Privacy Policy

Last update: 20 November 2024

At Aura CORP, respecting your privacy and protecting your personal data is our priority. 

The purpose of this privacy policy (hereinafter the ‘Privacy Policy’) is to inform you about the ways in which your personal data is processed when using the https://www.loyoly.io/ website in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the ‘GDPR’) and Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms in its latest version in force (together the ‘Applicable Regulations’).

This Privacy Policy does not describe the methods of collecting and processing your data via cookies and other tracers (‘Cookies’) on the Site. To find out more, please consult our Cookies Policy

Who is the data controller?

When you browse and/or register on our Site or more generally in the context of managing our contractual relationship with you, the data controller is Aura Corp (Loyoly), SAS, registered in the Nantes Trade and Companies Register under number 889 463 519 and whose registered office is located at 4 rue Voltaire, 44000, Nantes (‘We’, ‘Us’, ‘Our’).

However, where our services are used by business customers to provide loyalty and sponsorship programmes, we collect and process personal data on their behalf. Our business customers are therefore responsible for data processing and We act as a data processor.

What data do we collect?

Personal data is data that enables an individual to be identified directly or by cross-referencing with other data. 

We collect personal data in the following categories:

  • Identification data (surname, first name, email address, telephone number) ;
  • Data relating to your orders;
  • Connection data (connection logs, encrypted passwords);
  • If you choose to connect using a third-party authentication service (e.g. Google or Facebook), certain data such as your name and email address may be retrieved from this service. By choosing this method, you agree to this service providing us with this data. We do not collect the password for your third-party account;
  • Browsing data (IP address, pages viewed, date and time of connection, browser used, operating system, user ID, MAID);
  • Data from recordings of telephone calls between you and our customer service department (content of calls, dates);
  • Economic and financial data (bank details, credit card details);
  • Any information you wish to send us as part of your contact request.

Mandatory data is indicated when you provide us with your details. They are indicated by any means.

How do we collect your personal data?

We may collect your personal data in two ways:

  • directly, when you have provided them to us (for example, by filling in a contact request form on our Site or by creating an account on our Platform/Application/Site);
  • indirectly, via commercial partners, service providers and database enhancement tools.  

Details of the processing of your personal data

Goals

Legal Basis

Shelf life

To provide the services available on our Site.

Performance of the contract you or your company have with Us 

When you create an account: your data is kept for the duration of your account. 

Your connection logs are kept for 6 months or 1 year.

In addition, your data may be archived for evidential purposes for a period of 5 years.

Carry out operations relating to the management of our customers concerning orders, quotations, and ensure the follow-up of the contractual relationship with our customers

Performance of the contract you or your company have with Us 

Personal data is kept for the duration of the contractual relationship.

In addition, your data (with the exception of your bank details) is archived for evidential purposes for a period of 5 years.

To analyse your use of the services, understand your expectations and improve the functionalities offered (in particular by analysing exchanges or by compiling statistics on browsing and the Site's audience).

Our legitimate interest in improving our services

Recordings of telephone calls are kept for 1 year from the date of collection.
Documents analysing the content of telephone calls are kept for 1 year from the date of recording.

If this does not concern telephone recordings (in particular via cookies to improve the user experience):

Personal data is kept for 1 year.

Once your data has been anonymised, it is no longer considered to be personal data as it cannot be re-identified. They are kept for as long as necessary.

Managing your opinions on our services

Our legitimate interest in collecting your opinions on our services 

2 years from publication of the notice

Build up a file of prospects

Our legitimate interest in developing and promoting our business

Your data will be kept for a period of 3 years from the date of your last contact with us.

Send newsletters, requests and promotional messages by email

Our legitimate interest in building customer loyalty and informing our customers and prospects of our latest news

Data is kept for 3 years from the date of your last contact with us.

Canvassing by telephone

Our legitimate interest: to develop and promote our business

Data is kept for 3 years from the date of your last contact.

Respond to your requests for information, contact and/or demonstration

Our legitimate interest in responding to your requests

Data is kept for a period of 3 years from the date of your last contact.

Keep information and administrative documents relating to our business

Comply with our legal and regulatory obligations

Invoices are archived for 10 years.

Data relating to your transactions (with the exception of bank details) is kept for 5 years.

Data relating to your contract and elements relating to the signing of the contract are kept for 5 years.

Organising competitions

Performance of the contract (i.e.: the rules of the competition accepted before taking part)

The data is kept for the duration of the games or promotional operations and may be archived for 5 years for evidential purposes.

Combating fraud 

Our legitimate interest in preventing fraud and dealing with it where appropriate

Data relating to identity verification is kept for 2 years.

Assessing the relevance of the alert: data is kept for a maximum of 6 months from the time the alert is issued, the time it takes for us to qualify the alert. We immediately delete alerts deemed to be irrelevant.

Retention of alerts classified as relevant: the data is retained for 5 years from the closure of the fraud file.

Responding to requests from data subjects to exercise their rights

Comply with our legal and regulatory obligations

If we ask you for proof of identity: we only keep it for the time needed to verify your identity. Once the verification has been carried out, the proof of identity is deleted.

If you exercise your right to object to receiving canvassing: we keep this information for 3 years.

Who will receive your data? 

We will have access to your personal data:

  1. The staff of our company ;
  2. Our subcontractors: hosting service provider, newsletter sending service provider, audience measurement and analysis service provider, e-mail service provider, secure payment service provider, invoicing tool, cookie management tool; 
  3. Our partners act as independent data controllers. We accept no responsibility for the processing of personal data by our partners and invite you to consult their general conditions of use and their privacy policy;
  4. To any authority legally empowered to deal with it, in particular the judicial, police or administrative authorities, if they so request.

Is your data likely to be transferred outside the European Union?

Your data is kept and stored for the duration of processing on Clever Cloud's servers, which are located in the European Union.As part of the tools we use (see article on recipients concerning our subcontractors), your data may be transferred outside the European Union. The transfer of your data in this context is secured using the following tools :

  • or the data is transferred to a country that has been the subject of an adequacy decision by the European Commission, in accordance with Article 45 of the GDPR: in this case, this country provides a level of protection deemed sufficient and adequate to the provisions of the GDPR;

  • or the data is transferred to a country whose level of data protection has not been recognised as adequate for the purposes of the GDPR: in this case, the transfers are based on appropriate safeguards as indicated in Article 46 of the GDPR, tailored to each service provider, including but not limited to the conclusion of standard contractual clauses approved by the European Commission, the application of binding corporate rules or under an approved certification mechanism;

  • or the data is transferred on the basis of one of the appropriate guarantees described in Chapter V of the RGPD.

You can obtain a copy of the tools used to transfer your data outside the European Union by contacting us as indicated in the ‘What are your rights regarding your data’ section below.

What rights do you have over your data?

You have the following rights with regard to your personal data:

  • Right to information : this is precisely why we have drawn up this Privacy Policy. This right is provided for in Articles 13 and 14 of the RGPD. 
  • Right of access: you have the right to access all your personal data at any time, in accordance with Article 15 of the RGPD.
  • Right of rectification : you have the right to rectify inaccurate, incomplete or obsolete personal data at any time in accordance with Article 16 of the RGPD.
  • Right to limitation: you have the right to obtain a limitation of the processing of your personal data in certain cases defined in Article 18 of the RGPD.
  • Right to erasure: you have the right to demand that your personal data be erased, and to prohibit any future collection on the grounds set out in Article 17 of the GDPR.
  • The right to set out instructions for the storage, deletion and communication of your personal data after your death. 
  • Right to withdraw your consent at any time: for purposes based on consent, Article 7 of the GDPR states that you may withdraw your consent at any time. This withdrawal will not call into question the lawfulness of the processing carried out prior to the withdrawal.
  • Right to portability : under certain conditions specified in Article 20 of the GDPR, you have the right to receive the personal data you have provided to us in a standard machine-readable format and to request that it be transferred to the recipient of your choice.
  • Right to object : under Article 21 of the GDPR, you have the right to object to the processing of your personal data. Please note, however, that we may continue to process your data despite this objection, for legitimate reasons or to defend legal claims.

You can exercise these rights by writing to us at the following address: legal@loyoly.io

We may ask you to provide us with additional information if there is reasonable doubt, or any document likely to prove your identity if the doubt persists.

For any question or request that remains unsuccessful, you are entitled to lodge a complaint with the competent supervisory authority in France, the Commission Nationale de l'Informatique et des Libertés (‘CNIL’), located at 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

Changes

We may modify this Privacy Policy at any time, in particular in order to comply with any regulatory, legal, editorial or technical developments. These modifications will apply from the date on which the modified version comes into force. You are therefore invited to consult the latest version of this policy on a regular basis. Nevertheless, we will keep you informed of any significant changes to this confidentiality policy.

Effective: 20/11/2024