Download as pdf

Privacy Policy

Last update: 2023-11-28

I. Who we are

Opendatasoft is a hosted software solution designed to allow users to publish and share data in a simple, efficient manner. Opendatasoft is available as an "SaaS" solution worldwide and is published by a French company called Opendatasoft SAS and marketed through subscriptions. It may be used by any organisation to effectively manage the collection, preparation, sharing and dissemination of data in a secure manner (hereinafter the "Solution").

This Privacy Policy is drawn up by Opendatasoft SAS (hereinafter referred to as "Opendatasoft" or "we"), a French société par actions simplifiée (simplified company) with a share capital of €399 509, registered in the Paris Trade and Companies Register under number 538 168 329, whose registered office is located at 50, Boulevard Haussmann, 75009 Paris (France).

II. How are we committed to protecting your data?

1. Overview of the GDPR and the aims of this Privacy Policy

We are committed to protecting your data and protecting and safeguarding your privacy. Protecting the personal data of our customers and users and the personal data we may receive from them via our Solution is one of our main concerns. Accordingly, we strive to ensure compliance with French Data Protection Act No. 78-17 of 6 January 1978 as amended and with the EU General Data Protection Regulation No. 2016/679 (the "GDPR") that came into force on 25 May 2018.

This Privacy Policy explains how and why we may collect and process personal data and how you can exercise your rights.

Should you have any questions about this policy or our compliance in general, please contact our Data Protection Officer at dpo@opendatasoft.com.

2. Who should read this Privacy Policy?

This Privacy Policy is designed for anyone who provides or entrusts personal data to us via our website and/or our Solution and the Opendatasoft services.

We may update it, in particular to reflect any changes to our services, the technology used or the applicable regulations. Updates will take effect as soon as they are posted on our website.

3. What is "personal data"?

The French Data Protection Act and the GDPR define "personal data" as any information relating to a natural person who can be identified, directly or indirectly, such as the surnames, forenames and email and postal addresses of natural persons, their image, an IP address or location data etc.

III. Does Opendatasoft process personal data?

We may collect personal data when you visit our website or contact us and/or to allow you to use our Solution and services. We process this personal data as a data controller, meaning that we determine the means and purposes of our processing operations.

Customers using our Solution may also entrust personal data to us. We process this data as a data processor, meaning that we process personal data on behalf of our customers, in accordance with documented instructions only. This data is processed under the responsibility of the customer and if special categories of personal data are to be processed, the customer must ensure full compliance with the provisions of the GDPR and any other applicable laws or regulations.

1. What types of personal data does Opendatasoft process as a data controller?

When you browse our website, we may process:

  • identification data (surname, forename, company, work contact details, email address, telephone number and IP address etc.);
  • information about how you use our website, including data traffic and records of the choices you make online, for in-house purposes such as analysing, developing and improving our products;
  • logs and statistics related to your activity on our website;
  • technical information about any devices and operating systems you use to visit our websites, including your device ID, your Internet Protocol (IP) address, the browser version on your device, which of our pages you visit, the time and date of your visit and the time spent on these pages. We also use cookies to collect and process tracking data on our websites. To find out more about how cookies work and why they are used, please consult our Cookies Policy;
  • any other information you may share with us in other contexts (download whitepaper forms, blogs and newsletter subscriptions etc.) or when applying for a job with us.

Whenever you contact us or use our Solution or services, we may process:

  • identification data (surname, forename, company, work contact details, email address, telephone number and IP address etc.);
  • any other information you share with us in other contexts such as customer support services, customer satisfaction survey, or training via the ODS Academy;
  • identification and authentication details for our services and websites requiring authentication (excluding identification/authentication via a third-party identity provider). If you use federated datasets (access to domain B using the account of domain A), the destination portal will have access to your data;
  • data relating to the services you have purchased (billing and management of accounting, administrative and contractual aspects).

2. What are the purposes of the personal data processing operations performed by Opendatasoft as a data controller?

We process personal data to provide and improve our services, mainly for the following purposes:

  • to provide our services (new account, proper operation and improvement of the platform and preventing computer fraud etc.);
  • to help you use our Solution and services;
  • to contact you to invite you to demonstrations and webinars and communicate about new features or any other commercial offers;
  • to manage our business relationship with users and data controllers (contracts and invoices etc.);
  • to send information and newsletters to our contacts, customers, users and prospective customers;
  • to manage customer satisfaction and user research.

3. What is the legal basis for the processing operations?

Depending on your status (customer or user of our Solution), the legal basis for our personal data processing operations will be one of the legal bases set out in Article 6 of the GDPR, namely:

  • performance of a contract;
  • your consent;
  • compliance with a legal obligation;
  • our legitimate interests.

4. How long do we keep personal data?

We retain the personal data we process as a data controller for a limited time only, based on our contractual or legal obligations, your consent and/or our legitimate interests, and follow the relevant guidelines issued by the French Data Protection Authority (CNIL).

For example:

Data relating to customers

Length of the cont ractual relationship plus 3 years

Prospective customers

3 years from the last contact

Users of the Opendatasoft Solution

Connection data, logs and IP addresses: 13 months

Authorised users: identification data retained for the entire term of the corresponding contract

Candidates

Data retained throughout the hiring pr ocess and then, with the candidat e's consent, for an extra 2 years

5. Who receives your data?

Only employees specially authorised to process this data within their functions may have access to your personal data.

Data may also be transmitted to OPENDATASOFT's suppliers.

When certain trusted third parties mentioned above are located outside the European Economic Area (EEA), OPENDATASOFT implements, in addition to appropriate technical and organisational measures, strong contractual guarantees through the adoption of standard contractual clauses drafted by the European Commission.

6. What rights do I hold? How can I exercise them?

You own the personal data you provide to us directly or that we may collect or process through our website and/or when you use our Solution and services.

You may therefore object to the processing of your personal data or restrict its processing and you also have a right of access, a right to rectification and erasure and a right to data portability. These rights may be exercised by submitting a request to dpo@opendatasoft.com. However, this may limit your access to or use of our Solution and services.

Your request will be processed within one month of receipt. If we have reasonable doubts about your identity, we may ask you to provide a copy of an identity document to check you are who you say you are. This will only be retained by us until your request has been processed.

Please also note that if you submit a data subject request for data processed by us as a data processor, we will promptly forward it to the data controller (for example: for a data subject request for data in a dataset), who will then address your request.

To find out more, submit a request or lodge a complaint, please email our Data Protection Officer at dpo@opendatasoft.com.

You can also find out more about data protection and your rights by contacting the French Data Protection Authority (www.cnil.fr).