Privacy policy
Updated on 11/04/2023
Before joining the Phyto-info non-profit organization, please read and accept this privacy policy concerning the use of your personal data.
1. What does the personal data use policy cover?
This personal data use policy relates to the use of your personal data by the Phyto-info non-profit organization.
2. Who is this policy for?
This policy is intended for members of the non-profit organization.
3. Who is the data controller?
The data controller is Phyto-info: a Law 1901 non-profit organization declared by the prefect of Doubs under number W251009984, registered under SIRET number 915 366 819, whose official address is 13 la Grange des Noyes 25110 Voillans.
4. Purposes: what is the data collected for?
The purpose of the processing is the management of the activities offered on the website, namely:
- the management of non-profit organization memberships
- the payment of the subscription
- the management of user accounts for the search tool
- the management of subscriptions to the newsletter
- the technical management of the site (hosting, security, maintenance)
5. Personal data processed
The Phyto-info non-profit organization processes the following categories of data:
- for the management of memberships to the non-profit organization: the surname and first name, the email address;
- for the payment of the subscription: bank details for online payments on Stripe;
- for the management of user accounts for the search tool: only the identifier (email address) is collected and, with the express agreement of the person where applicable, the authentication cookie that allows the user to remain connected for 2 weeks. No personal data is collected while the user is using the search tool;
- for subscriptions to the newsletter: the email address is collected; the first name is optional;
- for the technical management of the site (hosting, security, maintenance): the data processed are those stored on the site as well as the connection data (IP address, logs, identifiers, terminals, etc.).
6. Legal basis for processing: what gives us the right to process data
The legal bases for the processing are as follows:
- for the management of memberships in the non-profit organization: the legal basis is the conclusion of contractual documents relating to membership;
- for the payment of the subscription: the legal basis is the conclusion of the membership contract. Since the default payment method offered is an online payment through the Stripe module, express consent to this online payment is nevertheless requested from the member when signing the membership documents. The person has the option of refusing payment by Stripe;
- for the management of user accounts for the search tool: the legal basis is the conclusion of contractual documents relating to membership (including the Terms of Use) and legitimate interest;
- for the management of subscriptions to the newsletter: the legal basis is the consent of the subscriber;
- for the technical management of the site: the legal basis is legitimate interest.
7. Data retention period
The data subject to processing is stored for a period that does not exceed that required for the purposes for which it is recorded (principle of minimization of processing).
The maximum retention periods are as follows:
- for the management of memberships to the non-profit organization: the data is kept throughout the membership and then for 10 years from the end of the membership;
- for the payment of the subscription: the data is kept throughout the membership and then for 10 years from the end of the membership;
- for the management of user accounts for the search tool: the login ID is kept for the duration of the membership. The code sent to log in is single-use and valid for only a few minutes. The user has the option of remaining connected for 2 weeks using an authentication cookie;
- for the management of subscriptions to the newsletter: the subscription data is stored for as long as the person is a subscriber;
- for the technical management of the site (hosting, security, SEO): the data is kept for the time necessary for technical operations (a few weeks maximum).
8. Mandatory or optional nature of data collection
The data collected is mandatory to achieve the purposes of processing, with the exception of certain information, such as order notes.
For online subscription payments, the data collected is required for the conclusion and execution of the order (contract). To subscribe to the newsletter, collecting the first name is optional.
9. Data sources
The data is transmitted directly by the person concerned.
10. Data recipients
Depending on their respective needs, the recipients of all or part of the data are:
- the online payment service provider Stripe;
- persons in charge of technical services (hosting provider, site security);
- Mailchimp for the newsletter.
11. What security measures are in place?
The data controller implements the appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk.
The controller shall take measures to ensure that any natural person acting under their authority or under that of the processor, who has access to personal data, does not process them, unless required to do so.
12. The existence of data transfers to a country outside the European Union and associated guarantees
The data controller may be required to transfer personal data outside the European Union, through its subcontractors, in particular Stripe for online membership payments or Mailchimp for the newsletter.
Personal data may be stored and/or data transfers may take place outside the European Union, in particular to the United States. Given US national security legislation, data transfers to the US at the request of the US government cannot be excluded. The Court of Justice of the European Union ruled in a judgment of 16/07/20 that American legislation is not as protective of personal data and rights of recourse as European regulations.
The data controller undertakes to ensure that these transfers are carried out:
- to countries with a so-called adequate level of protection within the meaning of the European data protection authorities or
- with appropriate guarantees pursuant to Article 46 of the GDPR or
- in compliance with Article 49 of the GDPR.
13. Automated decision making
The processing does not provide for fully automated decision-making.
14. Disposition of personal data after death - Right to access, rectify, delete and portability of data
The person concerned by processing may define guidelines for the storage, deletion and communication of their personal data after their death. These instructions may be general or specific.
The person concerned by processing also has the right to access, object to, rectify and delete their personal data and, under certain conditions, the right to portability of that data. The person concerned has the right to withdraw consent at any time if consent is the legal basis for the processing.
The request must indicate the first name and surname and the e-mail or postal address of the person concerned, and must be signed and accompanied by valid proof of identity.
The person can exercise these rights by contacting:
Ms Sylvie Thouësny - sylvie(@)thouesny(.)net - Tel : 0781466724
15. Complaint
The person concerned by processing has the right to lodge a complaint with the supervisory authority (CNIL): https://www.cnil.fr/fr/webform/adresse-une-plainte