Privacy Policy

This privacy policy (the “Privacy Policy”) applies between PEETCHR, a simplified joint-stock company registered with the Paris Trade and Companies Register under number 980 220 164, with its registered office at 38 rue des Mathurins, 75008 Paris, represented by its President Mr Raphaël BÉNICHOU (“PEETCHR”), and any person (“User” or “Data Subject”) whose personal data is processed in connection with the use of the PEETCHR solution (the “Solution”).

This Privacy Policy describes all processing of personal data carried out by PEETCHR in its capacity as data protection point of contact, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”), French Act No. 78-17 of 6 January 1978 as amended (the “French Data Protection Act”) and Regulation (EU) 2024/1689 on artificial intelligence (the “AI Act”).

Processing carried out by PEETCHR as a processor on behalf of a Client (typically the processing relating to candidate assessment) is governed by Schedule 1 of the General Terms and by the Data Processing Agreement (DPA), and not by this Privacy Policy.

1. Definitions

“Subscription”: the subscriptions to the Solution as taken out by the Client with PEETCHR.

“Cookies”: HTTP cookies, session cookies, technical identifiers used to track the device and any other equivalent mechanism.

“Personal data” or “Data”: any information relating to an identified or identifiable natural person.

“Data Subject”: the natural person to whom the Data relates.

“Data Controller”: the legal entity that determines the purposes and means of the processing of the Data.

“Processor”: the legal entity that processes the Data on behalf of the Data Controller.

“Processing”: any operation or set of operations applied to Data.

2. Identity and contact details of the Data Controller

The Data Controller is:

  • PEETCHR SAS, 38 rue des Mathurins, 75008 Paris, France
  • Paris RCS No. 980 220 164
  • Legal representative: Raphaël BÉNICHOU, President
  • Data Protection Officer: sg@ghemam-avocat.com

3. Articulation of PEETCHR’s roles

PEETCHR acts in two distinct capacities:

(a) As Data Controller, for the following processing covered by this Privacy Policy:

  • Management of the B2B relationship with its Clients (administrators, commercial and technical contacts);
  • Invoicing, contract management and management of the contractual relationship;
  • Marketing and commercial prospecting (subject to applicable consent or legitimate interest);
  • Security of the Solution, technical logs, continuous monitoring;
  • Product improvement, anonymisation of usage data for analytical purposes;
  • Compliance with legal and regulatory obligations.

(b) As Processor within the meaning of Article 28 of the GDPR, for the processing of candidate data and Client user data, carried out on behalf of the Client (Data Controller). The terms of this processing are described in Schedule 1 of the General Terms and in the DPA.

4. Categories of data processed by PEETCHR as Data Controller

The Data processed by PEETCHR as Data Controller is:

  • Identification data: surname, first name
  • Professional contact details: email address, telephone number, company, role
  • Connection data: technical identifiers, IP address, activity logs
  • Usage data: pages viewed, features used (in aggregated or pseudonymised form)
  • Client billing and administrative management data

5. Purposes and legal bases of processing

| Data concerned | Purpose(s) | Legal basis/bases |
|---|---|---|
| Identification data and professional contact details of the Client’s Users | Management of registration, login and access to the Solution; management of the contractual relationship; user support | Article 6(1)(b) GDPR: performance of a contract or pre-contractual measures |
| Billing and administrative management data | Invoicing, collection, accounting, debt recovery, evidential archiving | Article 6(1)(b) GDPR: performance of a contract. Article 6(1)(c) GDPR: compliance with legal obligations (accounting, tax) |
| Connection data and technical logs | Security of the Solution, fraud prevention, continuous monitoring, incident handling | Article 6(1)(f) GDPR: PEETCHR’s legitimate interest in ensuring the security of its Solution |
| Usage data and product metrics (pseudonymised) | Improvement of the Solution’s features, statistical analysis, product steering | Article 6(1)(f) GDPR: PEETCHR’s legitimate interest in improving its services |
| Prospect contact data | B2B commercial prospecting | Article 6(1)(f) GDPR: PEETCHR’s legitimate interest, in compliance with the rules applicable to professional prospecting (Article L. 34-5 CPCE) |
| Non-exempt audience measurement cookies | Audience measurement, improvement of the user experience | Article 6(1)(a) GDPR: consent |
| Strictly necessary cookies | Technical functioning of the Solution | Article 6(1)(f): legitimate interest |
| Functional cookies | Improvement of the User experience | Article 6(1)(a) GDPR: consent |

6. Retention periods

In accordance with the storage limitation principle set out in Article 5(1)(e) of the GDPR, the Data is retained for periods limited to the achievement of the purposes set out above:

  • Identification data and contact details of the Client’s Users: for the duration of the contract, then intermediate archiving for 3 years from the end of the contractual relationship for evidential purposes.
  • Billing data: retained for 10 years pursuant to accounting and tax obligations (Article L. 123-22 of the French Commercial Code).
  • Commercial prospecting data: 3 years from the last contact from the prospect.
  • Connection data and technical logs: 6 to 12 months depending on the nature of the logs and security needs (consistent with Article 12 of the AI Act for AI system logs).
  • Cookies subject to consent: 6 months maximum.
  • Cookies exempt from consent: 13 months maximum.

7. Location of processing

The Data is processed exclusively within the European Union:

  • Back-end hosting and databases: Amazon Web Services, EU-West-1 region (Ireland);
  • Front-end hosting: Vercel, Paris region (France);
  • Hosting of candidate files and Vertex AI inference operations: Google Cloud Platform, Frankfurt region (Germany).

Any transfers to downstream sub-processors located outside the European Union are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, as well as by appropriate supplementary measures post-Schrems II where applicable. The full list of downstream sub-processors is provided in Schedule 1 of the General Terms.

8. Sub-processors and recipients of the Data

In the context of the processing carried out by PEETCHR as Data Controller, the Data may be disclosed to:

  • The downstream sub-processors listed in Schedule 1 of the General Terms (hosting providers, security providers, communication tools);
  • Statutory auditors, legal and tax advisers in the course of their assignments;
  • The competent administrative and judicial authorities, upon a legally founded request;
  • PEETCHR’s internal tools (project management, communication, application monitoring), provided that these tools do not have access to the candidate Data processed on behalf of Clients.

PEETCHR does not sell, rent or exchange any personal data.

9. Security measures

PEETCHR implements the appropriate technical and organisational measures provided for in Article 32 of the GDPR to ensure the confidentiality, integrity, availability and resilience of the processing. In particular, PEETCHR has:

  • An information security management system (ISMS) aligned with SOC 2 Type II standards and in the process of ISO/IEC 27001 certification;
  • TLS 1.2+ encryption in transit and AES-256 at rest;
  • Strict access control (SSO, MFA, RBAC);
  • Continuous monitoring and automated alerts;
  • Timestamped logging of sensitive actions;
  • Annual penetration testing by independent third parties;
  • Documented and tested business continuity (BCP) and disaster recovery (DRP) plans.

10. Rights of data subjects

In accordance with the GDPR and the French Data Protection Act, each Data Subject has the following rights:

  • Right of access to the Data concerning them (Article 15 GDPR);
  • Right to rectification of inaccurate or incomplete Data (Article 16 GDPR);
  • Right to erasure (“right to be forgotten”) (Article 17 GDPR);
  • Right to restriction of processing (Article 18 GDPR);
  • Right to data portability (Article 20 GDPR);
  • Right to object to processing, in particular to commercial prospecting (Article 21 GDPR);
  • Right not to be subject to a decision based solely on automated processing producing legal effects or significantly affecting the person (Article 22 GDPR);
  • Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • Right to define directives concerning the fate of the Data after death (Article 85 of the French Data Protection Act);
  • Right to lodge a complaint with a supervisory authority, in particular the French Data Protection Authority (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.

These rights may be exercised by writing to PEETCHR’s Data Protection Officer at sg@ghemam-avocat.com, together with proof of identity where there is doubt about the identity of the applicant (Article 12(6) GDPR). PEETCHR will respond within one month, which may be extended by two months in the event of complexity (Article 12(3) GDPR).

11. Specific rights relating to the artificial intelligence Solution

The PEETCHR Solution is classified as a high-risk AI system under Annex III, point 4(a) of Regulation (EU) 2024/1689 (AI Act), because it is used in recruitment, assessment and talent management processes.

Where the Data Subject is a candidate or an employee assessed by the Solution in the context of use by a Client, they have, in addition to the general rights set out in section 10, the following safeguards:

(a) Prior information (Article 50 AI Act): the Data Subject is informed that they are being assessed by an artificial intelligence system, in clear and accessible language.

(b) No solely automated decision (Article 22 GDPR): the Solution produces recommendations and scorecards, but no hiring or rejection decision is made solely automatically. The final decision rests with the human recruiter under the Client’s authority.

(c) Guaranteed human oversight (Article 14 AI Act): no candidate is automatically removed from the selection; all candidates remain visible to the recruiter, regardless of the score produced.

(d) Opt-out option: any candidate may object to assessment by the Solution at any time, without prejudice to their application. The assessment is then conducted entirely by a human at the Client.

(e) Right to explanation (Article 86 AI Act): the Data Subject may request clear and meaningful explanations about the role played by the Solution in a decision concerning them, the main factors underlying the recommendation, and the general parameters of the processing. This request should be addressed primarily to the Client (Data Controller and Deployer), with PEETCHR’s assistance if necessary.

(f) Right to human intervention, to express a point of view and to contest (Article 22(3) GDPR): the Data Subject may request that a decision concerning them be reviewed by a human, express their point of view and contest the recommendation.

(g) Exclusion of sensitive variables: the Solution’s assessment engine does not use the following variables as assessment criteria: age, gender, nationality, ethnic origin, health data, political, religious or philosophical opinions, trade union membership, sexual orientation. No biometric capture, emotion recognition or behavioural analysis is carried out.

12. Specific processing of public LinkedIn data

The Solution may, on the instruction of the Client acting as Data Controller and subject to an appropriate legal basis defined by the Client, enrich a candidate’s profile from information publicly accessible on their LinkedIn page (professional experience and education published by the person themselves).

This enrichment is carried out via the downstream sub-processor Unipile, whose DPA and safeguards are described in Schedule 1 of the General Terms.

The Client is responsible, as Data Controller, for defining the legal basis applicable to this enrichment (typically, legitimate interest documented by a balancing of interests within the meaning of Article 6(1)(f) of the GDPR, or the candidate’s explicit consent where applicable) and for informing candidates in advance about this processing, in accordance with Articles 13 and 14 of the GDPR and CNIL guidance on profile enrichment.

13. Cookies

The Solution uses Cookies to ensure its proper functioning, measure audience and improve the User experience, in accordance with Article 82 of Act No. 78-17 of 6 January 1978 on data processing, files and individual liberties.

13.1 Cookies strictly necessary for functioning

These Cookies allow the main features of the Solution to function optimally. They cannot be disabled without degrading the User experience.

| Cookie name | Category | Purpose | Retention period |
|---|---|---|---|
| session_id | Necessary | Maintaining the user’s authentication session while browsing the Solution | Session duration |

13.2 Audience measurement cookies

These Cookies measure the number of visits, the bounce rate, the source of traffic and the pages viewed, in order to evaluate and improve the performance of the Solution. The data collected is aggregated and anonymised.

| Cookie name | Category | Purpose | Retention period |
|---|---|---|---|
| Behavioural analysis tool | Audience measurement | Measuring the use of the Solution, analysing the User’s journey, interactions with the interface and the performance of the Solution | 30 days |
| Session Replay | Audience measurement | Reconstructing browsing sessions to analyse the use of the Solution and identify any malfunctions | 30 days |
| Heatmaps | Audience measurement | Analysing the areas of the interface most viewed or used by the User | 30 days |
| Event autocapture | Audience measurement | Automatically collecting interactions performed on the Solution to improve its ergonomics and performance | 30 days |
| Performance metrics | Audience measurement / Technical | Measuring the technical performance of the Solution and detecting any anomalies | 30 days |
| Console logs | Audience measurement / Technical | Identifying and analysing technical errors that may affect the functioning of the Solution | 30 days |

13.3 Managing and withdrawing consent

Consent may be withdrawn at any time via the browser settings or via the Solution’s consent management module. The Solution’s settings allow the User to:

  • view the detailed list of active Cookies;
  • enable or disable Cookies by category;
  • withdraw consent previously given, without affecting the lawfulness of prior processing.

The User may also configure their browser to limit or block the placement of Cookies. The main browsers in particular allow the User to:

  • block third-party Cookies placed by domains other than that of the Solution;
  • delete Cookies already present on the device;
  • be warned before a Cookie is placed;
  • enable private browsing mode, which limits the persistence of Cookies.

The configuration procedures vary depending on the browser used. By way of indication, the main browsers offer these options via the following paths:

  • Firefox: Menu ☰ > Settings > Privacy & Security;
  • Chrome: Menu ⋮ > Settings > Privacy and security > Cookies and site data;
  • Safari (Mac): Safari > Preferences > Privacy;
  • Edge: Menu ··· > Settings > Privacy, search and services.

The User is informed that disabling certain strictly necessary Cookies may degrade the features of the Solution or prevent access to it.

14. Management of personal data breaches

PEETCHR has implemented a documented and tested Incident Response Plan. In the event of a personal data breach within the meaning of Article 4(12) of the GDPR:

  • PEETCHR notifies the CNIL within 72 hours of discovering the breach (Article 33 GDPR), where the breach is likely to result in a risk to the rights and freedoms of individuals;
  • Root cause analysis reports are shared internally within 7 days of the incident being resolved;
  • Data Subjects are informed directly where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).

Incidents are classified according to a P0 / P1 / P2 / P3 criticality matrix and are resolved within the SLAs defined in the DPA.

15. Changes to the Privacy Policy

PEETCHR reserves the right to amend this Privacy Policy at any time, in particular to take account of regulatory, case-law, technical or organisational developments. The date of the last update is indicated at the foot of the document.

In the event of a substantial change affecting the rights of Data Subjects, PEETCHR will inform Users by any appropriate means.

16. Contact

Any question, request for information or request to exercise a right may be addressed to PEETCHR’s data protection point of contact:

  • By email: sg@ghemam-avocat.com
  • By post: PEETCHR SAS, Data Protection Officer, 38 rue des Mathurins, 75008 Paris, France

Last updated: 10/06/2026

Contact us

hello@peetchr.ai
+33 9 53 42 75 45
7, rue Pablo Neruda, 92300 Levallois-Perret