Privacy Policy

1. General

The company Flash Contract (papernest), in its capacity as data controller, attaches the utmost importance to the respect and protection of your personal data. The purpose of this privacy policy is to inform you about the purposes and methods of data processing that you are required to provide us with through our web application https://app.papernest.com (hereinafter "the App"), accessible from the website https://www.papernest.com (hereinafter "the Site"), or through our "Call center".

This document also sets out your rights concerning the data we hold about you. For any request for additional information, please contact our Data Protection Officer whose contact details are specified below.

The company Flash Contrat will be referred to hereinafter as "papernest", "we", "us" or "our".

1.1 Identity of the Data Controller and the Data Protection Officer

The person responsible for processing the personal data of users collected via the aforementioned Site and App is:
The company Flash Contrat, a simplified joint stock company (SAS) registered under French law, with a capital of 25,000 euros, whose registered office is located at 157 Boulevard Macdonald, 75019 Paris, RCS (Paris B 809 710 858), SIREN number (809 710 558), represented by Mr. Philippe de la Chevasnerie, Chairman and Mr. Benoît Fabre, Managing Director.
The Data Protection Officer (or "Data Protection Officer", "DPO") is:
Mr. Pierre Dubail, domiciled at the same address as the Data Controller and whose email address is: pierre.dubail@papernest.com.

1.2 Competent supervisory authorities

The competent supervisory authority shall be, as appropriate:

France:

  • Commission nationale de l'informatique et des libertés (CNIL); 3 place de Fontenoy 75007 PARIS, tel: +33153732222

Spain:

  • Secretaría de Estado para el Avance Digital, del Ministerio de Economía y Empresa; P. de la Castellana 160, C.P. 28046 Madrid, España.Teléfono Sede Electrónica: 91 349 46 40 | 902 446 006
  • Agencia Española de Protección de Datos; C/ Jorge Juan, 6. 28001 MADRID, tel. (+34)90110099 - (+34)912663517R

United Kingdom:

  • United Kingdom: Information Commissioner's Office; Wycliffe House Water Lane, Wilmslow, Cheshire, SK9 5AF; (+44) 0303 123 1113

To contact us

For any information regarding your personal data, you can contact the Data Controller or the DPO at the postal address previously indicated, or by email at the following address:

  • donneespersonnelles@papernest.com, for the Data Controller
  • pierre.dubail@papernest.com, for the Data Protection Officer

2. Collected data

What personal data do we collect?

When do we collect your personal data?

Personal data is any information relating to a natural person from which that person can be identified, directly or indirectly, such as his or her first and last name, email address or telephone number.
In the course of our business, we may collect your personal data when:

  • you engage in a subscription or termination of contract (energy, internet box, mobile, insurance, mail forwarding or other services) on our App or via our Call Center;
  • you browse our Site and/or our App and use our services;
  • you contact our customer service directly, by telephone, email, post or via our online chat.

We may also receive information from third parties, in this case our partners, when you sign a contract with one of them through us (for example, to confirm that we have taken into account and validated the said contract).
The collection of your data by us is a prerequisite for the conclusion of contracts with our partners (energy, telephone and internet suppliers, insurers, other service providers). You have the right to refuse to provide the information requested. However, this may compromise the processing of your requests relating to the services offered by the Data Controller. When certain information is mandatory to access specific functionalities, of the Site or the App, the form indicates the mandatory nature at the time of data entry.

2.2. The data that you send us directly

The personal data we collect is essentially the information you provide us directly when you initiate a subscription (or cancellation) process on our App or by telephone via our Call Center. This data includes:

  • The identification data required to create an online user account: last name, first name, new postal address, email address, telephone number, date and place of birth;
  • The data necessary to qualify your needs and to obtain quotes and comparison information (for an energy contract for example, we need to know the type of energy you need, the type of home you occupy to estimate your consumption or the start date of the desired subscription);
  • The data on which the subscription of the offers you select is based (in particular information relating to payment (credit card number, cryptogram, expiry date) when you accept that we proceed on your behalf to the payment of a subscribed offer);
  • Proof of identity, only in the event of a request for access, rectification, deletion, limitation or portability of your data.

Please note that our telephone experts, duly authorised for this purpose, may collect, as a complementary measure, certain personal data concerning you, other than those expressly provided for in the fields of the forms of the various routes, by taking notes in a free field of our CRM provided for this purpose, only when this proves to be strictly necessary for the processing of your requests. The content of this field is automatically and irreversibly destroyed 3 months after it has been entered. You have the right to specifically object to this processing and for this purpose you can contact our Data Protection Officer at the above-mentioned addresses.

2.3. The data that you transmit to us indirectly

When you take out a contract through us with one of our partners (energy supplier, internet box provider, insurance company, etc.) this partner may share information with us relating to the contract in question.

2.4. The data we collect automatically

In addition to the information you provide directly, we collect a certain amount of data relating to your connection, your navigation and your interaction with our services.

  • Connection and navigation data on our Site and our App: we collect, through the use of cookies (please refer to the article Cookies below), information on how you interact with our content/features that help us to optimize the user experience and the offer we provide to our visitors.
  • Customer Service interaction data: when you contact us by phone, post, email or via our chat. We may keep the date, the reason for your request as well as the content of your exchanges with Customer Service in order to guarantee an efficient follow-up of your needs. If you contact us by telephone, please note that your call may be recorded for training purposes and to improve our services.

2.5. Telephone recordings

In order to improve the quality of the user experience delivered by our Call Center, to optimize the training of our operators in this respect, and to evaluate them, your calls are likely to be recorded. This recording is not systematic. Recordings are kept for a period not exceeding six months. You may, if you wish, object to this treatment by contacting our DPO at the above-mentioned address.

3. Purpose of processing

How do we use the data we collect?

We only process your personal data when we have a relevant legal basis for doing so. Depending on the purpose, the processing we carry out may be appropriate:

  • due to a contractual or pre-contractual necessity
  • for the purposes of the legitimate interests pursued by Papernest, namely:
    • our legitimate economic and commercial interest
    • the improvement of our offer
    • training and evaluation of our employees
  • for compliance with a legal obligation
  • following your consent, which you may choose to withdraw at any time

The data we collect and process is strictly necessary for the purposes specified below:

Category of data processed Purposes of processing Legal Basis Storage life
Identification data, data necessary for the qualification of your needs and the subscription to the various offers
  • Allow you to access our services and present you with offers (those of our partners) personalised according to your needs and profile;
  • To provide you with access to the various functionalities of the App
  • Contact you, when necessary regarding our services, to retrieve the information required to conclude / validate the contract to which you have subscribed (your Meter Point Administration Number for example for the subscription of an energy contract)
  • Execution of a contract / pre-contractual measure
  • Our legitimate interest
3 years from your last activity (subscription, connection to the App, incoming call, click in an email) or from the closing of your user account (+5 years in archiving base)
Please note that the "notes" entered by the operators in the margin of the calls are automatically deleted 3 months after they are entered.
Data required to take out contracts with our partners
  • Allow us to tell you whether you are eligible for a particular contract with a particular supplier and to tell you the exact price;
  • Allow us to subscribe on your behalf to our partners' contracts;
  • Allow us to make payment on your behalf for the contract you wish to subscribe to through us
  • Execution of a contract
3 years from your last activity (+5 years in archiving base)
Connection and navigation data on the Site and/or the App
  • To measure the audience that visits our Site and App;
  • To measure the interest and improve the efficiency and quality of the services we offer you;
  • Personalize the ergonomics, the user experience according to your profile, for example by pushing you the offers most relevant to you;
  • Allow our Customer Service to help you as efficiently as possible if you have any questions or complaints;
  • To carry out analysis, selection and user segmentation statistics to improve our services and serve our marketing strategy;
  • Your Consent
13 months from the deposit of cookies
Contact data (email address, telephone) To communicate with you in general, and more specifically to:
  • Keep you informed of the evolution of your contracts (by sending you, for example, an email confirmation of the validation of a contract you have subscribed to online or by telephone)
  • Collect your opinion / satisfaction on our services and/or the contracts subscribed;
  • Inform you in case of changes to our privacy policy;
  • Answer the questions you ask us by email or via our chat for example;
  • Help you to finalize the subscription of a contract initiated on our App or via our Call center, but not validated;
  • To propose you offers similar to those you have already subscribed to with us and that may be of interest to you.
  • Our legitimate interest
  • Performance of a contract / pre-contractual measure
3 years from your last activity (+5 years in archiving base)
You can unsubscribe from our emails at any time by clicking on the unsubscribe link at the bottom of each email
Data obtained from our partners necessary for the conclusion of a contract
  • Enable us to monitor and inform you about the proper taking into account and validation of your contract by our partner with whom you have taken out a contract through us
  • Allow us to contact you if any information is missing to proceed with the actual contractualisation on the supplier side (meter reading, MAPN, etc.).
  • Execution of a contract
  • Our legitimate interest
3 years from your last activity (+5 years in archiving base)
Telephone conversations via our Call Center
  • Enable us to record our telephone exchanges in order to improve the quality of the user experience delivered by our Call Center, optimize the training of our teleoperators in this respect and evaluate them.
  • Our legitimate interest
6 months from collection
Proof of identity
  • To enable us to verify your identity in the event of a request from you to access, rectify, delete, limit or portray your data
  • Your Consent
12 months

4. Recipients of the data

Who are the recipients of the data we collect? Why do we give them this information?

We strive to treat your personal data in a private and confidential manner.
The data collected or processed when using our services are intended for the entities of papernest, more specifically for the persons authorized and empowered internally who by their functions need to know them for the purposes of the aforementioned processing.
These data may also have as recipients:

  • our service providers, who may take part in the aforementioned processing operations, on our behalf and on our instructions
  • our partners (energy suppliers, telephony/internet access providers, insurers and other service providers) to validate and activate the contracts that you may take out with them through us

Apart from the cases listed above, personal data concerning you may only be disclosed in application of a law, a regulation, or by virtue of a decision of a competent regulatory or judicial authority, or, if necessary, for the purposes of the Data Controller to protect your rights and interests.

5. Data Retention Period

How long do we keep your personal data?

Your data is kept on an active basis for a period of 3 years from the date of your last activity on the App (subscription to a contract, connection) or via our Call center (incoming call), or from the closing of your user account.
We may retain certain personal data for a longer period of time, including after the closure of your account, to fulfill our legal obligations regarding retention or those of our partners and to defend or enforce our rights. At the end of the aforementioned 3-year period, your data may thus be archived for 5 years in a dedicated archive with restricted access. These data are kept in their entirety, in view of the purposes pursued.
The transfer to an intermediate archiving database is irreversible and the data stored there can no longer be reintroduced into an active database.
We transfer these data concomitantly to our Big Data platform for statistical purposes. This data, which is 100% irreversibly anonymised after the aforementioned 3-year period, is useful to us to compile statistics on the development and performance of our business.
Certain personal data are subject to a shorter retention period, which cannot exceed:

  • 3 months from the date of their entry for notes entered manually by our call centre operators
  • 6 months for audio recordings of telephone conversations via our Call Center
  • 1 year for identity documents
  • 13 months from the date of filing for cookies.

6. Data security

What security measures are applied to your data?

The security of your personal data is important to us. Because we want you to use our services with complete confidence, we are committed to ensuring the protection of the data you entrust to us. To this end, we have put in place physical, technical and organisational measures to ensure that your personal data is protected against unauthorised access, accidental loss, destruction or damage.
To this end, we use firewalls to prevent unauthorised persons from accessing your information.
For added security, we use the AES-256 encryption algorithm to encrypt all data at rest on our application and statistical analysis systems. In addition, access to production databases is controlled and secured (IP filtering, access management policy) and access keys to computer servers are themselves encrypted, managed in accordance with the FIPS 140-2 standard, and their access is logged.
Concerning payment data: we do not store any data relating to bank cards. We delegate to Stripe, a certified payment intermediary, the secure processing of this data.
When the subscription takes place by telephone via our call center and the call concerned is audio recorded, a masking function allows the part of the conversation containing your bank card data to never be recorded. This information is entered directly into the interfaces of the partners for whom you have selected contracts, without it being stored by our services at any time.
Several specific procedures have been put in place within our internal organisation to optimise the security of your data and minimise the risks of disclosure:

  • The appointment of a Data Security Technical Manager, who is responsible for regularly auditing the effectiveness of the procedures in place.
  • Raising awareness and training our staff on their obligations regarding the protection of personal data.
  • The notification of cases of data violation to the ICO within a maximum of 48 hours.
  • Conducting a data protection impact assessment - planned for the second half of 2019

7. Your Rights

What are your rights regarding your personal data?

You have the following rights in relation to your Data:

7.1. Right to be informed

You have the right to be informed in a clear, transparent and intelligible manner about how we collect and process your personal data and about your rights regarding such data. This is the purpose of this privacy policy!

7.2. Right to access

The right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is "manifestly unfounded or excessive." Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.

7.3. Right to correct

The right to have your Data rectified if it is inaccurate or incomplete.

7.4. Right to erase

The right to request that we delete or remove your Data from our systems.

7.5. Right to restrict our use of your Data

The right to "block" us from using your Data or limit the way in which we can use it.

7.6. Right to object

The right to object to our use of your Data including where we use it for our legitimate interests.

7.7. Right to data portability

The right to request that we move, copy or transfer your Data.

7.8. Right to withdraw consent

Where the processing is based on your consent, you have the right to withdraw your consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal of your consent. To do so, simply contact us at the above-mentioned address.

7.9. Right to object to telephone solicitation

we are likely to contact you by telephone to finalise the subscription of a contract that you have initiated with us, by telephone or directly on our website, or to offer you a service similar to the one(s) that you have already subscribed to with us (provided that you have given us your telephone number). You have the right to object to your personal data being canvassed by telephone.

7.10. Right to determine instructions concerning the processing of your data after your death

You have the right to issue instructions regarding the storage, deletion and disclosure of your personal data after your death. In order to define these instructions, we invite you to contact our Data Protection Officer at the above-mentioned address

7.11. Right to lodge a complaint with the competent supervisory authority

You have the right to lodge a complaint about the way we handle or process your data with the competent national supervisory authority (see 1.2).

7.12. Time limits for processing rights and notification

We undertake to respond to your requests within a reasonable period of time, which may not exceed 1 month from receipt of your request, and to notify you of any operation carried out by our services in accordance with your requests.

7.13. Closing your user account

If your user account is closed, we will in principle keep your personal data for a period of no more than 3 years. However, you have the right to object to this processing, by exercising your right of deletion in accordance with the methods described above.

8. Cookies

Cookies What is our policy on the use of cookies?

8.1. What is a cookie?

Cookies are small text files that are automatically deposited on your computer, smartphone or tablet when you visit websites. They are stored by your browser.
The vast majority of websites use cookies to collect basic information about your browsing, to recognise you from one browsing session to the next, and thus to optimise and personalise their operation and ergonomics and to offer you the best possible browsing experience.
For example, we use cookies on our web application to memorize your connection data so that you don't have to re-enter them each time you visit. We also use other cookies to analyse the traffic on our site and to better understand how our visitors use our site so that we can continually improve the service we offer.
Cookies are not malicious. They are not programs or viruses that can damage your terminal.
For more information about cookies in general, you can visit: www.allaboutcookies.org and http://youronlinechoices.com/fr

8.2. What types of cookies do we use?

We use 2 types of cookies:

  • “Essential" cookies: these cookies are absolutely essential for the proper functioning of our Site and our App. They facilitate your access, help you to navigate smoothly and to access all the functionalities integrated into our service offer. Without them, our Site and our App would not function properly and your navigation would not be as smooth as we would like it to be. For example, they allow us to identify your browser when you return to us and to keep your login information so that you do not have to re-enter it each time you visit.
  • Third party cookies: We use third party services to better understand how you use our App, and how we can improve the user experience we offer you. For example, analytics cookies help us track the volume, source and browsing behavior of our traffic. This information is anonymous and is valuable to us to recognize and count the number of visitors to our App and to collect information about how the App is used.

This allows us to identify the contents / features that are of most interest to our users in order to make our service evolve in the right direction. For example, by ensuring that you can easily find what you are looking for on our App.
Advertising cookies are only used to measure the performance of the campaigns that we activate on social networks, i.e. to identify the share of our traffic attributable to this access lever.
No advertising is displayed on our Site or on our App and none of your data is marketed to third party partners.

8.3. How long are cookies kept?

Cookies have a limited lifetime of 13 months after their first deposit on your browser.

8.4. What should you do if you wish to oppose cookies?

9. Updating the privacy policy

We may change this Privacy Policy from time to time. The date on which the last revisions were made will appear in this article. All changes will be effective immediately upon posting. We will notify you of any such changes by email to the email address you have provided, or by posting a notice directly on our Site and Application.
We invite you to consult this document regularly in order to be aware of the most recent version.

This Privacy Policy was last updated on January 15, 2019.

By continuing to browse the site, you are agreeing to our use of cookies to measure and personalize your experience. Find out more.