Privacy Policy

Last updated: March 10, 2025

1. Preamble

This Privacy Policy (hereinafter the “Policy”) aims to describe the conditions under which Creates.Community (hereinafter the “Company,” “we,” “our”) collects, processes, and protects personal data (hereinafter “Personal Data”) of visitors to the website https://creates.community (hereinafter the “Site”), as well as natural or legal persons (Clients, Users) benefiting from our SaaS services for human resources management and the optimization of internal processes (hereinafter the “Services”).

In accordance with our General Terms of Use (GTU) and our General Terms of Sale (GTS), this Policy outlines our commitments regarding the protection of privacy and compliance with applicable regulations, in particular Regulation (EU) 2016/679 on data protection (GDPR) and the amended French Data Protection Act.

2. Identity of the Data Controller

The company Creates.Community, a SAS with a share capital of €192,001, registered with the Lille Métropole Trade and Companies Register under number 939 100 350, whose head office is located at 165 Avenue de Bretagne, 59000 Lille, acts as the Data Controller for all Personal Data processing described in this Policy.

Mailing address:
Creates.Community
165 Avenue de Bretagne
59000 Lille, France

Email address:
contact@creates.community

3. Scope of Application

This Policy applies to:

• Visitors to the Site who browse its content and/or provide their contact details (contact forms, newsletter subscription, etc.).
• Clients (legal entities) and their collaborators or authorized third parties (Users) within the framework of using the SaaS Platform, as described in the GTU and GTS.

Its purpose is to inform any individual about how we collect, use, retain, and protect their Personal Data.

4. Nature of Data Collected

4.1 Data Collected from Site Visitors

• Identification data: first name, last name, email address, phone number, position, company, etc., when you fill out a form or contact us.
• Browsing data: cookies, IP address, device type, pages visited, session duration, etc. (see the “Cookies” section below).

4.2 Data Collected from Clients and Users

• Contract data: name and legal form of the client entity, billing address, SIRET number, banking information (if needed for invoicing), etc.
• User-related data: first name, last name, professional email address, role/position, and any other information required to create a User Account or authenticate via a Single Sign-On (SSO) system.
• HR data (entered or synchronized by the Client): the Platform allows for the storage and analysis of various data related to skills, professional backgrounds, training, etc. Clients determine the type of data they wish to integrate. This information remains the property of the Client (cf. GTU), and Creates.Community acts as a processor for its processing.

4.3 Technical Data and Logs

When accessing the Services, we collect and store connection logs containing the date, time, URL visited or action performed, IP address, and the User ID. These logs allow us to:

• Maintain the security and availability of the Platform;
• Ensure traceability in the event of an incident or misuse.

5. Purposes and Legal Bases of Processing

In accordance with Article 6 of the GDPR, we process your Personal Data for specific purposes and on the basis of an appropriate legal ground.

• Provision of the Services (performance of the contract)

  • Creation and management of User Accounts.
  • Access to the Platform and HR functionalities.
  • Invoicing and payment (Clients).

• Support, maintenance, and security (legitimate interest and/or performance of the contract)

  • Technical support and incident management.
  • Analysis of connection logs to identify possible malicious actions.
  • Continuous updates and improvements to the Platform.

• Communication and marketing (consent or legitimate interest)

  • Sending newsletters, offers, or information about feature updates.
  • Organizing webinars or events.
    You may object at any time to receiving such communications.

• Statistical analysis and R&D (legitimate interest)

  • Usage studies and development of new features.
  • Processing data in an anonymized or aggregated form to improve the Platform and guide our R&D projects.

• Compliance with legal obligations

  • Retention of certain documents for tax or accounting purposes.
  • Managing requests to exercise rights (GDPR).
  • Responding to legal requests from authorities.

6. Recipients of Data

• Authorized Creates.Community staff: only authorized employees and collaborators (technical, support, administrative) have access to the Data strictly required for their duties, in accordance with the principle of confidentiality.
• Subcontractors and service providers: we may use third-party companies (hosting, technical subcontractors, etc.) to provide or improve the Services. These providers are subject to the same security and confidentiality obligations as we are.
• Administrative or judicial authorities: we may be required to disclose certain Personal Data in order to comply with a legal obligation or as part of legal proceedings.

We do not sell or rent your Personal Data to third parties.

7. Retention Period

We retain Personal Data for the period strictly necessary to achieve the purpose for which it was collected, after which we delete or anonymize it. By way of example:

• User Account data: retained for the entire duration of the Service usage, then deleted within 3 months after the end of the contract or account deactivation, unless otherwise required by law.
• Connection logs: generally retained for 6 to 12 months to ensure traceability and security.
• Billing data: retained for the legally mandated period (10 years in France).
• Cookies: refer to the “Cookies” section below for the retention period.

8. Security and Data Location

We implement technical and organizational security measures (encryption, access management, regular audits, etc.) described in our GTU and GTS to protect the Data against any unauthorized access, alteration, or disclosure.

Data is hosted within the European Union, in particular through our technical service providers OVHcloud and AWS. In principle, no transfer outside the EU is carried out. If such a transfer should occur, we would ensure the implementation of appropriate safeguards (standard contractual clauses, etc.) in accordance with the GDPR.

9. Cookies and Trackers

We use cookies and other trackers to:

• Facilitate navigation on the Site and remember your preferences;
• Carry out traffic analysis (Google Analytics, etc.);
• Ensure the security and stability of the Platform.

When you access the Site, a banner informs you of the use of cookies and allows you to accept or refuse your consent for certain categories (analytics, advertising, etc.). You can manage your preferences at any time via your browser or the cookie management tool on the Site.

For more information, consult our [Cookie Policy] (or the Cookies section in the GTU).

10. Rights of Data Subjects

In accordance with the GDPR and the French Data Protection Act, you have the following rights:

• Right of access: to obtain confirmation that your Data is being processed and, if so, to receive a copy;
• Right to rectification: to correct inaccurate or incomplete Data;
• Right to erasure (“right to be forgotten”): to obtain the deletion of your Data within legal limits;
• Right to restriction of processing: to temporarily limit the processing of your Data in certain circumstances;
• Right to object: to object to the processing of your Data for legitimate reasons, or at any time when the processing is for direct marketing purposes;
• Right to data portability: to receive your Data in a structured, commonly used, and machine-readable format, or to request its transfer to another controller where technically feasible;
• Post-mortem directives: to define what happens to your Data after your death.

To exercise these rights, you can contact us at the following address:

• Email: dpo@creates.community
• Mail: Creates.Community, 165 Avenue de Bretagne, 59000 Lille, France

We will process your request as soon as possible and no later than within one month, unless there is a particular complexity.

You also have the right to file a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés) if you believe that your rights are not being respected.

11. Client Responsibility as Data Controller

Within the framework of using our SaaS Platform for HR Data management, the Client acts as the Data Controller for the Personal Data of its employees or third parties, while Creates.Community acts as the Processor. In accordance with our GTU and GTS, the Client undertakes:

• To inform the individuals concerned and obtain their consent where applicable;
• To respect their rights (access, rectification, etc.);
• To ensure the legality of the Data entered or synchronized on the Platform.

For more details, refer to the GTU, as well as the “GDPR” section of our GTS.

12. Changes to the Privacy Policy

We may modify this Policy to reflect legislative, regulatory, or functional changes. In the event of a substantial modification, we will inform you by any appropriate means (notice on the Site, email, etc.).

13. Contact

For any questions regarding this Policy or your Personal Data, you can contact us:

• By email: contact@creates.community
• By mail: Creates.Community – 165 Avenue de Bretagne, 59000 Lille, France

We undertake to handle any request as quickly as possible and to provide a response that complies with the regulations.

14. Governing Law and Jurisdiction

This Privacy Policy is governed by French law. In the event of a dispute relating to its interpretation or enforcement, the French courts located in the jurisdiction of Lille shall have authority, in accordance with our GTU and GTS.