Terms and conditions of use of the AppConsent XChange solution
AppConsent, the Consent Management Platform (CMP) built and distributed by SFBX, is a complete and powerful trusted third party solution. It allows digital players to optimize their consent rate and ensure a qualitative and personalized user experience.
With AppConsent, the Client can collect, prove, centralize and distribute user consents across all its digital channels.
The subscription and access to the AppConsent solution published by SFBX by the Client implies the express and unreserved acceptance by the latter of the present General Terms and Conditions and agrees to be bound by them.
SFBX may modify these Terms and Conditions at any time.
SFBX shall inform Clients of such changes by e-mail or any other form of communication accepted by the Clients, taking care to respect a notice period.
Article 1 - Definitions
The following terms have the following meanings in these General Conditions unless otherwise specified.
CGU: the present General Conditions of Use.
Digital Channels: means the Customer's applications and databases, under its responsibility, to which the Consents are communicated in the context of the SaaS Service.
Customer: means a natural or legal person, consumer within the meaning of the Consumer Code, who has subscribed to and uses one of the offers of the AppConsent solution thanks to an Identifier (including client seller and client buyer).
Customer seller: means a legal or natural person, using the AppConsent Xchange solution, and sharing its users' data with their consent to XChange partners.
Customer buyer: means a legal or natural person, using the AppConsent Xchange solution, and purchasing the data of the customer sellers for which it has been designated as an XChange Partner.
Account : consolidated set of the Customer's data including raw data and files uploaded by the Customer in the context of the collection of consent from users of its websites or mobile applications.
Consent : means any free, specific, informed and unambiguous expression of will by which the User accepts, by a declaration or by a clear positive act, that personal data concerning him/her may be processed as defined by the Personal Data Regulations, which must be obtained prior to the installation by the Client of cookies or tracers on the Visitor's Terminal.
AppConsent Xchange Agreement: means the legal document that the Customer shall sign in order to formalise legally the subscription and use of the AppConsent Xchange Solution. This document shall govern the relationship between the Customer and the Service Provider.
Data Dictionary: defines all user data for which they have given consent, which is collected and shared within the AppConsent Xchange.
Data: means any information or documents that the Customer registers on his Account, and in the context of the application of the contracts, any user data collected in the context of the consent collection and any user data collected in the context of the sharing defined by AppConsent XChange in accordance with the Data Dictionary.
Commitment: means the set of commitments constituted by the opening of an AppConsent XChange account by the Customer and his acceptance of these Terms and Conditions.
Hosting Company: an external service provider to whom SFBX subcontracts the hosting of the AppConsent XChange Solution and Customer Data.
Username: the combination of username and password required by the Customer to log in to their Account to access the back office of the AppConsent Platform.
Consent Notice: The notice owned by the Service Provider containing the legal information required to obtain a Consent and provided by the Service Provider to the Client as a deliverable at the end of the SaaS Service installation and implementation services.
New Versions: refers to all functional and/or technical evolutions of the Platform developed at the initiative of the Service Provider within the framework of the SaaS Service, to enrich the Platform and to meet needs that can be shared between SaaS Service customers and the new obligations of the Personal Data Regulation.
Partner: an organisation with which the Customer agrees to share Data for the purpose of using and paying for the provider's Saas Service.
XChange Partner: an organisation with which the Client agrees to share its Data and those of its users to whom it has given consent, in return for the provision of the CMP by SFBX free of charge.
AppConsent XChange Platform: referred to below as the "Platform": a SaaS service to which the Customer must connect from mobile, tablet or personal computer to use the AppConsent Consent and Personal Data Management Solutions. Means the set of computer programs based on a permissioned blockchain or other equivalent technology, of which the Provider owns the intellectual property or has licensed the necessary intellectual property rights, that meet the needs of the Saas Service customers in a standard way, including the New Versions developed and deployed automatically by the Provider.
Portability : the right of the Customer to receive Personal Data in a structured, commonly used and machine-readable format and to transmit this Data to any XChange partner or third party of his choice.
Provider: provider of the Saas service, i.e. SFBX.
Proof: means the extraction from the Platform of information relating to a User's Consent.
Personal Data Regulation: means the law of 6 January 1978 known as "Informatique & Libertés", as amended by law no. 2018-493 of 20 June 2018, and all associated or substitute implementing texts, and European Regulation no. 2016/679 of 27 April 2016 applicable as of 25 May 2018 (hereinafter the EU Regulation 2016/679).
SaaS Service : means the automatic collection, management and tracking of Consent on the Platform for the Site(s).
Site : means the Client's website(s), mobile site(s), application(s) or software (such as Chatbot).
XChange AppConsent Solution: refers to the intermediation and consent management services offered by SFBX which allows the Customer to store, administer and share the consents as well as the Data of the Users of its services (websites or applications) with XChange partners in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of Data.
Matching table: means the reconciliation, allowing to identify a User, between the identifier assigned by the Service Provider to a Consent and the personal data of the User associated with his Terminal and collected on the Site. The blockchain thus contains the identifier assigned to the User but not his personal data (his IP address; MAC number, etc.).
Terminal : refers to the computer, smartphone, IOT, or any other device on which it is technically possible to collect consent, used by the User to access the Site.
Users: means any natural person, end customer of the Customer or simple Internet user, accessing with his Terminal the Customer's Site benefiting from the Services and having to give their consent in order to authorize the Customer to share their data to XChange partners.
Article 2 - Characteristics of the services offered by SFBX
SFBX provides its Clients with a trusted third party solution to collect, prove, centralise and distribute the Consents collected from Users on all their digital channels. AppConsent® is a Consent Management Platform (CMP).
The Customer must connect to the Internet (SaaS solution) and then to the Platform to use the AppConsent solution.
The Platform respects the RGPD, the guidelines and recommendations of the CNIL and integrates the IAB standards (IAB Framework) in its latest versions but also our own non-IAB Framework.
It therefore makes it possible to obtain the User's consent for a specific purpose, in a clear and unambiguous manner, to be able to prove it, but also, if the User so wishes, to withdraw his consent at any time.
The design of all Consent Notices are customizable via the back office. Predefined templates are also available.
The information is available via REST APIs so that the Customer can query the status of the consent before triggering a specific marketing action and if necessary expose the proof.
These APIs can therefore also be used to propagate Consents to the Customer's IS, CRM or DMP via the management console (integration required).
The platform also manages the propagation of Consents through sites/groups or web. Specifically, depending on the settings made during the setup phase, a Consent can be collected for Site A, a group of Sites (A+B+..) and/or any Site. Thus, Users' Consents can remain valid only for the Customer's perimeter. In this case, the withdrawal of Consent will be symmetrical.
The technology of the Platform is based on a private blockchain developed by SFBX, the consents as well as all the mutations (acceptance/refusal/withdrawal/modifications...) are stored in secured, immutable and auditable ledgers.
The SaaS Service Customer will be able to deliver proof of the collection of Consent as well as the User's choices regarding their preferences upon request from a regulator or the User.
The Platform is designed in its foundations respecting the concepts of Privacy by Default and Privacy by Design. Thus, its default behaviour will always take the decision that protects the personal data of the Users, as well as the Processes.
The AppConsent XChange solution is subject to change as improvements or updates are made without prior notice to the Customer.
With AppConsent® Xchange, in return for the free provision of the CMP, SFBX collects organic data from the User's device. This data is basic and non-intrusive. It allows SFBX and its partners to create high value-added products based on the traceability and security of data exchanges. The goal is to build a strong data governance ecosystem in order to anticipate the post-cookie world.
The Xchange offering has been designed so that we can only deliver data to advertisers, brands or other actors who are customers of our Xchange Platform, if we have a prior positive consent signal. Under no circumstances will User data be delivered without such consent.
The legal basis for the delivery of this data is consent. In order to be delivered, the purposes for processing this data must match. If, for example, a brand pursues Personalization and Measurement processing purposes and the User has objected to both via the Consent Management Platform (CMP) notice, then the data will not be delivered. If he objects to the Measurement processing, the data will be delivered but the Xchange platform will indicate that he objected to this purpose via the IAB consentString, or specific meta-data for processing not covered by the IAB or specific purposes.
Article 3 - Legal capacity
By creating an Account, the Customer declares that he/she is of legal age and able to enter into a contract.
In the case of incapacitated persons and minors, the Customer declares that he is legally authorised to represent them, either because he has parental authority or because he has been designated as their legal representative by a court decision. The Customer undertakes to justify this at the first request of AppConsent.
For any person working for a legal entity, the latter declares that he/she is authorised to commit the company he/she represents.
Article 4 - Registration, Account creation, connection to AppConsent solutions
The platform is common to all AppConsent offerings.
The AppConsent Platform, for technical reasons, automatically collects the unique identification number of the device (IP and/or IMEI) used to create the Account and of other devices subsequently authorized by the Customer to connect to the Account.
The Customer is responsible for keeping his login and password.
The Client undertakes to immediately inform SFBX of any loss and/or disclosure of his/her login or password.
Access to AppConsent solutions can be achieved by means of a digital identity authentication process (such as a PIN code or other) which guarantees the Customer secure access to his Account in addition to the email address and password chosen at the time of creating the Account.
Following registration, the Client will have to sign the Contract governing the relationship between the Client and the Service Provider in order to formalise the subscription to the offer and will have access to all the functionalities of the Solution enabled by the offer.
To access the AppConsent XChange Platform, the Customer must subscribe to the AppConsent XChange offer on the SFBX.io website and fill in the following information in order to activate the SaaS service:
- Company name,
- Postal address and country,
- Siret and RCS numbers,
- Intracommunity VAT number,
- Name of the legal representative,
- Name and surname of the contact person,
- Volume in MAU/VU
- Email (Username)
- Password (creation)
A verification email is sent to the address provided to activate the Account and access the platform.
Article 5 - Use of the AppConsent Xchange Data Processing Solution
Access to the AppConsent platform and the conditions of use are the same for customers of all AppConsent offers as well as for AppConsent Xchange customers and buyers
The Customer has the right to access the Platform from its fixed or mobile equipment using the Identifiers provided to the Customer and in its custody. The Identifiers are intended to restrict access to the Platform to the Customer's administrators authorised by the Customer to manage the Customer's account, to protect the integrity and availability of the Platform and the integrity, availability and confidentiality of Users' data.
The Identifiers are personal and confidential. They are managed by the Customer. The Customer undertakes to do everything possible to ensure that its administrators keep the Identifiers confidential and respect the security instructions.
The Customer is fully responsible for the materials and the Credentials and for the implementation of adequate security measures.
SFBX grants the Client, for the duration of the Contract, a personal, non-exclusive, non-assignable and non-transferable right to use the Platform, for the purposes of the activity of its website(s) or mobile applications.
For the performance of the Services, the Parties implement processing of Users' personal data for which the Client is qualified as the controller and the Provider as the processor in accordance with Article 28 of the GDPR (hereinafter the "Users' Processing").
The purpose of User Processing for CMP is to manage the Visitor's consent to the installation of cookies or tracers on his Terminal.
The data processed for this purpose are :
- identification data, i.e. the attribution of a unique identifier to each Visitor in order to keep the characteristics relating to his consent;
- IP address ;
- MAC address
- IMEI number
- IDFA number
- connection data.
The nature of the operations carried out on Users' personal data is defined below:
- Consent operations
- Consent Management Operations
- Operations related to the withdrawal of consent
- Data archiving
- Destruction of documents
- Realization of statistics
The Platform automatically collects, manages, tracks and stores Consents on behalf of the Customer, which are time-stamped and unchangeable. At the time of collection, each Consent is collected in accordance with the Consent Notice and linked to a User by the implementation of the correspondence table.
With AppConsent® Xchange, in return for the free provision of the CMP, SFBX collects organic data from the User's device. This data is basic and non-intrusive.
AppConsent XChange is therefore also a technological solution for the secure distribution of data collected via the SFBX SDK (Direct Collection) or in Server2Server connection with the Client. AppConsent XChange is based on the private blockchain stack and more broadly on the SFBX Privacy-by-Design and Privacy-by-Default infrastructure.
- Delivery by smartcontract (therefore auditable and controllable).
The delivery and therefore the transaction can only take place if and only if :
- the purposes of processing authorized by the Client seller correspond to that of the Client buyer,
- A valid consent signal is attached to the data which validates the eligibility of the data to be distributed.
- Anti-Fraud System: Each data delivery is trapped by trapped IDs up to 1% of the volume.
A data exists only if and only if it has the following characteristics:
- A declared legal basis and the attached consents if the legal basis is consent,
- A verified and audited collection source,
- Authorized treatments (purposes): IAB or Extra-IAB,
- Permitted destinations: *(any buyer), Advertisers, Exclusions: [Brand, Brand], Exclusions: [Broker],
- A validity [14 days, 30 days, 90 etc, noLimit]
- Security: SFBX does not store personal data in its platform. On the other hand, SFBX keeps MIDs, deviceTokens and other pseudonymous identifiers but never attributes or different HASH.
Thus, in the event of an attack, hacking or other data leakage, SFBX cannot expose any personal data other than those in transit on the platform at the time of the system compromise.
The input data is encrypted and never loaded in clear text.
- Data recombination: in the event that a Client Buyer wishes to purchase profiles that contain attributes that are missing from the Client Seller's data dictionary, SFBX will create junctions with another Client Seller in order to complete the attributes delivered to the Client Buyer. In all cases, traceability is ensured.
- Data types: see data dictionary in Article 6 (non-exhaustive list).
The Customer firmly undertakes not to share any personal data such as racial or ethnic origins, political opinions, religious or philosophical beliefs, membership of a trade union organisation, data concerning life or sexual orientation, health information or data assimilated to health data on the platform.
The AppConsent Xchange Solution allows the Client seller to share its users' Data with any XChange Partner (Client buyer) connected to the AppConsent XChange Platform on the basis of a prior agreement (contract).
SFBX provides access to the Customer's saddled Data and allows its transfer to registered XChange partners (Customer buyers) in accordance with the signed contract and in accordance with the consents given by the visitors of the Customer's saddled websites or applications and in a secure manner.
Each contract is specific, the Consent is different from one XChange partner (Customer buyer) to another and can be modified or revoked according to the terms of the contracts by the Customer seller.
The Customer can view the status and history of contracts with his XChange partners at any time from his Account, as well as the status of the consents collected.
SFBX shall not be liable for any breach or misuse of Customer Data by an XChange partner.
The Customer is obliged to inform SFBX in case the XChange partner does not comply with the terms of the Consent given for access to the Data.
Article 6 - Data dictionary in the context of AppConsent XChange.
In return for the free provision of the AppConsent CMP, the Client will provide SFBX with user data from mobile applications and/or websites that it publishes directly or through its network when it acts as an aggregator. This data is organic, non-intrusive for the users.
Here is the list of data concerned, this list is not exhaustive:
Article 7 - Financial conditions
In return for the free provision of the CMP AppConsent, the Seller client will provide SFBX with the user data of the mobile applications and/or websites that it publishes directly or through its network when it acts as an aggregator.
In return for a fee defined according to the type of personal data and the status of the Client seller, the Client buyer purchases from SFBX personal data for which the Client seller has given prior authorization.
Article 8 - Data Security
The hosting of the AppConsent XChange Platform, and the Data, meets high standards of protection and security.
The Data that the Customer registers in his AppConsent Account is encrypted.
SFBX and its Host cannot decrypt the Data, even when SFBX authorizes access or sharing of the Data with the Client's XChange partners.
The Customer may at any time upload, download or delete the Data in his account, under his sole responsibility.
SFBX guarantees that in the Client Account Data only the email, and the encrypted password are stored and that they :
- are stored and, if necessary, shared with XChange partners in accordance with the authorizations granted by the Customer;
- are hosted, backed up and secured according to the best technical standards in force in order to prevent any attempt at misappropriation or accidental loss;
- are available, accessible and portable at any time at the first request of the Customer;
- are strictly confidential and are not communicated to third parties except with the prior authorisation of the Client, in cases provided for by law or in the event of a judicial requisition.
The AppConsent XChange platform undertakes not to make any copies of the Data other than for technical purposes.
Only an SFBX administrator is authorized to work on the Encrypted Data for well-defined technical needs: maintenance and update of the AppConsent Platform.
Article 9 - Duration of the appointment
The SaaS Service takes effect from the time the Customer subscribes to the Offer for an indefinite period.
The Customer may terminate the commitment at any time by cancelling the offer subscribed to on the Platform and under the conditions set out in the contract. The termination will be effective at the end of the current monthly period.
SFBX may, as of right, terminate the commitment at any time in the event of non-compliance by the Client with the obligations set forth in these general terms and conditions, in accordance with the contractual terms and conditions.
Article 10 - Effects of the end of the engagement
The end of the commitment leads to the closing of the Account and the archiving of the Data.
SFBX guarantees the Portability of Data to the Client (return or transfer) or their deletion in the cases provided for by law, as soon as possible.
The restitution will be made by providing a link to download the Data, in json format. This link will be available for 10 days after the effective termination date.
Beyond that, the Customer's data will be deleted without further notice.
Article 11 - Suspension of access to the Account
SFBX reserves the right to suspend access to the Account in the event of non-compliance with any of the clauses contained in these GTC or in the signed contract.
Access will be restored once the Customer has remedied the deficiencies that caused the suspension.
Article 12 - Client's obligations
Customer is solely and entirely responsible for the Processing of User Data based on the consent collected by the AppConsent XChange solution.
The Customer undertakes to respect the rights of third parties, in particular personal rights, intellectual or industrial property rights such as copyright, patent rights, designs and models or trademarks.
Article 13 - Obligations of SFBX
The obligation undertaken by SFBX is an obligation of means.
In this context, SFBX undertakes to take all the necessary care and diligence to provide a quality service in accordance with the practices of the profession.
SFBX shall endeavour to provide 24-hour access to the Platform, every day of the year, except in the event of force majeure, as defined by law, in the event of breakdowns, failures due to the Host, or maintenance operations necessary for the proper functioning of the Platform.
In case of absolute necessity, SFBX reserves the right to interrupt access to the Platform in order to carry out technical maintenance or improvement work to ensure the proper functioning of its services, regardless of the time and duration of the work.
Interruptions in service shall not entitle the Customer to any compensation.
Article 14 - Responsibility of SFBX
The Customer acknowledges having read and understood all of its obligations and more generally all of the conditions relating to the use of the AppConsent Xchange solution.
Under no circumstances and to the extent permitted by law, SFBX shall be liable, directly or indirectly, for any loss or damage caused to the Client or a third party as a result of the use of the AppConsent XChange solution, regardless of the cause.
In the same way and within the same limits, SFBX shall not be held responsible, directly or indirectly, for any prejudice caused to the Client or to a third party due to the non-availability or malfunctioning of the AppConsent XChange solution, regardless of the cause and duration thereof.
SFBX does not assume responsibility for compensation of direct or indirect, material or immaterial damages caused by the use of AppConsent XChange solutions.
This clause is considered essential and determining by SFBX which would not have contracted without it.
Article 15 - Right of withdrawal
In accordance with article L.221-18 of the French Consumer Code, any consumer Customer, within the meaning of the Consumer Code, has a period of 14 days to exercise his right of withdrawal, without having to give any reason or pay any fees or penalties.
The withdrawal period expires 14 days after the subscription to the AppConsent XChange service.
To exercise this right of withdrawal, the Client must notify SFBX of his decision to withdraw by means of an unambiguous statement, either on the platform, or by e-mail: dataprotection@SFBX.io, or by post to the following address SFBX SAS - 15 Place Canteloup 33800 Bordeaux FRANCE.
In order for the withdrawal period to be respected, it is sufficient for the member to send SFBX his or her communication concerning the exercise of the right of withdrawal before the expiration of the withdrawal period.
Article 16 - General
The nullity of one of the clauses of the Contract in application of a law, a regulation or following a decision of a competent court which has become final shall not entail the nullity of the other clauses of these General Conditions which shall retain their full effect and scope between the parties.
The fact that SFBX does not take advantage at a given time of any of the clauses of these General Terms and Conditions and/or of a breach by the Client of any of its contractual obligations may not be interpreted as a waiver by SFBX of its right to take advantage at a later date of any of the said clauses or contractual obligations.
Article 17 - Applicable law and jurisdiction
This Agreement is governed in its entirety by French law.
In the event of a dispute arising from the interpretation or performance of this Contract, the undersigned shall endeavour to settle it amicably before taking any legal action.
The Customer who is a consumer is informed that he may in any case have recourse to conventional mediation, in particular with the National Consumer Mediator (www.mediation-conso.fr), or to any other alternative dispute resolution method.
In case of persistent disagreement on the interpretation or execution of this Agreement, exclusive jurisdiction is attributed to the Courts of Bordeaux.