Privacy Policy

Annex 1: Policy on the processing of Users personal data

In accordance with the provisions of Articles 13 and 14 of the GDPR, the purpose of this personal data processing policy is to provide any information referred to in Articles 13 and 14 of the GDPR to any natural person concerned by the processing of his/her personal data, in particular when:

  • The subscription of any Subscription for the use of the Application Services;
  • The use of his account on the Lodago application;
  • The use of the Application Services (allowing the use of the appointment booking plugin).

The main terms used below are defined at the end of this policy for a better understanding of it.

Data controller

The "data controller" of the personal data processed for the purposes set out below is the company Lodago, a limited liability company with a capital of 12,500 euros, whose registered office is located at 9 rue du Laboratoire, L-1911 Luxembourg, Grand Duchy of Luxembourg, registered with the Trade and Companies Register of the Grand Duchy of Luxembourg under number B157869. The company can be contacted:

  • Purpose of the data processing (purposes, legal basis, categories of data processed, categories of persons concerned, retention period)
Why are personal data processed (purpose(s) of processing)?What is the legal basis for the processing?What categories of personal data are processed?Who are the persons concerned by the processing?How long is the data kept?
To allow Users to create an online account to benefit from Lodago's services in complete security, in particular through an authentication procedure. To customize the user interface according to their language. Consent Personal identity (email address)

Professional life

(Company, Language spoken)

Login data (username and password)
User Maximum 3 years after the end of the Subscription
Manage subscriptions to any Subscription made by any User to benefit from the right to use the Application Services (appointment booking plugin) Execution of pre-contractual measures and contract execution Personal identity (last name, first name, e-mail address, message, postal address)

Professional life

(Company, Function)

Subscription data

(Date of subscription, Options chosen)

Payment data
User Maximum 5 years after the end of the Subscription
Invoice the Subscription to the Application Services and keep the accounts Legal obligation Personal identity (last name, first name, e-mail address, message, postal address)

Professional life

(Company, VAT number)

Subscription data

(Date of subscription, Options chosen)

Payment data

Invoice
User Accounting and tax limitation periods
Allow the User to synchronize his calendar to use the Application Services Consent Personal identity (last name, first name, e-mail address, message, postal address)

Professional life

(Company, Google Calendar or Outlook, Calendar Data)

Connection data

(Identification token provided by the operator)
User During the Subscription period
Allow the User to propose to make an appointment with him/her directly in the email without leaving his/her inbox Consent Personal identity (last name, first name, e-mail address, message, postal address)

Professional life

(Company, Google or Outlook calendar, date and time of appointment, subject of the appointment,

Messages exchanged,

Contacts)

Connection data
User During the Subscription period
Allow the user to have a history of his appointments Consent Appointment history User During the Subscription period
Ensuring the effectiveness of the rights of data subjects in relation to the processing of their personal data and ensuring the identity of data subjects who exercise their rights under the applicable data protection regulations Legal obligation to ensure compliance with the GDPR Personal identity (last name, first name, email address and in case of doubt, unique electronic identifier if creating an account or, if impossible, a copy of an identity document) Data subject Maximum 12 months from the last contact with the data subject (if copy of ID, only for the time of identity verification)
To monitor data breaches Legitimate interest Connection data (connection log, access log) Data subject 6 months

Please note that fields marked with an asterisk in any digital or online form are personal data that must be provided. Failure to respond to the data marked with an asterisk in any form may result in Lodago being unable to respond to the individual's request.

Data from individuals using the online appointment scheduling solution through Lodago Users

The use of the Application Services (appointment setting plugin) by Lodago Users, subscribers of a Subscription, allows their customers, prospects and generally, any natural person to whom the Users send an email using the Application Services, to make an appointment directly with them. The data controller of the data of these persons is the User of the Lodago Application Services. Lodago only acts as a processor in the sense of Article 28 of the GDPR and therefore only complies with the documented instructions of its Users to whom any request to exercise a right must be addressed.

Recipients

Lodago only communicates personal data to authorized and determined recipients. The recipients concerned are, internally, the internal departments of Lodago and, depending on the personal data concerned, externally:

Persons concernedPersonal data concernedRecipients
Users Data from the creation of an online account and login data Hosting of the Amazon website data in the EU
Users Data related to the User's Google calendar and/or Outlook Host (Amazon and Ikoula in the EU)
Users Billing information Ayden banking service

External accounting Zoho EU

Tax administration

Data security

In compliance with the provisions of Article 32 of the GDPR, Lodago undertakes to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of likelihood and severity of which varies, to the rights and freedoms of natural persons.

Particular account shall be taken of the risks to which the processing gives rise, resulting in particular from the destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed, whether accidental or unlawful. Lodago has implemented the following security measures:

Staff authenticationEncrypted HTTP authentication
Server security Redundant servers and load balancing
Security of software or applications Firewall protection against intrusion
Realization of backups Daily backups on a remote datacenter
Data encryption sha256 and RSA encryption

Transfer outside the EU

No data is transferred outside the EU.

Rights

What are the rights of the User whose data is processed by Lodago as a data controller?

  • Right to withdraw data collected on the basis of consent.

Where the processing is based solely on the consent of the data subject, the data subject may withdraw consent at any time by simple request sent to Lodago by email to dpo@rocketmail.lu or by post to 9 rue du Laboratoire 1911 Luxembourg

  • Right to Information

The purpose of this policy is to provide any data subject whose data is being processed with any information referred to in Articles 13 and 14 of the GDPR.

  • Right of access

The data subject has the right to obtain from Lodago confirmation as to whether or not personal data relating to him or her are being processed and, where they are, access to such personal data, as well as the information set out in Article 15 of the GDPR.

  • Right of rectification

- The data subject shall have the right to obtain from Lodago as soon as possible:

- The rectification of personal data concerning him or her that are inaccurate.

- In view of the purposes of the processing, that incomplete personal data be completed, including by providing an additional declaration.

  • Right to be forgotten

Where one of the reasons referred to in Article 17.1 of the GDPR applies, and except for the cases referred to in Article 17.3 of the GDPR, the data subject shall have the right to obtain from Lodago the erasure of personal data concerning him or her as soon as possible.

  • Right to limitation of processing

The data subject has the right to the restriction of processing where one of the grounds under Article 18 of the GDPR applies.

  • Right to object

The data subject has the right to object under the conditions referred to in article 21 of the GDPR at any time on grounds relating to his or her particular situation, to processing of personal data concerning him or her.

  • Right to data portability

Where processing is based on the consent or legitimate interest of the controller or a third party, the data subject shall have the right to receive the personal data concerning him or her that he or she has provided to Lodago in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another controller.

  • Absence of any automated individual decision

Lodago does not carry out any decision-making exclusively based on automated processing, including profiling, that produces legal effects on the data subject of a processing of his or her data or significantly affects him or her in a similar way.

  • For data subjects residing in France, a right to define directives regarding the fate of the data after his or her death.

A data subject who is a resident of France and whose data is being processed has the right to define directives regarding the retention, erasure, and disclosure of his or her personal data after his or her death.

How to exercise your rights?

  • The rights can be exercised by simple mail sent to Lodago by post at the address 9 rue du Laboraroire l-1911 Luxembourg or by mail at the address: dpo@rocketmail.lu. In case of reasonable doubt(s) about the identity of the person concerned, Lodago may request a copy of an identity document in order to ensure the exact identity of the person making any request and to avoid communication of data to an illegitimate third party.
  • If the response provided by Lodago is not satisfactory to the person concerned, the latter is hereby informed that he or she may submit a complaint to the National Commission for Data Protection, Complaints Department, 15 Boulevard du Jazz, L-4370 Belvaux or https://cnpd.public.lu/fr/particuliers/faire-valoir/formulaire-plainte.html
  • Definition(s)

For the purpose of understanding this privacy policy, the following terms are used:

« Subscription » means any personalized quote issued by Lodago or any subscription made by the User directly online on the Lodago website on the page dedicated to subscription subscriptions and allowing the User to benefit from the Application Services according to the terms of the general conditions of use in return for the payment of a usage fee.

« Recipient » : means the natural or legal person, public authority, service or any other organization that receives communication of personal data, whether or not it is a third party.

« Personal data » means any information relating to an identified or identifiable natural person. An "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity

« Software » means the extension module, plugin, in the form of object code, and its associated documentation allowing the making of appointments directly in an email, its interfaces and its possible settings.

« Data subject » means any identified or identifiable individual concerned by the processing of his or her personal data.

« Data controller » means the company Lodago, whose contact details are detailed in this policy. 

« Application Services » means the service offered in SaaS mode ("Software as a Service") by Lodago allowing the use of the Software by the User and by which a right to use the Software is granted to the User under these Terms and Conditions.

« Processor » means the natural or legal person, public authority, department or other body that processes personal data on behalf of the data controller.

« Processing » or « Processing(s) » means any operation or set of operations, whether or not carried out using automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction.

« User » means the subscriber of a Subscription, who benefits from the Application Services.

Annex 2: Subcontracting of personal data processing

Within the framework of their contractual relations, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as of 25 May 2018. Services by the User.

Lodago, a personal data processor, is authorized to process on behalf of the User, the data controller, the personal data necessary to provide the services referred to in this Agreement in the article "Purpose".

In accordance with the provisions of Article 28 of the RGPD, the purpose of this agreement is to define the conditions under which Lodago undertakes to carry out on behalf of the User the processing operations of personal data in the context of the use of the Application.

1. Definition

The terms below shall have in these general conditions of use the meaning given by their following definition (regardless of whether the word is singular or plural):

« Software » means the extension module, plugin, in the form of object code, and its associated documentation allowing the making of appointments directly in an email, its interfaces and its possible settings.

Parties : refers to Lodago and the User.

RGPD : refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as of 25 May 2018.

Lodago : refers to the company Lodago, a limited liability company, whose registered office is located at 9 rue du Laboratoire, L-1911 Luxembourg, Grand Duchy of Luxembourg, registered in the Trade and Companies Register of the Grand Duchy of Luxembourg under number B157869. It is a "subcontractor" within the meaning of Article 4.8 of the RGPD.

« Application Services » means the service offered in SaaS mode ("Software as a Service") by Lodago allowing the use of the Software by the User and by which a right to use the Software is granted to the User under these Terms and Conditions.

Subprocessor: refers to all subcontractors of Lodago.

User : means the subscriber of a Subscription (as defined in the General Conditions), who has a right to use Lodago's Application Services. He has the quality of "data controller" in the sense of the provisions of article 4.7 of the RGPD.

2. Purpose

Lodago is authorized to process on behalf of the User the personal data necessary to provide the services that are the subject of the contractual relationship between the Parties, namely: the use by the User of the Application Services.

3. Duration

This agreement comes into force between the Parties when the User subscribes to the Subscription and lasts during the User's Subscription to the Application Services.

4. Nature and purpose(s)

The nature of the operations performed on the data is the collection, transmission and storage of data for the following purposes:

  • Making appointments with the User by any third party;
  • Updating the User's calendar;
  • Backup and hosting of the data contained in the User's calendar;
  • Securing exchanges;
  • Communication history;
  • Monitoring of email openings;

5. Type of data and categories of persons concerned

The type of data processed mainly concerns data related to appointment making (identity of the persons, email address, date and time of the meeting, purpose of the meeting) and depends on the data transmitted by the User. 

The categories of persons concerned are the Users, the recipients of the Users and, in general, any natural person whose data is processed by the User, the controller, and provided to Lodago, the processor.

6. Obligations and rights of the User

The User undertakes to:

  • To make available to Lodago all information and data necessary for the execution of Lodago's missions.
  • To document in writing any instructions given to Lodago concerning the processing of data by Lodago.
  • To ensure that Lodago complies with its obligations under the GDPR before and during the processing.
  • To supervise the processing.
  • To provide information to the persons concerned by the processing operations at the time of the collection of the data, in accordance with the provisions of articles 13 and 14 of the RGPD and in particular of the fact that their data may be collected by Lodago.

In accordance with Article 28.3 of the RGPD, it is recalled that the controller assumes responsibility for the processing of personal data and that he has the rights, in particular defined in Article 28 of the aforementioned regulation.

7. Commitments of Lodago

Lodago undertakes to:

  • Process data only for the purposes for which it is outsourced and not use it for any other purpose.
  • Process data in accordance with the User's documented instructions. If Lodago considers that an instruction constitutes a violation of the GDPR or any other provision of Union or Member State law relating to data protection, it will immediately inform the User.
  • If Lodago is required to transfer data to a third country or international organization under Union law or the law of the Member State to which it is subject, inform the User of this legal obligation prior to processing, unless the relevant law prohibits such information on important grounds of public interest.
  • Guarantee the confidentiality of personal data processed under this agreement.
  • Ensure that persons authorized to process personal data under this Agreement:
    • Are committed to confidentiality or are subject to an appropriate legal duty of confidentiality;
    • Receive the necessary training in the protection of personal data;
  • Consider the principles of data protection by design and data protection by default in its tools, products, applications or services.
  • To assist the User as far as possible in fulfilling its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Lodago.

8. Recruitment of other subcontractors

Lodago may engage another processor, the Further Processor, to carry out specific processing activities. In this case, Lodago will inform the User in advance and in writing of any planned changes regarding the addition or replacement of other subcontractors. This information will clearly indicate the processing activities subcontracted, the identity and contact details of the subsequent Subcontractor and the dates of the subcontract. The User will have a period of fifteen (15) calendar days from the date of receipt of this information to present its objections. This subcontracting can only be carried out if the User has not raised any objections within the agreed period.

Lodago undertakes to sign a written contract with its subsequent Subcontractor imposing on it the same personal data protection obligations as those set out in this Agreement, in particular as regards presenting sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR.

Lodago remains fully responsible to the User for the performance by the subsequent Subcontractor of its obligations.

9. Assistance

To the extent possible, Lodago undertakes to assist the User in:

  • Fulfill its obligation to comply with requests to exercise the rights of data subjects: the right of access, rectification, erasure and objection, the right to limit processing, the right to data portability, the right not to be subject to automated individual decision making (including profiling), and the right to set out instructions regarding the disposition of data after the death of the data subject. Where data subjects make requests to Lodago directly to exercise their rights, Lodago will send such requests upon receipt by email to the User.
  • Conduct any data protection impact assessment.
  • When carrying out the prior consultation with the supervisory authority.

10. Notification of security breach

Lodago undertakes to notify the User of any breach of personal data as soon as possible and at the latest within 48 hours of becoming aware of it and by e-mail to the address communicated by the User when subscribing to the Subscription. This notification shall be accompanied by any useful documentation to enable the User, if necessary, to notify the competent supervisory authority of this violation.

11. Security measures

In compliance with the provisions of Article 32 of the GDPR, Lodago undertakes to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of likelihood and severity of which varies, to the rights and freedoms of natural persons.

Particular account shall be taken of the risks to which the processing gives rise, resulting in particular from the destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed, whether accidental or unlawful. Lodago has implemented the following security measures:

Staff authenticationEncrypted HTTP authentication
Server security Redundant servers and load balancing
Security of software or applications Firewall protection against intrusion
Realization of backups Daily backups on a remote datacenter
Data encryption sha256 and RSA encryption

12. End of the service

At the end of the Subscription, Lodago undertakes to destroy all personal data processed as a subcontractor.

13. Register

Lodago declares that it keeps a written record of all categories of processing activities carried out on behalf of the User including:

  • The name and contact details of the data controller on whose behalf it acts, of any subcontractors and, where applicable, of the data protection officer;
  • The categories of processing carried out on behalf of the data controller;
  • Where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European Data Protection Regulation, the documents attesting to the existence of appropriate safeguards;
  • To the extent possible, a general description of the technical and organizational security measures, including inter alia, as appropriate:
  • Pseudonymization and encryption of personal data;
  • Means to ensure the continued confidentiality, integrity, availability, and resilience of processing systems and services;
  • Means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  • A procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

14. Documentation

Lodago shall make available to the User the documentation necessary to demonstrate compliance with all of its obligations and to allow audits relating to the applicable provisions on the protection of personal data, including inspections, to be carried out by the User or another auditor appointed by the User and at the expense of the User, and to contribute to these audits which may only be carried out under respect of business secrecy and intellectual property law (and consequently will not allow access to the source code of the Application Services under any circumstances).