Privacy policy

Downloadable version of the policy

Before using the Natflow webapplication, please read and accept InnoFlow's personal data protection policy. This policy informs you of the characteristics of this processing and of your rights regarding your personal data.
This personal data protection policy has been drawn up in accordance with the French Data Protection Act n°78-17 of January 6, 1978 (known as the "Loi informatique et libertés" or "LIL") and the General Regulation on the Protection of Personal Data ("RGDP") n°2016/679.

1. What does the personal data protection policy cover?

The present personal data protection policy relates to the use of personal data when using the Natflow showcase site ("Site") and the Natflow webapplication ("Natflow Application").
The Site is a showcase site presenting the Natflow Application. It does not generate direct sales and is accessible from this url: https: //natflow.app/, from a web browser. The Natflow Application is an informational application. It constitutes a library of information on naturopathy accessible from this url: app.natlfow.app from a web browser.
The Natflow Site and Application are the property of InnoFlow.

2. Who is this policy aimed at?

This policy is intended for Internet users of the Site and Users of the Natflow Application. The Internet user is a person browsing the Site. The Internet user may be a potential partner of Natflow (such as a laboratory)
The User is a person having created an account on the Application, and benefiting from rights on the Application in accordance with the General Conditions of Use. The User may be a private individual or a professional.
The User may also be a customer of InnoFlow. A client User (hereinafter referred to as the "Client") is an individual or professional User who has placed an order with InnoFlow for access to paid content.

3. Who is the data controller?

The data controller is, within the meaning of the RGPD, the person who determines the means and purposes of the processing.
InnoFlow is the data controller. InnoFlow is a simplified joint stock company with a capital of 1,000 euros, domiciled at 75 Res Village du Soleil 13080 Aix en Provence, registered with the Registre du Commerce et des Sociétés d'Aix-en-Provence under SIRET number 913 632 808. It is represented by its Managing Director Mr Etienne JAN-AILLERET.
InnoFlow takes the appropriate measures to ensure the protection and confidentiality of the personal data it holds or processes in compliance with the provisions of the RGPD.

4. What are the purposes and nature of personal data processing?

The purposes of the processing are as follows:
● Management of User accounts
● Management of paid subscriptions taken out by Customer Users ● Management of requests via the contact form on the Site
● Management of reviews published on the Site and Application
● Management of audience measurement tracers
● Management of partnership requests
● Support service
● Maintenance of the Natflow Site and Application
● Hosting of the Natflow Site and Application
● Loyalty and commercial prospecting

The purpose and nature of such processing is as follows:
● The collection, import, storage, recording, organization, hosting, preservation, adaptation, modification, extraction, consultation, use, communication by transmission or dissemination or any other form of making available, reconciliation, deletion, etc., of personal data.

5. Legal basis for processing: what gives the right to process data.

The legal bases for processing are as follows:
● For the management of paying Customer subscriptions: the legal basis is the contract concluded when the order is placed
● For the management of requests made via the Site's contact form, as well as for partnership requests, the legal basis is legitimate interest or the execution of pre-contractual measures
● For the management of user accounts and published reviews, the legal basis is legitimate interest and acceptance of the GCU
● For the management of audience measurement tracers not essential to the operation of the Site and the Natflow Application, the legal basis is consent.
● For the technical management of the Natflow Site and Application (Support Service, Maintenance, Hosting), the legal basis is legitimate interest.
● For the development of User loyalty and commercial prospecting (newsletter), a distinction must be made according to whether the User is a customer or not.
o In the case of a Customer User, the legal basis is the contract.
o In the case of a non-customer User, the legal basis differs according to the status of the User. The legal basis is consent for private Users and legitimate interest for professional Users.

6. Processed data

● For the management of User accounts, the data processed is the surname, first name, e-mail address, telephone number, city, image (profile photo), list of favorites, personal or professional status of the person, any professional function, date of registration, as well as connection data.
For Customer Users, the following additional data is collected: personal lists in the profile and, personal notes present in each form.
● For the management of paid Customer subscriptions (via the Stripe tool): type of subscription, bank details (data required to carry out the transaction via Stripe's Link service: card number, expiry date, visual cryptogram), identification data, date, order number
● For the management of the contact form: surname, first name, e-mail address and telephone. ● For the management of published reviews: first name, message and rating
● The management of audience measurement tracers: IP address, terminal, browser
● For the management of partnership requests: name, first name, laboratory name, e-mail address, telephone
● For the technical management of the site (hosting, maintenance, support): data stored on the Natflow Site and Application as well as connection data (IP address, logs, identifiers, terminals, etc.)
● User loyalty and commercial prospecting (newsletter): e-mail

7. Data retention period

● For the management of User accounts, data is kept for 3 years from the last connection. Data is then deleted or anonymized.
● For the management of paying customer subscriptions, payment data is retained for the time required to complete the contract and is then deleted. Data relating to the order, on the other hand, is kept for 5 years from the end of the contract
● For the management of requests via contact forms, data is kept for 3 years
● Published notices are kept for 5 years
● For the management of audience measurement tracers, data is kept for a maximum of 13 months maximum
● For the technical management of the Natflow Site and Application: data collected as part of the support service, maintenance and hosting is only kept for the time necessary for operations.
● For User loyalty and commercial prospecting (newsletter), data is kept for 3 years after the end of the contract, or the last contact or click from the User. At the end of this period, the User is contacted to find out whether he or she wishes to continue receiving the newsletter or commercial prospecting. In the event of a positive response, the processed data will be kept for a further period of 3 years. In the absence of a positive and explicit response, the data processed will be deleted for this purpose.

8. Whether data collection is mandatory or optional

The data collected is mandatory in order to achieve the purposes of processing, with the exception of the User's job title and town.

9. Collection origin

InnoFlow collects Data directly from the person concerned.

10. Who receives the data?

The personal data collected is reserved for use by InnoFlow. It may be transmitted to its service providers/suppliers involved in the management of the Natflow Site and Application, such as the Application host (the Landen company, Bubble) and the online payment service provider Stripe.
InnoFlow may disclose personal data to the competent authorities as part of operations to combat any criminally reprehensible activity.

11. What safety measures are in place?

The data controller implements appropriate technical and organizational measures to guarantee a level of security appropriate to the risk. The data controller shall take steps to ensure that any natural person acting under the authority of the data controller or under that of the processor, who has access to personal data, does not process it unless instructed to do so by the data controller, or unless obliged to do so.

12. Whether or not data is transferred to a country outside the European Union, and associated guarantees

InnoFlow does not transfer the User's personal data outside the European Union when using the Natflow Site and Application. Transfers of personal data outside the European Union, however, cannot be totally excluded in the context of orders for paid services placed by a User on the Natflow Application, via the subcontractor, Stripe (Link payment service). In this case, data is processed in accordance with Stripe's policy: https: //stripe.com/fr/privacy-center/legal#data-transfers Personal data may then be stored and/or data may be transferred outside the European Union, in particular to the United States. In view of US national security legislation, data transfers to the United States at the request of the US government cannot be ruled out. The European Court of Justice ruled on 16/07/20 that American legislation is not as protective of personal data and rights of recourse as European regulations.
In addition, data collected by the Site and Application host (Landen, Bubble) may be transferred outside the European Union. Their policy can be consulted at the following link: https: //bubble.io/terms.

The data controller undertakes to ensure that such transfers are made: -to countries with a so-called adequate level of protection within the meaning of the European data protection authorities or
-with appropriate safeguards pursuant to Article 46 of the GDPR or
-in compliance with Article 49 of the GDPR.

13. Automated decision-making

The processing does not involve fully automated decision-making.

14. Fate of personal data after death - Right of access, rectification, deletion and portability of data

The person concerned by a processing operation may define directives relating to the conservation, deletion and communication of his/her personal data after his/her death. These directives may be general or specific.
The data subject also has the right to access, object to, rectify, delete and, under certain conditions, port his or her personal data. The data subject has the right to withdraw consent at any time if consent constitutes the legal basis for processing.
The request must indicate the first and last name, e-mail or postal address of the data subject, and must be signed and accompanied by valid proof of identity.

If you have any questions, please contact Mr Etienne JAN-AILLERET at the following address: contact@natflow.app

15. Complaint
    The person concerned by a processing operation has the right to lodge a complaint with the supervisory authority (CNIL): https: //www.cnil.fr/fr/webform/adresser-une-plainte