Privacy Policy

Updated 2023

Definitions and nature of personal data

The following terms and expressions, when used with capital letters, have the meanings attributed to them in the General Terms of Use of Qontrol's Services.

When you use the website (hereinafter: the "Site") or the application (hereinafter: the "Application"), we may ask you to provide us with personal data about yourself in order to use the services we offer (hereinafter: the "Services").

In the context of this charter, the term "personal data" refers to all data that allows the identification of an individual, which includes your name, first name, email address, IP address, cybersecurity habits and level of knowledge, browsing behavior, as well as any other information you choose to provide about yourself.

If you choose to connect your Qontrol account through a third-party authentication service (such as Google), certain data, such as your name, surname, email address, and photograph, may be retrieved from this service. By choosing this method, you agree that said service may provide us with this data.

Purpose of this charter

The purpose of this charter is to inform you about the means we implement to collect your personal data, in strict compliance with your rights.

We inform you that we collect and manage your personal data in compliance with Law No. 78-17 of January 6, 1978, relating to data processing, files, and freedoms, in its current version (hereinafter: the "Data Protection Law"), as well as Regulation (EU) 2016/679 of April 27, 2016, relating to the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter: the "GDPR").

Identity of the data collection controller

The data controller for the collection of your personal data is the company Articule, a simplified joint-stock company with a single shareholder, registered with the Paris Trade and Companies Register under number 843 409 954, with its registered office at 231 rue Saint-Honoré, 75001 PARIS (hereinafter: "We").

Contact point for personal data protection

We have appointed a contact point for personal data protection, whose contact details are as follows:

Collection of personal data

The legal basis for our collection of your personal data is as follows:

This collection is necessary to perform the contract concluded when you use our Services on our Site/Application.

Your consent regarding cookies described in our Cookie Policy accessible in the appendix.

Legitimate interest when you voluntarily provide us with personal data during your visit to our Site/Application, the data being collected to allow us to provide our Services to you at the highest level of quality.

We inform you, when collecting your personal data, if certain data must be provided or if it is optional. Mandatory data is necessary for the operation of the Services. Regarding optional data, you are entirely free to provide it or not. We also inform you of the possible consequences of not responding when relevant.

Processing of personal data by Qontrol as Data Controller

Your personal data is collected to meet one or more of the following purposes:

Perform operations related to customer management concerning contracts, orders, invoices, customer relationship monitoring,

Constitute a file of registered members, users, customers, and prospects,

Send newsletters, solicitations, and promotional messages. In case you do not wish this, we give you the option to express your refusal in this regard when collecting your data;

Develop commercial and attendance statistics of our services,

Manage people's reviews of products, services, or content,

Manage unpaid invoices and possible disputes regarding the use of our products and services,

Personalize responses to your information requests.

Processing of personal data by Qontrol as Sub-Processor

As part of the Services and the Application, Qontrol collects personal data on behalf of and for its clients, as a Sub-Processor within the meaning of the GDPR, for the following purposes:

Conduct a diagnosis of the practices of our clients and those of their employees to understand their exposure to cybersecurity risks;

Be guided in the choice and implementation of solutions adapted to the needs;

Enable dynamic monitoring of the implementation of cybersecurity measures within the client's structure.

In this context, our clients are data controllers within the meaning of the GDPR.

Recipients of collected data

The following may have access to your personal data:

the staff of our company, control services (in particular statutory auditors);

our subcontractors: data hosting provider (OVH), transactional email sending provider, traffic data analysis provider, application error tracking provider

Public bodies, solely to meet our legal obligations, as well as officers of the court, ministerial officers, and entities responsible for debt collection, may also receive your personal data.

Transfer of personal data

Your personal data will not be transferred, rented, or exchanged for the benefit of third parties.

However, we also inform you that we may share or disclose to your employer, when it is a Qontrol client, your data resulting from interaction with the platform in its dedicated space, for the sole purpose of relevant management of its cybersecurity approach (activities carried out on the platform, monitoring of action plans where actions are expected, learning modules followed, procedures followed, connections to the platform, responsiveness regarding tasks to be performed).

Duration of personal data retention

Regarding data related to customer and prospect management:
Your personal data is kept for the duration strictly necessary for the management of our contractual relationship with you.

Regarding any prospecting operations intended for you, your data may be kept for a period of 3 (three) years from the end of the contractual relationship.

Data allowing the establishment of proof of a right or contract, which must be kept for compliance with a legal obligation, will be kept for the duration provided by the current law.

Personal data relating to a prospect, non-customer, may be kept for a period of 3 (three) years from their collection or the last contact made by the prospect.

At the end of this period of 3 (three) years, we may contact you to inquire if you wish to continue receiving commercial solicitations.

Regarding identity documents:
In the event of exercising the right of access, rectification, or opposition, data relating to identity documents will be kept only for the time necessary to verify your identity.

Regarding the management of opposition lists to receive prospecting:
The information allowing us to take into account your right of opposition is kept for a minimum of 3 (three) years from the exercise of the right of opposition.


We inform you that we take all useful precautions, appropriate organizational and technical measures to preserve the security, integrity, and confidentiality of your personal data, and in particular to prevent it from being distorted, damaged, or accessed by unauthorized third parties. We also use secure payment systems in accordance with the state of the art and applicable regulations.


We inform you that your data is stored and kept, for the entire duration of their retention, on the servers of the company OVH (application), within the European Union.

Anonymized data is also processed by European servers of the Typeform application.

Transfer outside the European Union

As part of the tools we use (see article 6 on recipients concerning our subcontractors), your data may be subject to transfers outside the European Union. The transfer of your data in this context is secured using the following tools:

Either this data is transferred to a country that has been deemed to offer an adequate level of protection by a decision of the European Commission;

Or we have concluded with our subcontractors a specific contract framing the transfer of your data outside the European Union, based on the standard contractual clauses between a data controller and a subcontractor approved by the European Commission.


For more information on cookies, we refer you to our Cookie Policy in the appendix.

Access, rectification and deletion of your personal data

In accordance with Law No. 78-17 of January 6, 1978, relating to data processing, files, and freedoms, and the GDPR, you have the right to obtain communication and, if necessary, rectification, through online access to your account, or the erasure of the data concerning you. You can also contact:

Email address:

Postal address: Articule - Qontrol, 231 rue Saint-Honoré, 75001 PARIS

Persons whose data are collected on the basis of our legitimate interest, as mentioned in the "Collection of Personal Data" section, are reminded that they may at any time object to the processing of data concerning them. However, we may continue processing if there are legitimate reasons for the processing that override your rights and freedoms or if the processing is necessary to establish, exercise, or defend our rights in court.

Right to define directives regarding data processing after your death

You have the right to define directives regarding the storage, erasure, and communication of your personal data after your death.

These directives can be general, meaning they cover all personal data concerning you. In this case, they must be registered with a digital trust third party certified by the CNIL.

Directives can also be specific to the data processed by our company. In this case, you should transmit them to the following addresses:

Email address: privacy @

Postal address: Articule - Qontrol, 231 rue Saint-Honoré, 75001 PARIS

By transmitting such directives to us, you expressly consent to these directives being stored, transmitted, and executed in accordance with the provisions herein.

You can designate a person responsible for their execution in your directives. This person will have the authority, upon your death, to access said directives and request their implementation from us. In the absence of designation, your heirs will have the authority to access your directives upon your death and request their implementation from us.

You can modify or revoke your directives at any time by writing to the above addresses.

Portability of your personal data

You have the right to data portability for the personal data you have provided us, understood as the data you have actively and consciously declared in the context of accessing and using the Services, as well as the data generated by your activity in using the Services. We remind you that this right does not apply to data collected and processed on a legal basis other than consent or the performance of the contract binding us.

This right can be exercised free of charge at any time, especially when closing your account on the Site and/or the Application, in order to retrieve and retain your personal data.

In this context, we will send you your personal data by any means deemed useful, in an open standard format commonly used and machine-readable, in accordance with the state of the art.

Filing a complaint with a supervisory authority

You are also informed that you have the right to lodge a complaint with a competent supervisory authority (the Commission Nationale Informatique et Libertés for France), in the Member State where you reside habitually, work, or where the alleged violation of your rights occurred, if you consider that the processing of your personal data covered by this charter constitutes a violation of applicable laws.

This recourse can be exercised without prejudice to any other remedy before an administrative or judicial authority. Indeed, you also have the right to an effective administrative or judicial remedy if you consider that the processing of your personal data covered by this charter constitutes a violation of applicable laws.

Limitation of processing

You have the right to obtain the limitation of the processing of your personal data in the following cases:

- During the verification period that we implement when you contest the accuracy of your personal data,
- When the processing of this data is unlawful, and you wish to limit this processing rather than delete your data,
- When we no longer need your personal data, but you wish to retain it to exercise your rights,
- During the period of verification of legitimate grounds when you have objected to the processing of your personal data.


We reserve the right, at our sole discretion, to modify this charter, in whole or in part, at any time. These modifications will come into effect upon publication of the new charter. Your use of the Site and the Application following the entry into force of these modifications will constitute acknowledgment and acceptance of the new charter. If this new charter does not suit you, you should no longer access the Site and the Application.


By signing the contract that binds you to Qontrol, you explicitly consent to the collection, processing, and use of your personal data in accordance with the terms set forth in this Privacy Policy. This consent constitutes the legal basis for us to process your data in the context of the services we offer you. Withdrawal of your consent may impact the company's ability to provide the services stipulated in the contract. To withdraw your consent, you can contact us via the means indicated in the "Access, rectification and deletion of your personal data" section of this Privacy Policy.

Effective Date

This charter came into effect on 31/08/2023.

Annex - Cookie Policy

What is a Cookie?

During your browsing on our Site or our Application, cookies, pixels, and other trackers (hereinafter collectively referred to as "Cookies") are deposited on your browser or your device.

A Cookie is a small file, often encrypted, stored in your browser or your device and identified by a name. It is deposited when consulting a website or an application. Each time you return to the website or application in question, the Cookie is retrieved from your browser or device. Thus, each time you visit the site or application, the browser is recognized.

The deposit of these Cookies may allow us to access your browsing data and/or personal data concerning you.

Identification of Cookies

Technical and Functional Cookies

Technical and functional Cookies are necessary for the proper functioning of the Site and/or the Application and to provide you with our services. They are used throughout your navigation to facilitate it and perform certain functions.

A technical Cookie can, for example, be used to remember your responses entered in a form or your preferences regarding the language or presentation of the Site and/or the Application, when such options are available. It involves no marketing tracking or monitoring.

We use the following technical and functional Cookies:

| Cookie Name | Cookie Function | Storage Duration |
| --- | --- | --- |
| Auth0 | Authentication, login (purely technical) | 30 days |
| Crisp | Live Chat support discussion, enables ongoing support discussions | 6 months |

Social Media Cookies

Social media Cookies allow you to share content from our Site and/or our Application on social networks and to share your opinion or consultation of our Services on these networks by clicking on the "like" and "share" links.

These Cookies may also allow tracking of users' navigation on the Site and/or the Application.

We invite you to consult the privacy policies of the social networks originating these Cookies, to understand the purposes of using the browsing information they may collect through these Cookies and the procedures for exercising your rights with these social networks.
