Fenritec
French SAS company with a share capital of €30,000
Address
3 Allée des Lilas
54650 Saulnes, France
SIREN: 894 082 031 RCS Val de Briey
1. Glossary
- Client: Legal or natural person registered in Fenritec’s information systems.
- Contract: Any formal or informal agreement, including this Charter.
- Personal Data: Information about an identifiable person, as defined by data protection laws (including metadata).
- Data Subject: The person to whom Personal Data relates.
- Service: Work carried out by the Service Provider for the Client under the Contract.
- Parties: The Client and the Service Provider.
- Service Provider: Entity processing Personal Data in relation to the Contract.
- Regulations: All applicable French laws on data protection, including the amended “Informatique et Libertés” law, the GDPR, and related texts.
- GDPR: EU Regulation 2016/679 on data protection, effective May 25, 2018.
- Processing: Any operation on Personal Data, including collection, use, disclosure, deletion, etc.
- Personal Data Breach: A security breach causing accidental or unlawful destruction, loss, or unauthorized access to Personal Data.
2. Purpose
This Charter defines how Fenritec may process Personal Data as part of fulfilling a Contract, whether data comes from the Client, third parties, or the Data Subjects directly.
It becomes effective upon the Client’s registration or access to Personal Data and remains valid until all data is permanently deleted or otherwise agreed in writing.
In case of conflict, this Charter overrides any other agreements relating to data processing.
The Parties agree to comply with applicable data protection laws, particularly the GDPR.
3. Purpose Limitation
Fenritec only processes data for purposes defined in the Contract. It ensures its staff and subcontractors comply with this Charter.
Hosting providers (as of document date):
- OVH S.A.S., RCS Lille Métropole 424 761 419
- Scaleway S.A.S., RCS Paris 433 115 904
Fenritec may add EU-based providers subject to GDPR, with Client notification.
4. Personal Data Use Rules
4.1 Compliance
Fenritec:
- Acknowledges and follows current regulations.
- Has appointed a DPO (as of July 21, 2021: Mr. Nicolas Philippe Schwartz).
- Maintains a contact form and a processing register.
4.2 Processing Purpose
Use of Personal Data outside the agreed scope is prohibited.
4.3 Confidentiality
Fenritec commits not to:
- Copy or disclose data unless necessary or legally required.
- Transfer, sell, rent, or share data with third parties without proper basis.
4.4 Integrity & Security
Security Measures
Fenritec implements state-of-the-art protections, including:
- Encryption, pseudonymization
- System resilience and backup recovery
- Secure interfaces and data access
- Breach reporting to CNIL within 72 hours
Controls
Clients may audit Fenritec via:
- Questionnaires: Answered within 30 calendar days
- On-site audits: With 30-day notice, once per year
- Penetration tests: By mutual agreement
4.5 Data Transfers
No Personal Data may be processed or stored outside the EU without the Client’s express consent. Failing this, immediate contract termination is allowed.
4.6 Retention
Data is retained only as necessary:
- User logs: 3 months active, 1-year archive
- Billing info: 10 years
- Deleted files (FDrive): Recoverable for 7 days to 1 month
- Login data: Deleted 3 months after request, available to authorities for 1 year
Upon contract end or request, data is deleted unless its retention is required by law. A destruction certificate is provided within 7 calendar days.
4.7 Data Return
Clients may request all data and related documentation at any time.
5. Notification Obligations
5.1 If unable to follow Client’s instructions
Fenritec must inform the Client immediately.
5.2 If Client’s instructions violate law
Fenritec must notify the Client right away.
5.3 In Case of Breach
Fenritec must notify the Client without delay, no later than 72 hours, with all required documentation.
5.4 On Authority Request
If contacted by authorities, Fenritec must:
- Inform the Client within 48 hours
- Obtain the Client’s consent before sharing data
It must also report:
- Any audits by public authorities
- Any requests or complaints from data subjects
- Any penalties affecting data processing
6. Client Support & Collaboration
Fenritec assists the Client with:
- Data Protection Impact Assessments
- Responding to authority inquiries
- Handling data subject requests (within 5 working days)
- Managing breaches or compliance procedures
Fenritec will forward any data subject requests it receives by the next business day.
Conformity with a code of conduct or certification does not replace obligations under this Charter.