Privacy Policy
Latest update: 15 November 2024
You can read the previous version here
At Yousign, we believe trust is essential. To maintain it, we think it's important to help you understand what we do to protect your personal data.
When you use our Website, access our Platform or use our Services, we may collect in our capacity as Controller Personal Data about you.
In this context, we are committed to compliance with European Personal Data protection regulations, including the GDPR. For this purpose, we have a dedicated team, comprising a data protection officer, a legal team and a security team.
Please note that all terms capitalized but not defined in this Privacy Policy will have the meaning given to them here.
1. Who is the Controller?
Yousign SAS, Rue de Suède Avenue Pierre Berthelot, 14000 Caen, France.
For more details, please consult the Legal Notice.
2. What Personal Data do we collect?
When you use our Website and our Platform, you may communicate information, either directly or indirectly, some of which could identify you, either directly or indirectly, and which is therefore classed as Personal Data.
This information will contain data in the following categories, in particular:
- Identification and/ or contact data such as your last name and first name(s), postal address, email address, phone number, User name on the Platform, the technical credentials assigned to you and, if a phone or video recording is made, your voice and image;
- ID data such as videos and/or images of your ID document and of your face (e.g. if you are a signer for the Advanced or Qualified Electronic Signature) or a scanned copy of your ID document (e.g. if you are a legal representative making an advanced Electronic Seal);
- Extracted ID data such as your first name, last name, birth date, place of birth, nationality, ID document validity and other ID related information extracted from your ID document notably the the document's digital identifier, the type of document, the expiration date, the MRZ, the country of issue, the ID document validity statute (e.g. if you are a signer for the Advanced or Qualified Electronic Signature);
- Data about your professional activities such as your job title, your sector of activity, the name and size of your business, and your intended use of our Services;
- Transaction data such as your credit card number and bank details, that are used to make the payment of your subscriptions;
- Connection and usage data such as your IP address, browser type and version, the operating system used, pages visited and time spent, actions carried out and settings selected, API tokens and keys, as well as the date and time of your actions;
- Signature data such as the digital identifier of signed documents, signature requests, certificate and hash data and all associated metadata.
Where your Personal Data is collected directly, you will be informed whether certain data must be completed or are optional. It may not be possible to complete your request if the mandatory information is not completed.
Some of this Personal Data is collected using cookies or trackers on our Website or Platform. To find out more, you can view our Cookies Policy at any time.
3. How do we collect your Personal Data?
The Personal Data processed by Yousign is collected through various channels.
- Personal Data communicated directly by you. Yousign may process the Personal Data that you provide to us directly (i) when creating your Corporate/User account or when using the Services, (ii) via contact forms or any other document available online on the Website or provided during external events, or (iii) when you are in contact with Yousign.
- Personal Data collected from public sources. Yousign may use publicly available Personal Data.
- Personal Data collected from third parties. Yousign may use the services of specialist service providers to access up-to-date databases.
- Personal Data collected automatically when you use the Website and/or Platform. Yousign may collect your Personal Data to establish visitor statistics for our Website and/or Platform and to carry out targeted advertising campaigns.
4. On what legal bases, for what purposes and for how long do we retain your Personal Data?
We collect and process your Personal Data in accordance with the GDPR and solely on the following legal bases:
- Consent: you have expressly consented to the processing of your Personal Data;
- Contract: processing is necessary for the performance or preparation of a contract;
- Statutory obligation: processing is a legal requirement;
- Legitimate interest: processing is necessary for the pursuit of our legitimate interests, in strict compliance with your rights.
We store your Personal Data for a limited time, as necessary for the purpose of processing. A summary can be found in the following table.
Processing | Purposes | Data category | Legal basis | Retention period |
|---|---|---|---|---|
Management of Subscriptions | Setting up accounts / authentication / account activation / transactional communication / management of subscription life cycle and consumption tracking / invitation to create user account by the Subscriber | Identification and contact data, Professional activity data, Transaction data, Connection and usage data | Contract | Retention throughout the period of the contractual relationship, plus :
|
Invoicing management | Invoicing/ payment / payment check / debts recovery | Identification and contact data, Professional activity data, Transaction data | Contract | Duration of contractual relationship, plus ten (10) years from end of term |
Client support | client support/ technical debugging/ Fraud and complaint management | Identification and contact data, Professional activity data, Transaction data, Connection and usage data | Contract | Retention throughout the period of the contractual relationship, plus :
|
Statutory operations | Management of GDPR rights exercise requests/ Management of requests from authorities/ Management of security and data breaches/ fraud management/ litigation management | Identification and contact data, Professional activity data, Transaction data, Connection and usage data | Statutory obligation | for judicial requests: one (1) year after the request from the authority / for fraud management: six (6) years after the closing of the fraud file / GDPR request: five (5) years after the closing of the request / Litigation management: five (5) years (FR) or ten (10) years (DE/ITA) from the end of the contractual relationship If we ask you for proof of identity: we keep it only for the time needed to verify your identity. Once verification has been completed, the document is deleted. |
Create and manage a prospect/customer database | Identify prospects in yousign webinars | Identification and contact data, Professional activity data, Transaction data, Connection and usage data | Legitimate interest | Three (3) years after the last contact for prospects and contract duration for customers. If the legal basis is legitimate interest: or until an objection is raised If the legal basis is consent: or until consent is withdrawn |
Identify prospects at external events | Consent | |||
Identify prospects via platform (external or Yousign website) | Consent | |||
Scoring of prospects identified in webinars or external events | Legitimate interest | |||
Create and manage a prospect/ client database | FR: Legitimate interest (prospects) / Contract (Client) DE/ITA: Consent | |||
Data acquisition and enrichment (B2B) | Legitimate interest (FR) / Consent (DE/ITA) | |||
Lead routing | Legitimate interest | |||
Marketing actions and communication | Satisfaction survey | Identification and contact data, Professional activity data, Connection and usage data | Legitimate interest | Client: Data is retained for the duration of the commercial relationship Prospects: Three (3) years (FR) / two (2) years (ITA/DE) or until an objection is expressed (FR) |
Feedback management | Consent | Data is kept for as long as necessary to process the client's feedback, or until consent is withdrawn. | ||
E-mail notification of product updates | Identification and contact data | Legitimate interest | Duration of the contractual relationship or until an objection is expressed. | |
communication (by e-mail or other means) about similar products and services to Subscribers | Identification and contact data, Professional activity data, | Legitimate interest | Duration of the contractual relationship or until an objection is expressed. | |
communication (by email or other form of communication) about new products and Services to prospects, Subscribers or Individuals | Identification and contact data, Professional activity data | Consent | Client: Duration of contractual relationship Prospect: three (3) years from the sending of the last communications (2 years ITA/DE) or until withdrawal of consent | |
Mailing list creation | Identification and contact data | Legitimate interest (FR) / Consent (ITA/DE) | Client: Duration of contractual relationship or until an objection is expressed Prospect: three (3) years from the sending of the last communications (2 years ITA/DE) or until withdrawal of consent (if legal base is consent) or until an objection is expressed (if legal base is legitimate interest) | |
Managing unsubscribe lists | Identification and contact data | Statutory obligation | Three (3) years from unsubscribe request | |
Send invitations to events | Identification data | Legitimate interest | For events, data is retained for the duration of the event, plus a period of six (6) months, or until an objection is expressed | |
Analytics | Evaluation and improvement of Services/Platform/Site performance | Connection and usage data | Legitimate interest | For connection logs: six (6) months from the date of connection. For IP addresses: one (1) year from the day of registration. |
Internal reporting | Identification and contact data | Contract for clients / Legitimate interest for prospects | Client: Duration of contractual relationship Prospect: three (3) years from the last contact (2 years ITA/DE) or until an objection is expressed | |
Call recordings | internal training / product improvement/ customer satisfaction/market practices knowledge | Identification and contact data, Professional activity data | Legitimate interest | three (3) months after recording or until an objection is expressed |
Product testing | tester selection / improving functionalities and developing new products | Identification and contact data, Professional activity data | Legitimate interest | six (6) months after recording, recording is deleted |
Identity verification and certificate management | Signer identity verification for the issuance /renewal/revocation of a certificate | Identification and contact data, ID data, Extracted ID data | Statutory obligation | Data is retained for seven (7) years from the end of the validity of the certificate. |
Legal representative and certificate holder identity verifications for the issuance, renewal, revocation of a certificate for the Electronic Seal | Identification and contact data, ID data, Extracted ID data | Statutory obligation | Data is retained for seven (7) years from the end of the validity of the certificate. | |
Registration file for Advanced Electronic signature | Identification and contact data, ID data, Extracted ID data | Statutory obligation | registration file are retained during ten (10) years (FR/DE) and twenty (20) years (ITA) | |
ID Wallet :Creation and management of the signer identity | Extracted ID data | Contract | Data is retained for three (3) years from the creation of the signer identity plus five (5) years (FR) or ten (10) years (ITA/DE) | |
troubleshooting management | Identification and contact data, ID data, Extracted ID data | contract | ID data: data is retained for ninety (90) days from the ID verification Identification and contact data / extracted ID data: duration of the contrat. | |
Internal audit of Verif ID | Identification and contact data, ID data, Extracted ID data | Statutory obligation | ID data: data is retained for ninety (90) days from the ID verification Identification and contact data / extracted ID data: seven (7) years from the end of the validity of the certificate | |
Management of evidence of the identity verification in the event of litigation or fraud | Identification and contact data, ID data, Extracted ID data | Statutory obligation | Data is retained for six (6) years from verification of identity. For Qualified Electronic Signature, data is retained for three (3) months from identity verification, if the identity of the signatory cannot be verified. | |
Management of evidence of the electronic signature process in the event of litigation or fraud | Data mentioned in the audit trail / such as Identification and contact data, extracted ID data | Statutory obligation | Data is retained for ten (10) years from the date of signature. | |
Platform management | Authentication Management (SSO / OTP / login & password) | Identification and contact data, connection and usage data | Contract | Data is retained for the duration of the contractual relationship + five (5) years (FR) or ten (10) years (ITA/DE) |
Security threat management | Identification and contact data, connection and usage data | Statutory obligation | Data is retained for ten (10) years |
5. Who receives your Personal Data?
The Personal Data of our Visitors and Users/Subscribers is strictly confidential. They may be processed by employees of Yousign SAS and its subsidiaries, within the limits of their respective authorisations, solely for the purposes set out in this Policy.
Unless we are bound by a statutory, accounting or judicial obligation, we do not share your Personal Data with third parties other than:
- Our hosting providers, for the purpose of database maintenance and hosting services;
- Our service providers, processors (such as our CRM tool providers, mailshot provider) and partners for the purpose of accessing the services requested, completing a transaction or responding to your requests for assistance and information.
6. Are your data likely to be transferred outside the European Union?
The infrastructure that supports the Yousign Platform is located in France. However, if necessary, we may need to transfer your Personal Data to service providers operating outside the European Union. In this case, your data is transferred securely as follows:
- Data is transferred to a country deemed to offer an adequate level of protection according to a decision by the European Commission;
- We have entered into a specific contract with our Processors governing transfers of your data outside the European Union, on the basis of Standard Contractual Clauses approved by the European Commission;
- We rely on the appropriate guarantees provided for by the applicable regulations.
7. What steps are taken to protect your Personal Data?
The steps we take use a risk-based approach focused on protecting the confidentiality, integrity and availability of your Personal Data. The security measures implemented may be organisational or technical and are described on the Security page.
Where we use a service provider working as a Processor on our behalf, we again adopt a risk-based approach to ensure Yousign’s security objectives are aligned with the service provider, prior to communicating any of your Personal Data.
8. What are your rights with regard to your Personal Data?
Yousign guarantees that you are able to exercise all the rights granted to you by the regulations. You can therefore:
- Access your Personal Data;
- Rectify any inaccurate Personal Data concerning you;
- Have your Personal Data erased;
- Restrict our Processing of your Personal Data;
- Withdraw your consent for the Processing of your Personal Data;
- Object to the Processing of your Personal Data;
- Obtain a copy of your Personal Data (right to data portability);
- Indicate instructions for the retention, erasure and communication of your Personal Data after your death.
Yousign informs you that exceptions to the rights may exist concerning in particular :
- Rectification or deletion of proof files and remote identity verification results, as well as all the information required to generate the result.
- Access to data that has been processed automatically or manually, where its disclosure is likely to provide information on the nature of the checks carried out by the service and relating to the detection of identity theft.
You may exercise these rights by completing the form available here. We may ask you to provide additional information or documents to prove your identity when doing so.
You may also access the Personal Data concerning you at any time by logging in to your User Account and amending them in your profile settings.
If you are not satisfied with the response you receive, you can file a complaint concerning the collection and use of your Personal Data with the relevant supervisory authority. In France, you can contact the Commission nationale de l’informatique et des libertés (CNIL) via its website at: https://www.cnil.fr/en.
9. Amendments to this Privacy Policy
We may amend this Policy at any time to introduce regulatory, case-law or technical changes that improve the level of protection of your Personal Data.
For minor amendments, we will change the “Updated on” date at the top of the page, indicating the date on which the amendments were made. Conversely, in the case of substantial amendments to this Policy (in relation to the purposes of processing, Personal Data collected, the exercise of rights or the transfer of Personal Data), we will inform you by all means, including but not limited to email, within a minimum of thirty (30) days before the effective date of the changes. Any access to and use of the Website and the Services after this period will be subject to the terms of the new Policy.
We invite you to check this page regularly for any amendments or updates to our Privacy Policy.
10. Children’s privacy
Our Services are not designed for and are not marketed to people under the age of 18 or such other age designated by applicable law (the “underaged”). We do not knowingly collect or ask for personal data from the underaged, nor do we allow the underaged to use our Services. If you are underage, please do not use our Services or send us your personal data.
11. Contact us
Please see our GDPR page or Help Centre for any questions you may have about this Policy or for any requests relating to your Personal Data.
You are also welcome to contact us by completing the form available here.