POLICY ON PROTECTION OF USERS’ PERSONAL DATA

1. Definition and nature of personal data

When you use the Shine application (shine.fr), we may ask you for personal data relating to you so that you can use the services made available within the Application.

For the purposes of this policy, the term ‘personal data’ refers to all data that makes it possible to identify an individual, usually comprising your first names, your last name, your postal and email address, your phone numbers, copies of your personal identity documents, information pertaining to your line of business, information pertaining to the handling of your payment methods and your transactions within the Application, and any other information about you that you choose to communicate to us.

2. Purpose of this policy

The purpose of this policy is to tell you about the methods we use to gather your personal data, strictly respecting your rights in this matter.

For these purposes, we hereby draw your attention to the fact that in respect of the gathering and handling of your personal data we comply with the French Act n° 78-17 dated 6th January 1978 relating to computerised information, files and freedoms in its present form, referred to as ‘Computer technology and Freedoms’ [‘Informatique et Libertés’] as well as the regulation (EU) 2016/679 of 27th April 2016 (hereinafter referred to as the ‘GDPR’).

3. Identity of data gathering manager

The entity that is responsible for the gathering and handling of your personal data is the company SHINE, a simplified joint-stock company registered at the Trade and Business Registry of Bobigny under number 828 701 557 and headquartered at 12, rue Anselme – 93400 Saint-Ouen, France.

4. Appointed data protection officer

We have appointed a data protection officer, whose contact details are as follows: dpo@shine.fr.

5. Gathering of personal data

The legal basis of our gathering of your personal data is as follows:

  1. The legitimate interest when you willingly give us your personal data when you go to our website, the data then being gathered so that we are better able to respond to your requests for information about our Services
  2. Your consent relating to the audience analysis tools as set out in article 11
  3. This gathering of data being necessary for the contract that has been agreed to be executed when you use our Services in the Application.

Your personal data is gathered in order to achieve one or more of the following ends:

  1. To manage your access to certain services accessible within the Application, and for their use
  2. To carry out operations relating to customer management concerning contracts, orders, deliveries, invoices, loyalty programmes, and customer relationship management,
  3. To compile a file of signed-up members, users, customers and potential customers,
  4. To send out newsletters, requests and promotional messages. If you do not wish to receive these, then you have the option to make your wishes known on this matter when your data is being gathered
  5. To compile marketing statistics and figures on visits to our services,
  6. To organise competitions, prize draws and any other promotional initiatives other than online luck and gambling games, subject to the approval of the online games regulation authority,
  7. To manage reviews submitted by people on products, services or content,
  8. To manage any unpaid or disputed items relating to the use of our products and services
  9. To customise responses to your requests for information
  10. To comply with our legal and regulatory obligations.

When we gather your personal data, we will tell you whether certain data must compulsorily be given, or whether it is optional. Compulsory data is vital to the functioning of Services. As far as optional data is concerned, it is entirely up to you whether you give or do not give this information. We will also tell you what the consequences are of your declining to give a response.

6. Recipients of gathered data

Your personal data can be accessed by the staff of our company, the services tasked with managing it (in particular the auditor) and our sub-contractors.

Other potential recipients of your personal data are public authorities, exclusively for the purposes of responding to our legal obligations, court officers, ministerial officers and organisations whose purpose is to recover debts.

7. Transfer of personal data

Your personal data will not be transferred, rented out or exchanged to the benefit of any third party.

8. Duration of personal data retention

1. In relation to data relative to managing customers and potential customers:

Your data will not be retained for longer than is absolutely necessary to manage our business relationship with you. However, any data that makes it possible to establish evidence of a right or a contract that must be retained in respect of a legal obligation will be retained for the length of time set out in the legal instrument in force.

In relation to any initiative to do with canvassing for business that is targeted at customers, their data may be retained for a period of 3 (three) years starting from the end of the business relationship.

Personal data relating to seeking business, not related to customers, may be retained for a period of 3 (three) years starting from its gathering or from the most recent contact emanating from the initiative to seek business.

At the end of this 3 (three) year period, we may get back in touch with you to find out if you wish to continue receiving business solicitations.

2. In relation to identity documents:

Where it involves exercising the right to access or change information, data relating to identity documents may be retained for the length of time set out in article 9 of the French Criminal Procedure Code, this being 1 (one) year. Where it involves the right to make an objection to the data then this data may be archived for the limitation period set out in article 8 of the French Criminal Procedure Code, this being 3 (three) years.

3. In relation to data relating to bank cards:

In our capacity as an agent of the electronic money institution TREEZOR, we manage the Mastercard bank card linked to your electronic money account, opened by them for the purposes of the payment service provided to you (hereinafter referred to as: the ‘Card’).

In order to meet the needs of this service, we may be the recipients of your personal data relating to your Card, which we gather and retain in the name of and on behalf of TREEZOR.

So that you can use the payment services provided by TREEZOR through the Application, your data relating to your Card will be retained for the duration of your subscription to the Application.

Data relating to the visual cryptogram or the CVV2, shown on your Card, is not stored.

Your personal data relating to your Card number may be retained in order to act as evidence in the event of any dispute arising in relation to a payment operation. This will be retained in the intermediate archives for the duration set out in article L 133-24 of the French Monetary and Financial Code, which in this case is 13 (thirteen) months following the date of the debit. This time period may be extended to 15 (fifteen) months in order to incorporate the potential for deferred payment card use.

4. In relation to the handling of lists of those objecting to receiving business canvassing communication:

Information enabling your right to object to be taken into account is kept for at least 3 (three) years starting from the exercising of the right to object.

5. In relation to cookies:

The duration of cookie retention set out in article 11 is 13 (thirteen) months.

9. Security

We hereby inform you that we avail ourselves of all useful precautions, organisational measures and techniques appropriate to preserving the security, integrity and confidentiality of your personal data, including in particular taking measures to ensure that the data is not distorted or damaged, and that non-authorised third parties have not accessed it. We also make use of secure payment systems that are compliant with industry norms and with applicable regulations.

10. Hosting

We hereby inform you that your data is retained and stored for the duration of its retention on servers belonging to the company Google located in Belgium in the European Union.

Your data will not be the subject of any transfer at all outside the European Union for the purposes of the use of the services that we make available.

11. Cookies

Cookies are text files – often encrypted – that are stored in your browser. They are created when a user’s browser loads a given website: the site sends information to the browser, which then creates a text file. Every time the user goes back to the same site, the browser recovers this file and sends it to the website’s server.

Different cookies exist, and they do not all exist for the same reason:

➢ Technical cookies are used throughout your browsing session in order to facilitate and execute certain functions. A technical cookie may, for example, be used to remember the responses given in a form, or to remember a user’s preferences in relation to the language or presentation of a website where such options are available.

We use technical cookies.

➢ Social network cookies can be created by social platforms to enable website designers to share their site’s content on these platforms. These cookies may be used by social platforms to - among other things - track the web surfer’s browsing habits on the website concerned, whether or not they use these cookies.

We use social network cookies, and we tell you about this and will seek your prior consent. Where applicable, you have the option to deactivate these cookies.

➢ Advertising cookies can be used by not just the website being viewed by the user but also by other websites broadcasting advertisements, announcements, widgets or other elements on the page being displayed. These cookies can be used for - among other things - targeted advertising, meaning advertising that is selected according to the user’s browsing.

We do not use advertising cookies. However we will tell you if we do use them in the future and will seek your prior consent. Where applicable, you have the option to deactivate these cookies.

➢ We use Google Analytics. This is a statistical audience analysis tool that generates a cookie that makes it possible for us to measure the number of visits made within the Application, the number of page views, and visitor activity. Your IP address is also taken in order to determine the city from which you are connecting to the website. This cookie is only placed if you agree to it, and you may accept it or refuse it.

You are reminded that to all intents and purposes you may refuse the placing of cookies by configuring your browser to do so, though any such refusal could inhibit the proper functioning of the Application.

12. Access to your personal data

You have the right to be given information about and - where applicable – to correct or delete data about you via online access to your file, in line with the Computer Technology and Freedoms legislation and with GDPR. You may also make contact in the following ways:

  • by email at this address: legal@shine.fr
  • by post at this address: 12, rue Anselme – 93400 Saint-Ouen, France

You are hereby reminded that people whose data is collected on the basis of our legitimate interest in doing so – as referred to in article 5 – may withdraw their consent from the data about them being handled at any time. However, we may continue handling the data if there are legitimate reasons for doing so that prevail over your rights and freedoms, or if such handling is necessary in order to ascertain, exercise or defend our rights in law.

13. The right to set out instructions on data handling after your death

You have the right to set out instructions relating to the retention, the deletion and the communication of your personal data after your death.

These instructions may be general, meaning that they therefore encompass all of the personal data about you. If this is the case, then the instructions must be submitted to a trustworthy third party in the digital market that has been certified by the French National Commission for Data Protection and Liberties (the CNIL).

The instructions may also be specific to the data being handled by our company, and if this is the case then it is suggested that you send these instructions to us using the following contact details:

  • by email at this address: legal@shine.fr
  • by post at this address: 12, rue Anselme – 93400 Saint-Ouen, France

If you forward us these kinds of instructions, you give us your express consent that these instructions are retained, transmitted and executed in accordance with the methods set out in this policy document.

In your instructions, you can appoint a person to be responsible for their execution. This person will then be qualified to familiarise him or herself with the aforementioned instructions after your death and ask us to carry them out. If nobody has been appointed, then your heirs will be qualified to familiarise themselves with your instructions upon your death and ask us to implement them.

You can change or revoke your instructions at any time by writing to us using the contact details given above.

14. Portability of your personal data

You have the right to personal data portability in respect of the data that you have submitted to us, it being understood that this refers to data that you have actively and consciously submitted as part of the access and usage of the services, as well as data generated by your activity within the confines of the usage of the services. You are reminded that this right does not cover data collected and handled on a legal basis other than the one linking us to the consent or execution of the contract.

This right can be exercised free of charge at any time, and in particular when you close your account on the Platform, in order to recover and retain your personal data.

For these purposes, we will send you your personal data by all means deemed to be useful in a standard open format currently in use and readable by machine, in line with industry practice.

15. Bringing a claim to a supervisory authority

You are also hereby informed that you have the right to bring a claim to a competent supervisory authority (the National Commission for Data Protection and Liberties for France [CNIL]) in the member State in which you habitually reside, work, or where the breach of your rights occurred if you consider that the way your personal data that is the subject of this Policy has been handled constitutes a breach of the applicable legal texts.

This measure may be exercised without prejudice to any other legal redress submitted to an administrative or legal jurisdiction. Furthermore, you also have the right to effective judicial or administrative redress if you consider that the way your personal data that is the subject of this Policy has been handled constitutes a breach of the applicable legal texts.

16. Handling limitations

You have the right to get a limitation on the handling of your personal data in the following cases:

  • for the duration of the verification that we undertake, when you are challenging the accuracy of your personal data
  • where the handling of this data is illicit and you wish to limit this handling rather than delete your data
  • where we no longer need your personal data but you wish it to be retained in order to exercise your rights
  • during the period of verification of legitimate motives, where you have objected to the handling of your personal data.

17. Modifications

We reserve the right, at our sole discretion, to partially or wholly change this Policy at any time. These changes will come into force from the publication of this new policy. Your use of the Application following the entry into force of these changes constitutes acknowledgement and acceptance of the new policy. The default position is that if you are not in agreement with this new policy, you should no longer access the Application.

18. Entry into force

This policy came into force on 25 May 2018.