Ensilog SAS Privacy Policy
Preamble
This privacy policy aims to define the terms of collection, processing, storage, and protection of personal data carried out by Ensilog SAS ("Ensilog", "we", "our"), a company whose head office is located at 20 Place Saint Étienne, 71000 Mâcon, France, acting as a processor within the meaning of Regulation (EU) 2016/679 (hereinafter "GDPR").
Article 1 - Definitions
- Personal Data: any information relating to an identified or identifiable natural person.
- Client: natural or legal person using the Ensilog platform.
- Extracted Data: contents of questionnaires (titles, types, multiple choices, etc.).
- Metadata: technical data (timestamps, session IDs, logs, IP).
Article 2 - Processing Purposes
As a processor:
- Digitalization and structuring: transformation into structured data for statistical analysis.
- Technical support and maintenance: storage of Metadata for six months for debugging and improvement; it is not used for AI training.
Article 3 - Legal Bases
- Execution of the client contract (art. 6 §1 b) GDPR)
- Compliance with legal obligations (art. 6 §1 c) GDPR)
- Legitimate interests of Ensilog (art. 6 §1 f) GDPR)
Article 4 - Nature of the Data
- Extracted Data: contents of questionnaires submitted by the Client.
- Metadata: timestamps, logs, session IDs, IP.
The Client remains responsible for the legality of the transmitted content.
Article 5 - Data Retention Periods
Extracted Data: duration defined by the Client.
Metadata: deleted no later than six months after collection.
Article 6 - Recipients and Subprocessors
Data is accessible to Ensilog's technical teams and the following subprocessors:
Subprocessor | Processing | Location | Transfer outside EU |
---|---|---|---|
Supabase (AWS EU) | Operational database | EU (EU-West) | No |
Microsoft Azure | Backups | Europe | No |
PostHog | Anonymous analysis | EU | No |
OpenAI | Multimodal AI | Global | Yes (temporary logs) |
Article 7 - Transfers outside the EU
The data processed by OpenAI is transmitted temporarily and is not stored outside the EU. Ensilog is currently negotiating the implementation of Standard Contractual Clauses for these providers.
Article 8 - Data Security
- TLS encryption in transit and AES-256 at rest.
- Access control, logging, and auditing.
- Data breach notification procedure within 72 hours.
Article 9 - Cookies and Trackers
We use cookies and trackers for anonymized analysis of user behavior, in accordance with CNIL recommendations. No marketing or targeting cookies are deployed. Users can refuse or delete them via their browser.
Article 10 - Rights of Data Subjects
In accordance with Articles 15-22 of the GDPR, data subjects have the following rights:
- Access, rectification, deletion, restriction, objection, portability.
- Requests can be made via contact@ensilog.com.
- Response within 1 month, extendable by 2 months if necessary.
Article 11 - Contact and Complaints
Privacy Officer: contact@ensilog.com
Supervisory Authority: CNIL (www.cnil.fr).