Legal information cover

Privacy policy

This Confidentiality Policy describes how Lectra collects, uses, and transmits personal data.

 

This privacy policy (hereinafter referred to as “Privacy Policy”) describes how Lectra and its Affiliates, as defined in Article 1 below, collect, use, transfer and, more generally, process Personal Data as defined below. 

Any mention of the term “Lectra” refers to the Lectra Group as an entity, as defined below, acting as a Processor or Data Processor of your Personal Data as defined under the General Data Protection Regulation (GDPR) and as further explained in this Privacy Policy.

This Privacy Policy applies both to Lectra SA as an entity, whose head office is located at 16-18 rue Chalgrin, 75016 Paris, France, and to its Affiliates (collectively referred to as the “Lectra Group”). 

This policy may change, notably to meet the requirements of the regulations relating to personal data protection. You are therefore encouraged to periodically review this page of our website to stay informed of potential updates. 

 

1. Definitions

Each of the following terms, used in the singular or in the plural, shall have the same meaning as in the following definitions:

  • The terms “personal data” (hereinafter referred to as “Personal Data”, “Categories of Data”, “Process/Processing,” “Data Controller” and “Data Processor” shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (General Data Protection Regulation, hereinafter referred to as “GDPR”) and the Law No.78-17 of January 6, 1978 relating to information technology, data files and civil liberties modified by decree No. 2019-536, published on May 30, 2019 (hereinafter collectively referred to as “Information Technology and Liberties”).

Customer”: the organization (for example your employer or any other entity or individual) that has entered into the contract with Lectra.

Customer Content”: any content submitted to Lectra by the Customer, under their responsibility, in connection with the use of the Services.

User Content”: part of the Customer Content constituting Personal Data transmitted to Lectra under the responsibility of the Customer.

Customer Contract”: the contract that the Customer has entered into with Lectra.

Lectra Group”: refers to the Lectra Company, registered with the RCS of Paris under number 300 702 305, whose head office is located at 16-18 rue Chalgrin, in Paris (75016) and its Affiliates.

Services”: tools and/or platforms and/or software made available and operated by Lectra, including any Lectra mobile applications.

Third party services”: tools and/or platforms and/or software made available and operated by third parties and used in connection with the Services.

Websites”: Lectra.com and other Lectra Group websites.

Affiliate”: any company controlled by, controlling, or under the same controlling entity as Lectra. Control extends to the holding of at least 50% of the equity or voting rights.

Users”: employees, agents or subcontractors to whom a Customer grants access to the Services in accordance with the Customer Contract.

Visitors”: any individual accessing the Websites.

 

2. Applicability of this privacy policy

This Privacy Policy applies to the Services and Websites as well as to other interactions (for example, requests made to customer service, forms, emails of all types addressed to prospects or existing customers) that you might have with Lectra.

If you do not agree with the content of this Privacy Policy, please do not access the Services and/or Websites and stop any interaction with Lectra.

This Privacy Policy does not apply to Third Party Services, as they have their own privacy policies to which you should refer.

 

3. Collection and reception of personal data

1. Personal Data provided by Lectra’s Customers and/or Users and/or Prospects

We collect Personal Data through the following:

  • Subscriptions to Lectra Services or when they are used (including but not limited to the following: to create a user account in order to access the Services; when Users submit Customer Content; when Lectra provides Customers with support in connection with the Services)
  • Subscriptions to newsletters
  • Marketing campaigns of all kinds, as well as satisfaction surveys
  • Registration for events (webinars, etc.)
  • Letters, if you contact us through a contact form on our Websites, by email or by any other means, notably to obtain information on Lectra products;
  • Job applications
  • Participation in a discussion group, a competition or when you interact with Lectra’s social network accounts or otherwise communicate with Lectra.

This Personal Data may be added to through other means such as those listed below.

2. Passive data collection

When you visit our Websites and use our Services, some Personal Data are automatically collected, in particular:

  • Metadata: when Users access the Services, metadata is generated to provide additional information on the way users work and to facilitate access to and use of the features offered. 
  • Connection and usage data: Lectra’s servers automatically collect and store information when you access the Websites and Services provided via the Internet. This data may include your Internet Protocol address (IP address), the address of the web page you visited before using the Website or the Services, the type of browser you used and information about its configuration and plugins, the date and time of your use of the Services, your language preferences and cookie data (for more details, please refer to our Policy regarding cookies).
  • Device data: Lectra collects device data, including device type, operating system, device settings, application IDs, unique device IDs, and shutdown data.
  • Interaction data: Lectra may also collect data about your interactions with Lectra, through emails, notably to find out whether you have opened, forwarded, or clicked on a message.
  • Cookies: Lectra collects data through cookies and similar technology on its Websites and through its Services. The Websites and the Services may also include cookies and similar tracking technologies, which may collect data about you through Third Party Services. To find out more about how Lectra uses these technologies, please refer to our Cookie Policy.

3. Personal data from other sources

Personal data may also be collected through the following means:

  • Third Party Services: Third Party Services may be integrated into the Services. Third Party Service providers may share data with Lectra. For example, if a Cloud storage application is used to import files to your user account, your username and email address may be transferred to Lectra, as well as any additional information made available to Lectra by the application to improve integration. Users should check the settings and privacy policy governing these Third Party Services to find out what Personal data may be disclosed to Lectra.
  • Third Party Data: Lectra may receive Personal Data such as identification data or professional data from its Affiliates, its partners or other parties used by Lectra to improve data quality and relevance. It can also be more precise data, such as data used to analyze the performance of an online marketing campaign, a satisfaction survey, a recruitment or an email campaign.

 

4. Use of personal data

4.1 As a data controller

Lectra, as a Data Controller, as defined by the Information Technology and Liberties Regulation, may use Personal Data for the following purposes and according to the following legal bases :

 

Purpose

Legal basis

Retention period

For the management of customer accounts and other administrative tasks such as invoicing

Fulfilment of Customer Contract

Duration of the contract and legal retention period

For marketing purposes (campaigns, online events or at trade fairs, customer satisfaction surveys) 

Consent or legitimate interest

Withdrawal of consent or duration of the event or end of Customer Account activity

For communication purposes regarding new product features, promotions, or any other news about Lectra

Consent or legitimate interest

Withdrawal of consent or end of Customer Account activity or inactive data for 2.5 years.

As part of Customer relationship follow-up

Fulfilment of Customer Contract

Duration of commercial relationship

To conduct security investigations and help prevent security or fraud issues, as well as potential misuse

Legitimate interest and legal obligation

Time needed to undertake security or fraud investigations and their resolution. Extension possible in the event of litigation.

Management of requests from contact form or by any other means

Consent

Withdrawal of consent or processing of the request

Job applications

Consent

Withdrawal of consent or end of recruitment process

Participation in a competition

Consent

Withdrawal of consent or end of competition

Statistics and reporting of Website visitors

Consent and legitimate interest

Different retention periods not exceeding 13 months (see our Cookie Policy )

Personal Data will be used by Lectra in accordance with current regulations.

 

4.2 As a data processor

Personal Data is used by Lectra (in its role of Data Processor according to the definition provided by the Information Technology and Liberties Regulation) in accordance with the instructions received, including the terms applicable to Customer Contract and to the use of the Services by the Customer, if applicable, and in compliance with the current regulations. The legal basis is therefore the fulfilment of the Customer Contract.

Customers control their instance of the Services, the accounts and the User Content associated with them. If you have any questions regarding Customers’ specific settings and privacy practices, please contact the entity or individual who, within your organization, manages the Customer Contract.

As a Data Processor, Lectra uses Personal Data for the following purposes:

  • To provide, maintain and improve its Services;
  • To meet a legal or regulatory obligation;
  • To communicate with you and respond to your requests, comments, and questions;
  • To develop and deliver research, learning and productivity tools, as well as additional features;
  • To send emails and other communications. Lectra may send you service or technical and administrative emails, messages and other types of communication relating to the status of the Services.  Lectra may also contact you to inform you of changes related to the Services and send you important notices related to the Services, such as security and fraud notices. These communications are considered part of the Services and you may not be able to opt out of them;
  • To produce dashboards and statistics relating to the use of the applications provided under the Customer Contract for the needs of the Customer and/or Lectra; 
  • To conduct security investigations and help prevent security issues or fraud, as well as potential misuse.

 

5. Data retention 

5.1 As a data controller

Lectra, in its role of Data Controller, stores Personal Data relating to associated processing operations in compliance with legal or regulatory obligations, if any, for all its activities. When no legal or regulatory obligation is available, Lectra defines the retention periods for Personal Data relating to associated processing operations in compliance with the current regulations (Article 5, paragraph 1.e) of the GDPR).

5.2 As a data processor

Lectra, in its role of Data Processor, may store your Personal Data for as long as necessary for the fulfilment of the Customer Contract and/or to comply with current regulations. Lectra therefore stores Customer Content in accordance with Customers’ instructions.
The deletion of User Content and any trace related to the use of the Services by the Customer may result in the deletion and/or anonymization of the Personal Data associated with it.

 

6. Data sharing and disclosure

Lectra ensures, for each activity, that only authorized individuals can access your data. Lectra may thus share information with its Affiliates if this is necessary for the fulfilment of the Customer Contract, to comply with a legal obligation and/or for its legitimate interest.

6.1 As a data controller

This section describes how Lectra may share and disclose Personal Data in its role of Data Controller, notably to: 

  • Use aggregated or anonymized data. Lectra may transmit, disclose, or use aggregated data if it does not identify the individuals to whom it relates or anonymized data for any purpose whatsoever. For example, Lectra may share aggregated or anonymized data with other corporate clients or partners for commercial or research purposes.
  • Enforce Lectra's rights, prevent fraud and ensure security. Protect and defend the rights, property, or safety of Lectra or of third parties, including in the fulfilment of Customer Contracts, during investigations and to prevent fraud or security issues.
  • Comply with a legal or regulatory obligation following a request from an administrative or judicial authority.

6.2 As a data processor

This section describes how Lectra can share and disclose Personal Data as a Data Processor, as defined by the Information Technology and Liberties Regulation. Customers choose their own policies and practices regarding Personal Data sharing and disclosure. Lectra does not control how its Customers or other third parties choose to share or disclose their Personal Data. Lectra may share and disclose Personal Data, notably to:

  • Follow Customers’ instructions. Lectra will only share or disclose Customer and User Content in accordance with Customers’ instructions, including all applicable conditions defined in the Customer Contract.
  • Display the Services. When Users send information containing Personal Data, they may be disclosed to other Users.
  • Allow Customer access. Owners, administrators, Users and other Customer representatives and employees can access and modify Personal Data or restrict their access.
  • Use Third Party Service Providers and Lectra partners. Lectra may hire Third Party companies or individuals as service providers or business partners to process information and allow Lectra to carry out certain activities. These third parties may notably provide virtual computing and storage services, manage authentication systems, or send emails.
  • Interact with Third-Party Services enabled by Customers. Customers may, if necessary, enable Third Party Services or allow Users to do so. When these are enabled, Lectra may share information with Third Party Services, transfer information and data from its Services to a Third-Party Service, but its Services may also receive information and data from a Third-Party Service. Third-Party Services are not the property of Lectra and third parties that were granted access to this information may have their own policies and practices regarding Personal Data. Please check the privacy settings and policies of these Third-Party Services or contact the provider for any questions.
  • Make a change in Lectra’s activities. If Lectra is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of part or all of its assets or shares, financing, public offerings of securities, the acquisition of part or all of its activities, or a similar transaction or procedure, or steps towards such activities (for example due diligence), certain Personal Data may be shared or transferred, subject to customary confidentiality provisions.
  • Enforce Lectra’s rights in the fulfillment of the Customer Contract, prevent fraud and ensure security. To protect and defend the rights, property, or safety of Lectra or of third parties, including the fulfillment of the Customer Contract, during investigations and to prevent fraud or security issues. 
     

7. Security

The security of your Personal Data is a major concern for Lectra. Lectra therefore implements technical and organizational measures to guarantee the security of your Personal Data and prevent any risk of loss or misuse and any unauthorized access or disclosure. These measures consider the sensitivity of the information that Lectra collects, processes and stores and the state of the art. These measures are valid, in whole or in part, for certain processing of Personal Data, whether Lectra acts as a processor, or as a Data Processor, as defined by the Information Technology and Liberties Regulation.

7.1 Technical security measures

1. Personal Data encryption: depending on the processing implemented and the sensitivity level of the Personal Data, Lectra, both in its quality of Data Controller and Data Processor, as defined by the Information Technology and Liberties, may use Personal Data encryption, both when storing data in databases (at rest) and in transit.

2. Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services: all the processing operations implemented by Lectra, whether as Data Controller or Data Processor, as defined by the Information Technology and Liberties Regulation, are defined in compliance with the obligations prescribed by the GDPR, and by the interpretation made by Lectra, in particular with regard to the assessment of the risks surrounding the Personal Data collected. These means can be managed by Lectra itself or delegated to Third Party hosting providers meeting high security standards. 

3. Ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident: all the processing operations implemented by Lectra, whether as Data Controller or Data Processor, as defined by the Information Technology and Liberties Regulation, are defined in compliance with the obligations prescribed by the GDPR, and by the interpretation made by Lectra, in particular with regard to the assessment of the risks surrounding the Personal Data collected. Regarding the Services, guarantees of availability of service and incident handling may be set in the Customer Contract, depending on the Services concerned.

4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing: the IT Security Policy (ITSP) describes the organization and the means implemented to define these measures applicable to Lectra’s Internal Information System, which may contain Customer data and Personal Data. Regarding the Services, Lectra relies on Third-Party hosting providers meeting high security standards. Other tests carried out by independent external bodies on a regular basis make it possible to check the efficiency of existing technical and organizational measures, leading, in the event of weaknesses identified, to a dedicated remediation plan.

7.2 Organizational security measures

1. Information security policy: Information security is a pillar of our company’s organization, both for our internal processes as well as regarding our customers. As such, information security in the way Lectra’s employees conduct business is supported at management level, in accordance with business requirements and the current laws and regulations.

2. Information security organization: a management framework to initiate and then verify the implementation and operation of information security within the organization is established, documented, and monitored.

3. Security in human resource management: ability of employees and contractors to understand of their responsibilities. All employees and contractors are subject to confidentiality clauses in the performance of their duties. In addition, an awareness program on information security and good practices when handling Personal Data is being implemented on a regular basis to ensure that both employees and contractors understand their responsibilities and the issues at stake.

4. Asset management: the organization’s assets (human or technical resources such as applications and infrastructure) dealing with Customer and Personal Data have been identified, and responsibilities are clearly defined, in terms of organizational and human resources, as well as in terms of technical means, to provide appropriate guarantees regarding data protection. In addition, access to these assets is strictly controlled and restricted.

 

8. Data transfer

Lectra may transfer your Personal Data to countries other than the one in which you reside. If Lectra transfers Personal Data outside the European Union to countries that do not provide a comparable level of protection of Personal Data, Lectra will ensure that the requirements of Art. 44 et seq. of the GDPR are met, for example by signing the applicable European Union’s Standard Contractual Clauses, in accordance with current regulatory requirements.

8.1 As a data controller

Affiliates located outside the European Union may consult information about their respective Customers that is stored in France or in the European Union for the sole purpose of fulfilling the Customer Contract.

Lectra’s suppliers may consult or store information within their respective scope, and, as such, Lectra has implemented the guarantees specified in Paragraph 8.

8.2 As a data processor

As part of the provision of its Services, Lectra guarantees the localization of Personal Data in a country of the European Union with suppliers contractually bound to Lectra, by default for all Customers in the European Union, subject to the GDPR and the Information Technology and Liberties Regulation. Failing this, Lectra undertakes to sign Standard Contractual Clauses with potential subcontractors located outside the European Union or in a country that does not provide a comparable level of protection of Personal Data.

 

9. Rights of users and visitors

Data subjects have the right to request access to their Personal Data, as well as the updating, deletion, correction, and portability of their Personal Data, and in certain cases, to withdraw their consent and oppose or limit the processing of their Personal Data.

As part of the Services, Lectra acting as a Data Processor, you can exercise your rights by contacting the Customer to obtain the necessary assistance. 

In other cases, when Lectra acts as a processor, you can contact Lectra directly using the contact details provided in Article 11, specifying your Last Name, First Name, Email address and/or Postal address.
 

10. Competent authority for data protection

Subject to the legislation in force, you also have the right, if you consider that the response to your request was not satisfactory (i) to restrict the use made by Lectra of your Personal Data and (ii) to make a complaint to your local supervisory authority, in accordance with Articles 13 and 14 of the GDPR, or to the lead authority designated by Lectra, namely, in France, the Commission Nationale de l'Informatique et des Libertés, at the following address: 

Commission nationale de l'informatique et des libertés 

3 Place de Fontenoy - TSA 80715

75334 PARIS CEDEX 07 – FRANCE

Contact form: https://www.cnil.fr/fr/webform/nous-contacter

 

11. Contact Lectra

Anyone can contact Lectra regarding this Privacy Policy or Lectra's Personal Data practices, or to exercise their rights.

In addition, if you wish to contact Lectra's Data Protection Officer (DPO), please write to dpo@lectra.com or to the address below:

Data Protection Officer (DPO)
Lectra S.A. - 16-18 rue Chalgrin - 75016 PARIS - France.