Privacy Policy

version of 01/01/2021

 

Mindee, a French société par actions simplifiée with a share capital of 7 617 € whose registered office is located 14 rue Charles V 75004 Paris, France, registered with the commercial and companies register of Paris under number 837 811 256 (“Mindee”), attaches great importance to the protection and respect of privacy. 

 

When you, whether as a User (within the meaning of the Terms and Conditions of Use of our Website) or as a Client (within the meaning of the Terms and Conditions of Service on our Platform or any other master agreement entered into with Mindee) (the “Contracting Party”), enter into an agreement with Mindee for access to and use of any one of our remote automated document and image processing services whatsoever (the “Services”), you agree that the resulting Personal Data processing be governed by the provisions of this Personal Data Processing Agreement, which is Mindee’s privacy policy (the “Privacy Policy”).

 

For the purposes hereof, Mindee and the Contracting Party are together referred to as the “Parties” and individually as a “Party”. Terms beginning with a capital letter and not defined herein have the meaning that is attributed to them in the applicable contractual document (namely the Terms and Conditions of Use of our Website, the Terms and Conditions of Service on our Platform or any other master agreement entered into with Mindee, hereinafter referred to indistinctly as the “Agreement”) into which this Privacy Policy is incorporated.

 

  1. Compliance with Applicable Regulations

 

The Parties each undertake to comply with their respective obligations pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and Law n°78-17 of 6 January 1978 relating to data processing and civil liberties in its current version in force (together the “Applicable Regulations”).

 

Terms such as “processing”, “data controller”, “data processor”, “Personal Data”, etc. defined in the Applicable Regulations have the meaning that is attributed to them in the Applicable Regulations.

 

The Parties acknowledge that, for the performance of the Agreement, Mindee acts as a data processor of the Contracting Party for the processing described in article 2 below, and as a distinct data controller for the processing described in article 3 below.

 

  2. Processing carried out by Mindee as data processor

 

2.1 Processing description

 

Mindee acts as a data processor on behalf of the Contracting Party for the processing operations defined in Annex 1-A for the provision of Services and in Annex 1-B for the training of Client Data sets for the improvement of Services.

 

2.2 General obligations of Mindee 

 

Mindee undertakes to:

  1. process Personal Data only for the purposes described; 
  2. process Personal Data in accordance with Contracting Party’s instructions as set forth in the Agreement. If Mindee considers that an instruction constitutes a violation of Applicable Regulations, it will inform the Contracting Party. In addition, if Mindee is required to transfer data to a third country or to an international organization, pursuant to European Union law or the laws of a member State to which it is subject, Mindee shall inform the Contracting Party of this obligation prior to the processing, unless the law in question prohibits such information on public interest grounds; 
  3. ensure the confidentiality of the Personal Data processed;
  4. ensure that persons authorized to process Personal Data (including sub-data processors):
     • undertake to comply with confidentiality obligations, or are subject to an appropriate statutory duty of confidentiality;
     • receive the necessary training in terms of Personal Data protection;
  5. make available to the Contracting Party, upon written request, all information that is reasonably necessary to demonstrate compliance with its obligations and to enable audits to be carried out in accordance with article 2.8 below;
  6. keep a record of processing activities carried out on behalf of the Contracting Party in accordance with Applicable Regulations;
  7. provide assistance to the Contracting Party that is reasonably necessary to respond to requests for the exercise of rights by data subjects concerned by the processing operations falling under this article 2;
  8. carry out the actions requested by the Contracting Party on the Personal Data in response to data subjects’ requests to exercise their rights;
  9. provide the Contracting Party with reasonable assistance required as part of an impact assessment relating to the processing falling under this article 2 to be carried out by the Contracting Party or for the preliminary consultation of a supervisory authority; the time spent for such assistance may be invoiced by Mindee.

 

2.3 General obligations of the Contracting Party 

 

Where the lawfulness of the processing carried out by Mindee on behalf of the Contracting Party is based on consent of the data subjects, the Contracting Party is alone responsible, towards Mindee, to inform and get the data subject’s consent in the forms and according to the requirements prescribed by Applicable Regulations. Consequently, the Contracting Party shall remain solely liable for any and all damages that may result, for Mindee and for the data subjects of the Personal Data processing, from failure to comply with its obligations. In this respect, the Parties agree that in the event Mindee is held liable, under article 82 of the GDPR or by any competent supervisory authority, for a breach that is attributable to the Contracting Party, the Contracting Party shall indemnify and hold Mindee harmless from and against all costs, fees (including attorney fees), fines and damages incurred by Mindee.

 

If a data subject sends a request to the Contracting Party to exercise his/her rights, the Contracting Party is bound to inform Mindee of it, within the deadlines set by Applicable Regulations, so that Mindee can communicate the information in its possession and/or implement the rights of the data subject according to the instructions of the Contracting Party.

 

2.4 Sub-data processors

 

The Contracting Party expressly authorizes Mindee to appoint sub-data processors, including those listed below, and to replace or add any subsequent sub-data processors. Prior to appointing a sub-data processor, Mindee will inform the Contracting Party by any means (including e-mail) and the Contracting Party shall have seven (7) calendar days to object to it. Any objection by the Contracting Party must be legitimate and duly motivated (such as a lack of appropriate security measures). If the Contracting Party does not notify its opposition after this period, the Contracting Party shall be deemed to have accepted such sub-data processor. In case of persistent opposition from the Contracting Party, Mindee shall cease to rely on such sub-data processor, as far as feasible, or if impossible the Contracting Party may terminate, without breach, all or part of the Agreement that requires use of this sub-data processor.

 

Mindee undertakes to enter into a legal agreement with its sub-data processors and to impose obligations that are at least as strict as those applicable to Mindee in relation to the Contracting Party pursuant to this Privacy Policy. If the sub-data processor does not comply with its obligations in terms of Personal Data protection, Mindee will remain fully liable towards the Contracting Party for its sub-data processors according to the terms of the Agreement.

 

As of the effective date of the Privacy Policy, Mindee relies on the following sub-data processor: 

 

  • a hosting provider located within the European Union with servers, on which the Personal Data are hosted, located within the European Union.

 

2.5 Data Transfers

 

Where necessary, the Contracting Party expressly authorizes Mindee to transfer Personal Data to countries located outside the European Economic Area (EEA) or which do not benefit from an adequacy decision rendered by the European Commission, subject to implementing, prior to transfer, the appropriate safeguards, such as the execution of Standard Contractual Clauses (“SCC”) adopted by the European Commission, the use of binding corporate rules or any of the safeguards provided for under article 46 of the GDPR. To this end Contracting Party grants to Mindee a general mandate to enter, in its name and on its behalf, into any SCCs in order to govern the transfer of Personal Data to a sub-data processor established in a country outside the EEA or not benefiting from an adequacy decision to carry out processing operations.

In such case, Mindee will, upon request, justify to the Contracting Party the measures taken for the transfer to a sub-data processor.

 

2.6 Confidentiality

 

Mindee ensures the confidentiality and the integrity of the Personal Data processed and undertakes to comply with the following obligations and to have them complied with by its employees: 

  • not to make any copy of the Personal Data and the materials that are entrusted to it, except for those necessary to carry out the processing, without the prior approval of the Contracting Party;
  • not to use the Personal Data for purposes other than those stated in the processing;
  • not to disclose the Personal Data to third parties;
  • to take all appropriate measures in order to avoid any misappropriation or fraudulent use of the Personal Data during the processing.

 

Mindee will ensure that all of its employees authorized to process Personal Data are bound by confidentiality obligations equivalent to those which Mindee has to the Contracting Party.

 

2.7 Security

 

2.7.1 Security measures

 

Mindee represents to the Contracting Party that it implements technical and organizational measures that, taking into account the state of the art, the costs of implementation and the nature, the scope, the context and the purposes of processing, as well as the associated risks, are appropriate to ensure a level of security that is adapted to the Personal Data processing.

 

2.7.2 Notification of Personal Data breach

 

Mindee undertakes to notify the Contracting Party of any Personal Data breach, within the deadlines set out in Applicable Regulations, after becoming aware of the breach. Notification will be made by email sent to the point of contact of the Contracting Party or its DPO or any other contact in charge of Personal Data breaches identified by the Contracting Party. 

 

This notification will be accompanied by any relevant documentation in order to enable the Contracting Party, if necessary, to notify the breach to the competent supervisory authority and to the data subjects, as applicable.

 

2.8 Audit

 

The Contracting Party is authorized to carry out or to have carried out, at its own expense, at any time during performance of the Agreement but no more than once per year, an audit of all or part of the processing falling under this article 2 performed by Mindee.

 

Any audit must be subject to a prior notice, sent at least thirty (30) days before the audit is held, and an agreement of the Parties on the scope of the audit. 

 

Mindee reserves the right to invoice the Contracting Party for its assistance in the audit.

 

The audit will be carried out by the Contracting Party’s internal team or by persons mandated by the Contracting Party (provided that such third parties are not competitors of Mindee) subject to professional secrecy and to a non-disclosure agreement entered into with Mindee, protecting Mindee’s information to which they will have access in the course of the audit.

 

The audit will be performed during Mindee’s business hours and must not disturb Mindee’s activities. The audit must not, in any way whatsoever, interfere with (i) the technical and organizational measures deployed by Mindee, (ii) the security and the confidentiality of the data of other clients of Mindee, or (iii) the proper functioning and organization of Mindee’s business.

 

The draft audit report will be submitted to Mindee, which will produce its observations in writing. They will be attached to the final report.

 

If the findings of the audit report reveal breaches of Mindee’s obligations as data processor, Mindee will take reasonable steps to remedy them within a period of time agreed between the Parties, at no additional cost for the Contracting Party. 

 

If the findings of the audit report contain recommendations tending to the modification of or improvement to the audited rules and procedures, the conditions for their implementation, as well as any potential additional costs, will first be agreed upon by the Parties. 

 

2.9 Disposal of Personal Data

 

Mindee undertakes to destroy, in an automated or manual manner, all Personal Data processed on behalf of the Contracting Party pursuant to this article 2 at the end of the applicable periods detailed in Annexes 1-A and 1-B. By way of exception, Personal Data may be subject to an additional retention period to enable Mindee to comply with its applicable legal obligations.

 

3. Processing carried out by Mindee as data controller

 

3.1 Processing description

 

3.1.1 Purpose and legal basis of the data processing

 

Mindee processes the Personal Data collected from the Website or the Platform, in its capacity as data controller, for the purposes of:

  1. processing and responding to any contact request from the Website by virtue of the performance of pre-contractual measures, Mindee’s legitimate interests or to comply with legal measures; 
  2. executing any Agreement by means of electronic signature, where applicable, pursuant to the performance of the Agreement or Mindee’s legitimate interests;
  3. creating a Client Account and/or an account for each User from the Platform in accordance with the Client’s request pursuant to the Agreement to authenticate and authorize access to the Services;
  4. managing the Agreement and invoicing the Services subscribed pursuant to the performance of the Agreement; 
  5. drawing up audience and usage statistics of the Website or Platform pursuant to Mindee’s legitimate interests;
  6. technical administration of the Website or the Platform (monitoring interruption or unavailability of Services, errors, analysis and detection of abuses) pursuant to Mindee’s legitimate interests or the performance of the Agreement;
  7. carrying out campaigns for prospection and promotion of the Services and their evolution through e-mails sent to points of contact presumed to be professional addresses, pursuant to Mindee’s legitimate interests.

 

(together the “Purposes”).

 

Where Personal Data are collected by Mindee to comply with its obligations under the Agreement, if those Personal Data are not provided, Mindee will be unable to perform its obligations under the Agreement.

 

3.1.2 Category of Personal Data

 

Mindee processes, for the Purposes, the following Personal Data: 

  • identification data of staff members of the Contracting Party, Affiliated Entities or Third Party Service Providers (such as surname, first name, position in the company, professional email address, telephone number, User ID and password);
  • Users’ connexion and navigation data (such as User ID, password, IP address, login logs, API concerned, timestamp data, Request file format);
  • data relating to the Subscription (payment card and cardholder data, logs).

 

3.1.3 Recipient of Personal Data

 

For the Purposes, Mindee may disclose Personal Data to technical data processors, such as the Website and Platform hosting service provider, as well as the on-line payment solution service provider. 

Mindee discloses only to these technical data processors the Personal Data that they need to carry out their obligations, and requires from them that they do not use the Personal Data for other purposes.

The Contracting Party is also informed that, for invoicing purposes, the on-line payment solution service provider together with the financial establishments in charge of processing payments may also carry out processing of Personal Data on their own behalf, as separate data controllers and for separate purposes. It is the responsibility of the Contracting Party to consult their privacy policies for more information on the processing that they implement.

 

3.1.4 Storage period

 

The identification data of the employees of the Contracting Party, Affiliated Entities or Third Party Service Providers are stored, as the case may be, for the term of the Agreement or up to three (3) years after the term of the Agreement or the last contact for prospection and promotion of Services.

 

The data relating to the connexions and navigation of Users are stored, as the case may be, for a period of 12 months, for the time necessary for the verification and resolution of technical problems, for the term of the Agreement or may be archived for a duration beyond the term of the Agreement for administrative and/or evidentiary purposes. When this data is used to draw up statistics, pseudonymised data will be stored for a period of 24 months while anonymized statistical reports are kept for as long as necessary. 

 

Data relating to payment means are stored until the last payment instalment or due date.

 

3.1.5 Data Transfer 

 

Personal Data processed for the purpose of invoicing the Services may be transferred by our data processor to countries located outside the European Union. Where applicable, transfers are governed by measures such as the European Commission’s standard contractual clauses, binding corporate rules or any other appropriate safeguards according to the Applicable Regulations.

 

3.2 Obligations of Mindee

 

3.2.1 General Obligations 

 

Mindee is solely liable for compliance of the processing with the Applicable Regulations.

 

3.2.2 Data subjects’ rights and exercise of rights

 

In accordance with the Applicable Regulations, data subjects have the right to access, rectify, delete, limit, oppose and to data portability of their Personal Data, the right to give instructions relating to their Personal Data in the event of death and the right to bring a claim before the French data privacy supervisory authority (the CNIL). Data subjects may exercise their rights by writing to: privacy@mindee.com

 

3.2.3 Information to data subjects 

 

In the event that Mindee has no direct relationship with the data subjects whose Personal Data is being processed, the Contracting Party undertakes to provide to its employees and those of its Affiliated Entities and Third Party Service Providers, as well as all other relevant data subjects, all information relating to the processing of their Personal Data implemented by Mindee pursuant to this article 3.

 

3.2.4 Security

 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, Mindee undertakes to implement appropriate technical and organizational security measures, in order to preserve the confidentiality and security of Personal Data and in particular to prevent it from being distorted, damaged, misappropriated or communicated to unauthorized third parties and, more generally, to implement all appropriate technical and organizational measures to protect the Personal Data against destruction, loss, alteration, disclosure or unauthorized, accidental or unlawful access.

 

  4. Changes to the Privacy Policy

 

Mindee may make changes to all or part of the Privacy Policy, in order notably to comply with any regulatory, jurisprudential, editorial or technical evolution. Mindee will inform the Contracting Party of it by any means (including e-mail and information on the Website or the Platform) and will update the date on the first page hereof. It is the responsibility of the Contracting Party to regularly consult this page.

 

  5. Contact

 

For any question relating to the Privacy Policy or to Mindee’s Services, please contact Mindee by e-mail:

 

  • Mindee at: contact@mindee.com
  • Mindee’s DPO (currently Olivier Rey) at: dpo@mindee.com

 

These addresses are not to be used for the exercise of rights by the data subjects concerned; all such requests are to be sent exclusively by e-mail to privacy@mindee.com or by letter to Mindee’s registered office referred to in the preamble and addressed to the attention of Mindee’s DPO.

 

  6. Enforceability

 

The Contracting Party acknowledges and agrees that this Privacy Policy is enforceable against it when accepted by its authorized representative, whether by way of ticking a box or by any other means implemented on the Website or on the Platform, or through its signature (handwritten or electronic) when the Privacy Policy is expressly attached as an annex to the Agreement.

 

To this end, the Contracting Party acknowledges that the User or the legal representative executing the Agreement is duly authorized for the purposes hereof. 

 

 

Annex 1-A

Provision of Services

 

For the purposes of providing the Services, Mindee processes Client Data (which include Incoming Data and Results following the processing of a Request) via its APIs and/or as part of Maintenance (notably in the event of Report) remotely (by SaaS, Software as a Service) based on a public cloud infrastructure hosted by one of Mindee’s sub-data processor service providers according to the terms and conditions set out in the Privacy Policy and in the Agreement.

 

Purposes of Processing

Purpose 1: Processing Client Data for Request management as part of the Services 

Purpose 2: Processing Client Data for Maintenance of the Services 

Purpose 3: Production of statistics on usage for Services’ supervision and reporting 

Legal Basis

Purpose 1: as the case may be, performance of pre-contractual measures, performance of the Agreement, compliance with legal requirements or consent 

Purpose 2: legitimate interest

Purpose 3: performance of the Agreement

Categories of data subjects

Purposes 1 to 3: Contracting Party’s, Affiliated Entities’ or Third Party Service Providers’ staff acting as Users;

Purposes 1 and 2: identifiable individuals (such as Contracting Party’s, Affiliated Entities’ or End Clients’ customer, prospect or supplier) in the Incoming Data and Results.

Category of Personal Data

Purposes 1 and 2: types of data (Incoming Data and Results) as featured in the Documentation for each relevant API; 

Purposes 2 and 3: data associated with usage of Website, Platform and/or API (logs)

Source of Personal Data

- Users

- Client Data disclosed by Users

Recipient of Personal Data

- Mindee’s staff expressly authorized for processing purposes 

- staff of Mindee’s sub-data processors 

- Contracting Party, Affiliated Entities, Third Party Service Providers staff members or any other member of End Clients’ staff

Transfer of Personal Data outside the EU

No

Automated decision-making (art. 22 GDPR)

No

Storage period

- Incoming Data: a few milliseconds, the time to process the Request;

- Results: a few milliseconds, the time for the Module or the Platform to process the Request and to send a Result;

- data associated with the reporting of an Anomaly or reported by the technical administration systems on the Website or the Platform: the time for Mindee to check and review the Anomaly;

- recording history of actions and connexion logs: 6 rolling months;

- statistical data: for the term of the Agreement.

 

 

Annex 1-B

Training of Client Data sets

 

For the purposes of providing the Services, Mindee may process sets of Client Data (which include Incoming Data disclosed by the Client and Results processed following a Request) to train its algorithms developed for the API to improve Services.

 

Purposes of Processing

Processing sets of Client Data to improve Services 

Legal Basis

As the case may be, legitimate interest or consent

Categories of data subjects

- individuals such as customers, prospects or suppliers of the Contracting Party, Affiliated Entities or End Clients concerned by the Incoming Data.

Category of Personal Data

- types of data (Incoming Data and Results) as featured in the Documentation for each relevant API;

- Request data; 

- Anomaly Report data input by the Client or resulting from technical administration measures on the Website or the Platform.

Source of Personal Data

- Users

- Client Data disclosed by Users

Recipient of Personal Data

- Mindee’s staff expressly authorized for processing purposes 

- staff of Mindee’s sub-data processors 

- Client’s staff in charge of following up with data subjects’ requests to exercise rights

Transfer of Personal Data outside the EU

No

Automated decision-making (art. 22 GDPR)

No

Storage period

Maximum 2 years, except for data used to measure the performance of models over time, which are archived for the term of the Agreement.

The resulting machine learning model is stored with no time limit.