Translated from French. The french version prevails.
At Combo SAS, the protection of your personal data is a top priority.
When you use the website combohr.com (hereinafter referred to as the "Site"), we may collect personal data about you.
The purpose of this policy is to inform you about how we process this data in accordance with Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (hereinafter referred to as the "GDPR").
Who is the data controller?
The data controller is Combo SAS.
The Solution and Services are operated by COMBO SAS, registered with the Paris Trade and Companies Register under number 818 582 801, with its registered office located at 35 Rue de Trévise, 75009 Paris.
(hereinafter “We”).
What data do we collect?
Personal data is any information that allows an individual to be identified directly or indirectly through cross-referencing with other data.
We collect data falling into the following categories:
- Identification data (including your first and last name, personal and/or professional email address, personal and/or professional phone number);
- Professional life data (such as the name of the company you work for, your industry sector, and your professional role);
- Connection data (your login logs);
- Economic and financial data (your bank account details - RIB);
- Payment card data.
When you communicate with our services, we may also keep records of the content of your exchanges.
Mandatory data is indicated at the time you provide your information. These fields are marked with an asterisk and are necessary for us to provide our services.
On what legal bases, for what purposes, and for how long do we retain your personal data?
Providing services available through the Combo SAS solution (team management, HR monitoring, work schedule planning):
- Legal basis: Performance of a contract you have entered into
- Retention period: Data is retained for the duration of the contractual relationship, plus 3 years after its end for marketing purposes.
Carrying out customer management operations (contracts, orders, complaints), customer relations, and accounting:
- Legal basis: Performance of a contract you have entered into
- Retention period: Data is retained for the duration of the contractual relationship, plus 3 years after its end for marketing purposes.
Payment card data is retained by our payment service provider Chargebee (Stripe) for the duration of your subscription. CVV2 (visual cryptogram) data is not stored.
Creating a customer and prospect database:
- Legal basis: Our legitimate interest in developing and promoting our business
- Retention period:
- Customers: duration of the contractual relationship + 3 years
- Prospects: 3 years from the last contact
Sending newsletters, solicitations, and promotional messages:
- Legal basis: Our legitimate interest in developing and promoting our business
- Retention period: 3 years from your last contact
Responding to demo requests:
- Legal basis: Our interest in responding to your demo request
- Retention period: Duration needed to process your request; data is deleted after the demo request is processed
Responding to information requests:
- Legal basis: Our legitimate interest in responding to your request
- Retention period: Duration needed to process your request; data is deleted after processing
Producing website traffic statistics:
- Legal basis: Our legitimate interest in improving our services
- Retention period: Time needed to produce statistics, after which the data is anonymized
Conducting satisfaction surveys and customer research:
- Legal basis: Our legitimate interest in improving our services
- Retention period: Duration needed to carry out the survey or study, after which data is anonymized
Processing job applications:
- Legal basis: Performance of pre-contractual measures
- Retention period: Duration of application processing. If the application is unsuccessful, we may retain your data; we will inform you of this. If you do not object, we will keep the data for 2 years from your last contact.
Complying with legal obligations:
- Legal basis: Compliance with legal and regulatory obligations
- Retention period:
- Invoices: retained for 10 years
- Transaction data (excluding bank account and card details): retained for 5 years
Managing rights requests (e.g., access, rectification):
- Legal basis: Compliance with legal and regulatory obligations
- Retention period:
- Proof of identity (if requested): retained only for the time necessary to verify your identity, then deleted
- Opposition to marketing: such information is retained for 3 years
Who are the recipients of your data?
The following entities may access your personal data:
- Internal recipients: Our company’s personnel
- External recipients: Mobile and instant messaging applications
- Our subcontractors: Web hosting providers, enterprise telephony solutions, internal messaging systems, CRM tools, email marketing and transactional services, client invoicing software, payment service providers, data aggregation tools, cloud office and storage suites, collaborative work tools, data integration software, webinar tools, web page creation services, newsletter dispatch services, data recovery solutions, and relationship marketing platforms
- Where applicable: Public or private authorities, strictly to meet legal obligations
Are your data transferred outside the European Union?
Your data is stored on servers located within the European Union for the duration of processing.
However, some of the tools we use (see section on subcontractors) may result in data transfers outside the EU. These transfers are secured by the following means:
- The data is transferred to a country deemed to offer adequate protection by a decision of the European Commission;
- We have signed specific contracts with our subcontractors based on the standard contractual clauses approved by the European Commission;
- We use other appropriate safeguards as permitted under applicable regulations.
What are your rights over your data?
You have the following rights regarding your personal data:
- Right to information: This policy is designed to fulfill this right (Articles 13 and 14 of the GDPR)
- Right of access: You may access all your personal data at any time (Article 15)
- Right to rectification: You may correct inaccurate, incomplete, or outdated data at any time (Article 16)
- Right to restriction of processing: You may restrict data processing in certain circumstances (Article 18)
- Right to erasure: You may request the deletion of your data and the cessation of future collection (Article 17)
- Right to lodge a complaint: You can file a complaint with a supervisory authority (in France, the CNIL) if you believe your data is being unlawfully processed (Article 77)
- Right to set post-mortem instructions: You can define directives on the handling of your data after your death (Article 40-1 of the French Data Protection Act)
- Right to withdraw consent: You may withdraw consent at any time where processing is based on it (Article 7). This does not affect prior processing
- Right to data portability: Under certain conditions (Article 20), you may receive your data in a machine-readable format and request transfer to another party
- Right to object: You may object to data processing (Article 21), though we may continue processing for legitimate reasons or legal defense
You can exercise these rights by contacting us at the details below. We may request proof of identity.
Contact for personal data matters
Email: privacy@combohr.com
Mailing address: Combo SAS, 39 rue de Bellefond, 75009 Paris, France
Changes
We may amend this policy at any time, especially to comply with legal, case law, editorial, or technical changes. The amended version takes effect on its publication date. You are advised to regularly review this policy. We will inform you of any material changes.
Effective date: June 9, 2021