Terms and conditions

Updated on 14/02/2023

Record of processing activities

Screeb is a multitenant platform, hosting data for 2 data subjects:

Screeb users/customers (creating the surveys)
End users: website/app users, survey respondents

By design, we do not track personal data for the second category.

Here is the complete list of data we collect:

Screeb users (Screeb being the Data Controller):

First name
Last name
Email address
Language
Company
Job title
Last connection date
Actions made in our solution (usage data)

End users (Screeb being the Data Processor):

Online identifier or unique personal identifier.
Locale
User Agent
Timezone
Device (Desktop/Tablet/Mobile)
Device OS and version (mobile only)
UTM parameters in URL
Survey responses

Some of our customers may collect personal data in surveys or via our tag and SDKs, in accordance with their own GDPR policy:

visitor properties
event tracking
visitor grouping
...

Those data are used for:

targeting surveys to the right audience, according to rules defined by our customer
customizing surveys
pre-fill some survey responses
responses visualization (reports)
application usage visualization (reports)

Screeb SDK can be used anonymously by our customers. In that case, end-user data and survey responses are associated with a random and unique visitor identifier.

Javascript, Android, and iOS SDKs:

The Screeb widget libraries are third-party code snippets. It allows Screeb customers to collect end-user data and display surveys.

Screeb SDK does not use cookies.

Some information are stored locally in browser's local storage or mobile memory. It can be accessed by any code running on the same domain name.

Local-Storage (web), device memory (mobile)

Here is the full list of data stored locally:

Screeb end-users identifier
Customer end-users identifier (if applicable)
List of surveys displayed or responded to:
survey identifier
response identifier
response date (if applicable)
response status (displayed only, response partial, response full, closed)

The Javascript SDK cannot fetch data available on Screeb servers (push only). Having access to a valid end-users identifier does not allow an attacker to extract private information.

Our targeting engine has been built with security by design.

Targeting rules manipulating visitor information are executed server-side, with no way for attackers to "guess" visitor private data by dichotomy.

For caching purposes, our targeting engine may provide to the browser the date of the last response to a survey.

It is the responsibility of the Screeb Customer to ensure malicious data won't be sent to Screeb over Javascript SDK.

As soon as a response is ended or timed out, the response session won't be recoverable. Session time-out is currently 7 days.

Infrastructure

Storage

Data from Screeb customers and end-users are located in Clever Cloud datacenter (France). Here is their complete Security Policy, which also applies to Screeb.
Static files (widget icon and Javascript SDK) are hosted in a Scaleway datacenter in France. https://www.scaleway.com/en/security-and-resilience/
In our datacenter, data are encrypted before being persisted to disk.
Our internal monitoring solution is hosted in a Scaleway datacenter in France. https://www.scaleway.com/en/security-and-resilience/

Networking

The communication layer has been built on top of Cloudflare, a global CDN. Private data about end-users will be transferred over their network to Clever Cloud, based on the visitor region. It means that if visitors are in Europe, their data won't leave Europe. Cloudflare has an ISO /IEC 27701:2019 certification proving their compliance with GDPR. Read more on their dedicated GDPR website section.
Our websocket gateway is hosted at Scaleway, in a French datacenter. Data is not persisted.
There is no caching of private data in our CDN.
Network communications are secured with TLS 1.2 or 1.3, the best-in-class encryption. Certificates are provided by Cloudflare and LetsEncrypt.

Third-party:

Segment (Privacy Policy)
Intercom (Privacy Policy)
June (Privacy Policy)
Fullstory (Privacy Policy)
Sendinblue (Privacy Policy)
Bannerbear (Privacy Policy)
Stripe (Privacy Policy)

No end-user data is sent to these third-party providers. We use them to monitor the usage of our own users in Screeb and to manage our customer relationships.

Internal company security

A short overview of our internal security guidelines:

A limited group of people has access to the Screeb databases.
Use of MFA when applicable
Enforced password policy
Encrypted device (laptop, smartphone)
Up-to-date tools, devices, and software libraries

Our team is trained on a regular basis.

Privacy Policy

Updated on 07/06/2020

1. General

1.1 This Privacy Policy describes how Screeb SAS (the “Company”, “we”, or “us”) collects, uses, stores, shares and protects your personal information in connection with your use of both the platform accessible through the www.screeb.app domain name (the “Site”) and the services we may offer through the Site from time to time, consisting in ‘Screeb surveys’ forms and other services (indistinctly referred to as the “Services”).

2. Scope of this policy

End-users

2.1 If you are an end-users, please note that we are not the entity responsible for the processing of data, but a mere provider rendering services to the person or company that sent you the Screeb survey to fill out. We suggest you carefully read the terms and conditions and privacy policy of the company or person that sent you the Screeb survey, as those are the ones governing the processing of your personal data. If you have any doubts, please contact that person or company. Also, depending on how the person or company that sent you a Screeb survey configured that survey, your data may be shared or made public. To find out more, please contact the entity or person sending you the survey.

If you use our Services or Site

2.2. If you use our Services or Site, this Privacy Policy sets forth how we are processing your personal data, and how are we processing personal data on your behalf. You are not required to provide any personal information when using the Site, unless you choose to access features that require such information (as, by way of example, subscribing to any newsletter). The use of the Services, however, requires that you sign up and create an account on the Site as described in more detail in the Service Terms and Conditions.

2.3. Personal information you provide us when using the Site and/or the Services is subject to this Privacy Policy, and you will be prompted to read and accept it.

3. How is your data being processed?

3.1. Who processes personal information? (who is the ‘Data controller’)

Personal information is processed by us, an entity incorporated in accordance with the laws of France and with the following contact details:

Screeb SAS
Palace
4 rue Voltaire
44000 Nantes
France
[email protected]

3.2. What are we processing your data for and why are we processing it? (‘Purposes of data processing’, ‘legal basis of the data processing’ and ‘storage periods’)

We will process your data when we have to perform a contract, and we will be processing your data as long as the contractual relationship with you is in force and during the five years following the end of said relationship. This results in us having to process your data for purposes of providing you with both the Services, as well as to perform our obligations under the Services Terms and Conditions.

Subject to obtaining your consent, and as long as you do not withdraw any such consent, we may also process your data for the following purposes:

a) To send you electronic commercial communications (if you subscribe to a newsletter) or to answer the requests you may address us when contacting us;

b) To process information obtained through cookies, as described in more detail in the Cookie Policy, and subject to the terms set forth therein;

c) If you opt to sign in by means of a third-party social media platform, we may obtain ID confirmation and other information from that third party, as mentioned in each case;

d) For profiling purposes based on your behavior and how you browse the Site and use the Services, which pages you have visited, and to build audiences. Please note that we may profile users by means of cookies. In those cases, your acceptance of the installation and use of cookies results in data processing for profiling purposes, as described in this paragraph.

e) We may enrich the data we have about you by obtaining information from a select third party for data enrichment purposes, provided that you have given us prior permission. Enriching data allows us to analyze a deeper subset of data from which we may present personalized content.

When we have to comply with a legal obligation applicable to us from time to time, such as those set forth in tax and anti-money laundering laws and regulations. In any such cases, the data will be processed only during the periods set forth by said laws, being deleted thereafter.

Finally, we may also process your data to protect our legitimate interests, as long as said data is strictly necessary to fulfill the goals set forth below, namely:

a) To review, monitor, investigate, and analyze how to improve the Services and/or the Site, as well as to keep our Services and the Site secure and operational and prevent abusive activity (e.g. fraud, spam, phishing activities, etc.). This may include sending you Screeb surveys to assess any problems in the service or know how to improve your user experience. The interests at stake are ensuring a correct and safe environment for both other users and us, taking those interests prevalence over your legitimate interests (we need to create and maintain an environment that is in accordance with the law, the legitimate interests of other parties, what other users may expect from our end, and to protect other users’ security when accessing the Site and using the Services);

b) Besides any commercial electronic and non-electronic commercial communication sent when we have obtained your consent as mentioned above, we may also send you that kind of communication when you are our client. In this last case, we will only send you information belonging to us concerning services and/or products identical or similar to the ones you have contracted with us. In these cases, we have a legitimate interest in processing your contact information to keep you informed about any of our products and services, prevailing this interest over your right to personal data given the non-sensitive nature of the data in question and the fact that the contractual relationship built with our clients results in those clients expecting these kinds of communications; and

c) Upon dissociating the data we have so as to be impossible to be associated to you or any other person, to perform statistical and other analysis on information we collect (technical and metadata) to analyze and measure user behavior and trends, to understand how people use our services, in order to improve and optimize our performance of such services.

3.3. To what extent do we require to have access to your personal data?

We need to process your personal data to perform the legal and contractual obligations mentioned in section 3.2 above. Otherwise, we are not able to provide you with the Services and/or access to the Site. On the other hand, for data processing that depends on your consent or on our legitimate interests, data processing is not legally required.

3.4. Which companies will have access to your personal information?

We share your information with our service providers who help us to provide the Services to you, in which case those third parties are required to comply with our internal standards, policies, and technical and organizational measures that ensure that your data is protected and kept confidential at all times, and only in accordance with and to the extent authorized by this Privacy Policy.

When you authorize us to do so, we may also share your data with other companies so that they can process the data for other purposes, as explained more in detail when we request your prior consent. In addition, if you provide consent for the installation of cookies, your data may be processed by third companies for the purposes and in the territories mentioned in the Cookie Policy.

We may also share your information with competent courts and authorities, when we are legally required to do so (for instance, to allow such bodies to investigate, prevent, or take action against illegal activities), or we have to take action to protect our rights or any third party rights.

Finally, please note that you may opt for creating a Screeb survey in which the results are displayed not in an aggregated manner but by providing the particular answers provided by end-users. In those cases, if you opt to create a Screeb survey having this functionality, the results will be shared with those third parties you opt to share them with. Please bear in mind that, depending on what you intend to do with your data, you may be required to inform or comply with further legal requirements vis-à-vis end-users.

3.5. In which territories may your personal information be processed?

Your information (not third parties’ information collected through Screeb survey, which is subject to section 4.10 below) may be transferred, processed, and stored in countries that do not have data protection laws as protective as those in your jurisdiction. Your agreement to the terms of this Privacy Policy, followed by your submission of information in connection with the Service, represents your agreement to this international transfer of personal data.

3.6. Your rights

You have the right to withdraw your consent at any time. You also have the right to request access to, and rectification of, or erasure of your personal data, or restriction of processing, or to object to processing, as well as the right to data portability. Please note that if you choose to cancel your data, your account will be deleted and all data in your account will be permanently deleted from our systems. You may lodge a complaint at any time with the French Data Protection Agency.

We allow you to exercise the above-mentioned rights at any time by contacting our team ([email protected]), or by sending a letter to Screeb, Palace, 4 rue Voltaire, 44000 Nantes, France.

3.7. Updating your information. Emails and commercial communications.

You can update any information we may have from you by means of the account settings area or by sending us a written communication as described in section 3.6 above. Please remember that it is your duty to keep the information updated so we can correctly provide you with the Services, and you undertake to verify the information you have handed us from time to time to make sure that it is accurate.

As explained in section 3.6 above, you are entitled to ask us, now or at any moment, not to send you any kind of emails or commercial communications. To that extent, you can either change the communication preferences in your account settings page or contact us as described in section 3.6 above. Note that this will not prevent the sending of emails or other communications related to the Services, as those communications are necessary to perform the relationship we have with you.

4. How is the data we collect on your behalf being processed?

4.1. In order to provide you with the Services, we may need to process on your behalf third parties’ personal data. This is the case, for instance, when a person files out a Screeb survey (the forms we made available to you in the Services), in which case the data is collected, stored, and processed on your behalf. For clarification purposes, the subject-matter of the processing is the provision of said Services, and the type of personal data and categories of data subjects depends on the information uploaded into the Service.

4.2. We will only process any personal data we may have access to as a result of the provision of the Services in accordance with the instructions included in the Service Terms and Conditions and any other that you may provide us from time to time in writing. Should we have reasonable grounds to believe that any of your documented instructions infringes European data protection laws, we will inform you punctually, so that you can confirm in writing that instruction. Please, note that in case of any such reconfirmation, you shall bear any consequences arising out of that instruction being contrary to law, and you shall defend, indemnify, and hold us harmless of any and all costs (including attorney’s fees), fines, or sanctions, or any damages deriving from our performance of the challenged instruction.

4.3. We will ensure that all employees authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.4. To provide you with the Services, we may need to use some service providers we already rely on, as well as hire new ones in the future. Those companies will only process the data to the extent necessary to render the Services, and we will enter into written agreements with them to make sure that said companies comply with the obligations included in this section 4 and implement all necessary security measures to ensure adequate protection of the data.

In the event that we want to change any of those service providers by another, or that we need to hire new companies, you will have the right to reasonably oppose to such changes or new appointments in the non-extendable term of 15 calendar days. ‘Reasonably oppose’ shall be interpreted as any challenge based on the failure to meet the legal requirements set forth by the European data protection laws by the new entity to be hired. In any event, we reserve the right to terminate the relationship with you should we cannot hire a subprocessor that is essential or needed for providing the service.

The Company shall enter into written agreements with any subprocessors engaged in the provision of the Services including the safeguards and guarantees required by the General Data Protection Regulation (EU Regulation no. 679\2016, the “GDPR”), particularly in respect of implementing the security measures required in the GDPR. For those subprocessors not part of the Privacy Shield scheme or located in a country considered by European authorities as having the same level of protection as European data protection laws, you agree to comply with the requirements set forth in 4.10 below.

4.5. At your request and expense, we shall assist you with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, if applicable. For the avoidance of doubt, we shall convey to you any request data subjects may address directly to us together with all relevant information, if any, so that you can contact and answer to data subjects, but we shall not take care of responding data subjects.

4.6. We will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. At your request and expense and taking into account the nature of processing and the information available to us, we shall reasonably assist you in compliance with the security obligations set forth by Article 32 of the GDPR.

4.7. We will also provide, at your request and expense and subject to the nature of processing and information available to us, assistance in complying with obligations set forth in Articles 33 to 36 of the GDPR, if applicable.

With respect to data breaches, we will notify you without undue delay upon we confirm that a data breach affecting personal data has taken place. We will provide you with sufficient information to allow you to meet any obligations to report or inform competent authorities or data subjects. We will reasonably cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such data breach. For the avoidance of doubt, you shall be responsible for both filing any reports required under applicable law and notifying data subjects, and you shall defend, indemnify and hold us harmless of any and all costs (including attorney’s fees), fines, or sanctions, or any damages that lack of action on your side may cause.

4.8. Upon termination of the Service Terms and Conditions, we shall delete personal data, unless otherwise required by law.

4.9. We will make available to you all information necessary to demonstrate compliance with the obligations laid down in this Section 4 and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you who is not any of our competitors. You accept that you may only conduct up to one (1) audit per year, except if there are reasonable grounds to believe that we are not performing the obligations included in this section 4. Audits shall only be carried out during normal business hours, and you shall bear all costs except that we are found to be in a material breach of this section 4.

4.10. For the provision of the Services or because you want to process data from a given location or hand it to another company, data may be transferred outside the European Economic Area to an entity not part of the Privacy Shield scheme or to a country which has not been declared to offer a level of protection equal to the one provided by European data protection regulations.

In those cases, you shall ensure that said transfer is possible in accordance with European data protection regulations or any other requirements set forth by law without having to sign Standard Contractual Clauses. Should this not be possible—and only to this extent—and with respect to any subprocessors hired by us, you (as ‘data exporter’) and we (as ‘data importer’) hereby agree to enter into the Standard Contractual Clauses in respect of any such transfers of data. You fully agree with the contents of the Standard Contractual Clauses (available here) and—given that the contractual relationship set forth in the Service Terms and Conditions cannot exist without international transfers of data—you further warrant and represent that you will not question the execution of Standard Contractual Clauses in the future, being their signature a mere act evidencing their agreement to the same as set forth herein.

5. Right to be forgotten

5.1. Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the 'right to be forgotten'. The right only applies to data held at the time the request is received. It does not apply to data that may be created in the future. We remove data upon request, either for a single customer user or for the global customer account. The request usually takes 2 open days. Please contact us on support or at [email protected].

5.2. For reliability reasons, we don't alter backups. Personal data will be deleted permanently at the end of the backup retention period (from 7 days to 1 month).

5.3. Data collected by Screeb can be anonymous. If Screeb is not able to identify the end-user doing a direct removal request, the demand will be rejected. A request coming from the Screeb customer will be accepted immediately.

5.4. Data from inactive visitors are removed automatically after 3 years.

6. How to contact us

6.1. Send a request via email to [email protected]

7. Changes to the privacy policy

7.1. We may amend this Privacy Policy from time to time. You may be required to accept the amended Privacy Policy upon logging in to your Screeb Account in order to keep using the Service. Alternatively, we may post any non-material changes to this Privacy Policy on the Site with a notice advising of the changes in advance of the effective date of the changes. We may also notify you of material changes to this Privacy Policy, before the effective date of the changes, by sending an email or otherwise. If you do not agree to any non-substantial change to this Privacy Policy, you may terminate the Service Terms and Conditions.

Cookie Policy

Updated on 07/06/2020

The platform accessible through the www.screeb.app domain name (the “Site”) is provided by Screeb SAS (hereinafter referred to as “us”, “we” or the “Company”), a French entity with registered address at 18 rue Scribe, 44000 Nantes. Siret 84825801800011.

You may contact us should you have any questions regarding this CP by sending an email to [email protected]

1. What are cookies?

Cookies are small text files that are generated when you access the Site and that collect your browsing information. All cookies used by us are safe for your computer and only process information which is stored on your internet browser. Our cookies cannot execute code, do not contain malware or viruses, and cannot be used to access content on your computer.

2. What types of cookies do we use?

We use our own and those of third parties, as described below:

Strictly necessary cookies: are those cookies needed to ensure you can access the Site, and browse it securely. These cookies are strictly necessary, as the use and access to the Site and the services provided through the Site require them. They also protect us from any fraudulent use of the Site or our services, to verify that anyone using your account is actually you, and protect your data from any unauthorized users. For instance, technical cookies are those relating to the communication and exchange of data, or those required to verify your identity when you sign in into your account.

We use third-party cookies for the purposes mentioned above. Said cookies are installed, used, and owned by:

Stripe, Inc., a US entity with registered address at 510 Townsend Street, San Francisco, California, 94103 (United States of America). To know more about Stripe’s cookies, please visit its cookies and privacy policies, as available here. Please note that the processing of data by Stripe may entail the international transfer of data outside the European Union, as further described in the link above.

Cookies that remember your settings (functional cookies): are those cookies that are installed and used to adapt the Site and the services offered by us to your preferences, such as language, or look and feel of the Site. You can opt to block or limit the installation and use of these cookies as explained in section ‘How can you block or delete cookies’ below, and this shall not impact the usability or functionalities of the Site and/or the services, but your preferences will be lost.

Cookies that measure website use (analytics cookies): are those cookies used for tracking, monitoring, and analyzing how you browse and interact with the Site and our services. They reveal usage trends as well as which users upgrade the services rendered by us and how is this done. You can opt to block or limit the installation and use of these cookies as explained in section ‘How can you block or delete cookies’ below, and this shall not impact the usability or functionalities of the Site and/or the services.

We use third-party cookies for the purposes mentioned above. Said cookies are installed, used and owned by:

Google Ireland Limited, an Irish entity with a registered address at Gordon House, Barrow Street, Dublin 4 (Ireland). To know more about Google’s cookies, please visit its cookies and privacy policies, as available here. Please note that the processing of data by Google may entail the international transfer of data outside the European Union, as further described in the link above;

Segment, a Twilio Company. To know more about Segment’s privacy policy, you can read it here. You can also opt-out to their tracking here;

Intercom R&D Unlimited Company, a company registered in Ireland with a registered address at 2nd Floor, Stephen Court, 18-21 Saint Stephen’s Green, Dublin 2. To know more about Intercom’s privacy policy, you can read it here.

and

Cookies that help with our communications and marketing (advertising and profiling cookies): refers to cookies aimed at tracking, monitoring, and analyzing how you browse and interact with the Site and our services, as well as segment our users based on their behavior and how they browse the site, and to build audiences. They reveal usage trends as well as which users upgrade the services rendered by us and how is this done. All those actions are aimed at better understanding our users for improved communications and marketing strategies. You can opt to block or limit the installation and use of these cookies as explained in section ‘How can you block or delete cookies’ below, and this shall not impact the usability or functionalities of the Site and/or the services.

We use third-party cookies for the purposes mentioned above. Said cookies are installed, used and owned by:

3. How can you block or delete cookies?

You can allow, block, or delete cookies at any time by configuring your browser settings, as well as by means of the cookie banner. As mentioned in section 2 above, blocking or deleting some cookies may impact your ability to access and/or use the Site or the services offered by us. You can find more information on how to block or deactivate cookies below:

Internet Explorer
Safari
Chrome
Firefox

Annex 1 - Screeb’s sub-processors

Screeb customers:

Screeb customers and end users:

Annex 2 - Screeb’s record of processing activities

Get started with Screeb today

Get a demo Try for free