PRIVACY POLICY

Review Collect SAS
Last Updated: June 19, 2025
Effective Date: June 19, 2025

1. INTRODUCTION AND SCOPE

This Privacy Policy ("Policy") describes how Review Collect SAS, a French société par actions simplifiée registered under SIRET number 352846891 ("Review Collect," "Company," "we," "us," or "our"), collects, uses, processes, stores, and discloses personal information in connection with our review management services ("Services") and website located at https://review-collect.com ("Website").

This Policy applies exclusively to personal information processed by Review Collect as a data controller within the meaning of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and applicable French data protection laws, including the French Data Protection Act (Loi Informatique et Libertés).

Important Distinction: This Policy does not apply to personal information that Review Collect processes as a data processor on behalf of our business customers ("Clients") when they use our Services to collect and manage customer reviews. For such processing activities, our Clients act as data controllers and are responsible for compliance with applicable data protection laws. If you have questions about how our Clients process your personal information, please contact them directly.

By accessing our Website or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with the terms of this Policy, you must not access our Website or use our Services.

2. LEGAL BASIS AND COMPLIANCE FRAMEWORK

2.1 Regulatory Compliance

Review Collect operates under the following legal and regulatory framework:

  • Primary Jurisdiction: French Republic, European Union
  • Applicable Laws: GDPR, French Data Protection Act (Law No. 78-17), ePrivacy Directive (2002/58/EC)
  • Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)
  • Data Residency: European Economic Area exclusively

2.2 Legal Basis for Processing

We process personal information only when we have a valid legal basis under Article 6 of the GDPR:

  • Contractual Necessity: Performance of our contractual obligations to provide Services
  • Legitimate Interests: Security measures, fraud prevention, and service improvement
  • Legal Obligations: Compliance with applicable laws and regulations
  • Consent: Where explicitly obtained for specific processing activities

3. CATEGORIES OF PERSONAL INFORMATION

3.1 Information We Collect Directly

3.1.1 Business Contact Information

For business clients and prospects:

  • Legal entity name and commercial registration details
  • Primary business contact name and professional title
  • Professional email address and telephone number
  • Billing address and payment information (processed exclusively through Stripe Ireland Limited)

3.1.2 End-User Information

For individuals submitting reviews through our platform:

  • First name or chosen pseudonym
  • Email address (subject to automated anonymization after thirty (30) days)
  • Review content and associated rating
  • Timestamp of submission for authenticity verification

3.2 Information We Do Not Collect

Review Collect maintains a strict data minimization policy. We explicitly do not collect:

  • Precise geolocation data or IP addresses (country-level information only)
  • Browsing history or cross-site tracking data
  • Biometric identifiers or health information
  • Social media profile information (unless explicitly connected)
  • Financial information (handled exclusively by certified payment processors)
  • Information about family members or associates

3.3 Automatically Collected Information

We automatically collect limited technical information necessary for service operation:

  • General geographic location (country/region level only)
  • Device type and browser information
  • Service usage patterns (anonymized and aggregated)
  • Security event logs for fraud prevention

4. PURPOSES OF PROCESSING

4.1 Primary Service Delivery

  • Provision of review collection and management services
  • Customer support and technical assistance
  • Service performance optimization and quality assurance
  • Billing and payment processing (through certified third-party processors)

4.2 Security and Compliance

  • Fraud detection and prevention
  • Security incident response and investigation
  • Compliance with legal obligations and regulatory requirements
  • Protection of legitimate business interests

4.3 Prohibited Uses

Review Collect expressly prohibits the following uses of personal information:

  • Commercial sale or licensing to third parties
  • Cross-platform user profiling or tracking
  • Unsolicited marketing communications
  • Behavioral analysis for advertising purposes
  • Secondary data monetization activities

5. DATA SHARING AND DISCLOSURE

5.1 Third-Party Service Providers

Review Collect engages a limited number of carefully vetted service providers who process personal information solely on our behalf:

5.1.1 Infrastructure and Hosting

OVHcloud SAS (France)

  • Purpose: Secure data hosting and infrastructure services
  • Data Types: All encrypted service data
  • Location: Gravelines and Roubaix data centers, France
  • Contractual Protections: EU Standard Contractual Clauses, ISO 27001 certification

5.1.2 Payment Processing

Stripe Ireland Limited

  • Purpose: Secure payment processing services
  • Data Types: Billing information and transaction data only
  • Location: European Union (Ireland)
  • Compliance: PCI DSS Level 1, Strong Customer Authentication (SCA)

5.1.3 Transactional Communications

Brevo SAS (France)

  • Purpose: Delivery of service-related communications
  • Data Types: Email addresses for transactional messages only
  • Location: Paris, France
  • Compliance: ISO 27001, GDPR-compliant data processing

5.2 Legal and Regulatory Disclosures

Personal information may be disclosed to law enforcement agencies, regulatory bodies, or judicial authorities only in the following circumstances:

  • Pursuant to a valid court order or judicial warrant
  • To comply with applicable legal obligations
  • In response to lawful requests from competent authorities
  • To protect the vital interests of data subjects or third parties

Legal Challenge Commitment: Review Collect reserves the right to challenge any data disclosure request that appears overbroad, unlawful, or inconsistent with applicable data protection principles.

5.3 Business Transfers

In the event of a merger, acquisition, corporate reorganization, or asset sale, personal information may be transferred to the acquiring entity, subject to:

  • Continuation of equivalent privacy protections
  • Prior notification to affected data subjects
  • Compliance with applicable data protection laws
  • Right of data subjects to object to the transfer

6. DATA RETENTION AND DELETION

6.1 Retention Periods

Review Collect maintains personal information only for the minimum period necessary to fulfill the purposes outlined in this Policy:

Data category, retention period, and whether deletion is automated:

  • Business contact information: Duration of contractual relationship plus six (6) months (automated deletion: Yes)
  • End-user review data: Duration of client contract plus thirty (30) days (automated deletion: Yes)
  • Security and audit logs: Twelve (12) months maximum (automated deletion: Yes)
  • Billing and payment records: Seven (7) years (French tax law requirement) (automated deletion: Yes)
  • Marketing communications: Until withdrawal of consent (automated deletion: Yes)

6.2 Secure Deletion Procedures

Upon expiration of applicable retention periods, Review Collect implements secure deletion procedures:

  • Cryptographic erasure of encryption keys
  • Physical destruction of storage media
  • Verification of complete data removal
  • Certificate of destruction upon request

6.3 Data Anonymization

Where legally permissible and technically feasible, personal information may be anonymized for legitimate business purposes, including service improvement and security analysis. Anonymized data does not constitute personal information under applicable law.

7. INTERNATIONAL DATA TRANSFERS

7.1 European Union Exclusive Processing

Review Collect maintains a strict "EU-only" data processing policy:

  • All personal information is stored and processed exclusively within the European Economic Area
  • No transfers to third countries or international organizations
  • All service providers and sub-processors maintain EU-based operations
  • Technical and organizational measures prevent inadvertent data transfers

7.2 Adequacy and Safeguards

In the limited circumstances where international transfers may be necessary for legal compliance:

  • Transfers occur only to countries with European Commission adequacy decisions
  • Implementation of appropriate safeguards pursuant to GDPR Chapter V
  • Additional contractual protections exceeding minimum legal requirements

8. DATA SUBJECT RIGHTS

8.1 Scope of Rights

Under the GDPR and French data protection law, individuals have the following rights regarding their personal information:

8.1.1 Right of Access (Article 15 GDPR)

  • Confirmation of processing activities
  • Access to personal information being processed
  • Information about processing purposes and legal basis
  • Details of data recipients and retention periods

8.1.2 Right to Rectification (Article 16 GDPR)

  • Correction of inaccurate personal information
  • Completion of incomplete personal information
  • Real-time updates through secure client interface

8.1.3 Right to Erasure (Article 17 GDPR)

  • Deletion of personal information where legally required
  • Implementation within twenty-four (24) hours of verified request
  • Notification to all relevant third parties
  • Certificate of deletion upon request

8.1.4 Right to Restrict Processing (Article 18 GDPR)

  • Temporary suspension of processing activities
  • Limitation to storage only pending resolution
  • Notification before lifting restrictions

8.1.5 Right to Data Portability (Article 20 GDPR)

  • Export of personal information in structured, machine-readable formats
  • Direct transmission to other controllers where technically feasible
  • Support for common standards (JSON, CSV, XML)

8.1.6 Right to Object (Article 21 GDPR)

  • Objection to processing based on legitimate interests
  • Immediate cessation unless compelling legitimate grounds demonstrated
  • Absolute right to object to direct marketing

8.2 Exercise of Rights

Data subjects may exercise their rights through the following channels:

  • Online Portal: privacy.review-collect.com
  • Email: dpo@review-collect.com
  • Postal Mail: Review Collect SAS, ATTN: Data Protection Officer, [Address]
  • Telephone: +33 (0)1 XX XX XX XX (business hours)

Response Timeframe: Review Collect commits to responding to all data subject requests within seventy-two (72) hours, well within the one-month period required under GDPR Article 12.

8.3 Identity Verification

To protect against fraudulent requests, Review Collect implements robust identity verification procedures:

  • Multi-factor authentication for online requests
  • Documentary evidence for high-risk requests (erasure, portability)
  • Additional verification for third-party representatives
  • Secure communication channels for sensitive information

9. SECURITY MEASURES

9.1 Technical Safeguards

Review Collect implements state-of-the-art technical security measures:

9.1.1 Encryption Standards

  • Data at Rest: AES-256-GCM encryption with hardware security modules
  • Data in Transit: TLS 1.3 with perfect forward secrecy
  • Key Management: HSM-based key rotation every twenty-four (24) hours
  • Future-Proofing: Post-quantum cryptography implementation roadmap

9.1.2 Access Controls

  • Zero-trust architecture with least privilege principles
  • Multi-factor authentication for all system access
  • Role-based access controls with regular review
  • Privileged access management with session recording

9.1.3 Network Security

  • Intrusion detection and prevention systems
  • DDoS protection and traffic analysis
  • Network segmentation and micro-segmentation
  • Continuous vulnerability assessment

9.2 Organizational Safeguards

9.2.1 Personnel Security

  • Comprehensive background checks for all employees
  • Regular security awareness training and certification
  • Confidentiality agreements and code of conduct
  • Incident response training and tabletop exercises

9.2.2 Physical Security

  • ISO 27001-certified data centers with 24/7 monitoring
  • Biometric access controls and visitor management
  • Environmental monitoring and disaster recovery
  • Secure destruction of physical media

9.3 Security Incident Management

Review Collect maintains a comprehensive incident response program:

  • Detection: Automated monitoring and threat intelligence
  • Response: Dedicated incident response team available 24/7
  • Notification: Data subjects and supervisory authorities within legal timeframes
  • Recovery: Business continuity and disaster recovery procedures

9.4 Third-Party Security Assessments

  • Quarterly penetration testing by certified security firms
  • Annual security audits by Big Four accounting firms
  • Continuous vulnerability scanning and remediation
  • Bug bounty program with responsible disclosure policy

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 Cookie Categories

Review Collect uses only essential cookies necessary for service operation:

10.1.1 Strictly Necessary Cookies

  • Session management and authentication
  • Security and fraud prevention
  • Load balancing and performance optimization
  • Legal basis: Legitimate interest (service delivery)

10.1.2 Cookies We Do Not Use

  • Third-party advertising or tracking cookies
  • Social media integration cookies
  • Analytics cookies (except anonymized, aggregated data)
  • Cross-site tracking mechanisms

10.2 Cookie Management

Users may manage cookie preferences through:

  • Browser settings and controls
  • Our cookie preference center (strictly necessary cookies only)
  • Opt-out mechanisms for optional cookies

10.3 Do Not Track Signals

Review Collect honors Do Not Track signals and implements privacy-by-design principles that minimize tracking regardless of user settings.

11. CHILDREN'S PRIVACY

11.1 Age Restrictions

Review Collect Services are not directed to individuals under sixteen (16) years of age. We do not knowingly collect personal information from children under the applicable minimum age.

11.2 Parental Verification

If we become aware that personal information from a child has been collected:

  • Immediate suspension of the account
  • Prompt deletion of all associated information
  • Notification to parents or guardians where legally required
  • Implementation of additional safeguards to prevent recurrence

11.3 Educational Institution Compliance

For educational clients, Review Collect provides additional protections consistent with applicable student privacy laws and institutional policies.

12. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

12.1 Scope and Application

For California residents, Review Collect provides additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

12.1.1 Categories of Personal Information

We collect and process the following categories of personal information as defined under the CCPA:

  • Identifiers (names, email addresses)
  • Commercial information (transaction records)
  • Internet activity (service usage patterns)
  • Professional information (business contacts)

12.1.2 Sources of Personal Information

  • Directly from California residents
  • Business partners and service providers
  • Public records and databases

12.1.3 Business and Commercial Purposes

  • Service delivery and customer support
  • Security and fraud prevention
  • Legal compliance and protection of rights

12.2 California Consumer Rights

12.2.1 Right to Know

California residents may request disclosure of:

  • Categories and specific pieces of personal information collected
  • Sources of personal information
  • Business purposes for collection and sharing
  • Categories of third parties with whom information is shared

12.2.2 Right to Delete

California residents may request deletion of personal information, subject to certain exceptions for legal compliance and legitimate business purposes.

12.2.3 Right to Correct

California residents may request correction of inaccurate personal information.

12.2.4 Right to Opt-Out

Review Collect does not "sell" or "share" personal information as defined under the CCPA.

12.3 Non-Discrimination

Review Collect will not discriminate against California residents for exercising their privacy rights under the CCPA/CPRA.

13. DATA PROTECTION OFFICER AND CONTACT INFORMATION

13.1 Data Protection Officer

Contact Information:

  • Name: [DPO Name], CIPP/E Certified
  • Email: dpo@review-collect.com
  • Address: Review Collect SAS, ATTN: Data Protection Officer, [Full Address]
  • Telephone: +33 (0)1 XX XX XX XX

Responsibilities:

  • Monitoring compliance with data protection laws
  • Conducting privacy impact assessments
  • Serving as contact point for supervisory authorities
  • Providing data protection guidance and training

13.2 Privacy Inquiries

For all privacy-related inquiries, complaints, or requests:

  • General Privacy: privacy@review-collect.com
  • Data Subject Requests: requests@review-collect.com
  • Security Incidents: security@review-collect.com
  • Legal Matters: legal@review-collect.com

14. CHANGES TO THIS POLICY

14.1 Amendment Process

Review Collect reserves the right to modify this Policy to reflect:

  • Changes in applicable laws and regulations
  • Updates to our business practices and Services
  • Enhancement of privacy protections and user rights
  • Technical or organizational developments

14.2 Notification Requirements

Material changes to this Policy will be communicated through:

  • Email notification to registered users (minimum 30 days advance notice)
  • Prominent notice on our Website
  • In-service notifications where appropriate
  • Updated effective date at the top of this Policy

14.3 Continued Use

Continued use of our Services following notification of changes constitutes acceptance of the revised Policy. If you do not agree to the changes, you must discontinue use of our Services.

15. SUPERVISORY AUTHORITY INFORMATION

15.1 Lead Supervisory Authority

Commission Nationale de l'Informatique et des Libertés (CNIL)

  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
  • Website: https://www.cnil.fr
  • Telephone: +33 (0)1 53 73 22 22

15.2 Right to Lodge Complaints

Data subjects have the right to lodge complaints with supervisory authorities regarding our processing of personal information. However, we encourage you to contact us first to allow us to address your concerns directly.

15.3 Cross-Border Cooperation

For cross-border processing activities, Review Collect cooperates with relevant supervisory authorities through the consistency mechanism established under GDPR Chapter VII.

16. LEGAL COMPLIANCE AND CERTIFICATIONS

16.1 Security Certifications

Review Collect maintains the following certifications and compliance standards:

  • ISO 27001:2013 Information Security Management Systems
  • SOC 2 Type II Security, Availability, and Confidentiality
  • Privacy by Design Certification Foundation
  • HDS (Hébergeur de Données de Santé) health data hosting certification

16.2 Financial Safeguards

To ensure adequate protection for data subjects:

  • Professional Liability Insurance: EUR 5,000,000 annual coverage
  • Cyber Security Insurance: EUR 10,000,000 annual coverage
  • Errors and Omissions Insurance: EUR 2,000,000 annual coverage
  • Financial Guarantee: EUR 1,000,000 blocked funds for data protection obligations

16.3 Audit and Transparency

  • Annual third-party privacy audits by certified auditors
  • Quarterly security assessments by independent firms
  • Monthly compliance reviews and gap analyses
  • Semi-annual transparency reports (available upon request)

17. DEFINITIONS

For purposes of this Policy, the following terms have the meanings set forth below:

"Controller" means the natural or legal person which determines the purposes and means of processing personal data.

"Data Subject" means an identified or identifiable natural person whose personal data is processed.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, use, and disclosure.

"Processor" means a natural or legal person which processes personal data on behalf of the controller.

"Services" means the review management platform and related services provided by Review Collect.

"Third Country" means any country outside the European Economic Area.

18. GOVERNING LAW AND JURISDICTION

18.1 Applicable Law

This Policy and all matters relating to privacy and data protection shall be governed by and construed in accordance with the laws of the French Republic and the European Union, without regard to conflict of laws principles.

18.2 Jurisdiction

Any disputes arising under this Policy shall be subject to the exclusive jurisdiction of the courts of Paris, France, except where data subjects have the right to bring proceedings in their country of residence under applicable data protection laws.

18.3 Severability

If any provision of this Policy is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.

ACKNOWLEDGMENT

By using our Services or accessing our Website, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy in its entirety.

Review Collect SAS
Date of Last Update: June 19, 2025
Document Version: 3.0

This Privacy Policy has been prepared in accordance with applicable data protection laws and regulations. For questions about this Policy or our privacy practices, please contact our Data Protection Officer at dpo@review-collect.com.