Privacy Policy

Latest update: 6 November 2023
You can read the previous version here

At Yousign, we believe trust is essential. So, to maintain it, we feel it is important to help you understand what we do to protect your Personal Data.

When you use our Website, access our Platform or use our Services, we may collect Personal Data about you in our capacity as Controller.

The aim of this Privacy Policy is to help you understand what we do to protect these data. 

We are committed to compliance with European Personal Data protection regulations, including the GDPR. For this purpose, we have a dedicated team, comprising a Data Protection Officer, a legal team and a security team. 

Please note that all terms written with a capital letter not defined in this Privacy Policy will have the meaning given to them here

1. Who is the Controller?

Yousign SAS, Rue de Suède Avenue Pierre Berthelot, 14000 Caen, France.

For more details, please consult the Legal Notice.

2. What Personal Data do we collect?

When you use our Website and our Platform, you may communicate information, either directly or indirectly, some of which could identify you, either directly or indirectly, and which is therefore classed as Personal Data.

This information will contain data in the following categories, in particular:

  • Identification data such as your last name and first name(s), email address, phone number, User name on the Platform, the technical credentials assigned to you and, if a phone or video recording is made, your voice and image;
  • ID data such as videos and/or images of your ID document and of your face (if you are a signer for the Advanced or Qualified Electronic Signature) or a scanned copy of your ID document (if you are a legal representative for the advanced Electronic Seal);
  • Extracted ID data such as your first name, last name, birth date, place of birth, nationality, ID document validity and other ID related information extracted from your ID document (if you are a signer for the Advanced or Qualified Electronic Signature);
  • Data about your professional activities such as your job title, your sector of activity, the name and size of your business, and your intended use of our Services;
  • Transaction data such as your credit card number and bank details, that are used to process the payment for paying plans;
  • Connection and usage data such as your IP address, browser type and version, the operating system used, pages visited and time spent, actions carried out and settings selected, as well as the date and time of your visit.

Where your Personal Data is collected directly, you will be informed whether certain data must be completed or are optional. It may not be possible to complete your request if the mandatory information is not completed.

Some of these Personal Data are collected using cookies or trackers on our Website or Platform. To find out more, you can view our Cookies Policy at any time.

3. How do we collect your Personal Data? 

The Personal Data processed by Yousign is collected through various channels.

  • Personal Data communicated directly by you. Yousign may process the Personal Data that you provide to us directly (i) when creating your Corporate/User account or when using the Services, (ii) via contact forms or any other document available online on the Website or provided during external events, or (iii) when you are in phone contact with Yousign.
  • Personal Data collected from public sources. Yousign may use publicly available Personal Data. 
  • Personal Data collected from third parties. Yousign may use the services of specialist service providers to access up-to-date databases.
  • Personal Data collected automatically when you use the Website and/or Platform. Yousign may collect your Personal Data to establish visitor statistics for our Website and/or Platform and to carry out targeted advertising campaigns. 

4. On what legal bases, for what purposes and for how long do we retain your Personal Data?

We collect and process your Personal Data in accordance with the GDPR and solely on the following legal bases:

  • Consent: you have expressly consented to the processing of your Personal Data;
  • Contract: processing is necessary for the performance or preparation of a contract entered into with you;
  • Statutory obligation: processing is a legal requirement;
  • Legitimate interest: processing is necessary for the pursuit of our legitimate interests, in strict compliance with your rights.

We store your Personal Data for a limited time, as necessary for the purpose of processing. A summary can be found in the following table.

Processing

Purposes

Data category Legal basis

 

Retention period

Management of Subscriptions

Creation, management and deletion of Subscriber/User accounts

Identification data, Professional activity data, Transaction data, Connection and usage data

Contract

If you are using a paying or free Service, data related to the subscription is retained throughout the period of the contractual relationship, plus five (5) years from the end of the term.

If you are using a paying Service, data related to signature requests and Documents are retained until the end of the contractual relationship.

If you are using a free Service, data related to signature requests and Documents are retained until you cancel your User Account or up to 2 years after the last activity on the User Account.

Customer service follow-up

Management of requests for information and technical support services

Identification data, Connection and usage data

Contract

Data is retained throughout the period of the contractual relationship, plus five (5) years from the end of the term.

Satisfaction surveys

Identification data

Legitimate interest

Data is retained throughout the period of the commercial relationship, plus two (2) years from the end of the term.

Customer testimonials

Identification data, Professional activity data

Consent

Data is retained for as long as necessary for the testimonial or until consent is withdrawn.

Evaluation and improvement of performance of the Services/Platform/Website

Connection and usage data

Legitimate interest

Connection logs: six (6) months from the date of connection

IP address: one (1) year from the date of recording

Sending invitations to events

Identification data

Legitimate interest

 

Data for events is retained throughout the period of the event, plus six (6) months, or until objection

Quality study and product testing

Identification data, Professional activity data

Consent

Data is retained for 1 year or until consent is withdrawn.

Sending emails with information about product updates

Identification data

Legitimate interest

Data is retained throughout the period of the contractual relationship.

Accounting records

Management of Subscriptions invoicing

Identification data, Professional activity data, Transaction data

Statutory

obligation

Data is retained throughout the period of the contractual relationship.

In addition, your data is archived for evidential purposes for a period of ten (10) years from the end of the contractual relationship.

Staff training

Yousign refresher training using one-off recordings and listening back to phone or video calls

Identification data

Legitimate interest

Data is retained for six (6) months from the date of recording or until objection.

Direct marketing activities

Creation and enhancement of a professional prospects file and sending out communications

Identification data, Professional activity data

Legitimate interest

Data is retained for three (3) years from the most recent contact.

Sending information (via email or other forms of communication) about similar products and Services to Subscribers

Identification data, Professional activity data

Legitimate interest

Data is retained for three (3) years from the time the last communication is sent or until objection.

Sending information (via email or other forms of communication) about new products and Services to prospects, Subscribers or Individuals

Identification data, Professional activity data

Consent

Data is retained for three (3) years from the time the last communication is sent or until consent is withdrawn.

Transactional communication

Sending information (via email or other forms of communication) necessary for the performance of the Contract

Identification data, Professional activity data, Transaction data, Connection and usage data

Contract

Data is retained throughout the period of the contractual relationship and up to five (5) years from the end of the Contract.

Identity verification

Signer identity verification for the issuance of a certificate for the Advanced and Qualified Electronic Signature

ID data,

Extracted ID data

Statutory obligation

Data is retained for 3 months after the identity verification.

Legal representative and certificate holder identity verifications for the issuance of a certificate for the advanced Electronic Seal

Identification data,

ID data

Statutory obligation

Data is retained for 7 years as from the end of the validity of the certificate.

Signer identity (wallet) management

Creation and management of the signer identity (wallet) for the Qualified Electronic Signature

Extracted ID data

Contract

Data is retained for a maximum of 3 years from the creation of the signer identity or until the signer identity is revoked.

Management of complaints and disputes

Management of requests to exercise rights

Identification data

Statutory obligation

If we ask you for an identity document, we only retain it for the time it takes to verify it. Once the verification is complete, the document is destroyed.

When you exercise your rights with Yousign: we retain this information for 3 years from the date of your request to exercise your rights.

Preventing and combating IT fraud

Connection and usage data

 

Legitimate interest

Connection logs: 6 months from the date of connection

IP address: one (1) year from the date of recording

Managing and preventing contractual disputes

Identification data, Professional activity data, Transaction data, Connection and usage data

Statutory obligation

Data is retained for the applicable statutory period of limitation, i.e. five (5) years after the end of the Contract.

Management of legal disputes related to identity verification for the Advanced and Qualified Electronic Signature

ID data,

Extracted ID data

 

Statutory obligation

Data is retained for 6 years as from the identity verification for both the Advanced and the Qualified Electronic Signature. For the Qualified Electronic Signature, the data is retained for 3 months from the identity verification if, as the case may be, the signer identity has not been verified.

Evidence management of the eSignature process in case of litigation for the Advanced and Qualified Electronic Signature

Extracted ID data

Statutory obligation

Data is retained for 7 years as from the end of the validity of the certificate.

5. Who receives your Personal Data? 

The Personal Data of our Visitors and Users/Subscribers is strictly confidential. They may be processed by employees of Yousign SAS and its subsidiaries, within the limits of their respective authorisations, solely for the purposes set out in this Policy.

Unless we are bound by a statutory, accounting or judicial obligation, we will not share your Personal Data in any way whatsoever with third parties other than:

  • Our hosting providers, for the purpose of database maintenance and hosting services;
  • Our service providers, processors (for our CRM tool, mailshot provider and recruitment platform) and partners for the purpose of accessing the services requested, completing a transaction or responding to your requests for assistance and information.  

6. Are your data likely to be transferred outside the European Union?

The infrastructure that supports the Yousign Platform is located in France. However, if necessary, we may need to transfer your Personal Data to service providers operating outside the European Union. In this case, your data is transferred securely as follows:

  • either data is transferred to a country deemed to offer an adequate level of protection according to a decision by the European Commission;
  • or we have entered into a specific contract with our Processors governing transfers of your data outside the European Union, on the basis of Standard Contractual Clauses between a Controller and a Processor approved by the European Commission;
  • or we rely on the appropriate guarantees provided for by the applicable regulations. 

7. What steps are taken to protect your Personal Data? 

The steps we take use a risk-based approach focused on protecting the confidentiality, integrity and availability of your Personal Data. The security measures implemented may be organisational or technical and are described on the Security page.

Where we use a service provider working as a Processor on our behalf, we again adopt a risk-based approach to ensure Yousign’s security objectives are aligned with the service provider, prior to communicating any of your Personal Data.

8. What are your rights with regard to your Personal Data?

Yousign guarantees that you are able to exercise all the rights granted to you by the regulations. You can therefore:

  • Access your Personal Data;
  • Rectify any inaccurate Personal Data concerning you;
  • Have your Personal Data erased;
  • Restrict our Processing of your Personal Data;
  • Withdraw your consent for the Processing of your Personal Data;
  • Object to the Processing of your Personal Data;
  • Obtain a copy of your Personal Data (right to data portability); 
  • Indicate instructions for the retention, erasure and communication of your Personal Data after your death.

You may exercise these rights by completing the form available here. We may ask you to provide additional information or documents to prove your identity when doing so. 

You may also access the Personal Data concerning you at any time by logging in to your User Account and amending them in your profile settings. 

If you are not satisfied with the response you receive, you can file a complaint concerning the collection and use of your Personal Data with the relevant supervisory authority. In France, you can contact the Commission nationale de l’informatique et des libertés (CNIL) via its website at: http://www.cnil.fr.

9. Amendments to this Privacy Policy

We may amend this Policy at any time to introduce regulatory, case-law or technical changes that improve the level of protection of your Personal Data.

For minor amendments, we will change the “Updated on” date at the top of the page, indicating the date on which the amendments were made. Conversely, in the case of substantial amendments to this Policy (in relation to the purposes of processing, Personal Data collected, the exercise of rights or the transfer of Personal Data), we will inform you by all means, including but not limited to email, within a minimum of thirty (30) days before the effective date of the changes. Any access to and use of the Website and the Services after this period will be subject to the terms of the new Policy.

We invite you to check this page regularly for any amendments or updates to our Privacy Policy.

10. Children’s privacy

Our Services are not designed for and are not marketed to people under the age of 18 or such other age designated by applicable law (the “underaged”). We do not knowingly collect or ask for personal data from the underaged, nor do we allow the underaged to use our Services. If you are underage, please do not use our Services or send us your personal data.

11. Contact us

Please see our GDPR page or Help Centre for any questions you may have about this Policy or for any requests relating to your Personal Data. 

You are also welcome to contact us by completing the form available here.