Lemonway, as data controller, meets its obligations to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and with Act n°78-17 of 6 January 1978 on Information Technology, data files and civil liberties.
The data controller is the company LEMONWAY, having its registered office at 8 rue du Sentier, 75003 Paris – France. Tel: + 33 (0) 1 48 18 19 30
NATURE OF DATA COLLECTED
Lemonway collects directly and indirectly the following categories of data concerning its Users:
PURPOSE OF THE PROCESSING
In the context of the operation of the Site and our services, the purposes of the processing of personal data are the management of customers, the creation and management of accounts, the management of contracts, regulatory control in the fight against money laundering, prospecting, the preparation of statistics, and the management of requests for access, rectification and opposition rights.
RIGHTS OF INDIVIDUALS
You have the following rights within the limits provided by applicable regulations.
COMMUNICATION TO THIRD PARTIES
Your personal data may be disclosed pursuant to a law, regulation or decision of a competent regulatory or judicial authority.
DATA RETENTION PERIOD
The personal data that Lemonway collects are kept for the time necessary for the purpose of processing. Beyond this retention period, they become intermediate archives, or they are anonymised and kept for statistical or historical purposes.
Purges of your personal data are set up, and their effective deletion is verified, as soon as the retention or archiving period necessary for the fulfilment of the determined or imposed purposes is reached.
A cookie is a text file that can be placed on your device when you visit a website. A cookie file allows its issuer to identify the terminal in which it is stored.
Lemonway undertakes not to store cookies for more than 12 months after they are first placed on the User’s terminal. The validity period of the User’s consent is also 12 months. The law provides for a maximum cookie storage period of 13 months.
Social network sharing cookies are issued and managed by the publisher of the social network concerned. If you consent, these cookies allow you to easily share some of the content published on our website, in particular through a sharing “button” application specific to the social network concerned.
DATA TRANSFER OUTSIDE THE EUROPEAN UNION
Lemonway complies with European regulations and French law regarding data transfers to a country located outside the European Economic Area. Lemonway will inform and seek the consent of its users.
Lemonway implements the appropriate technical and organisational measures to guarantee an appropriate level of security. The technical measures implemented by Lemonway are set out below.
VIOLATION OF PERSONAL DATA
We undertake to implement all appropriate technical and organisational measures to guarantee a level of security appropriate to the risks of accidental, unauthorised or illegal access, disclosure, alteration, loss or destruction of personal data concerning you. In the event that we become aware of illegal access to your personal data stored on our servers or those of our subcontractors, or unauthorised access resulting in the realisation of the risks identified above, we undertake to:
LIMITATION OF LIABILITY
Under no circumstances can the commitments defined in the point above relating to the violation of personal data be regarded as an admission of fault or liability for the occurrence of the incident in question.
In accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and in particular Article 32, and the amended Act No. 78-17 of 6 January 1978 on Information technology, Data Files and Civil Liberties, Lemonway ensures the security of your personal data through the following technical and organisational measures:
ENCRYPTION OF CONFIDENTIAL DATA
All data (documents, digital data) are stored in file systems that are automatically encrypted on the fly (AES-256) and compatible with the General Data Protection Regulation through FIPS 140-2 certified software.
Data hosting is located in France in ISO 27001 and PCI DSS compliant data centers.
ACCESS RIGHTS MANAGEMENT
Rights of access shall be subject to compliance with internal allocation procedures and shall meet the following requirements:
The monitoring of rights of access is subject to ongoing internal control by our compliance team.
TOOLS TO CONTROL EXTERNAL INTRUSIONS INTO THE NETWORK
For many years, Lemonway has relied on the antivirus and anti-malware vendor McAfee and its VirusScan Enterprise suite, which is deployed throughout the information system. Network protection solutions are also in place, using latest-generation firewalls equipped with advanced features such as UTM (Unified Threat Management), automatic DDoS protection solutions (DPS) and a WAF (Web Application Firewall) operated by the company Imperva.
The information system is continuously analysed by Tenable’s Nessus agents in order to trace any newly detected vulnerability in real time. A SIEM (Security Information and Event Management) completes the system, collecting and analysing all sensitive activities across all IS components.
A strong password management policy is in place (unique identifier, complexity, size, regular change, limitation of attempts, etc.), and security policies have been defined and implemented. The correct application of these policies is regularly and automatically monitored on all IS machines using specific monitoring agents, and any anomalies are reported to the security team.
PROTECTION VIA SECURE FLOWS
Lemonway secures all communications to its applications through SSL – TLS 1.2 point-to-point encrypted connections (systematic HTTPS use, SHA-2 certificates). Network partitioning of the different environments is set up, along with a DMZ (Demilitarized Zone) and IDS (Intrusion Detection System) solutions.