Privacy Policy
Article 1 – Definitions
For the purposes of this Privacy Policy, the following terms, whether used in the singular or plural, will have the following meaning:
AYO17: AYO17 (trade name AYOLAB), a French “société par actions simplifiée” with a share capital of 48,472 euros, registered in the Register of Commerce and Companies of Paris (France) under the number 831 026 224, with registered office at 200 Avenue du Maine 75014 Paris, represented by ABISKO CONSEIL, president, a French limited liability company (“société à responsabilité limitée”) with a single partner, registered in the Register of Commerce and Companies of Paris under the number 830 512 745, itself represented by Mr. Christophe Le Houédec in his capacity as managing director. AYO17 publishes and operates the www.ayolab.com and app.ayolab.com sites.
Customer: any professional customer who has subscribed to the Services provided by AYO17.
Data Controller: any organization, person, or body that determines the purposes and means of processing Personal Data, controls the Data and is responsible for it, alone or jointly.
Data Processor: The person or entity processing Personal Data on behalf of the Data Controller. The Data Processor acts under the authority of the Data Controller and on the instruction of the latter.
General Data Protection Regulation or GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Are also covered by this definition any regulatory and/or legislative texts aiming at the implementation of the GDPR.
Personal Data or Data: Any information about an identified or unidentifiable individual. Under Article 4 -1 of the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural persona natural.
Personal Data includes data specific to an individual that, separately or when combined, can identify the data subject directly or indirectly.
Platform: the AYO17 software platform allowing Customers to access their personal space and the AYO17 Services.
Privacy Policy: This document, which contains Data protection rules for the access and use of the AYO17 Platform and the rights of users regarding Personal Data. The Privacy Policy is available in the AYO17 application as well as on www.ayolab.com and app.ayolab.com sites. Its acceptance by the user is a prerequisite for the use of AYO17 Services.
Services or AYO17 Services: access to a Software-as-a-Service solution that consists mainly in making available a platform operating automated and regular benchmarks through an innovative software solution enabling AYO17 to (i) record public information published on e-commerce websites worldwide, (ii) store it electronically, and (iii) makes it available to the Customer through a dedicated website, on a subscription basis.
Article 2 – Personal Data Protection
2.1 Principle
The collection and processing of Personal Data is necessary for the operation of the AYO17 Platform. For any processing of Personal Data carried out by AYO17, or by the Customer for the purposes of the operation of the AYO17 Platform, both parties will comply with the GDPR and related legislation.
AYO17 is committed to an ongoing approach to protecting the Data of users of its Services.
2.2 Data Controller, Data Processor
As part of the Platform’s operation:
1. For Personal Data provided by the Customer to AYO17 for the access of its employees and/or agents to the Services, the Data Controller is the Customer, and AYO17 is Data Processor on behalf of the Data Controller.
2. For personal data collected from users as part of (a) the creation of the user’s personal password, (b) user’s navigation on the site or in the Platform and (c) account usage metrics, traffic metrics and/or statistics relating to the use of the tool, the Data Controller is AYO17.
For any question relating to AYO17 Data protection, the user can reach Mr. François MISSLIN, at 200 Avenue du Maine 75014 Paris and at the following email address: [email protected]
2.3 General Responsibilities of the Customer as Data Controller
It is the responsibility of the Customer acting as Data Controller to ensure, in accordance with applicable laws and regulations, the collection of Personal Data concerning its employees and/or agents and their registration in the Platform, as well as the respect of the rights of each data subject.
As such, the Customer guarantees that all Personal Data transmitted to AYO17 has been collected in accordance with the applicable regulations and in particular that the Customer has validly obtained the consent of the persons concerned after fully informing them of their rights, the nature of the collected Data, the duration of retention of such Data, as well as the nature and purposes of the treatments that could be carried out on these Data.
2.4 General responsibility of AYO17 when acting as a Data Controller or Data Processor:
Whether acting as Data Controller or Data Processor, AYO17 takes steps to ensure the protection and confidentiality of the personal information it holds or processes, in accordance with legal and regulatory provisions.
2.4.1 Data Collection
Regarding Personal Data it collects, AYO17 undertakes to obtain the consent of its users and to allow them to object to the use of their Data for certain purposes, as soon as necessary.
When browsing the AYO17 site, users are informed of the purposes for which their Data is collected via the online data collection forms.
2.4.2 Necessity and Purpose of Data Collection
Need for collection
The user communicates certain Personal Data for the creation of her/his account in the AYO17 application and for accessing the Services.
The communication of this Personal Data is essential to access the Customer’s personal space and to the user’s navigation on the Platform.
Failing provision of the requested information, the user will not be able to benefit from the application and the AYO17 Services.
Purposes
Collection of Personal Data of users of the AYO17 Services has the following legal basis:
– AYO17’s legitimate interest in ensuring the smooth operation of the AYO17 application and allowing its access to the Customers;
– The necessity to collect the users’ consent when it is required by current regulations, especially with regard to cookies;
– AYO17’s legitimate interest in improving its Services and complying with its Customers needs.
Personal Data of AYO17 Platform’s users is mainly processed to allow their navigation and use of the AYO17 application.
2.4.3 Types of Data Processed
AYO17 is likely to process, as Data Processor on behalf of the Customer, all or part of the following Data:
– professional email address
– name of the corporate structure the user belongs to
– Customer account name and number
AYO17 is likely to process, as Data Controller:
– to enable navigation and use of the AYO17 application: login and usage data, business email and password.
– to prevent and combat computer fraud (spamming, hacking…): computer hardware used for navigation, IP address, password.
– for account usage metrics and traffic metrics and/or for conducting satisfaction surveys on AYO17 Services: IP address and/or email
2.5 Hosting – Security
2.5.1 Personal Data processed by AYO17 is hosted on servers located in Ireland (EU) by AWS (Amazon Web Services), which is committed to complying with the provisions of the GDPR. The AWS GDPR DPA also includes EU Model Clauses, which were approved by the European Union (EU) data protection authorities, known as the Article 29 Working Party. This means that AWS wishing customers to transfer personal data from the European Economic Area (EEA) to other countries can do so with the knowledge that their personal data on AWS will be given the same high level of protection it receives in the EEA.
2.5.2 AYO17, as well as the Customer when it is acting as Data Controller, also implements all technical and organizational measures to ensure the security of Personal Data processing and the confidentiality of Personal Data.
As such, both parties shall take all necessary precautions, given the nature of the Data and the risks presented by its processing, in order to preserve the security of the Data and, in particular, to prevent it from being distorted, damaged, or from being accessed to by unauthorized third parties (physical protection of premises, authentication processes with personal access and secured access via confidential logs and passwords, logins, encryption of certain data…).
Both parties are committed to:
– Process data only for the purposes of the Services and purposes listed in this Privacy Policy;
– Ensure the confidentiality of Personal Data processed as part of the project referred to herein;
– Ensure that persons authorized to process Personal Data for the purposes of the project: (i) undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality, (ii) receive the necessary training in the protection of Personal Data;
– Take into account principles of Data protection by design and Data protection by default, in terms of tools, products, applications or services;
– Introduce procedures to detect and respond to unauthorized appropriation or security breach affecting Personal Data when such data is in its possession or under its control;
– Only keep Personal Data in its records for the maximum period of time specified under article 2. 7 herein. At the end of this period, the Data will be either destroyed or anonymized as provided herein.
2.6 Transfer of Data within and outside the borders of the European Union
The user’s Personal Data may be processed by AYO17 subsidiaries and subcontractors (service providers), in absolute compliance with the above principle, exclusively in order to achieve the purposes of this Privacy Policy.
The persons who are likely to have access to users Data are primarily AYO17 customer services and/or other AYO17 employees or agents.
As far as the app.ayolab.com site is concerned, Personal Data is transferred :
– to the company Amazon Web Service (AWS) for hosting on servers located in Ireland (EU) (see article 2.5.1 above)
– to the company Amplitude Inc. , on servers located in the US for the purpose of collecting emails and account metrics for tracking purposes in order to improve customer success. Amplitude Inc. is committed to complying with the provisions of the GDPR and the standard contractual clauses issued by the European Commission on the protection of Personal Data.
– the users’ IP addresses are communicated to Cloudflare Inc. on servers located in the USA in order to provide additional security measures (Web Application Firewall). Cloudflare Inc. is also committed to complying with the provisions of the GDPR and the standard contractual clauses issued by the European Commission on the protection of Personal Data.
As far as the www.ayolab.com site is concerned: users’ IP addresses are communicated to our Google Analytics (USA) provider as well as Wp-Engine (which servers are located in Germany EU) and Cloudflare Inc. (USA); we use Google Analytics to get anonymized traffic metrics (origin, demographics, unique visitors) and Wp-engine to host the website as well as Cloudflare Inc. for providing additional security measures (Web Application Firewall).
2.7 Data retention period
Personal data is kept by AYO17 only for the time required for the purposes listed in article 2.4.2 above, in accordance with legal requirements, i.e. a maximum duration of three (3) years. At the end of this period, in the absence of renewal of the subscription to the Service, the Data will be anonymized in AYO17 records, and then destroyed after five (5) years .
2.8 Users rights
In accordance with the provisions of the law and the GDPR, users of the AYO17 Services have the following rights:
– right of access (Article 15 GDPR) and right to rectification and erasure (Articles 16 and 17 GDPR),
– right to lock or delete personal users’ data (Article 17 of the GDPR), where it is inaccurate, incomplete, equivocal, out of date, or where collection, use, communication or retention is prohibited, right to be forgotten;
– right to withdraw consent at any time (Article 13-2c GDPR)
– right to restrict the processing of user data (Article 18 GDPR)
– right to data portability (Article 20 GDPR)
– right to object to the processing of user data (Article 21 GDPR) and object automated individual decision-making including profiling (Articles 21 and 22 GDPR);
– right to define the fate of users’ Data after death.
For the exercise of any of the above mentioned rights, the user can contact Mr. François MISSLIN at : AYO17 – 200 Maine Avenue 75014 PARIS, or by email at: [email protected]
To this end, the user must indicate the Personal Data that he would like AYO17 to correct, update or delete, by identifying himself precisely with a copy of an identity document (identity card or passport).
Requests to delete Personal Data will be subject to the obligations imposed on AYO17 by law, including the retention or archiving of documents.
Where possible, AYO17 will assist the Customer in fulfilling its obligation to respond to requests of the data subjects for the exercise of their rights, with regard to Personal Data for which the Customer is the Data Controller. In the event that users apply to AYO17 for the exercise of their rights regarding such Data, AYO17 will e-mail these requests to the Client’s Data Protection Officer (DPO) or any other service designated by the Customer.
2.9 Register:
AYO17 will keep a record of processing operations performed as a Data Controller and/or as a Data Processor, including:
– the name and contact information of the Data Controller, Data Processor and DPO, if any,
– The types of processing performed on Data,
– if relevant, transfers of Personal Data to a third country or to an international organisation, including the identification of that third country or that international organisation and, in the case of transfers covered by Article 49, paragraph 1, 2° of the GDPR, documents attesting to the existence of appropriate security measures;
– where possible, a general description of technical and organizational security measures, including, among other things, as required:
1. encrypting Personal Data
2. Ways to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
3. Ways to restore the availability and access of Personal Data within an appropriate time frame in the event of a physical or technical incident;
4. a procedure to regularly test, analyze and evaluate the effectiveness of technical and organisational measures to ensure the safety of Data processing.
2.10 Cookies
We inform you that cookies can be installed automatically on the navigation software during your visits to the sites www.ayolab.com and app.ayolab.com.
A cookie is a data block containing information that is transferred to your computer’s hard drive.
Cookies implemented on www.ayolab.com and app.ayolab.com sites are primarily intended to enable the operation of these websites, to facilitate users navigation and/or to improve AYO Services.
These include:
– Operational cookies, allowing us to recognize you when you log in to use the Services, prevent fraudulent activities, and improve security;
– Tracking cookies (emails and/or IP addresses) allowing our providers Amplitude Inc. (for the site ayolab.com) or Google Analytics (for the site www.ayolab.com) to establish usage and traffic metrics and improve our Services, as mentioned in article 2.6 above.
When connecting to www.ayolab.com and app.ayolab.com sites, the user is informed of the existence of these cookies and has the option, by checking the boxes provided for this purpose, either to accept them, to refuse them, or to block some of them.
However, disabling all cookies can result in an impact on navigation.
Cookies not strictly necessary for the operation of the sites expire after a period of thirteen (13) months from the date of the user’s consent.
We draw your attention to the fact that third parties (such as providers of internet audience analytics services) may also use cookies, over which we have no control.