Privacy policy

Update: 06/30/2023

Before using the Natflow web application, please read and accept Natflow's privacy policy.

This policy informs you of the characteristics of this processing and of your rights with regard to the personal data concerning you.
This personal data protection policy has been drawn up in accordance with the French Data Protection Act no. 78-17 of January 6, 1978 (known as the "Loi informatique et libertés" or "LIL") and the General Regulation on the Protection of Personal Data ("RGPD") no. 2016/679.

  1. What does the personal data protection policy cover?

The present personal data protection policy concerns the use of personal data when using the Natflow showcase site ("Site") and the Natflow web application ("Natflow Application").
The Site is a showcase site presenting the Natflow company. It does not generate direct sales and is accessible from this URL: https://natflow.app/, from a web browser.
The Natflow Application is an informational application. It constitutes a library of information on naturopathy accessible from this URL: app.natlfow.app, from a web browser.
The Natflow Site and Application are the property of the Natflow company.

  2. Who is this policy aimed at?

The present policy is addressed to Internet users of the Site and Users of the Natflow Application.
The Internet user is a person browsing the Site. The Internet user may be a potential partner of Natflow (such as a laboratory).
The User is a person who has created an account on the Application, and benefits from rights on the Application in accordance with the General Conditions of Use. The User may be a private individual or a professional.
The User may also be a customer of Natflow. The customer User (hereafter the "Customer") refers to the individual or professional User who has placed an order with the company Natflow to have access to the paid content.

  3. Who is the data controller?

The data controller is, within the meaning of the RGPD, the person who determines the means and purposes of the processing.
Natflow is the data controller. Natflow is a simplified joint stock company with a capital of 1,000 euros, domiciled at 395 Avenue verte campagne Bâtiment 112 13540 Puyricard, registered with the Registre du Commerce et des Sociétés d'Aix-en-Provence under SIRET number 913 632 808. It is represented by its Managing Director Mr. Etienne JAN-AILLERET.
Natflow takes the appropriate measures to ensure the protection and confidentiality of the personal data it holds or processes in compliance with the provisions of the RGPD.

  4. What are the purposes and nature of personal data processing?

The purposes of the processing are as follows:

● The management of User accounts
● The management of paid subscriptions taken out by Customer Users
● The management of requests via the Site contact form
● The management of reviews published on the Site and Application
● The management of audience measurement tracers
● Management of partnership requests
● Support service
● Maintenance of the Natflow Site and Application
● Hosting of the Natflow Site and Application
● Loyalty and commercial prospecting

The purpose and nature of this processing are:

Collecting, importing, storing, recording, organizing, hosting, preserving, adapting, modifying, extracting, consulting, using, communicating by transmission or dissemination or any other form of making available, reconciling, deleting...

  5. Legal basis for processing: what gives the right to process data

The legal bases for processing are as follows:

● For the management of paying customer subscriptions: the legal basis is the contract concluded when the order is placed.

● For the management of requests made via the Site's contact form, as well as for partnership requests, the legal basis is legitimate interest or the execution of pre-contractual measures.

● For the management of User accounts and published reviews, the legal basis is legitimate interest and acceptance of the GTCU.

● The legal basis for the management of audience measurement tracers that are not essential to the operation of the Natflow Site and Application is consent.

● For the technical management of the Natflow Site and Application (Support, Maintenance, Hosting) the legal basis is legitimate interest.

● For the loyalty and commercial prospecting of Users (newsletter), a distinction must be made according to whether the User is a customer or not. In the case of a Customer User, the legal basis is the contract. In the case of a non-customer User, the legal basis differs according to the status of the User: the legal basis is consent for individual Users and legitimate interest for professional Users.

  6. Processed data

● For the management of User accounts, the data processed is the surname, first name, e-mail address, telephone number, city, image (profile photo), list of favorites, the person's private or professional status, the professional's function (if any), the date of registration, as well as connection data.
For Customer Users, the following additional data is collected: the personal lists in the profile and the personal notes present in each file.

● To manage customers' paid subscriptions (via the Stripe tool): subscription type, bank details (data required to carry out the transaction via Stripe's Link service: card number, expiry date, visual cryptogram), identification data, date, order number.

● To manage the contact form: last name, first name, e-mail address and telephone number.

● To manage published reviews: first name, message and rating.

● Management of audience measurement tracers: IP address, terminal, browser, etc.

● To manage partnership requests: surname, first name, laboratory name, e-mail address, telephone number.

● For technical site management (hosting, maintenance, support): data stored on the Natflow Site and Application as well as connection data (IP address, logs, identifiers, terminals, etc.).

● Loyalty and commercial prospecting of Users (newsletter): e-mail address.

  7. Data retention period

● For User account management, data is kept for 3 years from the last connection. Data is then deleted or anonymized.

● For the management of paid subscriptions, payment data is retained for the time required to complete the contract, after which it is deleted. Order data, on the other hand, is kept for 5 years from the end of the contract.

● For the management of requests via contact forms, data is kept for 3 years.

● Published reviews are kept for 5 years.

● For the management of audience measurement tracers, data is kept for a maximum of 13 months.

● For the technical management of the Natflow Site and Application: data collected for support, maintenance and hosting purposes is kept only as long as necessary for these operations.

● For User loyalty and commercial prospecting (newsletter), data is kept for 3 years after the end of the contract, or the last contact or click from the User. At the end of this period, the User is contacted to find out whether he or she wishes to continue receiving the newsletter or commercial prospecting. In the event of a positive response, the processed data will be kept for a further period of 3 years. In the absence of a positive and explicit response, the data processed will be deleted for this purpose.

  8. Whether data collection is mandatory or optional

The data collected is mandatory in order to achieve the purposes of processing, with the exception of the User's job title and city.

  9. Collection origin

Natflow collects Data directly from the person concerned.

  10. Who receives the data?

The personal data collected is reserved for use by Natflow. It may be transmitted to its service providers/suppliers involved in the management of the Natflow Site and Application, such as the Application host (the Landen company, Bubble) and the online payment service provider Stripe.
Natflow may disclose personal data to competent authorities in the context of operations aimed at combating any criminally reprehensible activity.

  11. What safety measures are in place?

The controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The controller takes measures to ensure that any natural person acting under the authority of the controller or the processor, who has access to personal data, does not process them unless instructed to do so by the controller, unless obliged to do so.

  12. Whether or not data is transferred to a country outside the European Union, and associated guarantees

Natflow does not transfer the User's personal data outside the European Union, within the framework of the use of the Natflow Site and Application.
Transfers of personal data outside the European Union, however, cannot be totally excluded within the framework of orders for paid services placed by a User on the Natflow Application, through the intermediary of the subcontractor, Stripe (Link payment service). In this case, data is processed in accordance with Stripe's policy: https://stripe.com/fr/privacy-center/legal#data-transfers. Personal data may then be stored and/or data may be transferred outside the European Union, in particular to the United States. In view of US national security legislation, data transfers to the United States at the request of the US government cannot be ruled out. The Court of Justice of the European Union ruled on 16/07/20 that American legislation is not as protective of personal data and rights of recourse as European regulations.
In addition, data collected by the Site and Application host (Landen, Bubble) may be transferred outside the European Union. Their policy can be consulted at this link: https://bubble.io/terms.
The data controller undertakes to ensure that such transfers are carried out:
- to countries presenting a level of protection said to be adequate within the meaning of the European data protection authorities, or
- with appropriate safeguards pursuant to Article 46 of the RGPD, or
- in compliance with Article 49 of the RGPD.

  13. Automated decision-making

The processing does not involve fully automated decision-making.

  14. Fate of personal data after death - Right of access, rectification, deletion and portability of data

The person concerned by a processing operation may define directives relating to the conservation, deletion and communication of his/her personal data after his/her death. These directives may be general or specific.
The data subject also has the right to access, object to, rectify, delete and, under certain conditions, port his or her personal data. The data subject has the right to withdraw consent at any time if consent constitutes the legal basis for processing.
The request must indicate the first and last name, e-mail or postal address of the data subject, and must be signed and accompanied by valid proof of identity.

If you have any questions, please contact Mr Etienne JAN-AILLERET at the following address: contact@natflow.app

  15. Claim

The person concerned by a processing operation has the right to lodge a complaint with the supervisory authority (CNIL): https://www.cnil.fr/fr/webform/adresser-une-plainte