This Privacy Policy enters into force :
> on the date of publication (30 March 2023) for all data subjects who have subscribed to the Yousign services or use the Yousign Services as from 30 March 2023
> on 2 May 2023 for all data subjects who subscribed to Yousign services or used Yousign services before 30 March 2023.
For more information on the update, follow this link.
You can read the previous version here.

Latest update: 30 March 2023

At Yousign, we believe trust is essential. So, to maintain it, we feel it is important to help you understand what we do to protect your Personal Data.

When you use our Website, access our Platform or use our Services, we may collect Personal Data about you in our capacity as Controller.

The aim of this Privacy Policy is to help you understand what we do to protect these data.

We are committed to compliance with European Personal Data protection regulations, including the GDPR. For this purpose, we have a dedicated team, comprising a Data Protection Officer, a legal team and a security team.

Please note that all terms written with a capital letter not defined in this Privacy Policy will have the meaning given to them here.

1. Who is the Controller?

Yousign SAS, Rue de Suède Avenue Pierre Berthelot, 14000 Caen, France.

For more details, please consult the Legal Notice.

2. What Personal Data do we collect?

When you use our Website and our Platform, you may communicate information, either directly or indirectly, some of which could identify you, either directly or indirectly, and which is therefore classed as Personal Data.

This information will contain data in the following categories, in particular:

Identification data such as your last name and first name(s), email address, phone number, User name on the Platform, the technical credentials assigned to you and, if a phone or video recording is made, your voice;
Data about your professional activities such as your job title, your sector of activity, the name and size of your business, and your use of our Services;
Transaction data such as your credit card number and bank details;
Connection and usage data such as your IP address, browser type and version, the operating system used, pages visited and time spent, actions carried out and settings selected, as well as the date and time of your visit.

Where your Personal Data is collected directly, you will be informed whether certain data must be completed or are optional. It may not be possible to complete your request if the mandatory information is not completed.

Some of these Personal Data are collected using cookies or trackers on our Website or Platform. To find out more, you can view our Cookies Policy at any time.

3. How do we collect your Personal Data?

The Personal Data processed by Yousign is collected through various channels.

Personal Data communicated directly by you. Yousign may process the Personal Data that you provide to us directly (i) when creating your Corporate/User account or when using the Services, (ii) via contact forms or any other document available online on the Website or provided during external events, or (iii) when you are in phone contact with Yousign.
Personal Data collected from public sources. Yousign may use publicly available Personal Data.
Personal Data collected from third parties. Yousign may use the services of specialist service providers to access up-to-date databases.
Personal Data collected automatically when you use the Website and/or Platform. Yousign may collect your Personal Data to establish visitor statistics for our Website and/or Platform and to carry out targeted advertising campaigns.

4. On what legal bases, for what purposes and for how long do we retain your Personal Data?

We collect and process your Personal Data in accordance with the GDPR and solely on the following legal bases:

Consent: you have expressly consented to the processing of your Personal Data;
Contract: processing is necessary for the performance or preparation of a contract entered into with you;
Statutory obligation: processing is a legal requirement;
Legitimate interest: processing is necessary for the pursuit of our legitimate interests, in strict compliance with your rights.

We store your Personal Data for a limited time, as necessary for the purpose of processing. A summary can be found in the following table.

Activity	Purposes	Data category	Legal basis	Retention period
Management of Subscriptions	Creation, management and deletion of Subscriber/User accounts	Identification data, Professional activity data, Transaction data, Connection and usage data	Contract	Data is retained throughout the period of the contractual relationship, plus five (5) years from the end of the term.
Customer service follow-up	Management of requests for information and technical support services	Identification data, Connection and usage data	Contract	Data is retained throughout the period of the contractual relationship, plus five (5) years from the end of the term.
Customer service follow-up	Satisfaction surveys	Identification data	Legitimate interest	Data is retained throughout the period of the commercial relationship, plus two (2) years from the end of the term.
Customer service follow-up	Evaluation and improvement of performance of the Services/Platform/Website	Connection and usage data	Legitimate interest	Connection logs: six (6) months from the date of connection IP address: one (1) year from the date of recording
Customer service follow-up	Sending invitations to events, competitions and sponsorship	Identification data	Legitimate interest	Data for events and competitions is retained throughout the period of the event and/or competition, plus six (6) months or, if earlier, until consent is withdrawn. Sponsorship data is retained throughout the period of processing the sponsorship.
Customer service follow-up	Sending emails with information about product updates	Identification data	Legitimate interest	Data is retained throughout the period of the contractual relationship.
Accounting records	Management of Subscriptions invoicing	Identification data, Professional activity data, Transaction data	Statutory obligation	Data is retained throughout the period of the contractual relationship. In addition, your data is archived for evidential purposes for a period of ten (10) years from the end of the contractual relationship.
Subscriber/User optional studies	Quality study and product testing	Identification data, Professional activity data	Consent	Data is retained for 1 year or until consent is withdrawn.
Staff training	Yousign refresher training using one-off recordings and listening back to phone calls	Identification data	Consent	Data is retained for six (6) months from the date of recording.
Direct marketing activities	Creation and enhancement of a prospects file and sending out communications	Identification data, Professional activity data	Legitimate interest	Data is retained for a period of three (3) years from the most recent contact.
Direct marketing activities	Sending invitations to events and competitions	Identification data, Professional activity data	Consent	Data is retained for 6 months or, if earlier, until consent is withdrawn.
Direct marketing activities	Sending emails with information about new products/Services	Identification data	Legitimate interest	Data is retained for three (3) years from the time the email is sent or until objection.
Management of complaints and disputes	Management of requests to exercise rights	Identification data	Statutory obligation	If we ask you for an identity document, we only retain it for the time it takes to verify it. Once the verification is complete, the document is destroyed. When you exercise your rights with Yousign: we retain this information for 3 years from the date of your request to exercise your rights.
Management of complaints and disputes	Preventing and combating IT fraud	Connection and usage data	Legitimate interest	Connection logs: 6 months from the date of connection IP address: one (1) year from the date of recording
Management of complaints and disputes	Retention of necessary data to prevent any disputes	Identification data, Professional activity data, Transaction data, Connection and usage data	Statutory obligation	Data is retained for the statutory period of limitation, i.e. five (5) years.

5. Who receives your Personal Data?

The Personal Data of our Visitors and Users/Subscribers is strictly confidential. They may be processed by employees of Yousign SAS and its subsidiaries, within the limits of their respective authorisations, solely for the purposes set out in this Policy.

Unless we are bound by a statutory, accounting or judicial obligation, we will not share your Personal Data in any way whatsoever with third parties other than:

Our hosting providers, for the purpose of database maintenance and hosting services;
Our service providers, processors (for our CRM tool, mailshot provider and recruitment platform) and partners for the purpose of accessing the services requested, completing a transaction or responding to your requests for assistance and information.

Yousign has a list of recipients available to our Visitors/Users/Subscribers at all times and communicates it to them on request.

6. Are your data likely to be transferred outside the European Union?

The infrastructure that supports the Yousign Platform is located in France. However, if necessary, we may need to transfer your Personal Data to service providers operating outside the European Union. In this case, your data is transferred securely as follows:

either data is transferred to a country deemed to offer an adequate level of protection according to a decision by the European Commission;
or we have entered into a specific contract with our Processors governing transfers of your data outside the European Union, on the basis of Standard Contractual Clauses between a Controller and a Processor approved by the European Commission;
or we rely on the appropriate guarantees provided for by the applicable regulations.

7. What steps are taken to protect your Personal Data?

The steps we take use a risk-based approach focused on protecting the confidentiality, integrity and availability of your Personal Data. The security measures implemented may be organisational or technical and are described on the Security page.

Where we use a service provider working as a Processor on our behalf, we again adopt a risk-based approach to ensure Yousign’s security objectives are aligned with the service provider, prior to communicating any of your Personal Data.

8. What are your rights with regard to your Personal Data?

Yousign guarantees that you are able to exercise all the rights granted to you by the regulations. You can therefore:

Access your Personal Data;
Rectify any inaccurate Personal Data concerning you;
Have your Personal Data erased;
Restrict our Processing of your Personal Data;
Withdraw your consent for the Processing of your Personal Data;
Object to the Processing of your Personal Data;
Obtain a copy of your Personal Data (right to data portability);
Indicate instructions for the retention, erasure and communication of your Personal Data after your death.

You may exercise these rights by completing the form available here. We may ask you to provide additional information or documents to prove your identity when doing so.

You may also access the Personal Data concerning you at any time by logging in to your customer account and amending them in your profile settings.

If you are not satisfied with the response you receive, you can file a complaint concerning the collection and use of your Personal Data with the relevant supervisory authority. In France, you can contact the Commission nationale de l’informatique et des libertés (CNIL) via its website at: https://www.cnil.fr.

9. Amendments to this Privacy Policy

We may amend this Policy at any time to introduce regulatory, case-law or technical changes that improve the level of protection of your Personal Data.

For minor amendments, we will change the “Updated on” date at the top of the page, indicating the date on which the amendments were made. Conversely, in the case of substantial amendments to this Policy (in relation to the purposes of processing, Personal Data collected, the exercise of rights or the transfer of Personal Data), we will inform you by all means, including but not limited to email, within a minimum of thirty (30) days before the effective date of the changes. Any access to and use of the Website and the Services after this period will be subject to the terms of the new Policy.

We invite you to check this page regularly for any amendments or updates to our Privacy Policy.

10. Contact us

Please see our GDPR page or Help Center for any questions you may have about this Policy or for any requests relating to your Personal Data.

You are also welcome to contact us by completing the form available here.

About our Privacy Policy update

We have updated our Privacy Policy. Below, for your information only, is a summary of the changes that have been made to our Privacy Policy. We encourage you to read the text of our Privacy Policy in its entirety.

General updates

We have consolidated all relevant legal documentation into a single online page to ensure better navigation and understanding of our legal documentation.
We have implemented a versioning of our Privacy Policy to allow anyone to see the different versions of the legal documentation in a transparent manner.

Updates to our Privacy Policy

We have clarified how Personal Data is collected and detailed the categories of Personal Data involved for greater transparency.
We have detailed our Processing activities in a table for better reading and understanding and for greater transparency.
We have simplified the way in which data subjects can exercise their rights relating to the protection of their personal data through the implementation of a form to exercise their rights.
We have extracted the cookies clauses previously contained in the text of the Privacy Policy into a separate Cookie Policy.

Set up of a separate Cookie Policy

We have detailed the definitions of the different categories of cookies used for greater transparency.
We have added the link to the cookie manager to make it easier to change cookie preferences.
We have displayed the browser settings to make it easier to manage consent.

Questions

Do you have questions about the changes to our new Privacy Policy? Please ask them via the form available here.