Privacy Policy
1. Data Controller
The data controller for personal data collected through the Effinature Platform is:
IRICE — SAS with a share capital of EUR 20,000
10 rue du Lieutenant Parayre, Espace Wagner Bâtiment A2, 13290 Aix-en-Provence, France
RCS Aix-en-Provence 835 324 112
Email: hello@irice-certification.com
2. Data Collected
In the course of using the Platform, IRICE collects the following categories of data:
2.1 Identification Data
Surname, first name, email address, telephone number, position within the company. This data is collected during registration and account creation.
2.2 Company Data
Company name, SIRET/SIREN number, registered office address, legal form. This data is pre-filled via the INSEE SIRENE directory and completed by the user.
2.3 Project Data
Information relating to construction, renovation or development projects submitted for certification: project name, address, building type, technical documents (DCE, tender files, assessment reports), assessment results, certification decisions.
2.4 Connection Data
IP address, connection date and time, browser used, pages viewed. This data is collected automatically through server logs.
3. Purposes of Processing
Data is processed for the following purposes:
Management of user accounts and authentication; processing of certification applications; conducting biodiversity and ecological performance assessments; issuance and tracking of certificates; sending reminders and notifications related to project monitoring; management of recurring compliance checks (CCR) for the HVE standard; publication of the public directory of certified projects; compilation of statistics and quality indicators; compliance with regulatory and normative obligations (ISO 17065).
4. Legal Bases
Processing is based on the following legal grounds:
Performance of a contract (Article 6(1)(b) GDPR): processing certification applications, managing assessments, issuing certificates, project tracking.
Legal obligation (Article 6(1)(c)): retention of data to meet the traceability requirements imposed by ISO 17065.
Legitimate interest (Article 6(1)(f)): improvement of the Platform, security, statistics, publication of the directory of certified projects.
Consent (Article 6(1)(a)): sending communications not directly related to the certification contract.
5. Data Recipients
Data may be disclosed to the following recipients:
Authorised IRICE personnel (project manager, assessment manager, committee chairman, RRE); qualified assessors assigned to projects; Biodiversity Partners involved in the projects; hosting provider (Infomaniak Network SA, Switzerland) for technical purposes; the competent national body in the context of surveillance audits; competent authorities where required by law.
Data is never sold or transferred to third parties for commercial purposes.
6. Transfers Outside the EU
Hosting is provided by Infomaniak Network SA, whose servers are located in Switzerland. Switzerland benefits from an adequacy decision by the European Commission, ensuring a level of data protection equivalent to that of the GDPR. No other transfer of data outside the European Economic Area is carried out.
7. Data Retention Period
Account data: retained for the duration of the contractual relationship, then for 3 years after the last contact for legitimate prospecting purposes.
Certification data: retained for the period of validity of the certificate, then for a minimum of 10 years after expiry, in accordance with ISO 17065 requirements.
Connection data: retained for 12 months in accordance with applicable legislation.
Contractual documents (NDA, General Certification Conditions, contracts): retained for 10 years after termination of the contract.
8. Cookies
The Platform uses strictly necessary cookies for the operation of the service: session cookie (authentication), CSRF cookie (form security). These cookies are exempt from consent in accordance with CNIL guidelines.
The Platform does not use audience measurement, advertising or third-party tracking cookies.
9. Data Subject Rights
In accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act (Loi Informatique et Libertés), you have the following rights over your personal data:
Right of access: obtain confirmation that your data is being processed and receive a copy thereof.
Right to rectification: correct inaccurate or incomplete data.
Right to erasure: request the deletion of your data, subject to statutory retention obligations (in particular ISO 17065).
Right to restriction: request the suspension of processing in the cases provided for by the GDPR.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interest.
Right to withdraw consent at any time for processing based on consent.
To exercise these rights, please send your request to hello@irice-certification.com, enclosing proof of identity. IRICE undertakes to respond within one month.
In the event of an unresolved dispute, you may lodge a complaint with the CNIL (French data protection authority): www.cnil.fr
10. Security
IRICE implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure: encrypted communications (HTTPS/TLS), password hashing, role-based access control, action logging, regular backups, secure hosting.
11. Changes to This Policy
IRICE reserves the right to amend this policy at any time. Users will be notified of any material changes via a notification on the Platform. The date of the last update is indicated below.
Last updated: 26/05/2026