1 • Who is the Data Controller?
The data controller is Wave, a simplified joint-stock company under French law, having its registered office located 65 rue de la Croix, 92000, Nanterre, France, registered with the trade and companies register of Nanterre under number 881 114 037. Should you have any question about your personal data, You may contact us at the following address: firstname.lastname@example.org.
2 • Who are the Data Subjects?
Wave may collect and process personal data from the following data subjects: “Prospect”, means any individual who is potentially interested in Wave Services; “Visitor”, means any individual who visits our Site; “Client”, means any individual who received a registration confirmation to the Wave Services by e-mail or by signing a separate agreement with Wave (as the case may be). “User” or “You”, means any of the data subjects mentioned hereinabove.
3 • What types of personal data is collected by Wave?
We consider that, as far as possible, Wave should coach You without knowing everything about You. We try to collect and process only the minimum amount of information we need from You to provide the Wave Services. That’s how Wave is designed. Most of the time, we collect personal data directly from You. As a Prospect or Visitor of our Site, we may collect the following personal data from You: Identification information: name, first name, e-mail address, request for information and/or documentation; Identification about your use of our Site: when you visit our Site, we may track, collect and aggregate information indicating among other things, which pages of our Site you visited, the order in which you visited them, when you visited them and which hyperlinks you clicked (if any). In connection with our collecting of such information, we may also log the IP address, operating system and browser software used by You during your interaction with our Site. We may also collect information by using cookies when You visit our Site. As a Client of Wave, there are three (3) types of information that You will give us access to, and only part of this information is personal data within the meaning of the Data Protection Laws: Identification and billing information: personal data needed for registration and payment of the Wave Services your name, first name, address, e-mail address, company name, payment info, IP address, operating system, browser software used by You during your interaction with our Site and/or Platform, your login data (to access your personal user account) to the Platform, information collected through cookies when You visit our Site and/or Platform Public contextual information about your company: funding stage, industry, number of employees, reputation, etc. We collect this public information from the web, from third parties or from You if You voluntarily share it with us; In the latter case, please note that You must prevent yourself from providing Wave with information about your company which is not publicly official or which is (or should be) confidential. Before providing Wave with information about your company, please ensure that You are allowed to do so. Contextual information about You or your company for your coaching: your position within the company, number of employees under your management (if any) and/or within your service/department/business unit, areas of development, objectives, professional context, how You feel, etc. You share this information voluntarily during the coaching process via your e-mails, entries in the journal, form answers, or any documents that You want to share with us. We do our best to pseudonymize as much information as possible during the provision of the Services, to keep it confidential and secure. The contextual information about You or your company for your coaching, as defined hereinabove, is referred to as your “Coaching Story”. The public contextual information about your company, as defined herinabove, is referred to as your “Company Public Data” Your Coaching Story refers to the data we collect to analyze your profile and your needs and provide You with our Wave Services. The term “Data” refers to your “Identification and billing information”, your “Company Public Data” and your “Coaching Story”.
4 • Our key principles and ethical commitment
5 • What are the purposes and legal basis of collecting and processing Your personal data?
6 • Who do we share your personal data with?
7 • How do we keep your personal data secure?
Your Data (including your personal data) is kept in a secure environment. Your Data is encrypted in transit (i.e. while it goes from one server to another during its processing). Encryption is a process that scrambles the Data. To unscramble the Data and be able to understand it, one needs a specific key that only very select processes have. Encryption ensures that if the data is stolen, it cannot be understood unless the thief has the proper key. To ensure the security of your Data, we also use the following measures: we have set up firewalls and strict network security, regular backups of our encrypted databases, regular software updates to apply security patches. Most of all, data security is down to our own training. All employees are trained on the importance of data confidentiality, and on the efforts we make for our processes to be robust and compliant with Data Protection Laws. We guarantee the existence of adequate levels of protection in accordance with the applicable Data Protection Laws. However, a risk remains when the Internet is used to transfer personal data or other information. In the event of security breach or loss We will notify the French data protection supervising authority, the “Commission nationale de l'informatique et des libertés” (the “CNIL”), and/or the Person Concerned, as the case may be, of any violations of personal data. You can contact us with any questions or requests regarding these measures.
8 • How long does Wave keep your personal data ?
We keep your personal data for as long as necessary to provide You with our coaching services. You can get access to your journal and the content You shared with us during the Wave Services at any time and within one (1) calendar year following the end of your last coaching wave. To download the content You shared with us or the content from your personal user account, please send a request to our DPO at email@example.com. Then, once the coaching program is over, we will keep your personal data: (i) for commercial purposes (in case you would like to initiate a new “coaching wave”): for a maximum period of one (1) year after the last coaching program has ended; in a pseudonymized format: in our active database: Your personal data is easily accessible in our immediate working environment to people in charge of their processing; (ii) for legal purposes (contractual liability in case of litigation and in accordance with legal and regulatory obligations applicable to Wave) and administrative purposes (e.g., for invoicing data, in accordance with the French Code of Commerce): for a period of ten (10) years; subject to intermediate archiving; (iii) for statistics and machine learning purposes: Indefinitely; in an anonymized format: the anonymization process is irreversible – Wave can no longer identify You; Wave keeps your anonymized Data permanently to improve its Services. Information relative to a Prospect will be kept for three (3) years after the date of the last communication with the Prospect, as per the CNIL’s recommendation. Navigation data will be kept for a maximum period of thirteen (13) months.
9 • What are your rights?
Wave would like to make sure you are fully aware of all your data protection rights. As per the Data Protection Laws, You have the following rights: Right to Access – you have the right to request Wave confirmation of whether we process personal data relating to you, and if so, to request a copy of that personal data; Right to Rectification – you have the right to request Wave that we rectify or update any personal data that is inaccurate, incomplete or outdated; Right to Erasure – you have the right to request that we erase your personal data in certain circumstances, such as where we collected personal data on the basis of your consent and you withdraw your consent; In some cases, however, it is not possible to erase personal data, for example, when we are legally obliged to store data, or when the removal of the data would hinder your ongoing training. We will therefore assess whether we can meet the request on a case by case basis. Right to Restriction of Processing – you have the right to request that we restrict the use of your personal data in certain circumstances, such as while we consider another request that you have submitted, for example a request that we update your personal data; Right to Object to Processing – you have the right to object to the processing of your personal data by giving us reasons pertaining to your specific situation. However, in some cases, if you object to the processing of your personal data by us, we might not be able to provide you with Wave Services. We will therefore assess whether we can meet the request on a case by case basis. Right to Withdraw Consent - where you have given us consent to process your personal data, you have the right to withdraw your consent; Right to Data Portability – you have the right to request that we provide a copy of your personal data to you in a structured, commonly used and machine readable format in certain circumstances. In any case, we may ask you to identify yourself first (e.g. by providing us with a copy of your ID card or passport) before we process your request. Upon receipt of your request, Wave will reply within thirty (30) calendar days. Should you wish to lodge a complaint or if you feel that Wave has not addressed your concern in a satisfactory manner, you may contact the French Data Protection Authority (CNIL) via the following URL: https://www.cnil.fr/fr/adresser-une-plainte.
10 • How can you contact us?
To exercise your rights as set out above or for any request regarding the use of Your personal data by Wave, please contact our DPO by (i) email at firstname.lastname@example.org or (ii) writing to us at the relevant address set out in “Who is the Data Controller?”