Privacy Policy
Last updated: April 28, 2026
Version: 2.0
Preamble
The company Ficha (hereinafter "Ficha", "we" or "our"), a simplified joint-stock company (SAS) with a share capital of [Share capital – to be completed] euros, registered with the Grenoble Trade and Companies Register under SIREN number 881 734 800, whose registered office is located at 12 rue Pierre Semard, 38000 Grenoble, France, attaches the greatest importance to respecting privacy and protecting the personal data of users of its products and services.
This Privacy Policy (hereinafter the "Policy") aims to inform you, in a clear and transparent manner, about how Ficha collects, uses, stores, shares and protects your personal data when you use any of our Products (as defined below) or interact with us.
This Policy has been drafted in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR");
- Law No. 78-17 of 6 January 1978, as amended, relating to information technology, files and freedoms (the "Data Protection Act");
- the guidelines and recommendations of the National Commission for Information Technology and Freedoms ("CNIL").
By using our Products, you acknowledge that you have read this Policy. If you do not agree to its terms, please do not use our Products.
1. Definitions
For the purposes of this Policy, the following terms have the meanings set forth below:
- "Personal Data": any information relating to an identified or identifiable natural person, directly or indirectly, within the meaning of Article 4.1 of the GDPR.
- "Processing": any operation or set of operations performed on Personal Data (collection, recording, storage, modification, extraction, consultation, communication, erasure, destruction, etc.).
- "User" or "you": any natural person who uses one of the Ficha Products or interacts with Ficha (site visitor, application user, ambassador, customer manager, prospect, candidate, etc.).
- "Product(s)": any of the websites, web applications, mobile applications or IoT sensors published and operated by Ficha, as listed in section 2.
- "Data Controller": the legal entity that determines the purposes and means of the Processing, within the meaning of Article 4.7 of the GDPR.
- "Subcontractor": the legal entity which processes Personal Data on behalf of the Data Controller, as defined in Article 4.8 of the GDPR.
2. Scope: the Ficha products concerned
This Policy applies to all Products published by Ficha. Ficha's roles in data processing may vary depending on the Product and its use.
| Product | URL / Platform | Target audience | Ficha's Role |
|---|---|---|---|
| Ficha showcase website | https://ficha.fr | General public, prospects | Data controller |
| Camia Dashboard | https://camia.ficha.fr | Employees and agents of local authorities and client operators | Subcontractor acting on behalf of the Client |
| Camia Ambassador App | iOS and Android | Employees and agents of local authorities, sorting operators and public service concessionaires who are clients of Ficha (for example Suez, Brest Métropole) | Subcontractor acting on behalf of the Client (local authority / operator) |
| Cocoon User Application | iOS and Android | End users of the Cocon devices (residents, individuals sorting their waste) | Data controller (user account lifecycle); may act as a data processor on behalf of a local authority or landlord in certain cases |
| Cocoons Manager | https://manager.ficha.fr | Social housing providers, property managers, local authorities, building managers | Subcontractor acting on behalf of the Client; jointly responsible for certain ancillary functionalities |
| Onboard IoT sensors (collection trucks, Cocon devices) | Hardware deployed in the field | Indirectly: end users whose sorting images can be captured; local authority employees operating the vehicles | Subcontractor acting on behalf of the Client |
Clarification on the roles: When Ficha acts as a subcontractor on behalf of a Client (local authority, landlord, operator), it is this Client who determines the purposes of the processing and is the Data Controller. This Policy nevertheless informs you of how Ficha technically processes your data and explains how to exercise your rights, noting that for certain requests, we may need to transfer them to the competent Data Controller.
3. Identity of the data controller and contact details of the DPO
3.1 Data Controller
Ficha SAS
12 rue Pierre Semard 38000 Grenoble, France
SIREN: 881 734 800
Email: contact@ficha.fr
3.2 Data Protection Officer (DPO)
In accordance with Article 37 of the GDPR, Ficha has appointed a data protection officer:
Guillaume Dionisi, CTO and DPO of Ficha
Email: guillaume.dionisi@ficha.fr
Phone: +33 6 69 21 81 34
Postal address: 12 rue Pierre Semard, 38000 Grenoble, France
You can contact our DPO for any questions relating to this Policy or to exercise your rights (see section 11).
4. Categories of data collected, purposes, legal bases and retention periods
Ficha systematically applies the principles of minimization and proportionality: we only collect data that is strictly necessary for the purposes pursued, and only for the duration necessary for those purposes.
The tables below detail the main processing operations implemented.
4.1 Showcase website ficha.fr
| Data category | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Browsing data recorded in our server logs (IP address, browser type, pages visited, timestamp, referrer) | Site security and proper functioning | Legitimate interest (Art. 6.1.f GDPR) | 6 months for server logs |
| Cookie identifiers and marketing trackers | Advertising effectiveness measurement, retargeting | Consent (Art. 6.1.a GDPR) | Maximum 13 months (cookie lifespan) |
| Data provided via contact form (name, surname, email, telephone, message) | Responding to information requests and business inquiries | Pre-contractual measures (Art. 6.1.b GDPR) or legitimate interest (Art. 6.1.f) | 3 years from the last contact (prospect) |
| Data from unsolicited candidates or those responding to a job offer (CV, cover letter, experience) | Recruitment management | Pre-contractual measures (art. 6.1.b); consent for retention beyond recruitment (art. 6.1.a) | 2 years after the last contact, unless explicit consent is given for longer retention |
4.2 Cocoon User Application (iOS and Android)
| Data category | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Identification data: name, surname, email address or telephone number, unique user identifier | Account creation and management, authentication | Performance of the contract (Art. 6.1.b GDPR) | Account lifespan |
| Profile data: residence or affiliated landlord | Determining eligible rewards and partners | Performance of the contract (art. 6.1.b) | Account lifespan |
| Usage data: number of sorts performed, points accumulated, points exchange history, badges, rankings | Delivery of reward and gamification services | Performance of the contract (art. 6.1.b) | Account lifespan; anonymized statistics thereafter |
| Geolocation data: precise GPS location of the device | Locating nearby collection points and partner businesses | Consent (art. 6.1.a) – can be enabled/disabled at any time in the device settings | For the duration of use of the feature; not retained beyond the session |
| Photos: photos taken from the application | Reporting a problem with the recycling management in the residence | Performance of the contract (art. 6.1.b) | During the processing of the associated event. Beyond that, the images can be kept without any link to a user account after prior anonymization, to be referenced by the residence manager. |
| Device identifiers and technical data: model, OS, app version, language, time zone | Diagnostics, bug fixing, security | Legitimate interest (art. 6.1.f) | During the processing of bug reports |
| Push notifications (FCM/APNs token) | Sending notifications related to the account, rewards, and events | Consent (art. 6.1.a) – can be enabled/disabled in the device settings | As long as the token is valid |
| Connection logs and event logs | Security, anomaly detection, fraud prevention | Legitimate interest (art. 6.1.f); legal obligation in the event of a requisition (art. 6.1.c) | 3 months |
4.3 Camia Ambassador Application (iOS and Android) and Camia Dashboard
When you use these Products as part of your work on behalf of a local authority or operator, it is that entity which is the Data Controller, and Ficha acts in the capacity of subcontractor. The precise legal basis for the processing is determined by the Client in the subcontracting agreement and may, depending on its status, be based on the performance of the employment contract (art. 6.1.b GDPR), a public interest mission (Art. 6.1.e GDPR) for public authorities, or legitimate interest (Art. 6.1.f GDPR). The durations and purposes can be adapted to the Client's instructions.
| Data category | Purpose | Legal basis (determined by the Client) | Retention period |
|---|---|---|---|
| Professional identification data: name, surname, professional email address, internal identifier, role, team, affiliated organization | Account creation, authentication, and allocation of rights | Performance of the employment contract (Art. 6.1.b GDPR) | Contract duration with the Client + applicable statute of limitations; account deletion within 48 hours of an agent's departure |
| Geolocation data: routes, waypoints, real-time position during tours | Monitoring of awareness campaigns, automatic population of visited addresses | Contract execution | For the duration of use of the feature |
| Technical identifiers of the professional device | Security, auditing, traceability | Legitimate interest / Legal obligation (according to Client) | 3 months |
| Access and action logs | Security, traceability, fraud prevention | Legal obligation / Legitimate interest | 3 months |
4.4 Cocoon Manager (manager.ficha.fr)
| Data category | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Professional identification data of managers (landlords, property managers, local authorities): name, surname, professional email, position, organization | Account creation, authentication, support | Contract execution | Contract duration with the Client + limitation period (1 month) |
| Functional data: bin reference data, communication materials, residence data, usage indicators | Provision of administrative functionalities | Contract execution | Contract duration with the Client |
| Access logs | Security, traceability | Legitimate interest; Legal obligation | Minimum 1 year |
4.5 Data collected in all cases (cross-sectional)
| Data category | Purpose | Legal basis | Retention period |
|---|---|---|---|
| User support data (email exchanges, screenshots provided, technical identifiers) | Responding to support requests, resolving incidents | Legitimate interest; Performance of the contract | 3 years after the ticket closure |
| Information required for invoicing (company name, billing address, VAT number) | Accounting and tax obligations | Legal obligation (art. 6.1.c) | 10 years (accounting and tax obligations – Commercial Code, art. L123-22) |
4.6 Clarification on the training of artificial intelligence models
Some images collected via IoT sensors and the Camia Ambassador app can be used to train and improve Ficha's artificial intelligence models for waste recognition. Before any use for this purpose, the images are systematically anonymized (removal of EXIF metadata, blurring of elements likely to identify a person). No directly identifying personal data is used for AI training.
5. Data Origin
The personal data that Ficha processes comes primarily:
- directly from you, when you enter information into our Products (account creation, forms, photos, etc.);
- automatically from your use of our Products (logs, technical data, geolocation activated by you, IoT sensors);
- from our Clients (local authorities, landlords, operators), when they assign you a professional account to use the Camia Dashboard, the Camia Ambassador application or the Cocons Manager;
- from reward partners (partner merchants, voucher platforms), for the delivery of rewards against points in Cocon (without transmission of identifying data beyond what is strictly necessary for the delivery of the reward).
Ficha does not purchase prospecting files from data brokers.
5.1 Information regarding indirect data collection (Article 14 GDPR)
When Ficha processes data about you that was not collected directly from you, for example:
- data provided by your landlord, your local authority or your operator (belonging to a residence or team, employee ID, role);
- images captured by IoT sensors on board collection vehicles (passersby, license plates likely to appear in the background);
- data transmitted by a partner as part of a joint promotional operation;
this Policy serves as the information required under Article 14 of the GDPR. The categories of data concerned and the purposes are described in section 4; the sources are indicated above; your rights are outlined in section 11. Where providing the information directly to the data subject is impossible or would require disproportionate effort, the information is disseminated by any appropriate means (display on vehicles, communication by the Client to its agents and constituents).
5.2 Incidental capture of third-party images by IoT sensors
The IoT sensors installed on Ficha's customers' collection vehicles are designed to automatically recognize the contents of bins and waste streams. Although this is not their intended purpose, these sensors may occasionally capture images of passers-by, residents, or license plates.
To minimize this accidental collection:
- the cameras are oriented towards the container loading area and their field of view is restricted to the bare minimum;
- the images are subject, from the moment they are captured, to automatic blurring of detected faces and license plates;
- the images are not stored in the clear beyond the time strictly necessary for business processing; images stored for the purpose of improving AI models are systematically anonymized beforehand;
- any image that is the subject of a request to exercise rights by a third party is processed according to the procedure described in section 11.
A data protection impact assessment (DPIA) has been carried out for this processing.
6. Mandatory or optional nature of the data
When Ficha collects Personal Data, whether it is mandatory or optional is indicated at the time of collection (for example by an asterisk on the forms).
Refusal to provide mandatory data may prevent account creation, access to certain features, or the provision of the service. Refusal to provide optional data does not affect access to essential features; it may limit certain optional features.
For example, in the Cocoon user application:
- Refusal of geolocation: the map of nearby collection points and stations, as well as the list of local reward partners, cannot be presented to you in a personalized way. You will still be able to use the rest of the application.
- Refusal of access to the camera or photos: some image sorting and reporting features will not be available.
- Refusal of push notifications: you will not receive alerts about point allocations, available rewards, or ongoing promotions in your area. Email communications will still be available.
- Refusal to create an account (email/password): access to features related to accumulating points and exchanging them for rewards is impossible.
No data is collected beyond what is strictly necessary for the intended purpose.
Ficha does not collect audio data: none of our Product features use the device's microphone.
7. Recipients and subcontractors
Ficha does not sell or rent your Personal Data to third parties. Personal Data is accessible, to the extent strictly necessary for their missions, to the following recipients.
7.1 Internal Recipients
- The Product, Technical, Support, Sales and Management teams at Ficha, within the framework of their respective missions, and in compliance with the principle of least privilege (access management via Google Cloud IAM, quarterly rights review, mandatory MFA).
7.2 External Recipients
- Our Clients (local authorities, landlords, trustees, public service operators), for the Products they make available to their agents or constituents;
- Our reward partners (local merchants, digital voucher platforms), for the delivery of rewards in Cocon (transmission limited to a unique identifier or code, without unnecessary identifying information);
- Administrative, judicial and regulatory authorities, when required by law (judicial requisition, CNIL request, etc.).
7.3 Subcontractors
Ficha relies on a limited number of technical subcontractors, selected for their guarantees regarding security and GDPR compliance. Each subcontractor is bound to Ficha by a contract containing the clauses required by Article 28 of the GDPR (Data Processing Agreement / DPA).
| Subcontractor | Role | Data location | Guarantees / transfer framework |
|---|---|---|---|
| Google Cloud EMEA Limited / Google Cloud France (Google Cloud Platform, Firestore, Cloud Run, Cloud Storage, Cloud KMS, Cloud Functions, Cloud Logging, Cloud Monitoring, Cloud Audit Logs, Security Command Center, Google Cloud Armor, Cloud Secret Manager) | Hosting, database, media file storage, key management, security | EU regions: France (europe-west9, Paris) and Belgium (europe-west1, St-Ghislain) | ISO/IEC 27001, 27017, 27018, SOC 2/3 certifications; AES-256 encryption at rest, TLS 1.2+ in transit; Google Cloud DPA; Standard Contractual Clauses for support operations that may involve a transfer |
| Firebase (Google): Firebase Authentication, Firebase Cloud Messaging, Firebase Analytics, Firebase Hosting | Authentication, push notifications, application audience measurement | EU (multi-region configuration) | Same as Google Cloud |
| Twilio Inc. / Twilio Ireland Limited | Sending transactional SMS messages (OTPs, codes, notifications) | EU / United States | Twilio DPA; Standard Contractual Clauses; ISO 27001 and SOC 2 certifications. SMS content is retained by Twilio for the minimum period required by operator regulations; dispatch identifiers are retained by Ficha for 12 months. |
| Twilio Inc. – SendGrid product | Sending transactional emails (account creation, magic link, notifications) | EU / United States | SendGrid DPA (Twilio Inc.); Standard Contractual Clauses |
Detailed list of subcontractors – An up-to-date list of subcontractors used by Ficha can be obtained upon request from the DPO. Any significant changes to this list will be communicated to Clients within the framework of the corresponding contractual relationships.
8. Data transfers outside the European Union
The main hosting of the data processed by Ficha for its Products takes place exclusively within the European Union (France and Belgium, via Google Cloud Platform).
Some of our subcontractors (notably Twilio, SendGrid) may, for ancillary operations (support, backup, monitoring) or by their very nature, process data from the United States or other third countries.
In this case, Ficha ensures that a legal framework compliant with Articles 44 et seq. of the GDPR is in place, including:
- an adequacy decision of the European Commission (for example the EU-US Data Privacy Framework for certified American subcontractors);
- the Standard Contractual Clauses (SCCs) of the European Commission adopted by Implementing Decision (EU) 2021/914 of 4 June 2021;
- additional measures when a transfer impact analysis (TIA) justifies it: enhanced encryption, pseudonymization, specific contractual provisions.
You can obtain a copy of these safeguards upon request from the DPO.
9. Cookies and other trackers
9.1 What is a cookie?
A cookie is a small text file placed on your device (computer, tablet, smartphone) when you visit a website or use an application. It allows your device to be recognized during subsequent visits.
The generic term "trackers" includes HTTP cookies, tracking pixels, web beacons, local storage, mobile analytics SDKs and any other equivalent device.
9.2 Obtaining your consent
In accordance with Article 82 of the French Data Protection Act, the placing and reading of cookies that are not strictly necessary are subject to your prior consent, collected via a banner on first access to the site or application. You can withdraw your consent at any time by clicking on the "Manage my cookies" link accessible from our Products.
9.3 List of cookies and trackers used
a) Showcase website ficha.fr
| Name / Family | Issuer | Purpose | Category | Legal basis | Retention period |
|---|---|---|---|---|---|
| WordPress session cookies (wordpress_*, wp-settings-*) | Ficha | Site functionality, session management | Strictly necessary | Exemption (cookie strictly necessary for the provision of the service, art. 82 LIL) | Session or 1 year |
| Consent cookie (cookie_consent) | Ficha | Remembering your cookie preferences | Strictly necessary | Exemption (cookie strictly necessary for the operation of the consent collection service, CNIL guideline of September 17, 2020) | 6 months |
b) Trackers placed in the applications (Cocon, Camia Ambassador, Camia, Cocon Manager)
Mobile and web applications do not use HTTP cookies in the strict sense, but rather technical identifiers stored via SDKs (Firebase, device OS) and browser local storage. These trackers are also subject to Article 82 of the French Data Protection Act.
| Tracker | Issuer | Purpose | Category | Legal basis | Retention period |
|---|---|---|---|---|---|
| Firebase authentication tokens (ID tokens, refresh tokens) | Firebase / Ficha | Maintaining the authenticated session | Strictly necessary | Contract execution | 1-hour session; automatic renewal |
| Firebase Cloud Messaging push token | Firebase / Ficha | Sending push notifications authorized by the User | Strictly necessary for the requested functionality | Consent (system authorization for notifications) | As long as the token is valid |
| Firebase Crashlytics (if applicable) | Firebase / Google | Diagnosing application crashes | Pseudonymized technical diagnosis | Legitimate interest (security and stability of the service) | 90 days |
9.4 Configuring your browser or device
You can configure your browser or device at any time to:
- accept or reject cookies;
- delete cookies already stored.
The precise details are available on the CNIL website: https://www.cnil.fr/fr/cookies-et-traceurs-comment-les-maitriser.
10. Data Security
Ficha implements, in accordance with Article 32 of the GDPR, technical and organizational measures appropriate to guarantee a level of security adapted to the risk, based on the state of the art and the recommendations of the CNIL and the ANSSI.
10.1 Technical Measures
Without going into detail about the configurations that could be useful to an attacker, Ficha notably implements:
- encryption of Personal Data at rest and in transit, with secure key management;
- multi-factor authentication (MFA) and a robust password policy for all access to environments processing Personal Data;
- access control based on the principle of least privilege, with regular reviews of rights;
- partitioning of production, testing and development environments, as well as of data between Clients;
- pseudonymization of Users by means of technical identifiers distinct from identifying data;
- protection mechanisms against attacks (application firewall, protection against distributed denial-of-service attacks, automatic vulnerability detection, code audits);
- regular backups, redundant within the European Union, with restoration tests;
- logging and monitoring of sensitive access and operations, with automatic alerts on suspicious events;
- hardening of IoT devices deployed in the field (minimal operating system, encrypted communications, no direct exposure to the Internet);
- securing of employee workstations and premises (access control, video surveillance, centralized terminal management).
10.2 Organizational Measures
- a Privacy by Design and by Default approach from the design of functionalities, with validation of new processing by the DPO;
- maintenance of a record of processing activities compliant with Article 30 of the GDPR;
- carrying out of Data Protection Impact Assessments (DPIAs) for high-risk processing;
- subcontractor management policy (selection, contractualization in accordance with Article 28 GDPR, monitoring);
- documented procedure for managing incidents and data breaches, with qualification matrix, crisis unit and lessons learned;
- internal information classification scale determining the applicable protection rules;
- awareness and continuing education program for employees (GDPR, security, phishing), in accordance with the recommendations of the CNIL and the ANSSI.
10.3 Detailed Documentation
The detailed documentation of our security system (information systems security policy, processing register, audit reports, subcontracting agreements, business continuity plan, etc.) is kept up to date and can be communicated, in the appropriate context, to our Clients, their authorized auditors and any competent supervisory authority.
10.4 Limitations
No data transmission over the Internet or storage system can be guaranteed to be 100% secure. Ficha employs reasonable and state-of-the-art measures to protect your Personal Data, but cannot guarantee the absolute absence of any incident.
11. Your rights
In accordance with Articles 12 to 23 of the GDPR and Articles 48 to 56 of the French Data Protection Act, you have the following rights regarding your Personal Data.
11.1 List of rights
- Right of access (Art. 15 GDPR): obtain confirmation that your Data is being processed and obtain a copy of it.
- Right of rectification (Art. 16 GDPR): have your inaccurate data corrected or completed.
- Right to erasure or "right to be forgotten" (art. 17 GDPR): obtain the deletion of your Data in the cases provided for by the GDPR.
- Right to restriction of processing (Art. 18 GDPR): obtain a temporary freeze on the use of your Data.
- Right to portability (Art. 20 GDPR): receive your Data in a structured, commonly used and machine-readable format (JSON or CSV), and where appropriate transmit it to another data controller.
- Right to object (Art. 21 GDPR): to object, on grounds relating to your particular situation, to processing based on legitimate interest; to object at any time to processing for direct marketing purposes.
- Right to withdraw your consent (art. 7.3 GDPR) at any time, without this calling into question the lawfulness of the processing carried out before the withdrawal.
- Right to define guidelines relating to the fate of your Data after your death (art. 85 of the Data Protection Act).
- Right to lodge a complaint with a supervisory authority (see 11.4).
11.2 Procedures for exercising
You can exercise these rights:
- directly from our Products, when the functionality exists (account settings: edit, delete, export);
- by email at guillaume.dionisi@ficha.fr;
- by mail to: Ficha – For the attention of the DPO – 12 rue Pierre Semard, 38000 Grenoble, France.
To identify you and prevent any identity theft, we may ask you to verify your identity (identity document, the superfluous elements of which can be obscured).
11.3 Response Times
Ficha is committed to responding to your request within one month. The processing time is extended by two additional months from the date of receipt for complex or numerous requests. You will be notified of any extension within one month of receiving your request, along with the reasons for the extension. For portability requests, Ficha strives to respond as quickly as possible, and always before the one-month deadline expires.
11.4 Complaint to a supervisory authority
If, after contacting us, you believe that your rights have not been respected, you can file a complaint with the National Commission for Information Technology and Civil Liberties (CNIL) or with the supervisory authority of the European Union member state in which you reside or work or in which the alleged violation occurred (Article 77 GDPR).
CNIL:
- 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07
- Telephone: +33 1 53 73 22 22
The list of European supervisory authorities is available on the website of the European Data Protection Board: https://www.edpb.europa.eu/about-edpb/about-edpb/members_fr.
11.5 Special case of Products used in the context of a professional mission
If you use the Camia Ambassador application, the Camia Dashboard, or the Cocons Manager as part of your work on behalf of a Ficha Client (local authority, operator, landlord), your request to exercise rights may be forwarded to the relevant Client acting as Data Controller. Ficha will tell you, if necessary, who to address your request to, and will facilitate its processing by providing the necessary data and tools.
12. Data concerning minors
The Cocoon User application can be used by minors.
In accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act, the registration and processing of a minor's personal data are subject to the following rules:
- Ages 15 and up: the minor can consent alone to the processing of his or her personal data within the framework of information society services.
- Under 15 years old: consent must be given jointly by the minor and by one of the holders of parental authority.
Ficha takes reasonable steps to verify the declared age and obtain parental consent where required. If you are a parent or legal guardian and believe that a minor under your care has provided personal data without your consent, you can contact us at guillaume.dionisi@ficha.fr so that we can proceed with the deletion of the account and associated data as soon as possible.
No targeted advertising is shown to minors identified as such.
13. Automated decision-making and profiling
Ficha implements certain operations that can be described as profiling within the meaning of Article 4.4 of the GDPR, such as:
- automatic recognition of the contents of bins and sorting flows by embedded AI models (IoT sensors, Camia Ambassador application);
- suggestions for rewards or partners in Cocon depending on your postal code and your sorting activity;
- the establishment of rankings and badges in Cocoon (gamification).
On the other hand, Ficha does not implement purely automated decision-making producing legal effects or significantly affecting individuals within the meaning of Article 22 of the GDPR. Algorithmic processing likely to have a significant effect (for example: classifying a sorting action as non-compliant) always involves human intervention in the final decision (validation by an ambassador, a Client agent or a member of the Ficha team).
You can at any time express your point of view, contest a result or request human intervention by contacting our DPO (see section 17).
14. Links to third-party sites
Our Products may contain links to websites or applications published by third parties (partner merchants, authorities, institutional partners, etc.). Ficha has no control over these third-party sites and is not responsible for their data protection practices. We encourage you to review their own privacy policies before providing them with any personal data.
15. Notification of data breaches
In accordance with Articles 33 and 34 of the GDPR, Ficha has implemented a formalized procedure for managing data breaches.
- Incidents are classified according to a 4-level matrix (Low / Moderate / High / Critical), based on criteria of urgency and impact.
- For incidents classified as High or higher (leakage, alteration or loss of Personal Data), Ficha:
  - notifies the competent Data Controller (the Client, when Ficha acts as a subcontractor) within 48 hours;
  - notifies the CNIL within 72 hours when the breach is likely to pose a risk to the rights and freedoms of the persons concerned;
  - informs the people concerned directly when the breach is likely to result in a high risk to their rights and freedoms;
  - documents all breaches in an internal register.
16. Amendments to this Policy
Ficha may need to amend this Policy to reflect legal, regulatory, technical or organizational changes.
Any changes will be indicated by updating the "Last Updated" date at the top of the document. For substantial changes, Ficha will inform you through an appropriate means (in-app notification, email, website banner, etc.) before their entry into force.
We encourage you to review this Policy regularly.
A version history is kept internally and can be consulted upon request to the DPO.
17. Contact us
For any questions, information requests, or requests to exercise rights related to this Policy:
Data Protection Officer – Ficha SAS
Guillaume Dionisi
12 rue Pierre Semard – 38000 Grenoble, France
Email: guillaume.dionisi@ficha.fr
General email: contact@ficha.fr
Telephone: +33 6 69 21 81 34