Privacy policy (RGPD)

Data protection and data security are top priorities for EXPEDY. We process and use personal data only to the extent necessary to provide our services to you.

Data privacy statement

We, EXPEDY, published by AD TELA SAS, domiciled at 9 rue du renard 76000 ROUEN and registered with the RCS ROUEN – SIRET: 83767873900025 – VAT: FR96837678739, are the operator of the expedy.fr, expedy.com and expedy.io websites, as well as the service provider of the EXPEDY iOS and Android App, including other services that are provided via the websites (e.g. expedy.fr/console). We are responsible for the collection, processing and use of personal data in accordance with all data protection legislation, in particular the General Data Protection Regulation (“GDPR”).

You, the customer, are the “controller” and EXPEDY, the service provider, is the “processor” on your behalf. We only use your data in accordance with data protection legislation. EXPEDY also has a Data Protection Officer (“DPO”) who can be contacted by post or e-mail at dpo@expedy.fr.

With this privacy policy, we want to tell you what personal data is collected and stored when you visit our website or use our services offered on the website. In addition, you will receive information on how we use your data and what rights you have regarding the use of your data. This data privacy statement also applies to access to and use of the EXPEDY application and other available services.

1. Data security

To protect your data, all the information you provide is encrypted using the TLS (Transport Layer Security) security standard. TLS is a secure, tested standard used, for example, in online banking. You can see this TLS-secured connection with the “s” after the “http” in the URL displayed in your browser (e.g. https://..), or from the padlock symbol in the browser tab.

We also take appropriate technical and organizational security measures to protect your data against random or deliberate manipulation, partial or complete loss, destruction and/or unauthorized access. To prevent data loss, we run a “mirrored” database configuration, which means that your data is always stored in two separate locations. In addition, we update and store data every hour in an off-site backup, and in line with our high-risk analysis, we constantly perform security tests on our infrastructure. Your password is stored via a secure encrypted process. We will never ask you for your password, neither by e-mail nor by phone. If you forget your password, we can reset it for you. Our security measures are continually improved in line with technological developments.

The personal data we collect is stored in a secure environment within the EU and treated confidentially. Access to this data is restricted to selected EXPEDY Group employees and suppliers. We always comply with legal data protection requirements.

We make every effort to secure your data in the best possible way, but we cannot guarantee the security of your data when it is transferred over the Internet. When data is transferred over the Internet, there is a certain risk that other people may access the data unlawfully. In other words, the security of your data transfer is your responsibility as the data controller.

2. The collection and storage of personal data, as well as the nature and purpose of their use

a) If you visit our website

You can visit the EXPEDY website without revealing your identity. Your browser only sends automatically collected information to our website servers. This information is temporarily stored in a document called a “log”. The following information is automatically collected and stored until it is automatically deleted:

  • IP address of requesting computer
  • Date and time of access
  • Name and URL of consulted data
  • Web site from which access is gained (reference URL)
  • Browser used and, if necessary, your computer’s operating system and the name of your service provider

This data is collected and processed in order to enable the use of our website (login), to ensure the security and stability of our system and for the technical administration of the network infrastructure. We do not draw any conclusions about you as an individual.

In addition, we use cookies as well as web analysis and marketing tools. You can find more information on this subject in paragraphs 3 to 5.

b) If you register for our online services

To use these services, you must first register. In order to use our services to their full extent, it may be necessary to enter more personal data. For example, to create a legal invoice, it is necessary to enter your company’s name, address, invoice number and payment information, etc. We also use your name and contact details:

  • To find out who our contractor is
  • For the justification, structure, processing and changes to our contractual relationship with you, relating to the use of our services
  • To check the plausibility of the data entered
  • If necessary to contact you

c) If you subscribe to our newsletter

If you have agreed to receive our newsletter, we may use your email address to send you regular newsletters, as well as information about our services. In order to receive newsletters, we must first obtain your consent to accept these messages. This consent can be chosen at the time of registration. You may revoke your consent to receive such communications at any time, either on your account, by deactivating emails or by sending us an email to indicate that you no longer wish to receive such communications. You can also unsubscribe from newsletters at any time, for example by clicking on the unsubscribe link at the bottom of the newsletter. You can also send us an e-mail at support@expedy.fr.

If you cancel your subscription to the newsletter, we will retain your e-mail address solely to ensure that you no longer receive these e-mails.

d) Developer, customer, supplier, accountant and team

With our services, you have the option of entering third-party data, giving third parties access to your account, connecting your account to third parties and offering third parties your own applications or using third-party applications. Of course, we also respect the confidentiality of data concerning third-party data, which we may access through your use of our service. Sometimes this may require a separate contract with you. If you think this is the case, please contact us.

In accordance with our terms and conditions, you are not permitted to share your login data with third parties, and you are obliged to treat your data with care. In addition, you are responsible for any third-party data you enter into EXPEDY. Please note that we have no influence on compliance with data protection and security standards outside our website, the EXPEDY application or the services we provide. In this case, you – or the third party to whom you have granted access to your data – are responsible.

3. Consent to data transfer

We pass on your personal data to third parties if you ask us to do so (when you generate a label with a carrier, for example), but only if you have given your explicit consent, or if there are obligations to do so.

EXPEDY may also, from time to time, require data to be shared with a sister company, for example to enable billing of your account with another EXPEDY entity. Data security is assured at all times. By registering with EXPEDY, you consent to the processing of your data.

You also give your explicit consent to the sharing of your data with third parties as necessary to provide you with our service.

We confirm that we only share your data with third parties who maintain a satisfactory level of data security, in accordance with the standards required under all data protection legislation.

In particular, where we share data with territories outside the EU / EEA or with a country not on the list approved by the European Commission, we ensure that we comply with all data security and confidentiality standards, to EU standards. We are required to make available, on request, evidence of – or references to – appropriate safeguards, and may do so following receipt of a request received by EXPEDY in writing or by e-mail.

You retain the right to withdraw your consent to the processing and/or sharing of your data at any time either by closing your account, which has immediate effect, or by contacting us to request closure, at which stage we will do so as soon as practicable, subject to feasibility. After termination of your relationship with EXPEDY, we will retain only the minimum data that we are required to hold to satisfy all legal requirements and only for the minimum period required.

If you have any questions concerning the processing of your personal data, or if you wish to make a request for access to the data, the Data Protection Officer can be contacted at dpo@expedy.fr or by writing to him at the address given above. If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. EXPEDY will cooperate fully with any such investigation and will endeavor to satisfy all requests as far as possible. The competent authority for each country can be consulted on the European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

4. Cookies

Our website uses cookies. Cookies are small files, automatically created by your browser and stored on your device (laptop, tablet, smartphone, etc.) when you visit a page. Cookies do not harm your device, and they do not contain viruses, Trojans or other malware.

Cookies store information about your device. However, this does not mean that we receive detailed information about your identity.

The use of cookies is intended to create a more pleasant use of our services. Therefore, we use session cookies, to find out whether you have already visited unique pages of our website or whether you have already created a customer account. They will be deleted automatically by your browser once they expire.

For usage purposes, we use temporary cookies, stored on your device for a specific period of time. If you visit our website again to use our services, it will be recognized that you have visited our website before and what settings and actions you have performed, so that you do not have to perform them again.

We also use cookies to track website usage statistics and to optimize our offering (article 4.), as well as to show you specifically tailored information (article 5.). When you visit our website again, these cookies enable us to automatically recognize that you have visited us before. After a set period, cookies are automatically deleted.

Most browsers accept cookies automatically. You can configure your browser so that no cookies are saved on your computer, or so that a warning is always displayed before a new cookie is created.

However, please note that disabling cookies altogether may also limit the functionality of our website.

5. Web analysis

To design and optimize our sites on an ongoing basis, we use various web analysis services. As a result, we create anonymous user profiles and use cookies (chapter 4).

Below you will find more information about our web analytics services and other opt-out options:

a) Google Analytics

We use Google Analytics. This is a web analysis service provided by Google Inc. The information about your use of our website (including your IP address) collected via a cookie is transferred to a Google server in the USA and stored there. IP addresses are anonymized, so it is not possible to attribute them to you (IP masking). This information is used to analyze the use of our website, to create reports on website activities for us and to provide us with other services related to the use of our website and the Internet. Under no circumstances will the data you enter when using our service be merged with other data collected via Google.

Google will only transfer information to third parties if this is legally required or if third parties process the data on Google’s behalf.

We also use Google Optimize. This is a web analysis service by Google Inc, which is integrated into Google Analytics. Google Optimize enables us to carry out A/B and multi-variant tests. This enables us to find out which version of our website users prefer. You can prevent data collection by the cookie, as well as data processing by Google, by downloading and installing a browser add-on here. As an alternative to the browser, especially for browsers on mobile devices, you can prevent Google Analytics data collection by clicking on this link.

An opt-out cookie will be set, which prevents future data collection when visiting this site. The opt-out cookie is valid only in this browser and for our website, and will be stored on your device. If you delete the cookie from your browser, you will have to set the opt-out cookie again.

Further information on data protection in conjunction with Google Analytics can be found in the Google Analytics Help.

You can find out more about Google’s data protection policy here.

6. Targeting

We use Google Inc. targeting technologies (e.g. Doubleclick, AdSense, AdWords) on our website. These technologies enable us to deliver interest-based advertising to you. To this end, we collect and evaluate information about your user behavior on our website through the use of cookies.

Data collection and evaluation is carried out anonymously and does not allow us to identify you. In particular, we do not connect this information with your personal data. If you do not wish to receive interest-based advertising, you can prevent this by selecting the appropriate cookie settings in your browser.

You can change the display settings for interest-based advertising via the advertising settings manager.

You can find more information, as well as data privacy rules regarding advertising and Google, here: Google privacy statement and terms of use.

7. Facebook targeting

As part of our advertising on Facebook, we use a pixel-based tracking mechanism. This is a web analytics service provided by Facebook Ireland Ltd. The information is used to track conversions from the Facebook platform.

This service is provided by Facebook Ireland Ltd. for which the Data Privacy Act of the European Union applies. We do not share any data you enter when using our service with Facebook.

See Facebook’s data protection information for more information about the purpose and scope of data collection, data processing and use by Facebook, and your privacy rights and options.

8. Information, correction, blocking, deletion

You have the right to be informed about the personal data you store and the right to rectify or modify incorrect data, as well as the right to block and delete it.

As the controller, you are responsible for the content you publish. You have the right to rectify, block or delete any of your data at any time. We may decide to delete the content you publish, at your request, but we maintain our right not to delete content already published or that we are obliged to maintain to meet legal requirements.

For more information about your personal data, about correcting erroneous data or blocking or deleting it, as well as for other questions about the use of your personal data, you can send an e-mail to support@expedy.fr.

Please note that if you delete your data, you will not be able to use our service in full or at all.

9. Changes to this privacy statement

This data privacy statement is currently effective and was updated in July 2018.

Due to the development of the website, the EXPEDY application or any other EXPEDY service, or due to changes in legal or regulatory requirements, it may be necessary to amend this data privacy statement from time to time.

Introduction of the Data Processing Agreement

This Data Processing Agreement (DPA) forms the basis of the relationship between you (the customer), as the data controller, and EXPEDY, the service provider, as the data processor under the Data Protection Legislation (RGPD).

This is an essential agreement that forms the contractual basis for the data processing we carry out on your behalf. It explains how your data may be processed and its purpose. We process your personal data only as required and as instructed by you, as set out in the Agreement.

Due to the volume of our customer base, it would be impossible to conclude individually signed agreements with all our users. We also hope that the ease of agreement with this DPA will mean that accepting the new Terms and Conditions, to satisfy the RGPD, will take less time for you as a contractor.

This DPA assures you that we (EXPEDY), as your processor, comply with the requirements arising from the RGPD. You are further assured that we maintain the required agreements with all our third parties. Your company details are automatically populated into your account when you accept the terms of use and privacy policy, including the DPA. Your information will always represent the most recent information you have provided to us. The DPA is detailed below for more information.

Data processing agreement

Between:

The customer

And

AD TELA SAS, 9 rue du renard 76000 Rouen (hereinafter “EXPEDY” or “subcontractor”)

each being a “party”; together “the parties”,

HAVE AGREED to the terms of this Data Processing Agreement (hereinafter the “DPA” or “Agreement”) on the protection of personal data concerning the processing of personal data where the customer acts as data controller and EXPEDY acts as processor, to fulfill the service obligations described in the Service Agreement (detailed below). In performing these service obligations, EXPEDY will process certain personal data on behalf of the data controller, in accordance with the terms of this agreement. Each party agrees and will ensure that the terms of this contract are also fully applicable to its affiliates who may be involved in personal data processing operations for the project defined in the service agreement. More specifically, EXPEDY will ensure that all subcontractors operate under the same conditions as this agreement when processing the customer’s personal data.

Introduction and definitions

“Personal Data” is defined as any information relating to a data subject, and by which that data subject may be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural or legal person (where applicable).

All other definitions mentioned herein, including the terms “controller” and “processor”, are determined by data protection laws, including Regulation 2016/679 of April 27, 2016 (hereinafter “GDPR”).

Sensitive personal data is not considered to be processed as part of the application service offered by the data processing center and is therefore excluded from the terms of this contract.

By registering to use EXPEDY software and accepting the Terms and Conditions, including the Privacy Policy and this DPA, the parties agree, under all national data protection laws and the RGPD, that this Agreement governs the relationship between the data controller and the data processor, defining EXPEDY’s processing of the customer’s personal data. This Agreement takes precedence, unless it has been superseded by another signed DPA, which communicates its precedence over this Agreement.

The purpose of EXPEDY’s processing of the Customer’s Personal Data is to ensure full use of the Service by the Customer and to enable compliance with this Agreement. EXPEDY shall ensure that sufficient security of Personal Data is maintained at all times.

Both parties confirm their authority to sign the agreement by doing so.

Subcontractor responsibilities

The processor must manage all personal data on behalf of the data controller and follow their instructions. By entering into this Agreement, EXPEDY (and any subcontractors with whom the subcontractor has a legal agreement for services) is responsible for processing the customer’s personal data:

  1. In compliance with all national and European laws
  2. Fulfill its obligations under the terms of the service request
  3. As instructed by the data controller
  4. As described in this agreement

To provide its service, the subcontractor is obliged to always provide the Customer with adequate solutions to accompany the continuous development of its business, using the service. The subcontractor monitors how the Customer uses the Application in order to make the best possible suggestions, provide relevant services at all times and send accurate communications to facilitate use and improve customer satisfaction. Personal data from the Application is processed only in accordance with this DPA and applicable law, and is shared only as necessary to provide a better customer experience.

Taking into account the technology available and the costs of implementation, as well as the scope, context and purpose of the processing, the processor must take all reasonable measures, including technical and organizational measures, to ensure a sufficient level of security, so that personal data is protected. The processor must assist the controller by taking appropriate technical and organizational measures, taking into account the nature of the processing and the category of information available to the processor, to ensure compliance with the processor’s obligations under data protection laws. The processor must notify the data controller immediately if the latter becomes aware of a security breach.

In addition, the processor must, as far as legally possible, inform the data controller if a request for information on the data held is made (data access request) by an organization to which the data should be supplied. The processor will respond to such requests once it has been authorized by the controller to do so. The processor will also not disclose any information about this contract unless the data controller is required by law to do so, for example by a court order.

If the controller requires information or assistance regarding data security, or documentation or information on how the processor generally handles personal data, the controller may request this information from the processor.

The subcontractor, its employees and affiliates must ensure the confidentiality of personal data processed under the Contract. This provision continues to apply after termination of the Contract, regardless of the reason for termination.

Responsibilities of the data controller

By signing this agreement, the data controller confirms that, when using the application, they must be able to freely process their data in accordance with all legal data protection requirements, including RGPD. They give their explicit consent to the processing of their personal data at all times when using the service.

The controller may revoke this consent at any time, but doing so terminates the contract and the processor will no longer be able to provide the service.

The Customer has a legal basis to process Personal Data with the processor (including subcontractors), with the help of EXPEDY’s services.

The controller is responsible at all times for the accuracy, integrity, content and reliability of the personal data processed by the processor. They have fulfilled all mandatory requirements concerning notification to or obtaining permission from the competent public authorities regarding the processing of personal data. They have also fulfilled their disclosure obligations to the competent authorities regarding the processing of personal data in accordance with all applicable data protection legislation.

The controller must have a precise list of the categories of personal data it processes, particularly if this processing differs from the categories listed by the processor in Appendix A.

Agreement on data transfer and use of subcontractors

In order to provide the service to the controller, the processor uses subcontractors. These subcontractors may be third-party suppliers both inside and outside the EU/EEA. The data processor ensures that all subcontractors meet the obligations and requirements of this agreement, and in particular that their level of data protection meets the standards required by the relevant data protection laws. If a jurisdiction falls outside the EU / EEA and is not on the list of satisfactory data protection levels approved by the European Commission, a specific agreement is entered into between EXPEDY and that processor to ensure that all personal data is maintained in accordance with the requirements under current EU data protection laws.

This Agreement constitutes the specific and explicit prior consent of the data controllers to the Use of Processors by the Processor, which may sometimes be based outside the EU / EEA, or territories approved by the European Commission.

The data controller may revoke this consent at any time, but doing so terminates the contract and the data processing center will no longer be able to provide the service.

If a subcontractor is established or stores personal data outside the territories approved by the EU / EEA or the European Commission, the processor is responsible for ensuring the transfer of personal data to a third country, on behalf of the controller. This includes the use of European Commission standard contracts or specific measures that have been previously approved by the European Commission.

The controller must be informed before the processor replaces its subcontractors. The controller can then object to a new processor processing his or her personal data on behalf of the processor, but only if the processor does not process the data in accordance with the relevant data protection legislation. The processor can demonstrate compliance by providing the controller with access to the data protection assessment carried out by the processor.

If the data controller continues to object to the use of the subcontractor, he can terminate his subscription to the service without the usual notice period, and then ensure that his personal data is not processed by the unprivileged subcontractor.

Duration of agreement

The Agreement remains valid for as long as the Processor processes Personal Data with the Processor’s use of the Application, and unless it is superseded by another signed DPA which takes precedence over this Agreement.

Termination of the agreement

In the event of termination of the subscription, the subcontractor will delete all personal data, except those it is required to retain under applicable legal provisions, in which case they will be retained in accordance with EXPEDY’s technical and organizational guarantees.

The data controller has the full ability to retrieve all personal data from the application. If the data controller requests assistance with data retrieval, the associated costs will be determined by mutual agreement between the parties and will depend on the complexity of the requested process and the time required to complete it in the chosen format.

Amendments to the agreement

Amendments to the Agreement must be included in a separate annex to the Agreement.

If any provision of the contract is found to be invalid, this shall not affect the remaining provisions. The parties will replace the invalid provision by a legal provision, which reflects the purpose of the invalid provision.

Audits

The controller is entitled to review the processor’s obligations under the agreement once a year. If the processor is required to do so under applicable legislation, audits may be repeated once a year. A detailed audit schedule must be provided detailing scope, duration and start date at least four weeks prior to the proposed start date. The parties decide together whether a third party should carry out the audit. However, the controller may allow the processor to have the security review by a neutral third party, chosen by the processor, if it is a processing environment in which several of the controller’s data are processed.

If the proposed scope of the audit follows an ISAE, ISO or similar certification report carried out by a qualified third-party auditor, within the last twelve months, and the subcontractor confirms that there have been no significant changes in the measures examined, this will be satisfactory for any request received within this timeframe. Audits must not unreasonably interfere with the processor’s normal activities. The data controller is responsible for all costs associated with its request for review.

Responsibilities and jurisdictions

Liability for actions arising from a breach of the provisions of this Agreement is governed by the liability and indemnity provisions in the Subscription Terms in section 13. This also applies to any breach by data processing sub-processors. This Agreement shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, which shall have exclusive jurisdiction over all disputes arising hereunder.

Appendix A

Appendix A – Categories of personal information and usual categories of processing

A. Categories of personal information (non-exhaustive list)

  1. Name
  2. Address
  3. Phone number(s)
  4. E-mail address(es)
  5. Address(es)
  6. Any account number and/or bank details

B. Typical treatment categories (non-exhaustive list)

  1. The data controller’s contact details (telephone / email / addresses, etc.)
  2. Customers of the controller
  3. Bank details of the data controller
  4. Customer contacts (telephone / email / addresses, etc.)
  5. Their customers’ customers
