Privacy Policy - General Data Protection Regulation (GDPR)
Introduction
As part of its activity, Black Sequoia (hereinafter “the Company”) is required to process personal data.
This Confidentiality and Data Management Policy (hereinafter “the Policy”) informs you of the way in which the Company collects and processes your personal data.
We invite you to read it carefully.
The Policy applies to all users whose personal data is collected by the Company. These are visitors to the Company's websites, customers, suppliers and service providers (hereinafter the "Holders"). The Policy deals with the way and the purposes for which the Company collects, uses and communicates this personal data.
Personal data (hereinafter the “Data”) is to be understood to mean any information relating to an identified or identifiable physical person.
We attach particular importance to the protection of the Data that you entrust to us, Black Sequoia is committed to respecting your privacy.
This Policy complies with the requirements of applicable privacy laws, including:
the law n ° 78-17 of 6th January 1978 relating to data processing, files and amended freedom
The General Data Protection Regulation n ° 2016/679 came into force on 25th May 2018.
Article 1. Data Processing Management
The data controller mentioned in this document is Black Sequoia, SAS with a capital of €300 000, registered with the RCS under the number 80511204200033, whose head office is located at 18 rue du Manoir de Servigné, 35000 Rennes, France, headed by its Chairman.
Article 2. Data Processing
All Data provided to the Company by the Holder is treated with the utmost confidentiality.
The Data collected is for the Company’s activity and is strictly limited to the teams needing to have knowledge of it.
In all cases, we limit ourselves to collecting and processing relevant, adequate, non-excessive and strictly necessary data to fulfill the purposes stated below.
Beyond the retention periods mentioned below, the Data may be anonymised and kept for exclusively statistical purposes and will not give rise to use of any kind.
The activities described above are not used to conduct profiling likely to reveal so-called sensitive Personal Data such as racial or ethnic origins, philosophical, political, union, religious opinions, sex life or health.
2.1. Nature of the collected Data, purposes of processing and retention periods
Data collected from Account Holders of the Company:
The following Data is collected when customers complete the “Customer Form”:
Last name, First Name,
Mobile number, email address,
Delivery address
Billing address
Date of birth (optional)
Male / Female
The Data collected is necessary for carrying out online sales, customer records and customer relations monitoring.
The recipients of the Data are authorised employees of the Company, our service providers in particular Tipimail and La Poste and GLS carriers.
Black Sequoia uses AFFILAE and Trustpilot services.
AFFILAE is an affiliate service involved in the online ordering process. This service collects information on the contents of the basket and the order reference.
Truspilot is a review management service to which this Data may be transmitted. After an order, the Customer Holder receives an email inviting him to leave a review. However, the Customer Account Holder is under no obligation to share their opinion.
This Data is kept for a period of 5 years from the end of the calendar year following the last contract with the customer.
Data collected from the Company's supplier or service providers:
The following Data is collected by the Company as part of its partnership with suppliers and service providers:
Last name, First Name,
Mobile number, email address,
Professional situation.
This Data is used to establish a list of suppliers and service providers with which the Company is likely to work.
The recipients of the Data are all of the Company’s staff.
This Data is kept for a period of 5 years from the end of the calendar year following the last partnership with the supplier or service provider.
Data collected from Holders applying for a job, an internship or a work-study program:
The following Data is collected by the Company when jobseekers send their CV and cover letter to apply for a job, an internship or for a work-study position:
Name, first name, title, date of birth, nationality,
Postal address, email address, telephone number,
Professional situation, training, qualifications,
Photograph.
This Data is necessary to identify job seekers and allow management to assess their applications.
The recipients of the Data are the Company’s managing directors.
This Data is kept for a period of 1 year following the end of the calendar year during which it is collected.
Data collected from User Holders of the Contact form on the website:
The following Data is collected by the Company when the User of the website completes the Contact form:
E-mail address
This Data is necessary to identify the User wishing to receive information via the online form.
The recipients of this data are Company employees with access to messages.
This Data is kept for a period of 1 year following the end of the calendar during which the last contact was made.
2.2. Lawful processing bases
The lawful processing bases, which may be different depending on the data processed are:
Legitimate interest
This is the lawful processing base when the Company collects Data to respond to messages from website visitors. This is also the case when the Company collects Data from its suppliers or service providers for the needs of a potential future project.
Execution of the contract
This is the lawful processing base when the Company collects Data from buyers, suppliers or service providers so as to fulfill a contract or pre-contractual measures. This is also the case when the Company collects the Data included in applicants’ CVs and cover letters when the Company is considering a potential contract.
Consent
In certain circumstances, and in particular when the lawful base mentioned above does not apply, we are required to obtain your consent to process your data
2.3. Data communicated to third parties
The processing of collected personal data is strictly confidential.
The Company does not transmit any personal data to third parties likely to use it for their own purposes, for commercial or advertising purposes in particular, without having requested the Holder’s consent.
The Company may provide access of certain personal data to third-party partners in a secure manner to ensure the successful execution of the services it offers. These third-party partners are, in particular, the Company's IT service providers, the accountant and transporters such as La Poste or GSL.
The Company implements procedures ensuring that the third parties that it authorises to access Personal Data, including any subcontractors, respect and preserve the confidentiality and security of Personal Data.
The Company is committed to making its subcontractor(s) respect the same obligations as those set out herein so that confidentiality, security and data integrity of the said data cannot be transferred or rented to a third party whether it be free or not, nor used for purposes other than those defined in this Policy.
Article 3. Data recipients
The Data collected is only accessible by Company employees.
The Data is hosted on dedicated and protected servers.
With the Holder’s authorisation the Data may be transmitted to the Company’s partners.
Article 4. Holders Rights
Article 4.1. The Nature of Holders' rights
In accordance with laws relating to the protection of personal data in force, in particular the General Data Protection Regulations and the French laws transposing them, any Account Holder has the following rights:
The Holder may oppose the processing of their personal data for legitimate reasons
The Holder has a right of access to their own personal data
They may rectify, update and/or delete their own personal data
They may request the portability of his data
They may request the limitation of their data processed
They may communicate instructions relating to the retention, deletion and the communication of their personal data after his death (post-mortem instructions)
They may also, when this is the legal basis for the processing, withdraw their personal data processing consent at any time.
Article 4.2. Exercise of the Holders' rights
At any time, the Holder may exercise their rights by sending their request, including their surname, first name, postal and electronic address and a copy of both sides of their identity card either:
By e-mail to: hello@jaloo.uk
By post to the following address:
GDPR manager
Black Sequoia
18 rue du Manoir de Servigné
35000 RENNES
FRANCE
A will be given within one month of receipt of the request, this period may be extended by two months in the event of a complex request.
At any time the Account Holder may ask the Company to no longer receive information by email.
Finally, the Holder may make a complaint to the competent authority, namely the CNIL concerning French territory.
Article 5. Transfer of data collected outside the European Union
The Data collected through the website contact form and the Data collected in the context of recruiting employees, interns or work-study students are hosted on Gmail's email servers which may be located in the United States. Gmail complies with the Privacy Shield framework, which makes it possible to maintain a level of security for the data collected at least equal to the level required by European personal data regulations.
Data that is not processed by email is hosted in France.
In the event that the products are delivered outside of the European Union, the data necessary for the delivery may be, because of this, transferred outside of the European Union by the carrier.