PRIVACY POLICY
ARTICLE 1: PREFACE
The GDPR and you…
The protection of personal data is one of our major concerns. Our privacy policy falls within a legal context defined by the European Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016), applicable since 25 May 2018, and the French Data Protection Act No 78-17 of 6 January 1978, as amended, relating to data processing, files and freedoms.
The purpose of this data protection policy is therefore to present you with:
- The personal data controller
- How your data is collected and processed. Personal data is data allowing a natural person to be identified.
- Your rights regarding the use of your personal data
- The recipients to whom your data is transmitted
- The website’s cookie management policy
This privacy policy supplements the legal notices present on the website and the general conditions of use.
ARTICLE 2: GLOSSARY
We promise you’ll understand us!
Personal Data is any information relating to an identified or identifiable person, that is to say allowing them to be identified directly (e.g. surname and first name) or indirectly (e.g. cookies).
Data Processing is any operation or set of operations (automated or not) applied to personal data or sets of data, such as for example: collection, recording, organisation, storage, transmission of data, etc.
The Data Controller determines the purposes (the objectives of the processing) and the means of processing.
The Data Processor processes personal data on behalf of the Data Controller and under its instructions.
ARTICLE 3: GENERAL PRINCIPLES
We have legal obligations!
In accordance with the provisions of Article 5 of the General Data Protection Regulation (GDPR), the collection and processing of your personal data complies with the following principles:
- Lawfulness, fairness and transparency: the collection and processing of personal data can only take place on a legal basis defined beforehand (performance of a contract, legal obligation, consent, legitimate interest, preservation of vital interests)
- Limited purposes: the collection and processing of personal data can only be carried out to meet one or more defined objectives
- Minimisation of data collection and processing: only the data strictly necessary for the proper execution of the objectives pursued will be collected
- Data retention limited in time: the data controller is obliged to define retention periods concerning the personal data processed
- Integrity and confidentiality of the data collected and processed: the data controller undertakes to guarantee the integrity and confidentiality of the data collected.
ARTICLE 4: DATA CONTROLLER
We are responsible for the data entrusted to us!
As data controller, CYTOO undertakes to comply with the obligations arising from the Regulation and the amended French Data Protection Act concerning the collection and processing of personal data. In accordance with Article 32 of the GDPR, we implement all technical and organisational measures to ensure the protection of your personal data.
ARTICLE 5: PERSONAL DATA COLLECTED AND PROCESSED: WHAT DATA?
What do we know about you?
In accordance with the principle of minimisation, we only collect the data necessary to carry out our assignments. Thus, as part of our business, CYTOO may collect and process the following information:
As part of our scientific research and development assignment, alone or with third-party partners, we are made aware of sensitive data such as medical or genetic data.
Being aware of the level of sensitivity of this information, we are committed to guaranteeing you a maximum level of confidentiality, and we also commit to complying with our legal and regulatory obligations. All the data collected is therefore strictly necessary for the accomplishment of the assignment you have entrusted to us.
ARTICLE 6: PERSONAL DATA COLLECTED AND PROCESSED: FOR WHAT REASONS?
We would like to explain it to you!
In all of these situations, CYTOO acts as the "Data Controller" within the meaning of the GDPR.
| DATA COLLECTED | REASONS FOR COLLECTION | LEGAL BASIS | RETENTION TIME |
|---|---|---|---|
| CONSULTATION OF THE WEBSITE | | | |
| – ID – Personal life – Professional life – Login details – Localisation – Internet | We use this data to: – Send you marketing communications (if you have made a request) – Send you our quotes (if you have made a request) – Contact you when you fill out the contact form – Conduct audience analyses or prepare statistics (if agreed) | Consent | Your browsing data on our website is kept for a maximum period of 13 months. The data collected through the form is kept for 3 years from the collection or last contact from the prospective client |
| | – Offer you customised services – Monitor and improve our websites and applications – Secure our websites/applications and ensure our and your protection against fraud. | Legitimate interest | |
| CUSTOMER AND PARTNER RELATIONSHIP MANAGEMENT | | | |
| – ID – Personal life – Professional life – Economic information – Login details – Localisation – Internet | We use this data to: – Manage the business relationship – Manage your orders – Manage payments, invoices, etc. – Process and track your order, including delivery – Answer your questions and interact with you in any other way – Send you offers matching your needs | Execution of a contract | Retention for the duration of the commercial relationship, and 10 years after the end of the relationship. Retention of invoices for 10 years. |
| NEWSLETTER SUBSCRIPTION AND MARKETING COMMUNICATIONS | | | |
| – ID – Personal life – Professional life | We use this data to: – Send you marketing communications (if you have made a request) – Manage your participation in surveys, including taking into account your opinions and suggestions | Consent | The data is retained as long as the data subject does not unsubscribe (via the unsubscribe link integrated into the newsletters) |
| | – Conduct audience analyses or prepare statistics – Send you customer information communications (Newsletters) | Legitimate interest | |
| | – Maintain a deleted list if you have asked not to be contacted | Legal obligations | |
| RECRUITMENT MANAGEMENT | | | |
| – ID – Personal life – Professional life – Localisation – Internet | – Manage applications – Manage interviews | Consent | Two years after the last contact with the candidate, with the latter’s consent |
| RESEARCH AND DEVELOPMENT | | | |
| – ID – Healthcare – Genetics | – Target or molecule identification – Compound identification – Protocol development | Execution of a contract | Results are retained for 5 years after expiration or termination of a contract, depending on the type of project |
ARTICLE 7: PERSONAL DATA: WHO HAS ACCESS TO YOUR PERSONAL DATA?
We don’t pass it on to just anyone!
CYTOO agrees to share your personal data only with internally authorised persons and with authorised third parties such as the tax administration or the health authorities.
CYTOO may, if necessary, transfer your personal data to sub-processors such as:
- KOESIO: Our IT service provider
- Salesforce: Our CRM
- Hostinger: Our data host
- CPA audit, payroll manager and chartered accountant
- KPMG, Statutory Auditor
The use of these service providers is necessary for the proper performance of our services. We are committed to verifying and guaranteeing compliance with the GDPR and the amended French Data Protection Act.
Apart from the recipients mentioned above, CYTOO is committed to not sharing your personal data with third parties or external bodies without your express consent.
CYTOO does not and will not make any sale, transfer or communication of your personal data to unauthorised third parties.
CYTOO does not use any automated decision based on your personal data. No profiling is carried out during processing, and the data we collect will never be used without human intervention.