Privacy Policy
Protecting the personal data and privacy of its users is of great importance to SFBX SAS ("SFBX", "we", "us" or "our"). This includes protecting your privacy by ensuring that you have the access and control necessary to decide how your data is used.
To this end, SFBX undertakes to process personal data in compliance with the applicable data protection laws and regulations in the countries from which its users access and use the AppConsent® solutions ("Solution"), in particular the European General Data Protection Regulation (known as "GDPR " ).
This privacy policy clarifies how we collect and process your personal data in the context of your use of this website:
- of the SFBX.io website
- AppConsent® Enterprise, Standard, Essential and Free offers
- AppConsent® Xchange offer
Please read it carefully, as it applies every time you use them.
What is personal data?
Personal data means any information relating to an identified or identifiable natural person (the "data subject").
In connection with your use of our solution, you are considered a data subject. The personal data covered by this Privacy Policy is therefore any information about you or your users, to the extent that you or your users are identified or identifiable, for example by reference to the IP address and or IMEI of the device or account identifiers.
The processing of personal data is subject to specific legal and regulatory provisions, in particular GDPR.
2. Why do we collect your personal data?
We only collect personal data that is necessary for purposes such as ensuring that you have the best possible experience with the solution, communicating easily with you, and in the context of the purpose of the solutions and based on your consent and that of the users of your websites or application, sharing your users' personal data with partners that you have chosen through the validation of contracts that will be offered to you.
3. under what conditions and what personal data is collected.
We collect personal data from you and your users in the following situations and for the purposes detailed below. For each case, we detail the information that is stored by our services. Our solutions have been built with Privacy by Design and Privacy by Default in mind, ensuring the highest possible level of data protection.
So very little information is stored by our services, none of it is nominative and all of it is encrypted and anonymized.
3.1 When connecting to the website as a visitor
When you log on to the website, we will automatically collect the following personal data for technical purposes so that the website you use is tailored to provide you with the best possible user experience:
- The truncated IP address of your device,
- The URL of the site you are currently viewing,
- The user agent,
- The timestamp,
- Technical session cookies,
- Retargeting cookies,
- Audience measurement cookies,
The data is kept for 12 months.
3.2 When registering, subscribing to an offer and using your account on the website.
When you register/use your account on the website, we will collect the following data through the registration form:
- Your complete IP
- Your login : Hash email
- The secure version of your password
We also retain your account information in the interests of the contract between us so that you can use our products:
- Company name,
- Siret number,
- Address of the head office,
- Name of the legal representative,
- Account managers' names and functions,
- URLs of websites and applications.
This data will be collected and processed for the purpose of managing your user account and providing you with the Solutions services. This processing is based on its necessity for the performance of a contract to which you are a party, namely the Terms of Use of the products.
These data are kept for the duration of the contract plus the 5-year commercial prescription.
Bank and billing information is not stored or managed by SFBX but by its partner Stripe: https: //stripe.com/fr whose privacy policy and TOS are as follows: https: //stripe.com/fr/privacy.
SFBX shall not be liable for any breach or improper handling of the Client Data by the Stripe Partner.
The Client is obliged to inform SFBX in the event of non-compliance or breach by the Stripe Partner of its obligations to manage its Data.
3.3 When using the solutions.
3.3.1 AppConsent® Enterprise, Standard, Essential and Free
AppConsent® is a consent management platform (CMP), a solution for collecting user consent for our customers' websites and applications. It is available in 4 packages: Enterprise, Standard, Essential and Free. The rules are the same for all 4 offers.
The following data is kept for the purpose of product operation and transmission of evidence:
- User IDs of your websites or applications,
- Transaction history, i.e., date, time, version of consent notice, consent status, source, and the Global Vendor List (GVL).
- Positive, negative or mixed consents.
These data are kept for the duration of the contract plus the 5-year commercial prescription.
The Customer's bank and billing details are administered and stored by Stripe's partner: https: //stripe.com/fr, whose privacy policy and T&Cs are as follows: https: //stripe.com/fr/privacy, and not by SFBX.
3.3.2 AppConsent® Xchange
With AppConsent® Xchange, in return for the free provision of the CMP, SFBX collects organic data from the user's device. This data is basic and non-intrusive. It allows SFBX and its partners to create high value-added products based on the traceability and security of data exchanges. The goal is to build a strong data governance ecosystem in order to predict the post-cookie world.
This product allows our Xchange customers to share the data they hold with Partners and provide traceability and ensure that the user's choice is respected in the use of their data.
No data is shared without its legal basis attached.
The following data is kept for the purpose of product operation and transmission of evidence:
- User IDs of your websites or applications,
- Transaction history, i.e., date, time, version of the consent notice, consent status, source, and the Global Vendor List (GVL),
- Positive or negative consents,
- CMP XChange customer references,
- References for buyers,
- Contracts,
- Shared data types.
The data passes through our platform between the seller and the buyer, we only store them temporarily between 6 hours and 1 month, the time they are used by the buyer.
These data are kept for the duration of the contract plus the 5-year commercial prescription.
The data of the Internet users/mobility collected within the framework of the Xchange service :
The Xchange offer has been designed to only deliver data to advertisers, brands or other actors who are clients of our platform, if we have a positive consent signal beforehand. Under no circumstances will data be delivered without this consent being present.
The legal basis for the delivery of this data is consent. In order to be delivered, the purposes for processing this data must match. If, for example, a brand is pursuing Personalization and Measurement processing purposes and you have objected to both via the Consent Management Platform (CMP) notice, then the data will not be delivered. If you object to the Measurement processing, the data will be delivered but our platform will indicate that you objected to this purpose via the IAB consentString, or specific meta-data for processing not covered by the IAB or specific purposes.
Here is the list of data concerned, this list may be updated regularly. This is organic data, not intrusive for the users.
Type of data | Example |
MAID (Mobile Advertiser ID) | 22F02CE6-12DB-4E69-B0A3-95CE2B1E4BA3 |
MaidType | IDFA(Apple) or AAID(Android) |
AppConsentID (cookie) | 524f957-8126-4bbb-9cb6-f4d59341a50b |
TimestampCollect | 1572006875 |
deviceManufacturer | Xiaomi |
DeviceModel | E A2 |
DeviceCarrier | Orange |
IP (Truncated) | 90.50.183.XX |
AppNameBundle | com.SFBX.appconsenttest.xchange |
DeviceOS | ANDROID |
DeviceOSVersion | 28 |
ConsentString | BOpdxkUOpdxkUACABAFRCo-AAAAq57__f__3_8_v3_9_NuzvOv_j_ef93VW8fvYvcEvzhY9d_u_Uzxc4m_0vRc9ycgx85eprGsoxQ7KSsG-VOgd_7t__3ziX9ohP6wkcprxz3bEw-jo2o8Jg |
extraConsentSignal | { "GEOLOC_AD" = { id = 359fFyR; state = 1; vendors = { 124 = 1; 368 = 1; 435 = 1; Ironsource = 1; }; }; "GEOLOC_MARKET" = { id = JU7iLdm; state = 1; vendors = { 124 = 1; 368 = 1; 435 = 1; Ironsource = 1; }; }; } Purpose xO7AjTTJ ( { xO7AjTTJ = 1; }, { 124 = 1; }, { 368 = 1; }, { 435 = 1; }, { Ironsource = 1; } ) |
deviceCountryCode | EN |
ExternalId | ABCDA24321 |
SignalStrenght | 99 |
NetworkType | UNKNOWN |
URL (Web) | https://www.awebsite.com |
Content | Text content of the page or application |
ID Sync(web) | True/False |
3.4 When using the contact form.
By using the contact form on the website, we will collect, through this form, the following data:
- Subject of your message;
- E-mail address
- The message you write in the "Description" field;
- Any screenshots you can attach to your message;
- Data related to your account and technical data related to the context of use to help us understand the problem you may be experiencing.
This data will be collected and processed for the purpose of receiving and processing your message, to be able to respond to it and to resolve any problems you may encounter described in your message. This processing is based on your consent, expressed by clicking on the "Send" button on the "Contact Us" form.
In the event that your message contains personal data classified as "sensitive data" under applicable data protection laws and regulations, for example data relating to your state of health, you explicitly consent to SFBX, by clicking on the send button on the contact form, receiving and processing such data in order to respond to your message.
It is understood that SFBX does not require or encourage its users to provide sensitive data through the "Contact Us" form.
This information is destroyed after processing your request made in this contact form.
We do not keep a history of these exchanges.
How is your personal data protected?
We apply the necessary internal and technological security measures to ensure that your data is not lost, misappropriated, accessed or disclosed to third parties except :
- Within the framework of the contracts and uses of the products,
- At the request of a judicial or police authority or any authority empowered by law.
Your information is encrypted and stored on servers based in Belgium. Access to your user account is protected by your user password. You are responsible for the confidentiality of the password you chose when you registered on our platform, and you undertake not to communicate it to anyone.
If you request deletion of your account, deletion will take effect immediately, unless your account has been suspended or blocked. In this case, we will keep your data for a period of 2 years in order to prevent you from circumventing the rules in force on our platform.
The deletion of your account does not mean the deletion of the data stored and listed in Article 3. To delete your information, you must complete the procedure to exercise your erasure rights as set forth in Article 7.
Who is the data controller and can I contact them?
The controller is SFBX, which provides the solutions.
If you have any questions or concerns about this privacy policy, SFBX's processing of personal data on the Solutions, or SFBX's data protection and privacy commitments more generally, you can contact the privacy policy administrator by sending an email via dataprotection@SFBX.io or by writing to
SFBX SAS, Attention: Privacy Policy Administrator, 15 Place Canteloup, 33800 Bordeaux.
6. With whom is my personal data shared?
The data will only be shared with third parties/partners in the context of the contracts that you have validated in the solutions.
These partners may use subcontractors within the framework of GDPR for the use of this personal data. In this case, the data controller will always remain the third party/partner with whom you have validated the contract and with whom you can exercise your rights (see article 7).
Apart from this case, the personal data collected and processed in accordance with Article 3 above will be shared with SFBX people and departments, in particular our staff dedicated to technical issues and user experience studies.
Only in specific cases, your personal data may be shared to respond to requests from the relevant authorities and in legal proceedings if necessary.
7. what are your rights in relation to your personal data?
The data will only be shared with third parties/partners in the context of the contracts that you have validated in the solutions.
These partners may use subcontractors within the framework of GDPR for the use of this personal data. In this case, the data controller will always remain the third party/partner with whom you have validated the contract and with whom you can exercise your rights (see article 7).
Apart from this case, the personal data collected and processed in accordance with Article 3 above will be shared with SFBX people and departments, in particular our staff dedicated to technical issues and user experience studies.
Only in specific cases, your personal data may be shared to respond to requests from the relevant authorities and in legal proceedings if necessary.
- What are your rights with respect to your personal data?
In accordance with the applicable data protection laws and regulations, you have the following rights regarding the processing of your personal data: right of access, right of data portability, right of rectification, right of erasure, right to object to processing and right to restrict processing.
- Right of access: you can access your data to modify it, or request a copy of your personal information.
- Right of rectification: you can ask SFBX to correct inaccurate information on its database.
- Right of deletion: you can request the deletion of your Personal Data.
- Right of objection: you may object at any time to the processing of your personal data on AppConsent Xchange by clicking on this this link.
- Right to limit processing: you can request the suspension of processing concerning you for the time of an audit.
- Right to portability: you can have the personal data you have provided transmitted in a structured, commonly used and computer-readable format to us or to another data controller, where technically possible.
You may exercise these rights by contacting the Privacy Policy Administrator at dataprotection@SFBX.io or by writing to SFBX.com SAS, Attention: Privacy Policy Administrator, 15 Place Canteloup 33800 Bordeaux, France.
These rights are purely personal and can only be exercised by the individual concerned. Therefore, you may be asked to provide a copy of a valid form of identification; we will only keep this copy for the time necessary to verify your identity.
In this case, SFBX will cease processing the personal data concerned and will retain it for the appropriate period of time.
For those processing activities described in sections 2 and 3 above that are based on your consent, you have the right to withdraw that consent at any time, without justification.
Finally, you have the right to lodge a complaint about the processing of your personal data by SFBX with the competent supervisory authority in your country.
SFBX has appointed a DPO in charge of personal data protection whose contact details are as follows
- juridique@dipeeo.com
- Tel: 09.50.39.07.50
- Postal address: Dipeeo, 95 avenue du Président Wilson, 93100 Montreuil, France
8. Changes to this privacy policy
This privacy policy was last updated on September 13, 2023. Please note that we may revise it from time to time and reserve the right to update or amend it.
We will post the revised Privacy Policy on the app, so users can always know what personal data we collect and how we collect it. In addition, if you have registered under the registration form, you will also receive an email notifying you of changes or updates to the Privacy Policy on the email address associated with your user account.
