We process your personal data mainly for the following reasons:

• browse our website, benefit from our services and so that we can respond to your requests (e.g. requests for information, complaints, etc.) on the basis of our general terms of use and our legitimate interest in providing you with the best possible service.
• manage our customer service on the basis of the performance of the contract and our legitimate interest in responding as effectively as possible to your requests and complaints.
• to keep you informed of our latest offers and events by email, on the basis of our legitimate interest in building customer loyalty and prospecting potential new customers.
• manage invoicing and any outstanding payments, on the basis of our legitimate interest in obtaining consideration for the provision of our service and on the basis of our general terms and conditions.
• follow us and comment on our publications on social networks on the basis of our legitimate interest in having a dedicated page on social networks.
• receive our newsletter informing you of all the latest news about our services on the basis of our legitimate interest in building customer loyalty.
• operate the videos on our site on the basis of our legitimate interest in offering you content in video format.
• make an appointment with our teams on the basis of our legitimate interest in offering you a means of easily making an appointment with us.
• allow documents to be downloaded on the basis of our general conditions of use.
• record the conversations we have with you in order to improve our customer service, on the basis of your prior consent and our legitimate interest in improving the quality of our service and training our staff.

Your data is collected directly from you when you are a customer of our services or a “simple” visitor to our website www.searoutes.com and we undertake to process your data only for the purposes described above.

Your personal data may also be processed indirectly in the context of trade fairs or social networks (e.g. LinkedIn).

On the other hand, when you voluntarily publish content on the pages that we publish on social networks, you acknowledge that you are entirely responsible for any personal information that you may transmit, whatever the nature and origin of the information provided.

We have summarised the categories of personal data and their respective retention periods below:

• Professional identification data (e.g. surname, first name, position, company, etc.) and contact details (e.g. e-mail address and business telephone number, etc.) kept for the duration of the service, plus the statutory limitation periods, which are generally 5 years.
• When there is confusion between the name of your organisation and your personal name (e.g. auto-entrepreneur, VSE, etc.), economic and financial data (e.g. bank account number, verification code, etc.) kept for the time required for the transaction and for managing invoicing and payments, plus the statutory limitation periods, which are generally 5 to 10 years.
• Email address, kept for a maximum of 3 years from the last contact we had with you as part of our email prospecting campaigns, and kept until the end of your subscription to receive our newsletter.
• Voice retained during telephone storage for a maximum of 6 months, with the exception of calls used to justify the conclusion of a contract, in which case they are retained for the statutory limitation period, which is generally 5 years.
• Statistical data relating to the viewing of our videos, which is anonymised and stored indefinitely.
• Connection data (e.g. logs, IP address, etc.) kept for 1 year.
• Cookies are generally kept for a maximum of 13 months. For more details on how we use your cookies, you can consult our cookies policy, which can be accessed at any time on our website.

Once the applicable retention periods have expired, the deletion of your personal data is irreversible and we will no longer be able to communicate it to you. At the most, we may only keep anonymous data for statistical purposes.

Please also note that in the event of a dispute, we are obliged to keep all your personal data for the duration of the case, even after the retention periods described above have expired.

The applicable data protection regulations give you specific rights which you can exercise, at any time and free of charge, to control the use we make of your data.

• The right to access and copy your personal data, provided that this request does not conflict with business secrecy, confidentiality or the confidentiality of correspondence.
• The right to rectify any personal data that is incorrect, obsolete or incomplete.
• The right to object to the processing of your personal data for commercial prospecting purposes.
• The right to request the deletion (“right to be forgotten”) of your personal data that is not essential for the proper functioning of our services.
• The right to limit your personal data, which allows you to photograph the use of your data in the event of a dispute over the legitimacy of processing.
• The right to data portability, which allows you to recover part of your personal data so that it can be easily stored or transmitted from one information system to another.
• The right to give instructions on what should happen to your data in the event of your death, either through you or through a trusted third party or beneficiary.

For a request to be taken into account, it must be sent directly by you or your representative to privacy@searoutes.com. Any request that is not made in this way cannot be processed.

Requests cannot be made by anyone other than you or your representative. We may therefore ask you to provide proof of identity if there is any doubt about the identity of the applicant.

We will respond to your request as quickly as possible, subject to a maximum of three months from receipt if the request is technically complex or if we receive a large number of requests at the same time.

Please note that we can always refuse to respond to any excessive or unfounded request, particularly if it is repetitive.

Your personal data is processed by our teams and by our technical service providers for the sole purpose of operating our service.

We would like to point out that we check all our technical service providers before recruiting them to ensure that they scrupulously comply with the applicable rules on the protection of personal data.

WE GUARANTEE THAT WE WILL NEVER TRANSFER OR SELL YOUR DATA TO THIRD PARTIES OR COMMERCIAL PARTNERS.

The personal data processed by our website is exclusively hosted on servers located within the European Union.

Furthermore, we do our utmost to use only technical tools whose servers are also located within the European Union. However, if this is not the case, we scrupulously ensure that they implement the appropriate guarantees required to ensure the confidentiality and protection of your personal data.

We implement all the technical and organisational means required to guarantee the security of your personal data on a day-to-day basis and, in particular, to combat any risk of destruction, loss, alteration or disclosure.

WE GUARANTEE THAT WE DO NOT USE ANY ADVERTISING COOKIES FOR THE OPERATION OF THIS SITE.

However, we would like to inform you that we use statistical cookies when you browse our website. For more information, please consult our Cookies Policy.

To guarantee the protection and integrity of your data, we have officially appointed an independent Data Protection Officer (“DPO“) to our supervisory authority.

You can contact our DPO free of charge at any time at privacy@searoutes.com to obtain more information or details on how we process your data.

You may at any time contact the “Commission nationale de l’informatique et des libertés” or “CNIL” at the following address: CNIL Complaints Department, 3 place de Fontenoy – TSA 80751, 75334 Paris Cedex 07 or by telephone on 01.53.73.22.22.

We may amend our Privacy Policy at any time to adapt it to new legal requirements and to new processing operations that we may implement in the future.

Certified by Dipeeo ®

The Agreement is an indivisible appendix to the Contract signed between the Client and the Processor for the use of the Service. 

In the event of any contradiction between the Contract concluded for the use of the Service and the Agreement, the obligations set out in the Agreement shall prevail over the Contract with regard to the GDPR as a whole.

The Agreement is applicable for the duration of the Contract entered into in connection with the use of the Service and may continue beyond that period as long as all the obligations set out herein remain applicable.

The Client acts under the Agreement as the data controller of the processing activities and Searoutes SAS acts as the data processor within the meaning of Article 28 of the GDPR.

Under no circumstances may the Parties be considered to be jointly liable in connection with the Service. However, the Parties agree that in the event of an error or change in their qualification, the Parties shall meet, as soon as possible, to amend the Agreement and take all measures relating to such a situation in order to comply with the requirements of the applicable Regulations regarding the protection of personal data.

The Agreement exclusively governs the processing of the Client’s Personal Data carried out as part of the Service as a Processor within the meaning of Article 28 of the GDPR to the exclusion of the processing carried out as data controller by Searoutes SAS which is governed by the Contract. 

The Processor undertakes to use the Client’s Personal Data in connection with the use of the Service only in accordance with the instructions documented in the appendix to the Agreement. The Processor shall immediately inform the Client if it considers that an instruction given by the Client is illegal with regard to the Regulations applicable to the protection of personal data. The Processor may not be held liable in the event that, despite the Processor’s notification concerning the illegality of the instruction, the Client maintains and applies this instruction via the Service. 

The Processor undertakes to comply with the provisions of the GDPR and, in particular, to keep a register of processing activities specific to the Service and to develop its Service in compliance with the rules of “Protection by Design” and “Protection by Default”. 

The Processor undertakes never to transfer the Client’s Personal Data for any reason other than the provision of the Service and undertakes never to use the Client’s Personal Data for its own purposes as data controller. 

The Processor declares that all internal or external personnel required to process the Client’s Personal Data are bound by one or more binding legal documents and regularly undergo training and awareness-raising. 

The Processor undertakes to guarantee the security of the Client’s Personal Data and to implement all the technical and organisational measures necessary for its Service, details of which are set out in the appendix to the Agreement. 

On the other hand, the Processor is never liable for the Client’s failure to comply with the Regulations applicable to the protection of personal data when it uses the Service as the data controller. 

DPIAs must be carried out by the Client, in accordance with the provisions of the GDPR. Nevertheless, the Processor undertakes to provide, at the Client’s written request, all the information necessary and required for the Client to ensure that a DPIA is carried out. 

However, the Processor is not obliged to carry out the DPIAs for and on behalf of the Client. Any additional request for information may be refused. 

Individuals’ requests to exercice their rights sent by End Users are transferred to the Client as soon as possible. The Processor is not required to maintain an inventory of individuals’ requests on behalf of the Client and is not liable for any failure by the Client to manage individuals’ requests to exercice their rights.  

The Processor shall, at the Client’s written request, carry out the technical actions to be undertaken so that the Client can fulfil its obligation to follow up the requests of the persons concerned. 

The Client accepts and understands that the Processor is not obliged to manage individuals’ requests as part of the Service in place of and on behalf of the Client. Any additional request for such management will be refused. 

Individuals’ requests to exercice their rights sent to the Processor as data controller are processed exclusively by the Processor and are not transferred to the Client.

The Processor undertakes to provide all necessary and required information on the technical and organisational security measures to be implemented to guarantee the security of the Client’s Personal Data in the context of the provision of the Service. 

The Processor undertakes to notify the Client, as soon as possible and, at the latest, within 48 working hours of becoming aware of any personal data breach in connection with the Service likely to affect the Client’s Personal Data, together with all the necessary and required information in its possession to reduce the effects of the personal data breach. The Client accepts and acknowledges that the 72-hour period applicable to him only starts from the time he becomes aware of the personal data breach and that, in this respect, the 48-hour period complies with the GDPR.

The Processor is not authorised to handle notifications of personal data breaches to the Supervisory Authority and to inform End Users on behalf of the Client. Any such request from the Client will be refused.

The Client grants the Processor general authorisation to recruit sub-processors on condition that the Client is informed of any changes regarding these sub-processors as soon as possible in order to allow the Client to raise objections. The Client accepts and acknowledges that a specific authorisation, for a SaaS tool, is not applicable and could lead to the Service being blocked.  

In the absence of any objections raised by the Client within eight (8) days of notification, the new sub-processor shall be definitively recruited without the Client being able to object, claim damages or request termination of the Contract. If the objection made within the time limit is deemed admissible by the Processor, the latter may offer the Client one of the following solutions: i) the withdrawal of the sub-processor, ii) the implementation of additional measures to guarantee the security of the Client’s Personal Data, iii) the termination of the Service without the Client being able to claim damages.

In order to be considered admissible by the Processor, the objections must be objective and serious and must be duly demonstrated. The Parties accept that the following situations will, by default, be considered admissible : i) the proposed sub-processor is a direct competitor of the Client, ii) the sub-processor is involved in a dispute with the Client, iii) the sub-processor has been convicted by a Supervisory Authority in the 12 months prior to its recruitment and iv) the sub-processor does not comply, if applicable, with the applicable rules relating to transfers outside the European Union.  

The Processor undertakes to only recruit sub-processors who, after verification, offer the necessary and sufficient guarantees to ensure the security and confidentiality of the Client’s Personal Data. The relationship between the Processor and the sub-processor must be set out in an agreement containing obligations similar to this Agreement. 

The Processor shall remain liable, within the limits of liability set out in the Contract, for any breaches of the GDPR that may be committed by its sub-processors in the context of the Service.

a) Data hosting

The Processor undertakes to take all necessary steps to host the Client’s Personal Data exclusively within a Member State of the European Union. The Client authorises the Processor to choose the Member State of the European Union of its choice. In the event of the Personal Data being hosted in a country outside the European Union, the Processor undertakes to obtain the Client’s prior authorisation and to implement all the mechanisms required to govern this transfer, such as concluding Standard Contractual Clauses and, where applicable, implementing additional technical measures designed to strengthen the security of the Client’s Personal Data.  

b) Data transfers

The Client grants the Processor a general authorisation for transfers outside the European Union if, cumulatively, i) the transfers are made exclusively to sub-processors that comply with the GDPR and ii) the transfers are made exclusively to a country benefiting from an adequacy decision or are governed by appropriate guarantees such as, in particular, Standard Contractual Clauses. If these conditions are not met, transfers outside the European Union are only authorised with the Client’s prior consent. Additional technical security measures designed to strengthen the security of the Client’s Personal Data must be implemented if the Personal Data is transferred to a non-democratic country. 

The Processor undertakes to retain the Client’s Personal Data only for the duration of the use of the Service, in accordance with the instructions detailed in the appendix, and to delete it at the end of the Contract. The Processor shall certify, upon written request, that the Personal Data and all existing copies thereof have been deleted.  

The Client is informed that he must recover his Personal Data before the end of the Agreement. If it fails to do so, the Client may no longer recover its Personal Data, the deletion of the Personal Data being irreversible and definitive. The Processor shall not be held responsible for any loss of Personal Data following its deletion, as the Client assumes full responsibility. The Client agrees that the total and irreversible and definitive anonymisation of the Client’s Personal Data may be used as a means of deletion and that the Processor can retain the anonymised data for the improvement of the Service, as is accepted for the Supervisory Authorities.

The Processor informs the Client that the return of Personal Data provided for in the GDPR does not constitute Reversibility of the data to a new processor and that any request to this effect will always be refused by the Processor. 

The Client has the right to carry out an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire shall have the force of a sworn undertaking binding on the Processor. The questionnaire may be sent in any form to the Processor, who undertakes to reply as soon as possible after receiving it.

The Client also has the right to carry out, once a year and at its own expense, an on-site audit, if necessary on the Processor’s premises in the event of a data breach due to a proven and demonstrated breach by the Processor that has resulted in duly justified prejudice to the Client. An audit at the Processor’s premises may be carried out either by the Client or by an independent third party appointed by the Client and must be notified to the Processor in writing at least thirty (30) days before the audit is carried out. The Processor has the right to refuse the choice of the independent third party if the latter is i) a direct or indirect competitor of the Processor, ii) in a situation of conflict of interest with the Processor (e.g. counsel to a competitor of the Processor) or ii) in pre-litigation or litigation with the Processor. In this case, the Client undertakes to select a new independent third party to carry out the audit. The Processor may refuse access to certain areas for reasons of confidentiality or security. In this case, the Processor carries out the audit in these areas and communicates the results to the Client.

In the event of any discrepancies noted during the audit, the Processor undertakes to implement, without delay and at its own expense, the measures necessary to comply with this Agreement. Deviations may only concern the Regulations applicable to the Client’s Personal Data and may not concern procedures or internal measures implemented by the Client on a specific basis. Deviations must be duly demonstrated, justified and documented. 

In the event that the Processor disputes the discrepancies identified, the Processor may, at the Client’s option and subject to prior written acceptance, propose to i) meet in order to find an amicable solution and a compromise, ii) refer the dispute to the Supervisory Authority in order to obtain arbitration on  the dispute, and iii) refer the dispute to an independent expert for arbitration. 

The Processor undertakes to cooperate with the CNIL, the competent supervisory authority, in the event of an inspection concerning the processing carried out as part of the Service and undertakes to notify the Client as soon as possible in the event of requests concerning his Personal Data being made by the supervisory authority or by an administrative, judicial or police authority. 

The Client and the Processor shall each appoint a contact person to be responsible for this Agreement, who shall be the addressee of the various notifications and communications to be made under the Agreement. 

The Processor informs the Client that it has appointed Dipeeo SAS as its Data Protection Officer, who can be contacted at the following address: 

• Email address: privacy@searoutes.com
• Postal address: Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
• Telephone number: 01 59 06 81 85

The Processor reserves the right to amend this Agreement in the event of changes to the rules applicable to the protection of Personal Data or in the event of changes to the Service which would have the effect of amending any of its provisions. 

Certified by Dipeeo ®

The proper operation of our website www.searoutes.com necessarily involves the use of technical cookies, which we may use without your prior consent, on the basis of our legitimate interest in providing you with a functional website.

For example, a technical cookie enables us to remember the language of your website as well as the format of the site to facilitate future connections and navigation.

Although we do not recommend it, you can always prevent these cookies from being deposited on your terminal using your browser settings by following the instructions below: Chrome, Microsoft Edge, Safari, Firefox and Opera.

In this case, however, your experience as a visitor may be degraded. To restore your browsing experience, you will need to reset your technical cookies.

A statistical cookie is used to analyse your use of a website (e.g. browsing time, pages visited, etc.) in order to improve your experience and provide you with a service tailored to your needs.

For our website www.searoutes.com, we use non-exempt statistical cookies which can only be placed on your terminal with your prior consent expressed via our cookies banner. .

An advertising cookie can be used either to provide advertising on a website or to identify the source of a visitor’s arrival on a site (e.g. Google, Bing, etc.).

WE GUARANTEE THAT WE DO NOT USE ANY ADVERTISING COOKIES FOR THE OPERATION OF OUR WEBSITE.

The personal data processed by the cookies we use are :

• your IP address and a user ID that we create when you first connect so that we can recognise you for up to 13 months
• if you accept the deposit of statistical cookies, your personal data relating to your browsing on our website (e.g. pages visited, browsing times, etc.) for a maximum period of 13 months, non-renewable before any new connection before the 14th month.

Once the retention periods specified below have expired, we do not retain any data about you. At most, we may anonymise your data for statistical purposes.

The applicable data protection regulations give you specific rights which you can exercise, at any time and free of charge, to control the use we make of your data.

• The right to access and copy your personal data, provided that this request does not conflict with business secrecy, confidentiality or the confidentiality of correspondence.
• The right to rectify any personal data that is incorrect, obsolete or incomplete.
• The right to request the deletion (“right to be forgotten”) of your personal data that is not essential for the proper functioning of our services.
• The right to limit your personal data, which allows you to photograph the use of your data in the event of a dispute over the legitimacy of processing.
• The right to data portability, which allows you to recover part of your personal data so that it can be easily stored or transmitted from one information system to another.
• The right to give instructions on what should happen to your data in the event of your death, either through you, a trusted third party or a beneficiary.

For a request to be taken into account, it must be sent directly by you or your representative to privacy@searoutes.com. Any request that is not made in this way cannot be processed.

Requests cannot be made by anyone other than you or your representative. We may therefore ask you to provide proof of identity if there is any doubt about the identity of the applicant.

We will respond to your request as quickly as possible, subject to a maximum of three months from receipt if the request is technically complex or if we receive a large number of requests at the same time.

Please note that we can always refuse to respond to any excessive or unfounded request, particularly if it is repetitive.

The statistical cookies we use may send your IP address and user ID outside the European Union in order to function. In this case, we guarantee that these tools comply strictly with the applicable rules on transfers in order to guarantee confidentiality and adequate protection of your personal data.

To guarantee the protection and integrity of your data, we have officially appointed an independent Data Protection Officer (“DPO”) to our supervisory authority. You can contact our DPO free of charge at any time at privacy@searoutes.com to obtain more information or details on how we process your data.

You may at any time contact the “Commission nationale de l’informatique et des libertés” or “CNIL” at the following address: CNIL Complaints Department, 3 place de Fontenoy – TSA 80751, 75334 Paris Cedex 07 or by telephone on 01.53.73.22.22.

We may amend our Cookies Policy at any time to adapt it to new legal requirements and to new processing operations that we may implement in the future.

Certified by Dipeeo ®