Introduction

Sophysa USA Inc, is dedicated to ensuring the highest level of attention and care to your privacy and personal data in full compliance with existing laws and regulations.

Scope of the Privacy Policy

The purpose of this privacy policy is to provide clear, concise and comprehensive information on the processing of personal information collected and the measures implemented by Sophysa USA Inc., in its capacity as controller to safeguard the personal information.

This policy outlines the processing activities for:

• Operating www.sophysa.us website, along with the management of the extranet and the processing of requests send to contact@sophysa.us  and privacy@sophysa.com
• Managing relationships with customers, prospects, suppliers and partners.
• Facilitating Human Ressources recruitment processes.

Identification of the controller
In this policy, « Sophysa USA Inc », « we », « our » and « « ours » refers to Sophysa SA is a limited company, with a registered capital of €500,000, registered with the RCS (Trade and Companies Register) of Evry, France under the number B 306 979 584, established 5 Rue Guy Moquet, 91400 Orsay, France.

For all its processing activities, SOPHYSA serves as the entity which determines the means and purposes and therefore acts as data controller within the meaning of the regulations applicable to personal data and in particular the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”).

You can find all the information about Sophysa USA Inc in our Legal Notice.

Definitions

Personal Information:

Any information which allows to identify a person directly or indirectly.

Examples: name, identification number, location data and an online identifier.

Data Processing:

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

Examples: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction and erasure or destruction.

Data Controller:

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor:

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Protection Officer (DPO):

The person responsible for ensuring compliance with the rules on personal data.

Data breach:

A breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data.

General Principals applicable to all processing activities implemented by Sophysa USA Inc

Sophysa USA Inc ensures for each processing activity the respect of the fundamental principles of data protection. This section informs you about the general principals applicable to all the processing activities covered by this policy, and outlines, for each activity, the specific conditions and procedures of the processing.

Data minimization
Each form on the website is designed to limit the collection of personal data to what is strictly necessary with clear indications of the purpose (s) of the collection of such data and the recipient (s) of the data.

The data required to manage your request are marked with an asterisk (*) on each form. Failure to provide this information will prevent Sophysa USA Inc to answer your requests and / or provide you with the requested services. Other information is optional and allows us to better manage your request and improve our communications and the services we provide to you.

Sharing data with third parties and transferring your data outside the European Union
We never share your personal data with other companies for business purposes with the potential exception of the SOPHYSA distributor in your country.

Each section devoted to a processing activity details the internal recipients intended to access and process the data concerned. The data may possibly be transmitted to technical service providers chosen for their expertise and reliability who act on our behalf and according to our instructions (IT subcontractor, host of our servers, etc.).

We authorize these service providers to use your personal data only to the extent necessary to provide services on our behalf or to comply with legal requirements and we strive to ensure that your personal data is protected at all times.

SOPHYSA may also be required to provide your data to third parties where such communication is required by law, a regulatory provision or a court order, or if such communication is necessary to protect and defend our rights.

We assume people form the US reading this Policy and might be concerned by other countries level of protection.

Cross-border data transfer

We may collect, process, and store your information in the United States and other countries. The laws in the United States regarding information may be different from the laws of your country. Any such transfers will comply with safeguards as required by relevant law. We will ensure:

• Either to obtain your express and unequivocal consent to share your personal data with these third parties.
• To conclude data transfer contracts complying at least with the standard contractual clauses adopted by the European Commission.

Data security
Sophysa USA Inc is committed to safeguarding your personal data against loss, destruction, alteration, unauthorized access, use and disclosure. Sophysa USA Inc has implemented appropriate physical, technical and administrative safeguards. These measures are tailored to the nature of the data and the potential risks of processing, ensuring security and confidentiality of your personal data. Our aim is to prevent your data from being altered, damaged, or accessed by unauthorized parties.

These measures may include, but are not limited to: restricting limited access to data by authorized personnel based on their job responsibilities, implementing contractual safeguards when using an external service provider, conducting privacy impact assessment, and regularly reviewing of our privacy practices and policies about privacy and / or physical and / or logical security measures (secure access, authentication process, backup systems, antivirus software, firewalls, etc.).

While we use these precautions to safeguard your information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf.

Information about children
The services of Sophysa USA Inc are not intended for underage people. We do not knowingly collect or process personal data from underage people. If we discover that we have inadvertently collected personal data of underage people, we will take appropriate measures to delete personal data from our servers and / or those of our service providers.

Data processing controlled by Sophysa USA Inc

Processing activities performed for the management of the website, the extranet and the requests sent from the online forms.

Context of collect
When browsing www.sophysa.us, you may need to make a contact request via the “Contact Us” or “Contact” form.

Data processed
As part of these activities, Sophysa USA Inc processes and stores the following personal data about you to respond to your contact request:

• The information provided on the form, namely:

o Your identity

o Your contact details

o If applicable, the content of the message,

• Any information communicated later during our exchanges.

The basis of the processing activity is the need for processing for the fulfillment of a legal or regulatory obligation, in this case the obligation to respond to the requests made by the data subjects mentioned by the GDPR in Article 12, 2, CCPA and CPRA.

• Lawful basis and period of storage

The basis of the processing activity is your consent that you express by accepting and submitting the contact request.

This data is processed by the service concerned by your request the necessary time to answer you.

Depending on your request and the content of our exchanges, the data thus collected may be used for other purposes in a limit of 5 years.

We also indicate that we make anonymous statistics on the www.sophysa.us website, which do not allow us to identify you.

Processing activities performed in order to manage prospects, customers, suppliers, and partners

Context of collect

Sophysa USA Inc may also process personal data concerning you when:

Your company wishes to enter into a contract with Sophysa USA Inc.

Your company enters into a contract with Sophysa USA Inc as a customer, service provider or partner.

Data processed

In this context, Sophysa USA Inc will collect information relating to:

To the contact (s) indicated to Sophysa USA Inc such as the contact indicated on the form, the main referent for the contract, the contact for billing or any other contact.

o Last name

o First name

o Email address professional

o Business telephone

o Function

o All the information contained in the exchanges (nature of the request, etc.)

To the signatory (iess) of the contract:

o Surname

o First name

o Function

o Signature

Data recipients

These data are intended, as necessary, for the employees in charge of the follow-up of the commercial relationship and / or the partnership, the accounting / invoicing and the collaborators of the services implied by the request / the contract.

Lawful basis and period of storage
They are collected and preserved:

• For non-contracted exchanges:

o The time required to study and track the application + one (1) year after the application is closed (or the last contact if necessary)

• For contracts and in order to execute the contract:

o The duration of the contractual relationship

• For the purpose of responding to our legitimate interest in protecting and defending our rights in the event of litigation:

o For five (5) years following the termination of the contractual relationship.

Processing activities performed for recruitment purposes
Context of collect
SOPHYSA may process personal information about you when you submit an unsolicited application or apply for an advertisement posted by SOPHYSA (via the “Careers” section of the SOPHYSA website or a linking platform such as Indeed).

Data processed
In this context, personal data about you are collected:

• Directly to you during the recruitment process
• Indirectly with third parties for the verification of your diplomas and references, with your agreement.

The collected data are the following:

• Name,
• First name,
• Email address,
• Telephone,
• Professional experience as well as
• All the information that you communicate to us via the transmission of your application and / or your curriculum vitae and / or interviews:

o Photo

o Skills

o Level of study

o Languages spoken

o Salary expectations

o Personal address

o Hobbies

If you provide us with contact information for a reference, it is your responsibility to ensure that it is informed and has agreed to it.

Lawful basis and period of storage
These data are collected and stored only as part of the management of your application, based on the legitimate interest of Sophysa USA Inc and / or your consent and are not used for any other purpose, including commercial.

They are kept:

• In case of a positive outcome to an application:

o The data relating to an employee are kept for the time of his presence within Sophysa USA Inc and after his departure for the applicable legal retention period.

• In case of negative outcome to an application:

o Twelve (12) months, unless opposed by you.

Your personal data will in any case be destroyed on request from you (see the section on the contact details of the DPO), within 1 month from your request.

Data recipients
These data are processed by Sophysa USA Inc recruiting employees only and, incidentally, for technical and logistical reasons, to SOPHYSA USA Inc’s subcontractors.

Exercise of your rights and contact details of our Data Protection Officer

Your rights
SOPHYSA USA Inc informs you that you have the following rights under the European Data Protection Regulation and the Data Protection Act of 1978:

• The right to access your data and to see them communicate.
• The right to request the rectification of your personal data.
• The right to request the erasure of your personal data.
• The right to request the restriction of the processing of your personal data.
• The right to object to the processing of your personal data.
• The right to data portability.
• The right to withdraw your consent for the processing of your personal data at any time.

SOPHYSA USA Inc, informs you that you have the following rights under the California Consumer Privacy Act of 2018 (CCPA) and California Privacy Rights Act (CPRA). Subject to certain limitations, California residents have the following rights:

California residents are entitled once a year, free of charge, to request and obtain certain information regarding our disclosure, if any, of certain categories of personal information to third parties for their own direct marketing purposes in the preceding calendar year. We do not share your personal information with third parties for those third parties’ direct marketing purposes.

• Right to Notice. You have the right to receive notice about the categories of Personal Information we have collected about you within the last 12 months, the sources from which that information was collected, the third parties we share information with and whether we have sold your personal information.
• Right to Access. You have the right to receive a copy of your personal information.
• Right to Delete. You have the right to request the deletion of your personal information, subject to certain exceptions.
• Right to non-discrimination. You have the right to not be discriminated against for exercising any of the above-listed rights.
• Right to opt-out. You have the right to opt-out of the sale or sharing of your Personal
• Right to prevent your information from being sold or shared. Do Not Sell or Share My Personal Information

Where to address your requests
To exercise these rights, please contact Sophysa USA Inc:

• E-mail to privacy@sophysa.com
• By mail, at 503 E Summit Street, Suite 5, Crown Point, IN 46307, USA

All requests must be accompanied by a signed identity document or verification of your identity. We must verify your identity before responding to your request. We verify your identity by asking you to provide personal identifiers that we can match against information we may have collected from you previously. We may need to follow up with you to request more information to verify identity.

We will not use personal information we collect in connection with verifying or responding to your request for any purpose other than responding to your request.

If you are a California resident, you may authorize another individual or a business registered with the California Secretary of State, called an authorized agent, to make requests on your behalf.

We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.

Data processing performed for answering your request
Context of collect
When you exercise your rights, our Data Protection Officer processes your personal data for the purpose of managing your request.

Data processed
The Data processed are:

• Title
• Surname,
• First name,
• Copy of the identity document (in case of doubt about the person’s identity)
• Nature of the request
• Answer provided.

Lawful basis and period of storage
These data are processed for the fulfillment of a legal or regulatory obligation, in this case the obligation to respond to the requests made by the data subjects mentioned by the GDPR in Article 12, 2.

These data are kept for a period of three (3) years, except for a copy of your identity document, which is kept for one (1) year.

Where to complain
Sophysa USA Inc also informs you that you can file a complaint before the National Commission on IT and Liberties:

• By mail at the address 3 Place Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, FRANCE
• Either directly on the CNIL website via an online service at https://www.cnil.fr/en/complaints

Data breach notification
In the event that your personal data is accessed by unauthorized third party, lost or stolen, Sophysa USA Inc will promptly notify you to the extent required by law, and will provide you with personal data that have been consulted / disclosed, using the contact information you have provided to us, or by any other reasonable means.

Links to third party sites
Sophysa USA Inc’s website may contain links to websites and social media platforms not managed by Sophysa USA Inc. Sophysa USA Inc. does not control or endorse this type of information.

Therefore, Sophysa USA Inc is not responsible for the way your data will be stored or used on the servers of third parties. Your use of other websites is subject to the legal terms of those websites, including the privacy policies of those websites. We advise you to read the applicable policy regarding the protection of personal data of each third-party website that you access via our website to assess how your personal data will be used.

Change to this policy
Sophysa USA Inc. may modify the data protection policy as needed. We will ensure that you are informed of these material or substantive changes either by an update notice on our website, or by a personalized warning especially in the context of our sending you a notification through an update notice email. The Sophysa USA Inc. Website Privacy Policy was last updated on November 30^th, 2023.