0330 818 6395

Privacy Policy

1. General

The company Flash Contract (papernest), in its capacity as data controller, attaches the utmost importance to
the respect and protection of your personal data. The purpose of this privacy policy is to inform you about
the purposes and methods of data processing that you are required to provide us with through our web
application https://app.papernest.com
"the App"), accessible from the website
https://www.papernest.com (hereinafter "the
or through our "Call center".

This document also sets out your rights concerning the data we hold about you. For any request for additional
information, please contact our Data Protection Officer whose contact details are specified below.

The company Flash Contrat will be referred to hereinafter as "papernest", "we", "us" or "our".

1.1 Identity of the Data Controller and the Data Protection Officer

The person responsible for processing the personal data of users collected via the aforementioned Site and
App is:
The company Flash Contrat, a simplified joint stock company (SAS) registered under French law, with a
capital of 25,000 euros, whose registered office is located at 157 Boulevard Macdonald, 75019 Paris, RCS
(Paris B 809 710 858), SIREN number (809 710 558), represented by Mr. Philippe de la Chevasnerie, Chairman
and Mr. Benoît Fabre, Managing Director.
The Data Protection Officer (or "Data Protection Officer", "DPO") is:
Mr. Pierre Dubail, domiciled at the same address as the Data Controller and whose email address is:

1.2 Competent supervisory authorities

The competent supervisory authority shall be, as appropriate:


  • Commission nationale de l'informatique et des libertés (CNIL); 3 place de Fontenoy 75007 PARIS, tel:


  • Secretaría de Estado para el Avance Digital, del Ministerio de Economía y Empresa; P. de la Castellana
    160, C.P. 28046 Madrid, España.Teléfono Sede Electrónica: 91 349 46 40 | 902 446 006
  • Agencia Española de Protección de Datos; C/ Jorge Juan, 6. 28001 MADRID, tel. (+34)90110099 -

United Kingdom:

  • United Kingdom: Information Commissioner's Office; Wycliffe House Water Lane, Wilmslow, Cheshire, SK9
    5AF; (+44) 0303 123 1113

To contact us

For any information regarding your personal data, you can contact the Data Controller or the DPO at the
postal address previously indicated, or by email at the following address:

  • donneespersonnelles@papernest.com, for the Data Controller
  • pierre.dubail@papernest.com, for the Data Protection Officer

2. Collected data

What personal data do we collect?

When do we collect your personal data?

Personal data is any information relating to a natural person from which that person can be identified,
directly or indirectly, such as his or her first and last name, email address or telephone number.
In the course of our business, we may collect your personal data when:

  • you engage in a subscription or termination of contract (energy, internet box, mobile, insurance, mail
    forwarding or other services) on our App or via our Call Center;
  • you browse our Site and/or our App and use our services;
  • you contact our customer service directly, by telephone, email, post or via our online chat.

We may also receive information from third parties, in this case our partners, when you sign a contract with
one of them through us (for example, to confirm that we have taken into account and validated the said
The collection of your data by us is a prerequisite for the conclusion of contracts with our partners
(energy, telephone and internet suppliers, insurers, other service providers). You have the right to refuse
to provide the information requested. However, this may compromise the processing of your requests relating
to the services offered by the Data Controller.
When certain information is mandatory to access specific functionalities, of the Site or the App, the form
indicates the mandatory nature at the time of data entry.

2.2. The data that you send us directly

The personal data we collect is essentially the information you provide us directly when you initiate a
subscription (or cancellation) process on our App or by telephone via our Call Center. This data

  • The identification data required to create an online user account: last name, first name, new postal
    address, email address, telephone number, date and place of birth;
  • The data necessary to qualify your needs and to obtain quotes and comparison information (for an energy
    contract for example, we need to know the type of energy you need, the type of home you occupy to
    estimate your consumption or the start date of the desired subscription);
  • The data on which the subscription of the offers you select is based (in particular information relating
    to payment (credit card number, cryptogram, expiry date) when you accept that we proceed on your behalf
    to the payment of a subscribed offer);
  • Proof of identity, only in the event of a request for access, rectification, deletion, limitation or
    portability of your data.

Please note that our telephone experts, duly authorised for this purpose, may collect, as a complementary
measure, certain personal data concerning you, other than those expressly provided for in the fields of the
forms of the various routes, by taking notes in a free field of our CRM provided for this purpose, only when
this proves to be strictly necessary for the processing of your requests. The content of this field is
automatically and irreversibly destroyed 3 months after it has been entered. You have the right to
specifically object to this processing and for this purpose you can contact our Data Protection Officer at
the above-mentioned addresses.

2.3. The data that you transmit to us indirectly

When you take out a contract through us with one of our partners (energy supplier, internet box provider,
insurance company, etc.) this partner may share information with us relating to the contract in question.

2.4. The data we collect automatically

In addition to the information you provide directly, we collect a certain amount of data relating to your
connection, your navigation and your interaction with our services.

  • Connection and navigation data on our Site and our App: we collect, through the use of cookies (please
    refer to the article Cookies below), information on how you interact with our content/features that help
    us to optimize the user experience and the offer we provide to our visitors.
  • Customer Service interaction data: when you contact us by phone, post, email or via our chat. We may
    keep the date, the reason for your request as well as the content of your exchanges with Customer
    Service in order to guarantee an efficient follow-up of your needs. If you contact us by telephone,
    please note that your call may be recorded for training purposes and to improve our services.

2.5. Telephone recordings

In order to improve the quality of the user experience delivered by our Call Center, to optimize the training
of our operators in this respect, and to evaluate them, your calls are likely to be recorded. This recording
is not systematic. Recordings are kept for a period not exceeding six months. You may, if you wish, object
to this treatment by contacting our DPO at the above-mentioned address.

3. Purpose of processing

How do we use the data we collect?

We only process your personal data when we have a relevant legal basis for doing so. Depending on the
purpose, the processing we carry out may be appropriate:

  • due to a contractual or pre-contractual necessity
  • for the purposes of the legitimate interests pursued by Papernest, namely:
    • our legitimate economic and commercial interest
    • the improvement of our offer
    • training and evaluation of our employees
  • for compliance with a legal obligation
  • following your consent, which you may choose to withdraw at any time

The data we collect and process is strictly necessary for the purposes specified below:

Category of data processed Purposes of processing Legal Basis Storage life
Identification data, data necessary for the qualification of your needs and
the subscription to the various offers
  • Allow you to access our services and present you with offers (those of our partners)
    personalised according to your needs and profile;
  • To provide you with access to the various functionalities of the App
  • Contact you, when necessary regarding our services, to retrieve the information required
    to conclude / validate the contract to which you have subscribed (your Meter Point
    Administration Number for example for the subscription of an energy contract)
  • Execution of a contract / pre-contractual measure
  • Our legitimate interest
3 years from your last activity (subscription, connection to the App,
incoming call, click in an email) or from the closing of your user account (+5 years in
archiving base)
Please note that the "notes" entered by the operators in the margin of the calls are
automatically deleted 3 months after they are entered.
Data required to take out contracts with our partners
  • Allow us to tell you whether you are eligible for a particular contract with a
    particular supplier and to tell you the exact price;
  • Allow us to subscribe on your behalf to our partners' contracts;
  • Allow us to make payment on your behalf for the contract you wish to subscribe to
    through us
  • Execution of a contract
3 years from your last activity (+5 years in archiving base)
Connection and navigation data on the Site and/or the App
  • To measure the audience that visits our Site and App;
  • To measure the interest and improve the efficiency and quality of the services we offer
  • Personalize the ergonomics, the user experience according to your profile, for example
    by pushing you the offers most relevant to you;
  • Allow our Customer Service to help you as efficiently as possible if you have any
    questions or complaints;
  • To carry out analysis, selection and user segmentation statistics to improve our
    services and serve our marketing strategy;
  • Your Consent
13 months from the deposit of cookies
Contact data (email address, telephone) To communicate with you in general, and more specifically to:

  • Keep you informed of the evolution of your contracts (by sending you, for example, an
    email confirmation of the validation of a contract you have subscribed to online or by
  • Collect your opinion / satisfaction on our services and/or the contracts subscribed;
  • Inform you in case of changes to our privacy policy;
  • Answer the questions you ask us by email or via our chat for example;
  • Help you to finalize the subscription of a contract initiated on our App or via our Call
    center, but not validated;
  • To propose you offers similar to those you have already subscribed to with us and that
    may be of interest to you.
  • Our legitimate interest
  • Performance of a contract / pre-contractual measure
3 years from your last activity (+5 years in archiving base)
You can unsubscribe from our emails at any time by clicking on the unsubscribe link at the
bottom of each email
Data obtained from our partners necessary for the conclusion of a contract
  • Enable us to monitor and inform you about the proper taking into account and validation
    of your contract by our partner with whom you have taken out a contract through us
  • Allow us to contact you if any information is missing to proceed with the actual
    contractualisation on the supplier side (meter reading, MAPN, etc.).
  • Execution of a contract
  • Our legitimate interest
3 years from your last activity (+5 years in archiving base)
Telephone conversations via our Call Center
  • Enable us to record our telephone exchanges in order to improve the quality of the user
    experience delivered by our Call Center, optimize the training of our teleoperators in
    this respect and evaluate them.
  • Our legitimate interest
6 months from collection
Proof of identity
  • To enable us to verify your identity in the event of a request from you to access,
    rectify, delete, limit or portray your data
  • Your Consent
12 months

4. Recipients of the data

Who are the recipients of the data we collect? Why do we give them this information?

We strive to treat your personal data in a private and confidential manner.
The data collected or processed when using our services are intended for the entities of papernest, more
specifically for the persons authorized and empowered internally who by their functions need to know them
for the purposes of the aforementioned processing.
These data may also have as recipients:

  • our service providers, who may take part in the aforementioned processing operations, on our behalf and
    on our instructions
  • our partners (energy suppliers, telephony/internet access providers, insurers and other service
    providers) to validate and activate the contracts that you may take out with them through us

Apart from the cases listed above, personal data concerning you may only be disclosed in application of a
law, a regulation, or by virtue of a decision of a competent regulatory or judicial authority, or, if
necessary, for the purposes of the Data Controller to protect your rights and interests.

5. Data Retention Period

How long do we keep your personal data?

Your data is kept on an active basis for a period of 3 years from the date of your last activity on the App
(subscription to a contract, connection) or via our Call center (incoming call), or from the closing of your
user account.
We may retain certain personal data for a longer period of time, including after the closure of your
account, to fulfill our legal obligations regarding retention or those of our partners and to defend or
enforce our rights. At the end of the aforementioned 3-year period, your data may thus be archived for 5
years in a dedicated archive with restricted access. These data are kept in their entirety, in view of the
purposes pursued.
The transfer to an intermediate archiving database is irreversible and the data stored there can no longer
be reintroduced into an active database.
We transfer these data concomitantly to our Big Data platform for statistical purposes. This data, which is
100% irreversibly anonymised after the aforementioned 3-year period, is useful to us to compile statistics
on the development and performance of our business.
Certain personal data are subject to a shorter retention period, which cannot exceed:

  • 3 months from the date of their entry for notes entered manually by our call centre operators
  • 6 months for audio recordings of telephone conversations via our Call Center
  • 1 year for identity documents
  • 13 months from the date of filing for cookies.

6. Data security

What security measures are applied to your data?

The security of your personal data is important to us. Because we want you to use our services with complete
confidence, we are committed to ensuring the protection of the data you entrust to us. To this end, we have
put in place physical, technical and organisational measures to ensure that your personal data is protected
against unauthorised access, accidental loss, destruction or damage.
To this end, we use firewalls to prevent unauthorised persons from accessing your information.
For added security, we use the AES-256 encryption algorithm to encrypt all data at rest on our application
and statistical analysis systems. In addition, access to production databases is controlled and secured (IP
filtering, access management policy) and access keys to computer servers are themselves encrypted, managed
in accordance with the FIPS 140-2 standard, and their access is logged.
Concerning payment data: we do not store any data relating to bank cards. We delegate to Stripe, a certified
payment intermediary, the secure processing of this data.
When the subscription takes place by telephone
via our call center and the call concerned is audio recorded, a masking function allows the part of the
conversation containing your bank card data to never be recorded. This information is entered directly into
the interfaces of the partners for whom you have selected contracts, without it being stored by our services
at any time.
Several specific procedures have been put in place within our internal organisation to optimise the security
of your data and minimise the risks of disclosure:

  • The appointment of a Data Security Technical Manager, who is responsible for regularly auditing the
    effectiveness of the procedures in place.
  • Raising awareness and training our staff on their obligations regarding the protection of personal data.
  • The notification of cases of data violation to the ICO within a maximum of 48 hours.
  • Conducting a data protection impact assessment - planned for the second half of 2019

7. Your Rights

What are your rights regarding your personal data?

You have the following rights in relation to your Data:

7.1. Right to be informed

You have the right to be informed in a clear, transparent and intelligible manner about how we collect and
process your personal data and about your rights regarding such data. This is the purpose of this privacy

7.2. Right to access

The right to request (i) copies of the information we hold about you at any time, or (ii) that we modify,
update or delete such information. If we provide you with access to the information we hold about you, we
will not charge you for this, unless your request is "manifestly unfounded or excessive." Where we are
legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the
reasons why.

7.3. Right to correct

The right to have your Data rectified if it is inaccurate or incomplete.

7.4. Right to erase

The right to request that we delete or remove your Data from our systems.

7.5. Right to restrict our use of your Data

The right to "block" us from using your Data or limit the way in which we can use it.

7.6. Right to object

The right to object to our use of your Data including where we use it for our legitimate interests.

7.7. Right to data portability

The right to request that we move, copy or transfer your Data.

7.8. Right to withdraw consent

Where the processing is based on your consent, you have the right to withdraw your consent at any time,
without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal of
your consent. To do so, simply contact us at the above-mentioned address.

7.9. Right to object to telephone solicitation

we are likely to contact you by telephone to finalise the subscription of a contract that you have initiated
with us, by telephone or directly on our website, or to offer you a service similar to the one(s) that you
have already subscribed to with us (provided that you have given us your telephone number). You have the
right to object to your personal data being canvassed by telephone.

7.10. Right to determine instructions concerning the processing of your data after your death

You have the right to issue instructions regarding the storage, deletion and disclosure of your personal data
after your death. In order to define these instructions, we invite you to contact our Data Protection
Officer at the above-mentioned address

7.11. Right to lodge a complaint with the competent supervisory authority

You have the right to lodge a complaint about the way we handle or process your data with the competent
national supervisory authority (see 1.2).

7.12. Time limits for processing rights and notification

We undertake to respond to your requests within a reasonable period of time, which may not exceed 1 month
from receipt of your request, and to notify you of any operation carried out by our services in accordance
with your requests.

7.13. Closing your user account

If your user account is closed, we will in principle keep your personal data for a period of no more than 3
years. However, you have the right to object to this processing, by exercising your right of deletion in
accordance with the methods described above.

8. Cookies

Cookies What is our policy on the use of cookies?

8.1. What is a cookie?

Cookies are small text files that are automatically deposited on your computer, smartphone or tablet when you
visit websites. They are stored by your browser.
The vast majority of websites use cookies to collect basic information about your browsing, to recognise you
from one browsing session to the next, and thus to optimise and personalise their operation and ergonomics
and to offer you the best possible browsing experience.
For example, we use cookies on our web application to memorize your connection data so that you don't have
to re-enter them each time you visit. We also use other cookies to analyse the traffic on our site and to
better understand how our visitors use our site so that we can continually improve the service we offer.
Cookies are not malicious. They are not programs or viruses that can damage your terminal.
For more information about cookies in general, you can visit: www.allaboutcookies.org and http://youronlinechoices.com/fr

8.2. What types of cookies do we use?

We use 2 types of cookies:

  • “Essential" cookies: these cookies are absolutely essential for the proper functioning of our Site and
    our App. They facilitate your access, help you to navigate smoothly and to access all the
    functionalities integrated into our service offer. Without them, our Site and our App would not function
    properly and your navigation would not be as smooth as we would like it to be. For example, they allow
    us to identify your browser when you return to us and to keep your login information so that you do not
    have to re-enter it each time you visit.
  • Third party cookies: We use third party services to better understand how you use our App, and how we
    can improve the user experience we offer you. For example, analytics cookies help us track the volume,
    source and browsing behavior of our traffic. This information is anonymous and is valuable to us to
    recognize and count the number of visitors to our App and to collect information about how the App is

This allows us to identify the contents / features that are of most interest to our users in order to make
our service evolve in the right direction. For example, by ensuring that you can easily find what you are
looking for on our App.
Advertising cookies are only used to measure the performance of the campaigns that we activate on social
networks, i.e. to identify the share of our traffic attributable to this access lever.
No advertising is displayed on our Site or on our App and none of your data is marketed to third party

8.3. How long are cookies kept?

Cookies have a limited lifetime of 13 months after their first deposit on your browser.

8.4. What should you do if you wish to oppose cookies?

  • 8.4.1. Revoke your consent to the use of cookies via your browser

    The registration of a cookie on your terminal is subject to your will, which you can express and
    modify at any time through the settings offered by the browser you use to access our Site or our
    If you have accepted in your browser the deposit of cookies on your terminal, the cookies integrated
    in the pages you have consulted may be temporarily stored in a dedicated area of your terminal. Only
    their sender will be able to read them.
    If you wish to delete the cookies already stored on your device and set your browser to refuse any
    new cookies, you can go directly to the cookie settings of the browser you use to access our Site or
    our App.
    Please note, however, that disabling cookies may affect the proper functioning of our App. Certain
    features of the Site may no longer be accessible, for which we cannot be held responsible.
    In order to exercise your choice, you may consult the following pages, depending on the browser you
    are using:

    • Safari
    • Chrome
    • Firefox
    • Opera

    This configuration differs on mobile or tablet:

    • For iOS
    • For Android
    • For Blackberry
    • For Windows Phone

    8.4.2. For more information on cookies

    If you would like more information on cookies and how to control them, you can consult the ICO website which provides a complete guide or the following website http://www.youronlinechoices.com/ where you will
    find simple instructions on how to manage cookies depending on the browser you are using.

9. Updating the privacy policy

We may change this Privacy Policy from time to time. The date on which the last revisions were made will
appear in this article. All changes will be effective immediately upon posting.
We will notify you of any such changes by email to the email address you have provided, or by posting a
notice directly on our Site and Application.

We invite you to consult this document regularly in order to be aware of the most recent version.

This Privacy Policy was last updated on January 15, 2019.