr/modele/courrier/exercer-son-droit-dacces

The right of rectiﬁcation

You have the right to obtain the rectiﬁcation and/or updating of personal data concerning you that we hold if such data is inaccurate, incomplete, ambiguous or out of date.

To help you in your approach, the Commission nationale de l'informatique et des libertés (CNIL) provides you with a model letter at the following address: https://www.cnil.fr/fr/modele/courrier/rectiﬁer-des-donnees-inexactes-obsoletes-ou-perime es

The right of deletion

Also known as the "right to be forgotten". You have the right to ask us to delete the personal information we hold about you. To help you in your request, the French National Commission for Information Technology and Civil Liberties (CNIL) provides you with a model letter at the following address:

https://www.cnil.fr/fr/modele/courrier/supprimer-des-informations-vous-concernant-dun-sit e-internet

The right to restrict processing

You have the right to obtain a restriction on the processing of your personal data in the following situations:

you challenge the accuracy of your Personal Data for the period of time necessary for us to verify the accuracy of your Personal Data; and/or

in the event of unlawful processing by us and you request a restriction on their use rather than erasure; and/or

we no longer need the personal data for the purposes of the processing, but they are still necessary for the establishment, exercise or defence of legal claims; and/or

if you exercise your right to object during the period of veriﬁcation as to whether the legitimate reasons we are pursuing override yours.

Where the processing of your personal data is subject to restriction, the Controller may, with the exception of storage, process your personal data only with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or on important Union or Member State public interest grounds.

The right to object to the processing

You have the right to object, on legitimate grounds relating to your particular situation, to the processing of your personal data, unless we can demonstrate that such processing is justiﬁed by compelling legitimate grounds which override your grounds.

In particular, you have the right to object, free of charge, to the use of your data for canvassing purposes, in particular commercial canvassing by us or by a third party.

The right to data portability

You have the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable format, so that you can re-use it for your own purposes by passing it on to another data controller yourself.

The right to withdraw consent

Where processing is based on your consent, you have the right to withdraw your consent at any time, without prejudice to the lawfulness of the processing based on consent carried out prior to the withdrawal of consent. To do so, simply contact us at the above address.

The right to object to telephone solicitation

We may contact you by telephone to ﬁnalise a contract you have entered into with us, either by telephone or directly on our website, or to offer you a service similar to the one(s) you have already entered into with us (provided you have given us your telephone number). You have the right to object to your personal data being processed by telephone.

Since 1 June 2016, the government has set up a free telephone opposition list for consumers, which can be accessed at www.bloctel.gouv.fr

The right to determine instructions concerning the processing of your data after your death

You have the right to determine instructions regarding the retention, deletion and communication of your personal data after your death. In order to deﬁne these instructions, we invite you to contact our Data Protection Ofﬁcer at the above address.

The right to lodge a complaint with the competent supervisory authority

You have the right to lodge a complaint about the way we handle or process your data with the relevant national supervisory authority (see 1.2).

Time limits for processing rights and notiﬁcation

We undertake to respond to your requests within a reasonable period of time, which shall not exceed 1 month from the receipt of your request, and to notify you of any operations carried out by our services in accordance with your requests.

Closing your user account

If you close your user account, we will in principle keep your personal data for a period which may not exceed 3 years. However, you have the right to object to this processing by exercising your right to erasure in the manner described above.

Data transfer

Eden Initiative complies with the strict rules established by the General Data Protection Regulation (GDPR) of the European Union regarding data transfer. The company does not transfer personal data outside the European Union, which means that all personal information collected and processed by the company remains within the EU zone and is subject to the protection of European data protection legislation. Eden Initiative is committed to continuing to comply with these strict rules and to protect the personal data of its customers and users in accordance with the regulations in force in the European Union.

Updating the privacy policy

We may change this privacy policy from time to time. The date on which the latest revisions were made will appear in this article. All changes will be effective upon posting.

We will be sure to let you know if we do so, either by email to the email address you have provided, or by posting a notiﬁcation directly on our Site and Application.

We invite you to consult this document regularly in order to be aware of the most recent version.

This privacy policy was last updated on 31 March 2021.