DATA PROTECTION POLICY

1. Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) establishes the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and obligations of data controllers, processors, data subjects, and data recipients.

The processing of personal data resulting from the consultation, navigation, and use of the website [www.naaia.ai] (hereinafter referred to as the “Site”) and the services it offers is governed by this privacy policy.

For a proper understanding of this policy, it is specified that:

  • the “data controller”: refers to Naaia (hereinafter referred to as “Naaia” or “we”);
  • the “processor”: refers to any natural or legal person who processes personal data on behalf of Naaia;
  • the “data subjects”: refers to Naaia’s customers, prospects, and partners (hereinafter referred to as “customers, prospects, and partners” or “you”);
  • the “recipients”: refers to natural or legal persons who receive personal data from Naaia. Data recipients may therefore be both Naaia employees and external organizations (partners, exhibitors, banking institutions, service providers, etc.).

2. Purpose

The purpose of this policy is to fulfill the information obligation to which Naaia is subject pursuant to Article 12 of the GDPR and to formalize the rights and obligations of Naaia’s customers, prospects, and partners with regard to the processing of their personal data.

3. Scope

This policy is intended to apply in the context of the implementation of all personal data processing relating to customers, prospects, and partners.

Naaia makes every effort to ensure that data is processed within a precise internal governance framework. The processing of personal data may be managed directly by Naaia or through a processor specifically designated by Naaia.

This policy is independent of any other document that may apply within the contractual relationship between Naaia and customers, prospects, and partners.

4. Identification of Processing Activities

4.1 Types of Data Collected and Purposes

The personal data processed by Naaia is primarily collected from its customers, prospects, and partners when using the Site, but also during the performance of contracts that bind us.

We undertake to respect the principle of data minimization, which consists of collecting only the data strictly necessary for the purposes of the processing implemented by Naaia.

Consequently, we only collect and use the following personal data:

| Type of Data | Data Subject | Purpose | Legal Basis |
|---|---|---|---|
| Email address; Contact details: telephone, address | Prospects / Website visitors; Customers | Newsletter subscription and receipt of promotional offers; Management of unsubscribe and opt-out requests; Provision of demonstrations | Consent if prospect; Legitimate interest if customer |
| Connection data | Prospects / Website visitors | Statistics | Consent |
| Identification data (IP address), acceptance data (click) | Site visitors | Management of technical data | Legitimate interest or consent depending on the data |
| Identification (Last name, first name); Contact details: email, telephone | Site visitors | Management and improvement of relationships; Enable the Site to function; Respond to user requests and provide them with useful information (contact form); Enable users to receive publications, press releases, and information upon request; Commercial prospecting and activities | Consent |

4.2 Data Recipients – Authorization and Traceability

Naaia ensures that data is only accessible to authorized internal or external recipients.

Internal Recipients:

  • authorized personnel of the relevant Naaia department (customer/prospect/partner relationship management), administrative services, IT services, and their line managers;
  • authorized personnel of control services (auditors, services responsible for internal control procedures, etc.).

External Recipients:

  • any competent supervisory authority, accountants, legal auxiliaries, and ministerial officers;
  • the organization responsible for managing the telephone canvassing opt-out list;
  • authorized personnel of processors.

Recipients of personal data of customers, prospects, and partners are subject to a confidentiality obligation.

Furthermore, personal data may be disclosed to any authority legally authorized to access it. In such cases, Naaia is not responsible for the conditions under which the personnel of these authorities access and use the data.

4.3 Retention Period

The data retention period is defined by Naaia in light of the legal and contractual constraints it faces and, failing that, according to its needs and in particular according to the following principles:

| Processing | Retention Period |
|---|---|
| Customer data | For the duration of contractual relations with Naaia, plus 5 years from account closure or termination of the business relationship for data and documents relating to customer identity |
| Statistics | Duration of the statistical study |
| Data relating to Site usage | For the duration necessary to perform the services provided by Naaia and 1 year after the last intervention; Cookies: 13 months |
| Prospect data | 3 years from their collection by Naaia or from the last contact from the prospect |
| Technical data | 1 year |

After the specified periods, data is either deleted or retained after being anonymized, particularly for statistical purposes. It may be retained in the event of pre-litigation and litigation.

Customers, prospects, and partners are reminded that deletion and anonymization are irreversible operations and that Naaia is subsequently unable to restore the data.

5. Management of Data Subject Rights

5.1 Right of Access and Right to a Copy

You have the right to ask us whether we are actually processing data concerning you. You may also request that we provide you with a copy of your data being processed.

However, in the event of requests for additional copies, we may require you to bear the cost of such additional copies.

If you submit your request electronically, the requested information will be provided to you in a commonly used electronic form, unless otherwise requested.

You are informed that this right of access and copy cannot apply to confidential information or data, or to information for which the law does not authorize disclosure.

The right of access must not be exercised abusively, i.e., exercised regularly for the sole purpose of disrupting the proper performance of our services.

5.2 Right to Rectification

You have the right to ask us to rectify certain data concerning you that may be obsolete or incorrect. To do so, you must specify the data to be rectified and the data with which we should replace it.

5.3 Right to Erasure

The right to erasure does not apply in cases where processing is implemented to comply with a legal obligation.

Outside of this situation, you may request the erasure of your data in the following limited cases:

  • your data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • you object to processing that we perform on the basis of a legitimate interest when there are no overriding legitimate grounds for such processing;
  • you object to the processing of your data for direct marketing purposes;
  • your data has been subject to unlawful processing.

5.4 Right to Restriction and Portability

You are informed that these rights are not intended to apply insofar as the conditions required by applicable regulations for each of them are not met with regard to the processing we perform on personal data.

5.5 Right to Object

You are authorized to exercise your right to object only for processing based on Naaia’s legitimate interest, provided that you state a reason relating to your particular situation. In such a case, Naaia may not grant your request if it advances legitimate and compelling grounds that prevail over your personal interest and, in particular, over the reason you invoked in support of your request.

5.6 Post-Mortem Rights

We inform you that you have the right to formulate directives concerning the retention, erasure, and disclosure of your data after death.

5.7 Exercise of Rights

The aforementioned rights may be exercised, at the choice of the data subject, by email at the following address: contact@naaia.ai

Please note that only the person concerned by the processing may exercise the rights provided above. Consequently, in case of doubt, we may ask you for a copy of your current identity document. Otherwise, your request may be refused.

We make every effort to respond to requests within a reasonable timeframe and, at best, within one month of receiving the request.

However, in cases where processing requests proves complex or we face a high number of simultaneous requests to exercise rights, the processing period may be extended to two months.

6. Additional Provisions

6.1 Subcontracting

We may engage any processor of our choice in connection with the processing of personal data of our customers, prospects, and partners.

Within the meaning of the GDPR, a processor means any natural or legal person who processes personal data on behalf of the data controller. In practice, this refers to service providers with whom we work and who handle the personal data we process.

In such cases, we ensure that the processor complies with its obligations under the GDPR and undertake to sign a written contract with all our processors imposing the same data protection obligations on them as those we impose on ourselves. Furthermore, we reserve the right to conduct an audit of our processors to ensure their compliance with GDPR provisions.

6.2 Processing Register

We undertake, in our capacity as data controller, to maintain an up-to-date register of all processing activities carried out, which includes processing relating to data of our customers, prospects, and partners.

This register is a document or application that allows us to record all processing activities we implement as data controller.

We undertake to provide the CNIL, upon first request, with information enabling it to verify the compliance of processing activities with applicable data protection regulations.

6.3 Security Measures

We implement physical or logical technical security measures that we deem appropriate to combat the destruction, loss, alteration, or unauthorized disclosure of data, whether accidental or unlawful.

These measures primarily include:

  • individual access by username and complex password, regularly renewed,
  • security measures for accessing customer databases with rights management procedures,
  • traceability system,
  • confidentiality clause,
  • preservation of the security and confidentiality of processed data, in particular to prevent it from being distorted, damaged, or accessed by unauthorized third parties,
  • secure servers.

In any event, we undertake, in the event of changes to the means used to ensure the security and confidentiality of your personal data, to replace them with means of superior performance. No evolution may lead to a regression in the level of security.

6.4 Data Breach

We undertake to notify the CNIL of any data breach we may suffer under the conditions prescribed by personal data regulations.

Our contacts among our customers, prospects, and partners are informed of any data breach that could pose a high risk to their privacy.

6.5 Cross-Border Flows

We reserve the right to implement cross-border flows outside the EU of the data we process, of which you will be informed. In such cases, we will ensure respect for your rights and sign, if necessary, one or more contracts to regulate these flows with the recipient country(ies).

7. Contacts

7.1 GDPR Officer

Naaia has designated a GDPR officer who can be contacted via the following email and postal addresses:

Email address: contact@naaia.ai

If customers, prospects, and partners wish to obtain specific information or ask a particular question, they may contact the GDPR officer, who will provide them with a response within a reasonable timeframe in relation to the question asked or information required.

7.2 Right to Lodge a Complaint with the CNIL

Customers, prospects, and partners concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they believe that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:

CNIL – Complaints Department
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22

7.3 Updates

This policy may be modified or amended at any time in the event of legal or case law developments, CNIL decisions and recommendations, or changes in practices.

Any new version of this policy will be brought to the attention of customers and contacts by any means determined by Naaia, including electronic means (distribution by email or online, for example).