This privacy policy aims to inform client establishments of Répondia how their personal data are collected and processed in connection with the provision of the Répondia solution.

Répondia provides a solution enabling establishments to manage missed calls and, depending on their configuration, to contact their customers via WhatsApp, qualify requests, provide information, and assist with the management of reservations and related requests.

In accordance with the GDPR, information relating to data processing must be provided in a concise, transparent, intelligible and easily accessible manner.

1. Identity of the data controller

The controller of personal data processed in the context of the commercial relationship between Répondia and its client establishments is:

REPONDIA SAS
16 Bis boulevard de Montréal, 06200 Nice, France

Confidentiality contact / DPO
Natan Darhi
natan.darhi@repondia.com

2. Scope

This policy covers the processing of personal data carried out by Répondia:

• to manage the relationship with client establishments;

• to administer accounts, access, contracts, exchanges and billing;

• to provide support, maintenance, security and operation of the solution;

• to enable the configuration and use of the solution by establishments.

It does not, on its own, constitute the information that establishments must provide to their own end customers. Indeed, when Répondia processes end-customer data on behalf of the establishment, the establishment generally acts as the data controller and Répondia as the processor, according to the instructions and parameters defined by the establishment. This division of roles must be expressly formalised.

3. Personal data processed concerning establishments

Répondia may process the following categories of data concerning representatives, authorised users or contacts of the establishments:

• professional identity;

• service login and access data;

• contractual information;

• billing information;

• customer support data;

• technical logs relating to the use of the service;

• account configuration information, including certain settings linked to the WhatsApp Business account used in connection with the service.

  
  

  
  

4. Purposes of processing

The data of establishments are processed for the following purposes:

• creation and management of the client account;

• provision of the Répondia solution;

• service configuration in accordance with the parameters defined by the establishment;

• management of access rights and authorisations;

• performance of the contractual relationship;

• support, assistance and maintenance;

• security, monitoring and incident prevention;

• billing, accounting and administrative management;

• improvement of the service’s operation and quality monitoring.

5. Legal bases

The processing carried out by Répondia in relation to establishments is based mainly on:

• performance of the contract or pre-contractual measures;

• Répondia’s legitimate interest in ensuring the security, support, maintenance, technical traceability and improvement of its services;

• compliance with legal obligations, in particular accounting, tax and evidential obligations.

6. Retention periods

Unless a contrary legal obligation or a specific evidential need applies:

• operational, support and service data are retained for 3 months;

• data relating to missed calls, conversations and associated operational items are retained for 3 months, unless an extraction is provided to the client before deletion;

• contractual and billing data are retained for 5 years, or longer if required by applicable regulations.

The data are then deleted or, where applicable, retained in archived form where this is legally required. The principle of storage limitation is expressly provided for by the GDPR, and the CNIL reminds organisations that a retention period must be defined according to the purpose pursued.

7. Recipients of the data

The following may access the data, within the scope of their responsibilities:

• authorised Répondia teams;

• technical service providers acting on behalf of Répondia;

• administrative or judicial authorities where required by law.

8. Processors and technical tools

Répondia relies on certain technical service providers to deliver its service, in particular:

• Twilio, for sending messages via the WhatsApp API according to the deployed architecture;

• Meta / WhatsApp, in the context of using the WhatsApp Business platform;

• Google Cloud Platform, notably via Cloud Run and Firestore, with principal hosting declared in the EEA;

• Firebase, notably for application functions including authentication and Firestore;

• FlutterFlow, as a front-end development tool.

Depending on the establishment’s configuration, Répondia may also interact with third-party booking tools such as Zenchef or TheFork.

The GDPR requires that any use of a processor be contractually governed, and that the use of further processors be authorised and transparent.

9. Hosting and transfers

Répondia states a principal hosting arrangement within the EEA.

However, certain technical providers used in the service chain, particularly within the WhatsApp Business ecosystem, may involve processing or access outside the EEA. Where such a transfer occurs, it must be governed by an appropriate mechanism within the meaning of the GDPR, in particular an adequacy decision or standard contractual clauses where required.

10. Security

Répondia implements security measures appropriate to the nature of the processing, including in particular:

• encryption in transit;

• encryption at rest;

• segregation by establishment;

• internal access rights management;

• restriction of support access;

• incident management procedures;

• security reviews and testing.

The CNIL reminds organisations that processors and controllers must implement appropriate technical and organisational measures in light of the risk.

11. End-customer data of establishments

Within the scope of the service, Répondia may process certain data of the establishments’ end customers on their behalf, in particular:

• telephone number;

• surname or first name;

• message content;

• preferences and requests relating to the reservation;

• date, time and number of covers;

• call transcription;

• exchange history;

• technical data necessary for the operation of the service.

Some more sensitive information may be provided by end customers in the free text of exchanges, such as allergies, accessibility needs or special requests. This information is processed solely to fulfil the request made to the establishment and is transmitted to the establishment as part of the service.

Répondia specifies that end-customer data are not used to train general-purpose models.

12. Artificial intelligence

Répondia uses automated assistance mechanisms to:

• qualify requests;

• generate responses;

• suggest reservations;

• extract certain useful information;

• produce summaries;

• direct or route certain requests.

To Répondia’s knowledge, these automations do not, on their own, lead to a decision producing legal effects or similarly significant effects on the data subject. Human intervention on the establishment’s side remains possible.

13. Rights of individuals

Representatives of establishments have, as applicable, the rights of access, rectification, erasure, restriction, objection and, where applicable, portability.

These rights may be exercised with Répondia at the following address:

natan.darhi@repondia.com

If they experience any difficulty, data subjects may also lodge a complaint with the CNIL.

14. Update

Répondia may amend this policy to reflect any legal, technical or operational developments. The version in force is the version published on the medium communicated to establishments.