1. Scope
MiTrust attaches the highest importance and the utmost care to the protection of privacy and personal data, whether for its customers, partners or employees, as well as compliance with legal provisions in this field.
The European Regulation on the Protection of Personal Data states that personal data must be treated lawfully, fairly and transparently. Thus, this privacy policy (hereinafter “Policy”) aims to provide you with simple, clear information about the processing of personal data about you, as part of your browsing and operations performed on our website.
2. Definitions
All terms relating to the protection of personal data used in this document and identified by capital letters, used in the singular or plural, must be interpreted in accordance with the General Data Protection Regulation 2016/679 of 27 April 2016 repealing Directive 95/46 / EC (hereinafter “the European Regulation”).
The term “Data”, used in the singular or plural, refers to the Personal Data processed by the Joint Managers or the Manager and the Subcontractor as part of the MiTrust Service.
Login credentials: credentials and passwords to access the user’s online accounts at Data Sources;
Shareable Data: personal data of the User, which may refer to data (address for example) or documents (proof of address for example) and which are the object of the Service;
Service: All services rendered by MiTrust to Users, in particular the sharing of Shared Data;
Online Service: MiTrust Partner Service Provider soliciting the User’s Personal Data via MiTrust;
Data source: Service provider with whom the User has an existing business relationship, such as banks, telephone operators, energy distributors or utilities, and who has Personal Data of the User;
3. Responsible for treatment
As part of your activity on the site https://mitrust.eu/ or on our user journey, we collect and use personal data related to you, natural persons (hereinafter referred to as “the person concerned”).
The M-iTrust Service is provided by M-iTrust SAS, registered with the RCS of Nanterre under number 842 232 878, having its registered office at 98 route de la Reine, 92100 Boulogne-Billancourt.
When an Online Service offers the M-iTrust Service to its users, three situations are possible with regards to the regulation of personal data, and in particular RGPD:
Either M-iTrust acts as the controller,
Either the Online Service acts as the controller and M-iTrust is a subcontractor,
Either the Online Service and M-iTrust act as co-controllers.
This situation depends on the historical contractual relationship defined between the Online Service and M-Itrust.
Whatever the contractual situation, M-iTrust will be your sole point of entry for exercising your rights (see chapter "What are your rights").
4. What data do we collect and how?
By using our website, or our service, you send us information about you, some of which may identify you (“Personal Data”). This is the case when you browse our site or use our Service from Online Services.
The nature and quality of the personal data collected about you vary, it is mainly about:
Login credentials to Data Sources: for example, username and password or one-time-password; we collect this data to access, with your consent, the personal data in your account with the Data Source;
Captured documents and proof of life: photo or video of a document you upload or capture in real time, as well as proof of life (e.g. selfie); we collect this data with your consent in order to extract certain data for you to share and in order to verify their authenticity;
Shareable Data: personal data that we access through your account with the Data Source or that we extract from a document that you have entrusted to us, so that we can share it, with your consent, with the Online Services that need it; see examples of categories of shareable data below;
Information about your navigation: we collect certain information about your equipment for maintenance and statistics. In addition, by browsing our website, you interact with it and some information about your browsing is collected.
Shareable data categories MiTrust has a wide range of uses; here are a few examples of data that MiTrust can enable you to share securely:
User Profile data:
• Surname, first name, postal address, telephone
• Bank details: first and last name of the account holder, IBAN, BIC, account statement, solvency indicator…
• Identity data: surname, first name, gender, date of birth, place of birth…and associated capture information (photo/video of the ID document, of the user’s face…)
• Administrative data: certificate of rights, tax notice…
• Technical data: session information enabling automatic synchronization of your data from a Data Source, with your consent.
5. Why do we collect Personal Data and how?
We collect your personal data for specific purposes and on different legal bases.
Purposes | Header | Legal bases | Retention period |
---|---|---|---|
Navigation on the website and the Service | Management of traffic statistics on the website and the Service (anonymized IP) | Consent and legitimate interest | 13 months for the cookies |
Contact form | Requests sent from the online form | Consent | Generally 6 months (and never more than 2 years) |
Using our Service | Transmission of your Shareable Data to an Online Service in connection with the use of our Service | Consent | The Shareable Data is erased just after the transaction. |
Maintenance of our Service and tracking user requests | Data Source, pseudonymized trace (hash) of Login credentials, Identity data (only for identity verification), Online Service, navigation data, date of the transaction. | Consent | 13 months – or 72 hours maximum for Identity data for identity verification |
Corrective maintenance related to web collection (error report or maintenance program) | Connection Logins to the Data Source (eg. login, password) | Consent, in case of error related to web collection or voluntary contribution to the maintenance program | 120 days |
Cookies management
A cookie is a small file stored on your computer that allows you to switch from one web page to another while maintaining your browser settings. The MiTrust website uses the Matomo cookie (ex Piwik). This cookie, called audience measurement cookie, allows us to have information that users browsing. We only collect and store information related to website traffic anonymously, including: the number of unique visitors, the number of page views, the country of origin of the connection to the site, the originating service which in provided access (live, by search engine or social network), type of device used (computer, mobile or tablet), time and date of attendance. When browsing the site and the MiTrust service, you can decide whether or not to allow the posting of cookies on your computer. The setting of cookies is done directly via your Internet browser and, depending on the type of browser used, allows the choice of systematic refusal of cookies during navigation or their authorization on a case by case basis. To find out more about the configuration to follow, consult the dedicated page on the CNIL website (https://www.cnil.fr/en/cookies-the-tools-to-control).
6. Do we share your personal data ?
For some processing purposes, we may be able to share your data with the service providers we use to perform a set of operations and tasks on our behalf:
• Microsoft Azure for hosting our service,
• Xamance for the web collection technical service.
This data sharing is necessary for the execution of the service, and mentioned in the general conditions. Only the information that they need for the realization of the Service is communicated to these service providers. They refrain from using the data for purposes other than those originally intended. We make every effort to ensure that these third parties maintain the privacy and security of your data. In connection with the use of our Service, your Login IDs are used to connect to the Data Sources for and to enable your identification on their sites. Finally, your data may also be transmitted to legal or regulatory authorities, in order to comply with our legal obligations. In this case, only the necessary data are provided. We make every effort to maintain their privacy and security. We do not sell your data.
7. Is your data transferred to third countries ?
The MiTrust Platform that processes Personal Data for the purposes of the Service is hosted on servers in France with the possibility of transfer of certain data outside France by the host during maintenance operations or for technical reasons.
In case of transfer of this type, we guarantee that the transfer is made:
• Either to a country providing an adequate level of protection, ie a level of protection equivalent to what European regulations require;
• Or it is framed by standard contractual clauses;
• Or it is framed by internal company rules.
8. How long do we keep your data ?
We keep your personal data only for the time necessary to achieve the purpose for which we hold this data, to meet your needs or to fulfill our legal obligations.
• The retention period varies depending on several factors, such as:
• The needs of M-iTrust’s activities
• Contractual requirements
• Legal obligations
• The recommendations of the supervisory authorities
Refer to the table in article 5 for more details on retention periods by type of data.
9. How do we guarantee the security of your data ?
M-iTrust is committed to protecting the personal data we collect, or what we process, from loss, destruction, alteration, access or unauthorized disclosure.
Thus, we implement all appropriate technical and organizational measures, depending on the nature of the data and the risks that their treatment entails. These measures must preserve the security and confidentiality of your personal data. These measures may include practices such as limited access to personal data by authorized persons, because of their duties.
In addition, our practices and policies and / or physical and / or logical security measures (secure access, authentication process, backup copy, software, etc.) will be regularly checked and updated if necessary.
All personal data is encrypted with the RSA protocol and a 4096 bit key. Private keys are stored in a Hardware Security Module (HSM) hosted by a leading cloud provider. In order to fully protect the personal data of users of M-iTrust, the identifiers are encrypted in the browser, and are never stored in clear or decrypted, except at the last moment for the actual collection of personal data.
In case of anonymous session (i.e. without creating an M-iTrust account), personal data is automatically deleted after 1 hour maximum.
The M-iTrust platform is hosted by a leading cloud provider. All platform components are individually secured by an authentication and network filtering layer. The platform is regularly audited by a renowned player in the security of information systems. Network exchanges are protected by an SSL certificate based on a 4096-bit RSA key.
10. What are your rights ?
On the personal data we collect / process, you may exercise the following rights:
• A right of access: You have the right to request access to the personal data that we hold about you, and you can request a copy;
• A right of rectification: you can request a correction of any inaccurate data concerning you;
• A right of cancellation: you can request the deletion of your personal data in certain circumstances;
• A right to portability: under certain conditions you can receive all the personal data about you that you have provided, in a structured format. You also have the right to demand that we forward them, as far as possible, to another controller;
• A right to oppose treatment by invoking legitimate interests;
• A right to withdraw consent at any time;
• A right to limit processing:
You have the right to restrict the processing of your data if:
• You dispute the accuracy of your data until we verify its accuracy;
• The treatment is illegal but you do not want us to delete your data;
• We no longer need your personal data for processing but you need its data to sue, assert or defend against legal claims;
• You are opposed to treatment on the basis of related grounds until we verify whether our legitimate and compelling reasons for pursuing treatment take precedence over those interests
If such personal data are subject to such limitations, we will only process your data with your consent, or with a view to bringing, asserting or defending against legal claims;
A right to determine the fate of your personal data after your death.
To exercise your rights, please contact M-iTrust's Data Protection Officer (DPO): dpo@m-itrust.com or DPO Consulting, Service DPO externalisé, 18 rue Pasquier, 75008 Paris. In certain cases, M-iTrust will forward your request to the Online Service in order to process it.
When you send us a request for an exercise of right, you are asked to specify as much as possible the scope of the request, the type of right exercised, the processing of personal data concerned, and any other useful element, in order to facilitate the review of your request. In addition, you may be required to provide proof of your identity.
11. Update of this Policy
This policy may be updated regularly to reflect changes in the regulation of personal data.
Date last updated 03/04/2024