Article 1 - Scope of this policy

SalesPath, a société par actions simplifiée, with a capital of 1,309.24 euros, whose registered office is located at 22 Boulevard Maillot, 92200 Neuilly-Sur-Seine France, registered with the RCS of Nanterre under number 903 162 584, is required to collect and process personal data as part of the provision of the SalesPath Solution (hereinafter referred to as the "Solution"), which are transmitted to it by:

• companies using the SalesPath application (hereinafter referred to as the "Client(s)");
• their agents (hereinafter referred to as "Authorized Users");
• their clients and/or prospects (hereinafter referred to as "Final Clients").

Article 2 - Data processing carried out by SalesPath

2.1. Data Processing carried out by SalesPath Regarding Clients

2.1.1. Legal basis for processing

In order to use the Solution, Clients have entered into an agreement with SalesPath in which they agree that Authorized Users will comply with the Solution. This agreement is the legal basis for the collection and processing of personal data.SalesPath may process on behalf of Authorized Users personal data necessary to provide them with access to the Solution.

SalesPath is authorized to process on behalf of its Clients, personal data necessary to provide access to the Solution.

Unless the consent of the data subjects has been obtained in accordance with the conditions provided for under the provisions in force, these data processing must not lead to the establishment of profiles likely to reveal sensitive data (racial or ethnic origins, philosophical, political, trade union, religious opinions, sexual life, or health of individuals).

In any case, SalesPath undertakes to inform the Client prior to any other processing and to ensure compliance with the regulations in force. In particular, the Client is required to carry out, if necessary, an impact assessment of the planned processing on data protection under the conditions provided for in Article 35 of the GDPR.

2.1.2. Description of processing

2.2. Data Processing carried out by SalesPath to manage the activity of Authorized Users

2.2.1. Legal basis for processing

In order to use the Solution, Clients have entered into an agreement with SalesPath in which they agree that Authorized Users will comply with the Solution.

This agreement is the legal basis for the collection and processing of personal data.

SalesPath may process on behalf of Authorized Users personal data necessary to provide them with access to the Solution.

2.2.2. Description of processing

Processing Operations: Collection; storage within SalesPath’s CRM database, storage within SalesPath’s database, marketing, prospecting, and customer support activities; analysis of SalesPath usage data
‍Purpose(s) of the Processing(s): Operation of the platform by Authorized Users; Enhancement of sales operations.
‍Category(ies) of Data Subjects: SalesPath Clients’ Authorized Users.
‍Category(ies) of Personal Data processed: Identification data (e.g., surname, first name, e-mail address), economic and financial information, professional life data, login data, usage data.
‍Categories of Data Recipients: SalesPath.
‍Categories of personnel with access to Personal Data (e.g., security, operational, legal personnel):SalesPath technical and sales teams.

2.3. Processing by SalesPath for Final Clients Operations

2.3.1. Legal basis for processing

SalesPath acts as a processor for all processing of personal data concerning Final Clients.

In order to provide the Solution to Clients, SalesPath may process the personal data of Final Clients on its Clients’ behalf.

Regarding the processing of Final Clients data by the Client, it is up to the Client to determine its legal basis.

2.3.2. Description of processing

Processing Operations: Collection; storage within SalesPath’s database and within the Client's CRM, marketing and customer support activities.
‍Purpose(s) of the Processing(s): Enhancement of sales operations and centralization of sales scripts, customer support and prospecting activities.
‍Category(ies) of Data Subjects: Final Clients.
‍Category(ies) of Personal Data processed: Identification data (e.g., surname, first name, e-mail address), economic and financial information, professional life data.
‍Categories of Data Recipients: SalesPath.
‍Categories of personnel with access to Personal Data (e.g., security, operational, legal personnel):SalesPath technical and sales teams.

Article 3 - Data retention period

3.1. Retention period for data provided by Clients and Authorized Users

The personal data provided by the Client who has concluded an agreement with SalesPath and those of the Authorized Users, will be retained for the duration of the agreement between the Client and SalesPath.

The personal data communicated by the Client who has not concluded an agreement with SalesPath and whose processing is based on consent, will be retained for a period not exceeding three (3) years from the last contact from said Client.

Certain data may be archived beyond the periods provided for (i) in the event of litigation in order to establish the reality of the disputed facts; and/or (ii) for the purposes of investigating, establishing, and prosecuting criminal offences for the sole purpose of allowing, as necessary, the communication of these data to the judicial authority.

Archiving implies that these data can no longer be consulted online but are extracted and stored on an autonomous and secure medium.

3.2. Retention period of data relating to Final Clients

The personal data of Final Clients are retained by SalesPath for the duration of the agreement between the Client and SalesPath, increased by the time necessary to return it to Client if applicable.

Article 4 - SalesPath's commitments as data controller

In accordance with Article 24 of the GDPR, SalesPath undertakes to implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR.

Article 5 - SalesPath's Commitments as a data processor

In accordance with Articles 28 and 32 of the GDPR, SalesPath is committed to:

1. take and maintain all appropriate measures, and in particular, appropriate technical and organizational measures, to preserve the security and confidentiality of the personal data entrusted to it for the provision of access to the Solution, in order to prevent them from being distorted, altered, damaged, disseminated or accessed by unauthorized persons;
2. ensure that persons authorized to process personal data on its behalf, in addition to having received the necessary training in the protection of personal data, respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
3. comply with the applicable legal provisions relating to the processing conditions and/or the destination of the data communicated to it or to which it will have access to in the context of providing access to the Solution;
4. act only on the Client’s documented instruction for the processing of the personal data concerned;
5. use the personal information collected or to which it may have had access for the sole purpose of providing the Solution to Clients, Authorized Users and Final Clients;
6. not to use for purposes contrary to the agreement the personal information collected or to which it may have had access in the performance of the agreement in accordance with the applicable legal provisions, and to transfer it only to a third party indicated or authorized by the Client;
7. not to resell or transfer data that is strictly confidential;
8. to assist Clients, Authorized Users and Final Clients, as far as possible, through the implementation of appropriate technical and organizational measures, as well as to fulfill its obligation to comply with requests from data subjects in order to exercise their rights of access, rectification, erasure, opposition, limitation and portability of data;
9. to assist the Client, as far as possible and taking into account the information provided to it by the Client, to comply with its obligation to: (a) notify the supervisory authority of a personal data breach; (b) notify the data subject of a personal data breach; (c) conduct a data protection impact assessment.

As part of the processing of personal data, SalesPath may need to involve subsequent subcontractors.

In this case, SalesPath ensures that the subsequent subcontractors comply with their obligations under the GDPR and provide sufficient guarantees regarding the implementation of appropriate technical and organizational security measures.

SalesPath undertakes to sign an agreement with all its subsequent subcontractors imposing obligations equivalent to its own in terms of personal data protection in accordance with the provisions of Article 28 of the RGPD.

The list of second-tier subcontractors to date is as follows:

• AWS [servers in France]
• Auth0 [servers in the European Union]
• FullStory
• Hubspot

Article 6 - Rights of Clients and Authorized Users

Clients and Authorized Users have the following rights:

1. A right of access: this right allows Clients and Authorized Users to obtain information regarding the processing of their personal data as well as a copy of such data;
2. A right to rectification: this right allows Clients and Authorized Users to request that personal data they believe to be inaccurate or incomplete be amended accordingly;
3. A right to object: this right allows Clients and Authorized Users to object to the processing of their personal data for reasons related to their particular situation. The right to object is unconditional in the case of processing for commercial purposes;
4. A right of limitation: this right allows Clients and Authorized Users to suspend the processing of personal data to which they are subject while retaining the processed data;
5. A right to portability: this right allows Clients and Authorized Users to obtain that the personal data they have provided be returned to them or, where technically feasible, transferred to a third party. Information requested by Clients and Authorized Users will be provided to them in electronic form, unless expressly requested otherwise;
6. The right to define guidelines relating to the fate of their data after their death;
7. A right of deletion: this right allows Clients and Authorized Users to obtain the deletion of their personal data. Regarding the right to delete the personal data of Clients and Authorized Users, the latter will not be applicable in cases where the processing is implemented to meet a legal obligation.

Clients and Authorized Users are informed that they have the right to lodge, at any time, a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), if they consider that the processing subject to the Privacy Policy constitutes a violation of the applicable legislation on the protection of personal data.

Article 7 - Statistical use of anonymous data

As part of its business, SalesPath collects, processes, and stores statistical data relating to the use of the Solution and the activities of Authorized Users.

This usage data, which will be retained beyond the storage periods as defined hereinabove and may be transmitted to third parties, shall in all cases remain anonymous and does not identify Clients, Authorized Users or Final Clients, even indirectly.

Article 8 - Modification of the Privacy Policy

SalesPath reserves the right to make any change to the Privacy Policy at any time it deems necessary and useful.

In the event of a change to the Privacy Policy, SalesPath will re-accept the new Privacy Policy to Clients and Authorized Users at the time they access the Solution again.