Privacy policy
Website Privacy Policy
We care a great deal about Privacy
This website does not use cookies, and we don't collect personal information without proactive user consent.
Foreword
This website is operated by Entropia, S.A.S with capital 17,967.31€, a company registered under the Trade and Companies Registry of Versailles under number 980705016, located 29 rue de Lafayette, 78000 Versailles, France (hereinafter “Entropia”, “entropia.io”, or “we”, “us”).
For the purposes of applicable data protection laws, including but not limited to the European Union General Data Protection Regulation 2016/679 of 27 April 2916, (hereinafter “GDPR”), Entropia is controller of the Personal Data you provide to us (“Data Controller”).
As a Data Controller, we process your Personal Data in accordance with this Privacy Policy and the provisions of applicable data protection laws, including the French Act No. 78-17 of 6 January 1978 on information technology, data files and civil liberties and the GDPR.
By using and visiting the website “entropia.io” (hereafter the “Website”) and/or by submitting your personal information to us, and/or by registering as a user of the services that we provide, you agree to us using your Personal Data as set out in this Privacy Policy.
Any dispute which may arise over privacy will be subject to this Privacy Policy, the data protection notice (if any) incorporated into this Website and the provisions of French laws.
We may change our Privacy Policy from time to time. Any modification will be effective as of its publication on the Website. We will notify you of any significant changes.
Our Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these websites.
Definitions
- Company : Entropia
- Client: Any professional or person who has capacity as defined by Articles 1123 et seq. of the French Civil Code, or a legal entity, visiting the website to which these terms and conditions refer.
- Services: entropia.io provides Clients with Content : All the elements of information on the website, including texts, images and videos.
- Client Information: Hereinafter, "Information", meaning all the personal data held by Entropia to manage accounts and Client relations, and to undertake analytical and statistical work,
- User : Internet user who visits or uses the above website.
- Personal Information or Personal Data : "Information that allows the person to which it refers to be identified, in any form, whether directly or indirectly," (Article 4 of the French Data Protection Act no. 78-17 of 6 January 1978). The terms "personal data", "data subject", "processor" and "sensitive data" are defined in the General Data Protection Regulation (GDPR: no. 2016/679).
Collection and Processing of Personal Data
We care a great deal about Privacy. This website does not set cookies, nor uses similar technologies like (but not limited to) local storage, session cookies, fingerprinting, or IP address hashing. We track website usage with a limited open source solution called Plausible Analytics which does not collect personal information.
We only collect personal information when you fill in any of the forms on our Website.
Cookies
entropia.io does not set cookies.
Subscribing to our newsletter
When you subscribe to our newsletter, we collect and process your first name, last name and email address to be able to send you our newsletter by email. This processing is based on your consent. You can withdraw your permission at any time, by using the unsubscribe link included in every newsletter you will receive.
We will retain your Personal Data as long as we have an ongoing relationship with you, i.e. three years since your subscription or your last interaction with Entropia. At the end of that period, or once you withdraw your consent, your Personal Data may be stored for evidentiary purposes for the legal prescription periods.
Sending us a message
When you are sending us a message through the contact form, we collect and process your first name, last name, your company and your job title, your email address, your phone number and the object and content of the message you are sending.
This processing is based on your consent, and on our legitimate interest to identify the persons who are contacting us. If you do not provide your Personal Data, we may not be able to process your message properly or at all.
Applying for a job
When you are applying for a job, we may collect and process, depending on what information you deliver: your first name, last name, your email address, your phone number, your LinkedIn profile, the office and position you are applying for, your resume and your motivation.
The legal basis for this processing is its necessity in order to take steps prior to entering into a contract at your request, in this case an employment contract. This processing is also justified on the basis of our legitimate interest for ensuring that we recruit the appropriate employees.
If your application is unsuccessful, we will delete or destroy your Personal Data, unless you allow us to keep it for consideration for future employment opportunities. When you have given your consent, we will store your Personal Data for two years. At the end of that period, or once you withdraw your consent, your Personal Data may be stored for evidentiary purposes for the legal prescription periods.
If your application for employment is successful, Personal Data gathered during the recruitment process will be transferred to your personal file and retained during your employment. The periods for which your data will be held will be provided to you in a HR privacy notice.
Data location and security
When you share personal data with us via our website, it is collected using Brevo platform and its Double Opt-in flow, ensuring that we only collect emails that are owned by the current user. Brevo is ISO 27001:2013-certified.
Your data might also be processed via other third party software providers, such as (but not restricted to) Google Drive. All data uploaded to Google Drive is encrypted in transit and at rest. Google products regularly undergo independent verification of their security, privacy, and compliance controls. Note that Google's infrastructure is distributed across multiple data centers around the globe, some of which are located in countries outside the European Economic Area (EEA).
The 3rd party software service providers we use to process your personal data have their own data security policies. They act as Data Processors with regards to GDPR.
We secure our Website and other systems through technical and organisational measures against loss, destruction, access, modification or distribution of your data by unauthorised persons.
Note that unfortunately, the transmission of information via the internet can't always be considered 100% secure. Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised data access, destruction or alteration. As technology advances we are regularly updating and enhancing the security and organisational measures.
Sharing personal information
Any Personal Data collected is intended exclusively for Entropia. We do not sell or rent your Personal Data to any other parties.
Updates to this policy
We may change this policy from time to time by updating this page. Please check this page every once in a while to ensure that you are aware of any changes.
Your rights
As a data subject, and in accordance with the French Data Protection Act of 6 January 1978 and the GDPR, you have the right to access, interrogate, limit, port, erasing, modifying and correcting information about you. You also have a right to object to the processing of your personal data, as well as a right to object to this data being used for commercial prospecting purposes. Finally, you have the right to define general and specific guidelines defining the manner in which you intend to exercise these rights after your death.
You may exercise these rights with the Data Protection Officer at the following address: [email protected]. Entropia has a period of one month from the receipt of your request to communicate, complete or delete the information, as the case may be.
Internet users who consent on forms to receive e-mails containing information and requests from Entropia may revoke this consent at any time, either by clicking on the hyperlink provided for this purpose at the bottom of the e-mails they receive, or sending an e-mail with unsubscribe on the subject line [email protected] .
Finally, you have the right to lodge a complaint with the competent data protection supervisory authority, as for instance with the ”Commission Nationale de l'Informatique et des Libertés” (CNIL), the French supervisory authority responsible for compliance with obligations regarding the protection of personal data.
Further information & contact
If you have further questions or concerns, please contact us at [email protected]
API & Services - Data Processing Agreement
Scope
This policy is about Entropia’s softwares and APIs, including but not limited to the SaaS product Documentalist. All are hereafter referred to as the Services.
Personal Data Processing, Purposes, and Controllership
Authentication
- Data Processed
Entropia may collect the credentials of customers' employees, such as email addresses, and set cookies in their browsers for authentication purposes.
- Purpose
The sole purpose is to authenticate users accessing the service.
- Consent
Explicit consent is obtained from users at the time of login.
- Retention
Entropia may retain user credentials for the duration of the contractual relationship with the Customer (the user's employer), with a minimum of 14 days
- Data Controller Status
Entropia acts as a data controller in this context.
- Legal basis for processing
Contract : the processing is necessary for the delivery of the service, to safeguard data access controls.
Data processed via Entropia's Services
- Data Processed
Entropia processes documents belonging to the Customer and containing personal information as a part of its indexing service. This may include personal data of the customer's employees or third parties. Access to indexed data is strictly limited to authorized engineering staff for maintenance or product development, in line with our Data Security Policy
- Purpose
No personal data processed by Entropia is used for any purposes outside those necessary for the provision of the Services.
- Retention
The retention policy aligns with the customer's document lifecycle : Entropia Services behaves in sync with the Customer’s file management system, meaning that Entropia will only retain its copy of a file’s content as long as the file exists in the Customer’s file system. If a file is modified or deleted by the Customer, Entropia will re-index, or de-index the corresponding content as soon as the file system’s API notifies the change (usually within minutes, depending on the file system provider).
- Data Controller Status
In this context, Entropia acts as a data processor.
- Legal basis for processing
Contract : the processing is necessary for the delivery of the service.
User Consent
Before collecting user credentials for authentication purposes, Entropia shows a notification to inform the user about which information will be collected and for which purpose. The sharing of information is therefore informed, specific and voluntary, as required by GDPR.
Data localisation and international data transfers
Entropia is committed to ensuring the secure and lawful handling of all personal data within its custody. This commitment extends to how data is localized and transferred internationally.
Data hosting and processing agreements
Primary data hosting By default, all personal data collected by Entropia is hosted by Scaleway SAS, in data centres based in France. Scaleway SAS operates with the following Data Processing Agreement : Scaleway SAS - Data Processing Agreement
Roles & responsibilities When Entropia functions as a data controller, Scaleway SAS is engaged as a data processor. Conversely, when Entropia acts as data processor, Scaleway SAS assumes the role of a sub-processor.
AI models processing
In-house AI models processing When Entropia runs AI models on Customer’s data, models run in the Entropia infrastructure. This ensures that data remains under our control without being transmitted to third-party entities via APIs for processing.
Consent for AI models training No AI models are trained on customer data without obtaining explicit consent from the data subjects or from the customers, respecting the principle of purpose limitation.
Restriction on third-party benefits The use of AI models trained on customer data to benefit third parties is strictly prohibited unless such arrangements are explicitly agreed upon through formal contracts, ensuring data subjects’ rights and interests are safeguarded.
Custom deployment options
Entropia offers flexibility in data hosting, including options for deployment on other cloud platforms at the customer's request or on-premises installations. In such cases, data localization and processing agreements will adhere to the legal requirements and protections specified by the chosen hosting solution, ensuring continuous compliance with GDPR and other relevant data protection laws.
Data Minimisation
Entropia commits to collecting only the personal data necessary for the specified purposes of authentication and service usage analytics. The principle of data minimization is applied rigorously, ensuring no unnecessary personal data is processed.
Essential Data Collection For authentication purposes, the collection of user email credentials and the setting of authentication cookies are deemed necessary. This approach safeguards against unauthorized access, aligning with our security measures without excessive data processing.
Service Usage Analytics Entropia performs analytics to monitor product engagement and optimize service delivery. This is achieved by aggregating data such as the number of API calls, which provides insights into service utilization without identifying individual users or processing personal data beyond what is necessary.
Data Security
Please refer to our Data Security Policy for all information about technical and organizational measures in place to protect data against unauthorized or unlawful processing and against accidental loss, destruction or damage. These include comprehensive details about data encryption, access controls, and data breach policies (but not limited to).
Data Subject Rights
In accordance with the General Data Protection Regulation (GDPR), Entropia recognizes and upholds the following rights of data subjects:
- Right to Be Informed : Data subjects have the right to be provided with clear, transparent, and easily understandable information about how their personal data is used and their rights. This includes the necessity for providing information through this privacy policy and at the point of personal data collection.
- Right of Access: Data subjects have the right to access their personal data processed by Entropia. This includes the right to obtain confirmation of whether or not personal data concerning them is being processed, access to the personal data, and other supplementary information akin to that provided in this privacy policy.
- Right to Rectification: Data subjects have the right to have inaccurate personal data rectified, or completed if it is incomplete. Entropia commits to prompt action upon receiving rectification requests. Right to Erasure (‘Right to Be Forgotten’): Data subjects have the right to have personal data erased under certain conditions, such as when the personal data is no longer necessary for the original purpose, or when the data subject withdraws consent.
- Right to Restrict Processing: Data subjects have rights to 'block' or suppress further use of their personal data in certain circumstances, such as when the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of that data.
- Right to Data Portability: Data subjects have the right to receive personal data they have provided to Entropia in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance, where technically feasible.
- Right to Object: Data subjects have the right to object to the processing of personal data for purposes of direct marketing, scientific/historical research, or statistical analysis, except where the processing is necessary for the performance of a public interest task or exercise of official authority.
- Rights Related to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless necessary for entering into, or performance of, a contract between the data subject and a data controller, or based on the data subject’s explicit consent.
Exercising your rights Data subjects may exercise their rights by contacting Entropia’s Data Protection Officer (DPO) through the provided contact details. Entropia is committed to addressing any requests or concerns promptly and within the timeframe stipulated by GDPR.
Data Protection Officer
Entropia has put processes and people in place to ensure compliance with GDPR. Pierre Dulac, co-founder and CTO, was named Data Protection Officer to monitor compliance and act as contact point for data subjects, or authorities.
For any inquiry, please contact [email protected]