Privacy policy

Last updated: May 4, 2023

Privacy and security of your personal data are of utmost importance to SnapCall. Therefore, we are taking all the necessary measures to ensure the data of our customers and their users are always protected and processed in accordance with the applicable data protection laws.This Privacy Policy describes how SnapCall processes and stores personal data submitted in the context of providing our services.

1. Introduction

During the use of the SnapCall services (the “Services”) subscribed via our website snapcall.io (hereinafter referred to as the “Site”), Seampl SA, located at 20 rue Saint Ferdinand 75017 Paris France, a French société anonyme (SA) whose registered office is at 5, Parvis Alan Turing, 75013 Paris (France), registered with the Paris Registre du commerce et des sociétés under No. 814 387 817 and referred to as “the Provider” may require from Your organization (referred to as “the Client”) which subscribed to the Services to give access to Personal Data in order to be able to benefit from the Services provided by the Provider.

2. Definition of Personal Data

According to European General Data Protection Regulation 2016/679 (GDPR), which came into effect on May 25, 2018, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3. Personal Data processed by SnapCall

In the context of the Services of the Provider (SnapCall), “Personal Data” means any data or information that enables the identification of an individual (whether directly or indirectly), such as their first and/or family name, email address, telephone number, postal address, location, data relating to their interaction with the Client (details of their orders and subscriptions placed with the Client, voice), as well as any other information about individual users that the Client gives to the Provider. It also relates to any personal information of the employees, agents or representatives of the Client given to the Provider for the purpose of using the Services.

Only data that the Client processes and gives access to is accessible to the Provider. If the data of customer has been processed by the Client and the Client allows the Provider to access this data for the purpose of provision of the Services, it will be accessible to the Provider who will use it in order to ensure the provision of the subscribed Services and will securely store it in the host servers on which the Provider stores its databases that are located exclusively within the European Union.

4. How do we process Personal data concerning an identified or identifiable natural person?

Once the Client installs the Services of the Provider, the Client provides personal data in order to create an account and use the Services. While creating the button, the Client indicates personal data (such as email address, telephone number or agent ID) of their employees in order to be able to use the Services. Once the Client creates a button and fills in all the required information needed to use the Services via personal Dashboard on the Site of the Provider, a digital call button appears on a website of the Client. Once a customer (natural person or a business subject) of the Client uses the digital call button displayed on the website of the Client, the personal data processed by the Client is submitted to the Provider, who presents the data in the personal account of the Client on the Site and securely stores it in the backup servers as long as the Client has subscribed to the Services. The Provider only processes data collected and provided to them by the Client.

The client can decide not to give the Provider any data. In this case, the Provider will not have any access to personal data of the customers of the Client and it may have an effect on the Services.

5. Legal basis of processing your Personal data

The Provider has legal basis for collecting and processing Personal data described in a section no. 2 because the Provider needs Personal data to perform a contract with the Client(e.g. to provide the Client with the Services), where the processing is in the legitimate interests of the Provider and not overridden by Personal data protection interests or fundamental rights and freedoms, or where we have the consent of the Client.

If the Provider asks the Client to provide personal information to perform a contract with the Client, the Provider will make this clear at the relevant time. If the Provider processes Personal data processed by the Client in reliance on the consent of the Client, the latter may withdraw their consent at any time.

6. Purposes of processing Personal Data

A table provided below indicates the different purposes Personal Data may be processed for, as well as categorizes these purposes and provide the legal basis the processing is based on.

7. How do we use processed Personal Data?

The Provider may use the data they collect about the Client in order to perform other obligations under the two-party agreement and on the basis of the legitimate interest of the Provider including to provide, operate, maintain, improve, and promote the Site and the Services:

• enable the Client to access and use the Site and the Services;
• process and complete transactions, and send related information, including purchase confirmations and invoices to the Client;
• send transactional messages, including responses to your comments, questions, and requests;
• provide the Client with information about products and services, features, newsletters, offers, promotions, and events;
• monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes;
• investigate and prevent fraudulent transactions, unauthorized access to the Websites and the Services, and other illegal activities.

8. How do we ensure information security in transit between the Client and SnapCall?

All the data sent between the Client and the Provider is encrypted. Any data in audio or video format is encrypted via WebRTC technology. Session initiation singling is encrypted by secure protocols such as TLS and SRTP, HTTPS/WSS. Therefore, the encryption of the identity of both the calling customer as well as the Client is encrypted.

9. Sharing of Video and/or Photo through SnapCall Assist.

SnapCall Assist allows customers to record and share videos and/or photos with our support team to help resolve their support issues. The videos and/or photos are stored securely and accessed only by authorized personnel for the purpose of providing customer support. By using SnapCall Assist, customers consent to the sharing of their videos and/or photos with our support team. We do not use or share these videos and/or photos for any other purpose without explicit consent from the customer, unless required by law. We take all reasonable steps to ensure the security and confidentiality of these videos and/or photos and will delete them upon the customer's request, in accordance with our retention policy outlined in section 10.

10. How long do we keep processed Personal Data of the Client?

All the data received and processed by the Provider is retained in a personal account of the Client and saved in backup servers as long as the Client has subscribed to the Services. If the Client wants to terminate the usage of the Services, they need to inform the Provider according to the conditions agreed by both parties and specify the wish to delete all the data regarding processed during the period of the usage of the Services. The Provider is committed to permanently delete all the processed data from the account as well as from the backup servers provided, associated with the account of the Client and inform the Client once all the data is permanently deleted.

11. How do we ensure secure processing Personal data of the Client?

The Provider ensures that all employees that have access and are processing any Personal Data of the Clients are subject to a duty of confidence, ensured via confidentiality agreement. DPO appointed by the Provider holds a responsibility to review and update this Privacy Policy as well as introduce the Provider’s employees with any updates and/or changes in law and/or Privacy Policy.

This Privacy Policy is being reviewed annually.

12. Is the Provider able to provide the Client with whatever information is needed to ensure meeting GDPR Article 28 obligations?

Following the Client’s request, the Provider is available for audit/inspection with 30 days prior notice. The Provider will provide the Client with the information related to processed Personal Data according to the obligations of GDPR article 28.

13. Integrated Services on the Site

The Site and Services of the Provider may include links to and from the websites of third parties. If the Client follows a link to any of these websites, SnapCall is not responsible or liable for any use of Personal Data by such third parties, as these websites have their own privacy policies. We, therefore, recommend the Client to check their policies before visiting these websites.

14. Personal Data protection responsibilities of the Provider

As the Provider of the Services, SnapCall is committed to ensuring the fulfillment of these responsibilities:

• implement the appropriate technical and organizational measures to protect Personal Data from any foreseeable risk of destruction, loss, alteration, disclosure, or unauthorized access, as well as to ensure the availability and integrity of those Personal Data. In that regard, the Provider can be required in order to take account of risks that may exist for the security of Personal Data and for persons’ privacy, to encrypt Personal Data and/or supports;
• take all security measures to ensure compliance with the Data Regulation, and, in particular, at the end of the Contract and at the Client’s choice, destroy all files that include Personal Data, or return in full all supports that include such Personal Data, and not to retain any copy or original thereof;
• in the event of a security failure causing a violation of Personal Data, inform the Client thereof in writing as soon as possible after having learnt of the event, and carry out an investigation that enables a gradual series of reports to be sent, as the investigation progresses, to the Client containing information on the nature and extent of the Personal Data that may already be affected and the corrective measures that have been taken or that are envisaged;
• provide the Client with all necessary assistance to enable the latter to comply with all its obligations under the Data Regulation, in particular enabling it to carry out the analyses and other consultations required, and to enable Persons to exercise their rights in relation to their Data. In the latter case, if Persons make requests directly to the Provider, the latter undertakes to use all means to pass them on to the Client. The Provider also undertakes to cooperate with the competent control authority, doing so in conjunction with the Client.
• make available to the Client and provide the latter on first request from it, all evidence to prove compliance with the Provider’s obligations under the Data Regulation, and shall make available to the Client all the information needed to enable audits, including inspections, to be carried out by the Client or by an auditor appointed by it, at the Client’s expense, and shall contribute in a reasonable manner to those audits;
• not to use the documents and Personal Data for purposes other than those specified in the Contract. In addition, the Provider undertakes to make its staff subject to a duty of confidentiality and to ensure compliance therewith;
• the Provider is authorized to entrust the performance of certain services set out in the Contract to Subcontractors subject to having previously ensured, on the basis of contracts, that those Subcontractors offer security guarantees and are subject to obligations that are at least as binding as those applicable by virtue of the Contract.
• the Client guarantees that it has taken the precautions needed to comply with the Data Regulation, in particular regarding its obligations relating to informing its own clients. In that regard, the Client guarantees to the Provider that the Client’s subscription to the Services and the performance of the Contract by the Parties shall not, under any circumstances, constitute a breach of the Data Regulation.

15. Notice to the end-users

The  Services of the Provider are intended for use by the enterprises (referred to as the Clients in this Privacy Policy) mostly. Where the Services of the Provider are made available to the end-user through the Client of the Provider, the latter is the Data Controller of end-user’s Personal Data. Data privacy questions and request of the end-user should be submitted to the Provider and their Data Controller. The Provider is not responsible for its Clients privacy or security practices which may be different than the one of the Provider.

16. Your data protection rights

When the Client chooses to give access to the data they have processed, they consent to the processing and use thereof, in accordance with the French Data Protection Laws and the European General Data Protection Regulation 2016/679 (GDPR) and the provisions of this Privacy Policy and applicable laws and regulations.

Any data subject has the following rights:

• To access and obtain a copy of Personal Data that is processed by the Provider;
• To rectify the Personal Data if inaccurate or outdated and/or supplement them if incomplete;
• To object to the processing of Personal Data that is based on legitimate interests;
• To request the deletion of Personal Data and a right to be forgotten;
• To withdraw their consent, at any time, to any processing of their Personal Data that is solely based on their consent;
• To move, copy or transmit Personal Data relating to them;
• To restrict or limit the processing of Personal Data;
• To set guidelines on how to organize the use of Personal Data after their death.
• To file a complaint before a supervisory data protection authority;