The company Flash Contract (papernest), in its capacity as data controller, attaches the utmost importance to
the purposes and methods of data processing that you are required to provide us with through our web
"the App"), accessible from the website
https://www.papernest.com (hereinafter "the
or through our "Call center".
This document also sets out your rights concerning the data we hold about you. For any request for additional
information, please contact our Data Protection Officer whose contact details are specified below.
The company Flash Contrat will be referred to hereinafter as "papernest", "we", "us" or "our".
1.1 Identity of the Data Controller and the Data Protection Officer
The person responsible for processing the personal data of users collected via the aforementioned Site and
The company Flash Contrat, a simplified joint stock company (SAS) registered under French law, with a
capital of 25,000 euros, whose registered office is located at 157 Boulevard Macdonald, 75019 Paris, RCS
(Paris B 809 710 858), SIREN number (809 710 558), represented by Mr. Philippe de la Chevasnerie, Chairman
and Mr. Benoît Fabre, Managing Director.
The Data Protection Officer (or "Data Protection Officer", "DPO") is:
Mr. Pierre Dubail, domiciled at the same address as the Data Controller and whose email address is:
1.2 Competent supervisory authorities
The competent supervisory authority shall be, as appropriate:
Commission nationale de l'informatique et des libertés (CNIL); 3 place de Fontenoy 75007 PARIS, tel:
- Secretaría de Estado para el Avance Digital, del Ministerio de Economía y Empresa; P. de la Castellana
160, C.P. 28046 Madrid, España.Teléfono Sede Electrónica: 91 349 46 40 | 902 446 006
- Agencia Española de Protección de Datos; C/ Jorge Juan, 6. 28001 MADRID, tel. (+34)90110099 -
- United Kingdom: Information Commissioner's Office; Wycliffe House Water Lane, Wilmslow, Cheshire, SK9
5AF; (+44) 0303 123 1113
To contact us
For any information regarding your personal data, you can contact the Data Controller or the DPO at the
postal address previously indicated, or by email at the following address:
- for the Data Controller
- for the Data Protection Officer
2. Collected data
What personal data do we collect?
When do we collect your personal data?
Personal data is any information relating to a natural person from which that person can be identified,
directly or indirectly, such as his or her first and last name, email address or telephone number.
In the course of our business, we may collect your personal data when:
- you engage in a subscription or termination of contract (energy, internet box, mobile, insurance, mail
forwarding or other services) on our App or via our Call Center;
- you browse our Site and/or our App and use our services;
- you contact our customer service directly, by telephone, email, post or via our online chat.
We may also receive information from third parties, in this case our partners, when you sign a contract with
one of them through us (for example, to confirm that we have taken into account and validated the said
The collection of your data by us is a prerequisite for the conclusion of contracts with our partners
(energy, telephone and internet suppliers, insurers, other service providers). You have the right to refuse
to provide the information requested. However, this may compromise the processing of your requests relating
to the services offered by the Data Controller.
When certain information is mandatory to access specific functionalities, of the Site or the App, the form
indicates the mandatory nature at the time of data entry.
2.2. The data that you send us directly
The personal data we collect is essentially the information you provide us directly when you initiate a
subscription (or cancellation) process on our App or by telephone via our Call Center. This data
- The identification data required to create an online user account: last name, first name, new postal
address, email address, telephone number, date and place of birth;
- The data necessary to qualify your needs and to obtain quotes and comparison information (for an energy
contract for example, we need to know the type of energy you need, the type of home you occupy to
estimate your consumption or the start date of the desired subscription);
- The data on which the subscription of the offers you select is based (in particular information relating
to payment (credit card number, cryptogram, expiry date) when you accept that we proceed on your behalf
to the payment of a subscribed offer);
- Proof of identity, only in the event of a request for access, rectification, deletion, limitation or
portability of your data.
Please note that our telephone experts, duly authorised for this purpose, may collect, as a complementary
measure, certain personal data concerning you, other than those expressly provided for in the fields of the
forms of the various routes, by taking notes in a free field of our CRM provided for this purpose, only when
this proves to be strictly necessary for the processing of your requests. The content of this field is
automatically and irreversibly destroyed 3 months after it has been entered. You have the right to
specifically object to this processing and for this purpose you can contact our Data Protection Officer at
the above-mentioned addresses.
2.3. The data that you transmit to us indirectly
When you take out a contract through us with one of our partners (energy supplier, internet box provider,
insurance company, etc.) this partner may share information with us relating to the contract in question.
2.4. The data we collect automatically
In addition to the information you provide directly, we collect a certain amount of data relating to your
connection, your navigation and your interaction with our services.
refer to the article Cookies below), information on how you interact with our content/features that help
us to optimize the user experience and the offer we provide to our visitors.
- Customer Service interaction data: when you contact us by phone, post, email or via our chat. We may
keep the date, the reason for your request as well as the content of your exchanges with Customer
Service in order to guarantee an efficient follow-up of your needs. If you contact us by telephone,
please note that your call may be recorded for training purposes and to improve our services.
2.5. Telephone recordings
In order to improve the quality of the user experience delivered by our Call Center, to optimize the training
of our operators in this respect, and to evaluate them, your calls are likely to be recorded. This recording
is not systematic. Recordings are kept for a period not exceeding six months. You may, if you wish, object
to this treatment by contacting our DPO at the above-mentioned address.
3. Purpose of processing
How do we use the data we collect?
We only process your personal data when we have a relevant legal basis for doing so. Depending on the
purpose, the processing we carry out may be appropriate:
- due to a contractual or pre-contractual necessity
- for the purposes of the legitimate interests pursued by Papernest, namely:
- our legitimate economic and commercial interest
- the improvement of our offer
- training and evaluation of our employees
- for compliance with a legal obligation
- following your consent, which you may choose to withdraw at any time
The data we collect and process is strictly necessary for the purposes specified below:
|Category of data processed||Purposes of processing||Legal Basis||Storage life|
|Identification data, data necessary for the qualification of your needs and
the subscription to the various offers
||3 years from your last activity (subscription, connection to the App,
incoming call, click in an email) or from the closing of your user account (+5 years in
Please note that the "notes" entered by the operators in the margin of the calls are
automatically deleted 3 months after they are entered.
|Data required to take out contracts with our partners||
||3 years from your last activity (+5 years in archiving base)|
|Connection and navigation data on the Site and/or the App||
||13 months from the deposit of cookies|
|Contact data (email address, telephone)||
To communicate with you in general, and more specifically to:
3 years from your last activity (+5 years in archiving base)
You can unsubscribe from our emails at any time by clicking on the unsubscribe link at the
bottom of each email
|Data obtained from our partners necessary for the conclusion of a contract||
||3 years from your last activity (+5 years in archiving base)|
|Telephone conversations via our Call Center||
||6 months from collection|
|Proof of identity||
4. Recipients of the data
Who are the recipients of the data we collect? Why do we give them this information?
We strive to treat your personal data in a private and confidential manner.
The data collected or processed when using our services are intended for the entities of papernest, more
specifically for the persons authorized and empowered internally who by their functions need to know them
for the purposes of the aforementioned processing.
These data may also have as recipients:
- our service providers, who may take part in the aforementioned processing operations, on our behalf and
on our instructions
- our partners (energy suppliers, telephony/internet access providers, insurers and other service
providers) to validate and activate the contracts that you may take out with them through us
Apart from the cases listed above, personal data concerning you may only be disclosed in application of a
law, a regulation, or by virtue of a decision of a competent regulatory or judicial authority, or, if
necessary, for the purposes of the Data Controller to protect your rights and interests.
5. Data Retention Period
How long do we keep your personal data?
Your data is kept on an active basis for a period of 3 years from the date of your last activity on the App
(subscription to a contract, connection) or via our Call center (incoming call), or from the closing of your
We may retain certain personal data for a longer period of time, including after the closure of your
account, to fulfill our legal obligations regarding retention or those of our partners and to defend or
enforce our rights. At the end of the aforementioned 3-year period, your data may thus be archived for 5
years in a dedicated archive with restricted access. These data are kept in their entirety, in view of the
The transfer to an intermediate archiving database is irreversible and the data stored there can no longer
be reintroduced into an active database.
We transfer these data concomitantly to our Big Data platform for statistical purposes. This data, which is
100% irreversibly anonymised after the aforementioned 3-year period, is useful to us to compile statistics
on the development and performance of our business.
Certain personal data are subject to a shorter retention period, which cannot exceed:
- 3 months from the date of their entry for notes entered manually by our call centre operators
- 6 months for audio recordings of telephone conversations via our Call Center
- 1 year for identity documents
- 13 months from the date of filing for cookies.
6. Data security
What security measures are applied to your data?
The security of your personal data is important to us. Because we want you to use our services with complete
confidence, we are committed to ensuring the protection of the data you entrust to us. To this end, we have
put in place physical, technical and organisational measures to ensure that your personal data is protected
against unauthorised access, accidental loss, destruction or damage.
To this end, we use firewalls to prevent unauthorised persons from accessing your information.
For added security, we use the AES-256 encryption algorithm to encrypt all data at rest on our application
and statistical analysis systems. In addition, access to production databases is controlled and secured (IP
filtering, access management policy) and access keys to computer servers are themselves encrypted, managed
in accordance with the FIPS 140-2 standard, and their access is logged.
Concerning payment data: we do not store any data relating to bank cards. We delegate to Stripe, a certified
payment intermediary, the secure processing of this data.
When the subscription takes place by telephone
via our call center and the call concerned is audio recorded, a masking function allows the part of the
conversation containing your bank card data to never be recorded. This information is entered directly into
the interfaces of the partners for whom you have selected contracts, without it being stored by our services
at any time.
Several specific procedures have been put in place within our internal organisation to optimise the security
of your data and minimise the risks of disclosure:
- The appointment of a Data Security Technical Manager, who is responsible for regularly auditing the
effectiveness of the procedures in place.
- Raising awareness and training our staff on their obligations regarding the protection of personal data.
- The notification of cases of data violation to the ICO within a maximum of 48 hours.
- Conducting a data protection impact assessment - planned for the second half of 2019
7. Your Rights
What are your rights regarding your personal data?
You have the following rights in relation to your Data:
7.1. Right to be informed
You have the right to be informed in a clear, transparent and intelligible manner about how we collect and
process your personal data and about your rights regarding such data. This is the purpose of this privacy
7.2. Right to access
The right to request (i) copies of the information we hold about you at any time, or (ii) that we modify,
update or delete such information. If we provide you with access to the information we hold about you, we
will not charge you for this, unless your request is "manifestly unfounded or excessive." Where we are
legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the
7.3. Right to correct
The right to have your Data rectified if it is inaccurate or incomplete.
7.4. Right to erase
The right to request that we delete or remove your Data from our systems.
7.5. Right to restrict our use of your Data
The right to "block" us from using your Data or limit the way in which we can use it.
7.6. Right to object
The right to object to our use of your Data including where we use it for our legitimate interests.
7.7. Right to data portability
The right to request that we move, copy or transfer your Data.
7.8. Right to withdraw consent
Where the processing is based on your consent, you have the right to withdraw your consent at any time,
without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal of
your consent. To do so, simply contact us at the above-mentioned address.
7.9. Right to object to telephone solicitation
we are likely to contact you by telephone to finalise the subscription of a contract that you have initiated
with us, by telephone or directly on our website, or to offer you a service similar to the one(s) that you
have already subscribed to with us (provided that you have given us your telephone number). You have the
right to object to your personal data being canvassed by telephone.
7.10. Right to determine instructions concerning the processing of your data after your death
You have the right to issue instructions regarding the storage, deletion and disclosure of your personal data
after your death. In order to define these instructions, we invite you to contact our Data Protection
Officer at the above-mentioned address
7.11. Right to lodge a complaint with the competent supervisory authority
You have the right to lodge a complaint about the way we handle or process your data with the competent
national supervisory authority (see 1.2).
7.12. Time limits for processing rights and notification
We undertake to respond to your requests within a reasonable period of time, which may not exceed 1 month
from receipt of your request, and to notify you of any operation carried out by our services in accordance
with your requests.
7.13. Closing your user account
If your user account is closed, we will in principle keep your personal data for a period of no more than 3
years. However, you have the right to object to this processing, by exercising your right of deletion in
accordance with the methods described above.
8.1. What is a cookie?
Cookies are small text files that are automatically deposited on your computer, smartphone or tablet when you
visit websites. They are stored by your browser.
from one browsing session to the next, and thus to optimise and personalise their operation and ergonomics
and to offer you the best possible browsing experience.
to re-enter them each time you visit. We also use other cookies to analyse the traffic on our site and to
better understand how our visitors use our site so that we can continually improve the service we offer.
Cookies are not malicious. They are not programs or viruses that can damage your terminal.
For more information about cookies in general, you can visit: www.allaboutcookies.org and http://youronlinechoices.com/fr
8.2. What types of cookies do we use?
We use 2 types of cookies:
- “Essential" cookies: these cookies are absolutely essential for the proper functioning of our Site and
our App. They facilitate your access, help you to navigate smoothly and to access all the
functionalities integrated into our service offer. Without them, our Site and our App would not function
properly and your navigation would not be as smooth as we would like it to be. For example, they allow
us to identify your browser when you return to us and to keep your login information so that you do not
have to re-enter it each time you visit.
- Third party cookies: We use third party services to better understand how you use our App, and how we
can improve the user experience we offer you. For example, analytics cookies help us track the volume,
source and browsing behavior of our traffic. This information is anonymous and is valuable to us to
recognize and count the number of visitors to our App and to collect information about how the App is
This allows us to identify the contents / features that are of most interest to our users in order to make
our service evolve in the right direction. For example, by ensuring that you can easily find what you are
looking for on our App.
Advertising cookies are only used to measure the performance of the campaigns that we activate on social
networks, i.e. to identify the share of our traffic attributable to this access lever.
No advertising is displayed on our Site or on our App and none of your data is marketed to third party
8.3. How long are cookies kept?
Cookies have a limited lifetime of 13 months after their first deposit on your browser.
8.4. What should you do if you wish to oppose cookies?
The registration of a cookie on your terminal is subject to your will, which you can express and
modify at any time through the settings offered by the browser you use to access our Site or our
If you have accepted in your browser the deposit of cookies on your terminal, the cookies integrated
in the pages you have consulted may be temporarily stored in a dedicated area of your terminal. Only
their sender will be able to read them.
If you wish to delete the cookies already stored on your device and set your browser to refuse any
new cookies, you can go directly to the cookie settings of the browser you use to access our Site or
Please note, however, that disabling cookies may affect the proper functioning of our App. Certain
features of the Site may no longer be accessible, for which we cannot be held responsible.
In order to exercise your choice, you may consult the following pages, depending on the browser you
This configuration differs on mobile or tablet:
- For iOS
- For Android
- For Blackberry
- For Windows Phone
8.4.2. For more information on cookies
If you would like more information on cookies and how to control them, you can consult the ICO website which provides a complete guide or the following website http://www.youronlinechoices.com/ where you will
find simple instructions on how to manage cookies depending on the browser you are using.
appear in this article. All changes will be effective immediately upon posting.
We will notify you of any such changes by email to the email address you have provided, or by posting a
notice directly on our Site and Application.
We invite you to consult this document regularly in order to be aware of the most recent version.