ODYSSEY - Application Personal Data Protection Policy
Last updated : 07 March 2022 Preamble
The Odyssey Application (hereinafter referred to as "the Application") is marketed by ALTAVA, a single shareholder simplified joint-stock company with a capital of €1,000, whose head office is located at 14 rue Bausset 75015 Paris, registered under number 882875388 (hereinafter referred to as "the Owner") .
Access to the Application requires the collection and processing of Users' personal data. The Owner was obliged to establish a personal data protection policy to comply with the recommendations on the processing of personal data as laid down by the applicable legislation and regulations.
The Owner's and the Application's Data Protection Policy has been drawn up in accordance with the recommendations of the Commission Nationale de l'Informatique et des Libertés (CNIL - French National Data Protection Commision). Its purpose is to inform Application Users of how their personal data is processed and of the commitments and measures taken by the Owner to ensure that Application User's personal data is safeguarded.
It has been drawn up in accordance with the provisions of :
France's Data Protection Act of 6 January 1978;
The European Regulation on Personal Data (known as the "GDPR") of 23 May 2018;
France's Law transposing the European Regulation on the Protection of Personal Data (GDPR) of 20 June 2018.
The version currently published on the Application is the current version of this policy. The Owner reserves the right to amend it at any time in order to comply with the legal obligations in force. Any changes to the Confidentiality Policy will be communicated to Users in order to obtain their consent to the updated Policy.
By browsing the Application, Users acknowledge that they have read, understood and accepted this data protection policy. Any questions relating to the policy can be sent to the following address: contact@altava-group.com.
Article 1 - Definitions
Technical terms concerning personal data protection
On the Application, the following terms have the meaning ascribed to them in the context of the GDPR (art.4):
Consent: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her";
Controller: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law";
Processor: "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"
Processing: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"
Personal data breach: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed "
Other terms used herein
"Application": means the Odyssey Application, operated by the Owner and made available to Users
"Policy": refers to this Personal Data Protection Policy
"User": any visitor to the Application who uses the Application and its features and has access to its content
Article 2 - What is personal data?
"Personal data" refers to any information that can directly or indirectly identify a natural person (surname, first name, e-mail address, telephone number, postal address, etc.).
The GDPR defines personal data as: "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
Article 3 - Data concerning minors
In accordance with the provisions of Article 8 of European Regulation 2016/679 and the French Data Protection Act, only minors aged 15 or over may consent to the processing of their personal data.
The Owner shall not be held liable for any use of the Application by a minor who has not obtained the consent of his or her guardian or legal representative.
Article 4 - Collection of personal data The Owner collects the User's consent
The User must provide some of his/her personal data in several instances, for the purposes indicated in article 5 of the Policy, when browsing the Application and in order to be able to use its features,
By providing his/her data, the User therefore consents to the collection and processing by the Owner of the personal data provided for the exclusive purposes detailed in article 5 of the Policy. This consent provides the legal grounds for processing the data collected.
The Owner collects and processes only such data as is strictly necessary for the purposes for which it is processed. The Owner undertakes not to process data for purposes other than those mentioned below. In the case of a new service becoming available via the Application or a feature within the Application, and which requires data collection and processing, the Owner undertakes to collect the Users' consent once again before making said new service accessible to them.
Whenever the Application processes personal data, the Owner takes all reasonable steps to ensure that the personal data is accurate and relevant to the purposes for which it is processed.
Article 5 - Processing purpose
The Owner collects User data solely for the following purposes:
Geolocation data
Users must provide their geolocation data to be able to access the Application's services and features. By activating their geolocation, the Application shows Users the list of monuments, museums, historical sites and places of interest in the User's vicinity.
No other processing is carried out on the geolocation data by the Owner. The legal grounds are the User's Consent.
Navigation data
The legal grounds are as follows : The processing is necessary for the purposes of the legitimate interests pursued by the Owner, in particular to provide Users with a seamless, optimised browsing experience.
Login data and browsing information are also used to prevent and combat computer fraud. The legal grounds are compliance with a legal obligation.
Login credentials
The legal grounds are as follows : The processing is necessary for the purposes of the legitimate interests pursued by the Owner, in particular to provide Users with a seamless, optimised browsing experience.
Article 6 - Data retention period
The Owner shall not exceed the legal data retention periods, and User data is only retained for as long as is necessary for the purposes for which it was collected.
The retention periods are as follows:
In establishing its data processing policy, the Owner has created a reference grid for data retention periods, in line with the CNIL's recommendations. In addition, the Owner may retain certain personal data in order to fulfil its legal or regulatory obligations, to enable Users to exercise their rights, or for statistical purposes. Personal data is deleted or anonymised once the retention period has expired.
Article 7 - Right of access
The data collected via the Application is intended exclusively for the following recipients.
Application hosting
The Application is hosted by Amazon Web Services Europe.
The host has access to the data within the scope of its respective remit, for the purposes of hosting the Application. It has limited access to Users' data for the performance of these services and has a contractual obligation to use it in keeping with the provisions of the applicable regulations on personal data protection.
For more information, please consult AWS Europe's Privacy Policy.
Third-party service providers
The Application and Owner rely on certain third-party services to provide certain features. These third parties have limited access to Users' data for the performance of these services and have a contractual obligation to use it in keeping with the provisions of the applicable regulations on personal data protection.
Application maintenance is carried out by SINGULARIT.
For more information, please consult SINGULARIT's Privacy Policy.
Within Altava Group
Altava Group’s Development Department has limited access to Users' data, and solely for the purposes of Application development and maintenance.
Legal obligations
Data may also be passed on by the Owner to third parties and competent authorities in order to comply with legislative, judicial, fiscal or regulatory obligations. The Owner guarantees Users that no personal data will be transferred to an unauthorised third party without the User's prior, voluntary, informed, express and written consent.
The Owner shall not process, host or transfer the Information collected about its Users to any country outside the European Union that is not considered "adequate" by the European Commission without first informing the data owner and obtaining his or her consent.
Article 8 - Data Protection
The Owner has taken all useful and necessary precautions, in accordance with state-of-the-art practice, to protect Users' information in a secure environment in order to prevent any destruction, loss, alteration, dissemination or unauthorised access. Notwithstanding best efforts, there is no completely secure method of transmission over the Internet or electronic storage. As a result, the Owner cannot guarantee absolute security. The Owner will notify the Users concerned of any security breach so that they can take appropriate action. The Owner's incident notification procedures take account of its legal obligations, whether at national or European level.
In the event of a User's data integrity and confidentiality being compromised, the Data Controller undertakes to comply with the procedures put in place under the French Data Protection Act of 6 January 1978 and the European Data Protection Regulation ("GDPR").
The Owner shall not sell on or outsource User data. Article 9 - Individual rights
In accordance with the French Data Protection Act of 6 January 1978 and the European Data Protection Regulation ("GDPR"), Application Users have the following rights:
Right of access, rectification and erasure
Users may appraise themselves, update, amend or request the deletion of data concerning them by sending an e-mail to the Controller, specifying the purpose of their request and using the contact e-mail address: contact@altava-group.com.
Right to data portability
Users have the right to request the portability of their personal data that is held by the Application or by the Owner, to any third party, by making a request for the portability of their personal data to the data Controller, by sending an e-mail to the address provided above.
Right of restriction and objection to data processing
The User has the right to obtain from the Controller restriction, or to object, to the processing of their data, which the Owner may not refuse, unless it can be shown that there are legitimate and overriding reasons for doing so, which may outweigh the interests and rights and freedoms of the User.
The User must make a request to the data Controller to restrict the processing of his/her personal data, by sending an e-mail to the aforementioned address.
The right not to be subject to a decision based solely on automated processing
In accordance with the provisions of Regulation 2016/679, the User has the right not to be subject to a decision based solely on automated processing, if the decision produces legal effects concerning him or her or similarly significantly affects him or her.
The right to determine what happens to data after death
Users are reminded that they may organise what is to become of their collected and processed data in the event of their death, in accordance with law no. 2016-1321 of 7 October 2016.
Article 10 - Exercise of Rights
How to exercise one’s rights
To exercise any of his or her rights, the User may simply:
Write a letter to the Owner at the address of its head office;
Or send an e-mail to contact@altava-group.com.
The User's full name and address should be provided along with proof of identity.
Requests will be processed within one month unless a compelling reason is given and justified by the Owner to extend the deadline.
Referral to the CNIL
If the Owner does not satisfy the User's request, the User is entitled to refer the matter to the CNIL (Commission Nationale de l'Informatique et des Libertés, https://www.cnil.fr) in order to assert his/her rights.
Article 11 - Cookie policy
What is a Cookie?
The User is informed that a cookie is a small file deposited on Users' terminals (computer, tablet or mobile device), by our Application, during its use. The file contains no personal information, but is used to make the connection between the User's device and their preferences for using and experiencing our Application (e.g. location, language, font size).
User Consent
The User's consent is always requested for the use of "cookies" that involve the storage and analysis of personal data. This consent is valid for a period of thirteen (13) months, barring one or more exceptions (see table Art.13), after which the User will be asked for a new authorisation.
Article 12 - Use of cookies
In accordance with the CNIL deliberation no. 2013-378 of 5 December 2013, the Owner informs Application Users that cookies record certain information that is stored in the memory of their hard disk. This information is used to generate audience statistics for the Application and to offer services in line with the information they selected during their previous visits.
An alert message, in the form of a banner, asks each User visiting the Application whether he or she wishes to accept cookies beforehand. To guarantee the free, informed, and unequivocal consent of Users visiting the Application, the banner will not disappear until they have continued browsing and configured their choices.
Unless the User has given their prior consent, cookies will not be deposited or read:
If anyone visiting the Application does not continue browsing: a simple lack of action cannot be considered an expression of will, or
If they click on the link in the banner that allows them to define their cookie settings and, if applicable, refuse to accept cookies.
The Owner uses and collects cookies in order to :
To process statistics and information about traffic on the Application and to optimise said traffic as far as possible;
To provide Users with a smooth browsing experience by adapting the Application's appearance to the display preferences for the User's terminal;
To store information provided by the User via the Application.
Article 13 - List of cookies on the Application
The list of cookies present on the Application is as follows: (add list of cookies present on the application)
Cookies | Purpose | Type of Cookie | Data retention period |
Article 14 - Opposition and configuration
All Users may refuse to accept cookies by configuring their browser in the following way(s):
Open a private browser window
Configure cookies via the "Cookies" Widget available on the Application's home page;
Configure the mobile device so that a message appears asking to accept, personalise or refuse cookies, or
Any other means available to the User.
Users can choose to express and change their preferences regarding cookies at any time. The Owner declines all responsibility for any consequences resulting from the operation of the Application and any services offered, as a result of:
Refusal of cookies by the User, and/or
The Application's inability to record or consult required cookies as a result of the User's choice.
Article 15 - Amendment of the confidentiality policy
The Owner reserves the right to amend this Policy at any time. In the event of a change to the Policy, the new version will be published immediately on the Application. If the User does not agree with the terms of the revised policy, he/she has the option of no longer using the Application's Services and of no longer browsing on it.
Article 16 - User acceptance of the privacy policy
By browsing the Application, the User confirms that he/she has read and understood this privacy Policy and accepts its terms, particularly with regard to the collection and processing of his/her personal data and the use of cookies.