At KARMEN, the protection of your personal data is a priority.
When you use the https://www.karmen.io/ website (hereinafter the "Site") and/or the KARMEN platform (hereinafter the "Platform"), we are required to collect personal data about you.
The purpose of this policy is to inform you about the ways in which we process this data in compliance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").
The data controller is KARMEN, a société par actionssimplifiée (simplified joint stock company), registered in the Paris Trade and Companies Register under number 899 181 226 and whose registered office is located at 112 avenue de Paris, 94360 Vincennes CEDEX, France (hereinafter referred to as " We ").
Personal data is data that allows an individual to be identified directly or by cross-referencing with other data. We collect data that falls into the following categories:
● Identification data (e.g. surname, first name, email and postal address, telephone number, copy of ID card or passport, proof of address);
● Data relating to your professional life (e.g. company name, CV, position / job title, LinkedIn URL);
● Connection data (e.g. connection logs, encrypted passwords);
● Browser data (e.g.: IP address, pages viewed, date and time of connection, browser used, operating system, user ID, IFA);
● Data from recordings of telephone calls between you and our customer service department (e.g. content of the calls, their dates);
●Any information you wish to provide to us in connection with your contact request or during our telephone or video conference conversations.Mandatory data are indicated when you provide us with your data. They are marked with an asterisk and are necessary to provide you with our services.
Provide our services available on our Platform via your account (including simulating a financing offer, applying for financing, reviewing your financing application, viewing your performance via a dashboard)
Execution of pre-contractual measures taken at your request and/or execution of the contract that you or your company have entered into with us.
When you have created an account: your data is kept for the duration of your account. Your connection logs are kept for 1 year. If your account is inactive for 2 years, your personal data will be deleted in the absence of a response from you to our reactivation email. In addition, your data may be archived for evidential purposes for a period of 5 years.
Combating money laundering and terrorist financing
Our legitimate interest in combating money laundering and terrorist financing and in responding to the request of our financial partners
The data is kept for 5 years after the termination of the relationship
Our legitimate interest in combating fraud
Assessment of the relevance of the alert: the data is kept for a maximum of 6 months from the time the alert is issued, the time it takes for us to qualify the alert. We delete without delay the alerts qualified as irrelevant. Retention of alerts qualified as relevant: if the alert is relevant, the data is kept for 5 years from the closing of the fraud file.
Carrying out operations relating to the management of our customers concerning contracts, invoices and follow-up of the contractual relationship with our customers
Performance of the contract you or your company have with Us
Personal data is kept for the duration of the contractual relationship. In addition, your data is archived for evidential purposes for a period of 5 years.
To improve our services (e.g. by recording telephone calls, analysis)
Our legitimate interest in improving our services
Recording of telephone calls: 6 months from the date of collection
Documents analysing the content of telephone calls: 1 year from the date of collection
Build a file of clients and prospects
Our legitimate interest in developing and promoting our business
For customers: data is kept for the duration of the contractual relationship.
For prospects: data is kept for a period of 3 years from your last contact, for prospecting purposes.
Send newsletters, solicitations and promotional messages
Our legitimate interest in retaining and informing our customers and prospects of our latest news
The data is kept for 3 years after your last contact with us
Responding to your requests for information
Our legitimate interest in responding to your requests
The data is kept for the time necessary to process your request for information and deleted once the request for information has been processed.
Comply with the legal obligations applicable to our business
Comply with our legal and regulatory obligations
For invoices: invoices are archived for a period of 10 years.
Processing your applications
Execution of pre-contractual measures
The data is kept for the duration of the processing of your application.
If your application is unsuccessful, we may wish to retain your data.
If you consent to such retention of your data, we will retain the data for a maximum of 2 years from your last contact.
To draw up statistics on the site's audience
The data is kept for 25 months
Deliver personalised advertising and re-deliver advertising to people who have shown an interest in our solution
The data is kept for 25 months
Managing requests to exercise rights
Our legitimate interest in responding to your requests and keeping track of them
If we ask you for proof of identity, we will only keep it for as long as it takes to verify your identity. Once the verification has been completed, the proof of identity is deleted. If you exercise your right to object to receiving marketing: we keep this information for 3 years.
Your personal data will be accessible to:
(i) Our staff;
(ii) Our subcontractors: Payment service provider, Open Banking providers, identity document analysis tools
(KYB), hosting provider, newsletter sending provider, CRM tool, accounting tools, lead enrichment tool, appointment setting tool, form creation tool, chatbot provider, video conferencing tool;
(iii) Our financial partners;
(iv) Where applicable: public and private bodies, exclusively to meet our legal obligations.
Your data is kept and stored for the duration of the processing on the servers of Amazon Web Services, located in the European Union. Within the framework of the tools we use (see article on the recipients concerning our subcontractors), your data may be transferred outside the European Union. The transfer of your data in this context is secured by means of the following tools:
● either the data is transferred to a country that has been the subject of an adequacy decision by the European Commission, in accordance with Article 45 of theGPR: in this case, this country ensures a level of protection deemed to be sufficient and adequate to the provisions of the GPR;
● or the data is transferred to a country whose level of data protection has not been recognised as adequate to the GPR : in which case such transfers are based on appropriate safeguards indicated in Article 46 of the GDPR, tailored to each provider, including but not limited to the conclusion of standard contractual clauses approved by the European Commission, the application of binding corporate rules or under an approved certification mechanism.
● or the data is transferred on the basis of one of the appropriate safeguards described in Chapter V of the GDPR.
You have the following rights with regard to your personal data:
Right to information: this is precisely why we have drawn up this policy.
This right is provided for in Articles 13 and 14 of the GDPR.
Right of access: you have the right to access all your personal data at any time, in accordance with Article 15 of the GDPR.
Right of rectification: you have the right to rectify at any time your inaccurate, incomplete or obsolete personal data in accordance with Article 16 of the GDPR
Right to limitation: you have the right to obtain the limitation of the processing of your personal data in certain cases defined in Article 18 of the GDPR.
Right to erasure: you have the right to demand that your personal data be erased, and to prohibit any future collection on the grounds set out in Article 17 of the GDPR
Right to lodge a complaint with a competent supervisory authority (in France, the CNIL), if you consider that the processing of your personal data constitutes a breach of the applicable texts. (Article 77 of the GDPR)
The right to set out instructions on the retention, erasure and disclosure of your personal data after your death.
Right to withdraw your consent at any time: for purposes based on consent, Article 7 of the GDPR states that you may withdraw your consent at any time. Such withdrawal will not affect the lawfulness of the processing carried out before the withdrawal.
Right to portability: under certain conditions specified in Article 20 of the GDPR, you have the right to receive the personal data you have provided to us in a standard machine-readable format and to require its transfer to the recipient of your choice.
Right to object: Under Article 21 of the GDPR, you have the right to object to the processing of your personal data. Please note, however, that we may continue to process your personal data despite your objection on legitimate grounds or for the defence of legal claims.
You can exercise these rights by writing to us using the contact details below. We may ask you to provide additional information or documents to prove your identity.
Contact email: firstname.lastname@example.org
Contact address: 112 avenue de Paris, 94360 Vincennes CEDEX, France
We may amend this policy at any time, in particular to comply with any regulatory, legal, editorial or technical developments. These changes will apply as of the effective date of the modified version. You are therefore invited to consult the latest version of this policy regularly.
Effective date: 05/04/2022