Data protection and data security are top priorities for EXPEDY. We process and use personal data only to the extent necessary to provide our services to you.
Data privacy statement
We, EXPEDY published by AD TELA SAS domiciled at 12 rue des bons enfants 76000 ROUEN. registered with the RCS ROUEN – SIRET: 83767873900017 – VAT: FR96837678739, are the operator of the expedy.fr website, as well as the service provider of the EXPEDY iOS and Android App, including other services that are provided via websites (e.g. expedy.fr/console). We are responsible for the collection, processing and use of personal data in accordance with all data protection legislation, in particular the General Data Protection Regulation (“GDPR”).
You, the customer, are the “controller” and EXPEDY, the service provider, is the “processor” on your behalf. We will only use your data in accordance with data protection legislation. EXPEDY also has a Data Protection Officer (“DPO”) who can be contacted by post or email at firstname.lastname@example.org
1. Data security
In order to protect your data, all data you provide is encrypted using the TLS (Transport Layer Security) standard. TLS is a secure and tested standard, used for example for online banking. You can see this TLS secure connection with the “s” after the “http” in the URL displayed in your browser (e.g. https://..), or from the padlock symbol in the browser tab.
We also take appropriate technical and organisational security measures to protect your data against random or deliberate manipulation, partial or complete loss, destruction and/or unauthorised access. In order to avoid data loss, we run a “mirrored” database configuration, which means that your data is always stored in two separate locations. In addition, we update and store the data every hour in an off-site backup and in accordance with the high-risk analysis, we continuously perform security tests on our infrastructure. Your password is stored via a secure encrypted process. We will never ask you for your password, neither by e-mail nor by phone. If you forget your password, we can reset it for you. Our security measures are continuously improved in line with technological developments.
The personal data we collect is stored in a secure environment within the EU and treated as confidential. Access to this data is limited to selected employees and suppliers of the EXPEDY Group. We always comply with the legal requirements for data protection.
We do our best to secure your data in the best possible way, but we cannot guarantee the security of your data when it is transferred over the Internet. When data is transferred over the Internet, there is a certain risk that others may access the data unlawfully. In other words, the security of your data transfer is your responsibility as the controller.
2. The collection and storage of personal data and the nature and purpose of their use
a) If you visit our website
You can visit the EXPEDY website without revealing your identity. Your browser only sends automatically collected information to our website servers. This information is temporarily stored in a document called a “log”. The following information is automatically collected and stored until it is automatically deleted:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the data accessed
- Website from which the access was made (referrer URL),
- Browser used and, if necessary, the operating system of your computer as well as the name of your access provider
This data is collected and processed for the purpose of enabling the use of our website (login), but also for the purpose of ensuring the security and stability of our system and for the technical administration of the network infrastructure. We do not draw any conclusions about you as an individual.
b) If you register for our online services
To use these services, you must first register. In order to use our services to their full extent, it may be necessary to enter more personal data. For example, to create a legal invoice, it is necessary to enter your company name, address, invoice number and payment information, etc. We also use your name and contact details:
- To find out who our contractor is
- For the justification, structure, processing and changes to our contractual relationship with you, relating to the use of our services
- To check the plausibility of the data entered
- If necessary to contact you
c) If you subscribe to our newsletter
If you have agreed to receive our newsletter, we may use your email address to send you regular newsletters and information about our services. In order to receive newsletters, we must first obtain your consent to accept these messages. This consent can be chosen during registration. You may revoke your consent to receive such communications at any time, either in your account, by deactivating emails or by sending us an email to indicate that you no longer wish to receive such communications. You can also unsubscribe from newsletters at any time, for example by clicking on the unsubscribe link at the bottom of the newsletter. You can also email us at email@example.com
If you unsubscribe from the newsletter, we will retain your email address only to ensure that you do not receive these emails again.
d) Developer, customer, supplier, accountant and team
With our services you have the possibility to enter third party data, to give third parties access to your account, to connect your account to third parties and to offer third parties your own applications or to use third party applications. Of course, we also respect the privacy of third party data, which we may access through your use of our service. Sometimes this may require a separate contract with you. If you think this is the case, please contact us.
Under our terms and conditions, you are not permitted to share your login data with third parties, and you are obliged to treat your data with care. Furthermore, you are responsible for the data of third parties that you enter into EXPEDY. Please note that we have no influence on compliance with data protection and security standards outside our website, the EXPEDY application or the services we provide. In this case, you – or the third party to whom you have granted access to your data – are responsible.
3. Consent to data transfer
We will transfer your personal data to third parties if you request us to do so (for example, when generating a label with a carrier), but only if you have given your explicit consent, or if there are obligations to do so.
EXPEDY may also, from time to time, require that we share data with a sister company, for example to enable the billing of your account with another EXPEDY entity. Data security is maintained at all times. By registering with EXPEDY, you give your consent to the processing of your data.
You also give your explicit consent to share your data with third parties as necessary to provide our service to you.
We confirm that we only share your data with third parties who maintain a satisfactory level of data security to the standards required under all data protection legislation.
In particular, where we share data with territories outside the EU/EEA or a country not on the list approved by the European Commission, we ensure that we comply with all EU standards of data security and privacy. We are required to make available, upon request, evidence of – or reference to – the appropriate safeguards, and may do so following receipt of a request received by EXPEDY in writing or by e-mail.
You retain the right to withdraw your consent to the processing and/or sharing of your data at any time either by closing your account, which has immediate effect, or by contacting us to request closure, at which point we will do so as soon as practicable. After your relationship with EXPEDY ends, we will only retain the minimum data we are required to hold to meet all legal requirements and only for the minimum period required.
If you have any questions about the processing of your personal data, or if you wish to make a data access request, the Data Protection Officer can be contacted at firstname.lastname@example.org or by writing to the address given above. If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. EXPEDY will cooperate fully with any such investigation and will endeavour to comply with all requests as far as possible. The competent authority for each country can be found on the European Commission’s website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080[s4]
Cookies store information about your device. However, this does not mean that we receive detailed information about your identity.
For user purposes, we use temporary cookies, which are stored on your device for a specific period of time. If you visit our website again to use our services, it will be recognised that you have visited our website before and what settings and actions you have taken, so that you do not have to perform them again.
Most browsers accept cookies automatically. You can configure your browser so that no cookies are stored on your computer or so that a warning is always displayed before a new cookie is created.
However, you should note that disabling cookies completely may also limit the functionality of our website.
5. Web analysis
Below you will find more information about our web analytics services and further disabling options:
a) Google Analytics
We use Google Analytics. This is a web analysis service of Google Inc. The information about your use of our website (including your IP address) collected via a cookie is transferred to a Google server in the USA and stored there. The IP addresses are anonymised, so it is not possible to attribute them to you (IP masking). The information is used to analyse the use of our website, to create reports on website activities for us and to provide us with other services related to the use of our website and the Internet. The data you enter when using our service will not be merged with any other data collected by Google.
The transfer of information by Google to third parties will only take place if this is legally required or if third parties process the data on their behalf.
In addition, we use Google Optimize. This is a web analytics service by Google Inc, which is integrated with Google Analytics. Google Optimize allows us to perform A/B and multi-variant tests. This allows us to know which version of our website users prefer. You can prevent the collection of data by the cookie, as well as the processing of data by Google by downloading and installing a browser add-on here. As an alternative to the browser, especially for browsers on mobile devices, you can prevent the collection of data from Google Analytics by clicking on this link.
An opt-out cookie will be set, which prevents future data collection when visiting this site. The opt-out cookie is only valid in this browser and for our website, and will be stored on your device. If you delete the cookie in your browser, you will have to set the opt-out cookie again.
Further information on data protection in conjunction with Google Analytics can be found in the Google Analytics Help.
Further information on data protection by Google can be found here.
The collection and evaluation is carried out anonymously and does not allow us to identify you. In particular, we do not link this information with your personal data. If you do not wish to receive interest-based advertising, you can prevent this via the appropriate cookie settings in your browser.
You can change the display settings for interest-based advertising via the advertising settings manager.
7. Facebook Targeting
As part of our advertising on Facebook, we use a pixel-based tracking mechanism. This is a web analytics service provided by Facebook Ireland Ltd. The information is used to track conversions from the Facebook platform.
This service is provided by Facebook Ireland Ltd. for which the European Union’s data privacy law applies. We do not share any data you enter when using our service with Facebook.
See Facebook’s data protection information for more information about the purpose and scope of data collection, data processing and use by Facebook, and your privacy rights and options.
8. Information, correction, blocking, deletion
You have the right to be informed about the personal data you store and the right to correct or amend incorrect data, as well as the right to block and delete.
As the controller, you are responsible for the content you post. You have the right to rectify, block or delete any of your data at any time. We may decide to delete content you post, at your request, but we retain our right not to delete content already posted or that we are required to maintain to meet legal requirements.
For more information about your personal data, about correcting erroneous data or blocking or deleting it, and for other questions about the use of your personal data, you can send an email to email@example.com
Please note that if you delete your data, you will not be able to use our service in full or at all.
9. Changes to this data privacy statement
This data privacy statement is currently effective and was updated in July 2018.
Due to the development of the website, the EXPEDY app or any other EXPEDY service, or due to changes in legal or regulatory requirements, it may be necessary to amend this data privacy statement from time to time.
Introduction to the Data Processing Agreement
This Data Processing Agreement (DPA) forms the basis of the relationship between you (the customer) as data controller and EXPEDY, the service provider, as data processor under the Data Protection Legislation (GDPR).
This is an essential agreement which forms the contractual basis for the processing of data by us on your behalf. It explains how your data may be processed and its purpose. We process your personal data only as necessary and as instructed by you, as set out in the Agreement.
Due to the volume of our customer base, it would be impossible to enter into individually signed agreements with all our users. We also hope that the ease of agreement with this TAA will mean that accepting the new Terms and Conditions, to comply with the GDPR, will take less time for you as an entrepreneur.
Agreement on data processing
Name of the client (hereinafter “the client” or “controller”) [This information will be automatically filled in once you have completed your registration]
AD TELA sas, 12 rue des bons enfants 76000 Rouen (hereinafter “EXPEDY” or “subcontractor”)
each a “Party”; together “the Parties”,
HAVE AGREED on the terms of this Data Processing Agreement (hereinafter the “DPA” or “Agreement”) on the protection of personal data concerning the processing of personal data where the Client acts as a data controller and EXPEDY acts as a subcontractor, in order to fulfil the service obligations described in the Service Agreement (detailed below). In performing these service obligations, EXPEDY will process certain personal data on behalf of the data controller in accordance with the terms of this agreement. Each party agrees and shall ensure that the terms of this agreement shall also be fully applicable to its affiliates who may be involved in the processing of personal data for the project defined in the service agreement. Specifically, EXPEDY will ensure that all subcontractors operate under the same terms and conditions as this agreement when processing the client’s personal data.
Introduction and definitions
“Personal Data” is defined as any information relating to a data subject, and by which he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural or legal person (if any).
All other definitions mentioned here, including the terms “controller” and “processor”, are determined by data protection laws, including Regulation 2016/679 of 27 April 2016 (hereinafter “GDPR”).
Sensitive personal data is not considered to be processed as part of the application service offered by the data processing centre and is therefore excluded from the terms of this contract.
The purpose of EXPEDY’s processing of the Customer’s Personal Data is to ensure the full use of the Service by the Customer and to enable compliance with this Agreement. EXPEDY shall ensure that sufficient security of personal data is maintained at all times.
Both parties confirm their authority to sign the Agreement by doing so.
Responsibilities of the processor
The processor shall manage all personal data on behalf of the controller and follow their instructions. By entering into this Agreement, EXPEDY (and any subcontractors with whom the subcontractor has a legal agreement for services) is responsible for processing the customer’s personal data:
- In accordance with all national and European laws
- To fulfil its obligations under the terms of the service request
- According to the instructions of the controller
- As described in this agreement
In order to provide its service, the processor is required to always provide the Customer with adequate solutions to support the ongoing development of its business, using the service. The subcontractor monitors how the Customer uses the Application in order to make the best possible suggestions, to provide relevant services at all times and to send accurate communications to facilitate use and improve customer satisfaction. With regard to the processing of personal data of the Application, they are processed only in accordance with this ATD, and the applicable law, and are shared only as necessary to provide a better experience to the customer.
Taking into account the technology available and the costs of implementation, as well as the scope, context and purpose of the processing, the processor shall take all reasonable measures, including technical and organisational measures, to ensure a sufficient level of security, so that the personal data is protected. The processor must assist the controller by taking appropriate technical and organisational measures, taking into account the nature of the processing and the category of information available to the processor, to ensure compliance with the processor’s obligations under the data protection laws. The processor must notify the controller if the controller becomes aware of a security breach without delay.
In addition, the processor must, as far as legally possible, inform the controller if a request for information about the data held is made (data access request) by a body to which the data should be provided. The processor will respond to such requests once it has been authorised by the controller to do so. The processor will also not disclose information about this contract unless the controller is required by law to do so, for example by a court order.
If the controller requires information or assistance regarding data security, or documentation or information about how the processor generally handles personal data, the controller may request such information from the processor.
The processor, its employees and affiliates must maintain the confidentiality of personal data processed under the contract. This provision continues to apply after termination of the Contract, regardless of the reason for termination.
Responsibilities of the data controller
By signing this agreement, the data controller confirms that when using the application, they shall be free to process their data in accordance with all legal requirements on data protection, including the GDPR. They give their explicit consent to the processing of their personal data at all times when using the service.
The controller may revoke this consent at any time, but doing so terminates the contract and the processor will no longer be able to provide the service.
The Customer has a legal basis to process Personal Data with the processor (including subcontractors), with the help of EXPEDY services.
The controller is responsible at all times for the accuracy, integrity, content and reliability of the Personal Data processed by the processor. They have fulfilled all mandatory requirements regarding notification or obtaining permission from the relevant public authorities regarding the processing of personal data. They have also fulfilled their disclosure obligations to the competent authorities regarding the processing of personal data in accordance with all applicable data protection legislation.
The controller must have a clear list of the categories of personal data it processes, in particular if the processing differs from the categories listed by the processor in Annex A.
Agreement on data transfer and use of processors
In order to provide the service to the controller, the processor uses subcontractors. These processors may be third party providers both within and outside the EU/EEA. The Data Processor ensures that all processors meet the obligations and requirements of this agreement, and in particular that their level of data protection meets the standards required by the relevant data protection laws. If a jurisdiction is outside the EU/EEA and is not on the list of satisfactory data protection levels approved by the European Commission, a specific agreement is entered into between EXPEDY and that processor to ensure that all personal data is maintained in accordance with the requirements under current EU data protection laws.
This Agreement constitutes the specific and explicit prior consent of the data controllers to the use of subcontractors by the processor, which may sometimes be based outside the EU/EEA, or territories approved by the European Commission.
The data controller may revoke this consent at any time, but doing so will terminate the contract and the data processor will no longer be able to provide the service.
If a sub-processor is established or stores personal data outside the territories approved by the EU/EEA or the European Commission, the sub-processor is responsible for ensuring the transfer of personal data to a third country on behalf of the controller. This includes the use of European Commission model contracts or specific measures that have been previously approved by the European Commission.
The controller must be informed before the processor replaces its sub-processors. The controller may then object to a new processor processing his or her personal data on behalf of the processor, but only if the processor does not process the data in accordance with the relevant data protection legislation. The processor may demonstrate compliance by providing the controller with access to the data protection assessment carried out by the processor.
If the data controller continues to object to the processor’s use, it may terminate its subscription to the service without the usual notice period and then ensure that its personal data is not processed by the unprivileged processor.
Duration of the agreement
The Agreement shall remain in force for as long as the Processor processes Personal Data with the Processor’s use of the Application, and unless it is superseded by another signed TPA which takes precedence over this Agreement.
Termination of the Agreement
In the event of termination of the subscription, the processor shall delete all personal data, except those that it is required to retain under applicable legal provisions and, in that case, shall be retained in accordance with EXPEDY’s technical and organisational safeguards.
The data controller has the full ability to retrieve all his personal data from the application. If the data controller requests assistance with data recovery, the associated costs will be determined by mutual agreement between the parties and will depend on the complexity of the process requested and the time required to complete it in the chosen format.
Amendments to the Agreement
Amendments to the Agreement shall be included in a separate annex to the Agreement.
If any provision of the Agreement is found to be invalid, this will not affect the remaining provisions. The parties shall replace the invalid provision with a legal provision, which reflects the purpose of the invalid provision.
The controller is entitled to conduct a review of the processor’s obligations under the agreement once a year. If the processor is required to do so under the applicable legislation, audits may be repeated once a year. A detailed audit programme must be provided detailing the scope, duration and start date at least four weeks before the proposed start date. The parties decide together whether a third party should carry out the audit. However, the controller may allow the processor to have the security review by a neutral third party, chosen by the processor, if it is a processing environment in which more than one controller’s data is processed.
If the proposed scope of the audit follows an ISAE, ISO or similar certification report by a qualified third party auditor within the last twelve months, and the processor confirms that there have been no significant changes in the measures reviewed, this will be satisfactory for any request received within this timeframe. Audits must not unreasonably interfere with the processor’s normal activities. The controller is responsible for all costs associated with its request for review.
Liability and Jurisdiction
Liability for actions arising from a breach of the provisions of this Agreement is governed by the liability and indemnity provisions in the Subscription Terms in section 13. This also applies to any breach by data processors. This Agreement shall be governed by the German courts, which shall have exclusive jurisdiction to adjudicate any dispute arising out of it.
Appendix A – Categories of Personal Information and Typical Processing Categories
A. Categories of personal information (non-exhaustive list)
- Telephone number(s)
- E-mail address(es)
- Any account number and/or bank details
B. Typical categories of processing (non-exhaustive list)
- The controller’s contacts (telephone / email / addresses, etc)
- Customers of the data controller
- The controller’s bank details
- The contacts of their customers (telephone / email / addresses, etc)
- The clients of their clients