Privacy policy
Overview
SCALEWAY attaches great importance to compliance with regulations relating to the protection of personal data and in particular the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament known as “GDPR”) and the data processing and freedom law (law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms).
In this context, this Privacy Policy will help you to understand what personal data concerning you is collected by Scaleway and what it is intended for.
Scope
This privacy policy is intended to govern the processing carried out by Scaleway as data controller (Scaleway, 8 RUE DE LA VILLE L'EVÊQUE 75008 PARIS 8), in particular the data collected in the context of
- the management of your customer account
- the management of marketing communications or prospection
- the use of one of our websites (not already covered by a specific privacy policy)
- the recruitment management
- the compliance with our legal obligations
- the guarantee of legitimate interests
The data collected for the operation of our services, where Scaleway acts as a processor, is governed by our General Conditions of Services as well as our Data Processing Agreement (DPA).
What kind of personal data is processed ?
Scaleway is required to process the following categories of data:
- Data relating to identity: name, first name, postal and email address, telephone number, customer number, signature, proof of identity.
- Billing data: bank details, means of payment, invoices, etc.
- Consumption data: history of services and products used, event logs etc.
- Communication data: history of exchanges with Scaleway, complaints, support tickets, etc.
- Connection data: IP address, user ID, location data, connection and event logs etc.
The categories of data used are indicated in each of the treatments in the following section. Any reference to “user account data” includes all account data.
How we use your data.
Contracts management and customer relations
Scaleway processes your data in order to manage contracts for the services you use. This includes the management of accounts, support and payment methods.
| Purposes | Categories of data | Legal basis | Retention | Categories of recipients |
| Management of contracts and customer relations (management of accounts, support and means of payment) | Identity data Billing data Consumption data Communication data Connection data | Execution of the contract | Duration of the contractual relationship plus an archiving period to meet our legal obligations and guarantee the defense of our legitimate interest | Scaleway Services Entitled Scaleway Partners for support and payment management Authorized third parties* |
| Management of contracts with our partners (service providers and suppliers) | Identity data Commercial relationship monitoring data (activity reports and, communications) | Execution of the contract | Duration of the contractual relationship | Scaleway Services Entitled Scaleway Partner for the management of suppliers Authorized third parties |
Sales and Marketing
Scaleway processes certain data in order to send its service offers to its customers or prospects, guests for events or even collect their opinions on products (processing may involve profiling techniques). These processing operations may be based either on legitimate interest, if the person is already a customer of the company, particularly if the proposals concern products or services similar to those already subscribed, or on consent. Scaleway mainly collects this data directly but can also obtain it indirectly via specialized data processors in conformity with all applicable legal requirements.
| Purposes | Categories of data | Legal basis | Retention | Categories of recipients |
| Commercial prospecting and communication campaigns relating to our products and services | Identity data Billing data Consumption data Communication data Connection data | Legitimate interest Consent | Duration of the contractual relationship Account deletion request withdrawal of consent objection of the person | Scaleway Sales and Marketing Teams Entitled Scaleway Partners for the management of marketing campaigns and customer relation Authorized third parties |
| Organization of events to promote our services | Identity data Communication data Connection data | Legitimate interest Consent | Duration of the contractual relationship Account deletion request | Scaleway Sales and Marketing Teams Entitled Scaleway Partners for the management of events Authorized third parties |
| Management of cookies and other trackers (learn more about our cookie policy) | Connection data | Consent | Cookies are stored between 3 months and 1 year depending on the type of cookie used | Scaleway Sales and Marketing Teams Entitled Scaleway Partners for the cookies management Authorized third parties |
| Carrying out satisfaction surveys or quality surveys on our services and the training of our teams | Identity data Billing data Consumption data Communication data Connection data Audio or video recording | Legitimate interest Consent | 1 year and anonymization | Scaleway Sales and Marketing Teams Entitled Scaleway Partners for marketing analysis Authorized third parties |
| Produce usage statistics | Connection data | Legitimate interest | Cookies: between 3 months and 1 year Service usage data kept during the contractual period or anonymized | Scaleway Sales and Marketing Teams Entitled Scaleway Partners for quality analysis Authorized third parties |
Recruitment
Scaleway also processes the personal data of candidates as part of its recruitment procedure.
| Purposes | Categories of data | Legal basis | Retention | Categories of recipients |
| Recruitment | Identity data | Execution of contract or pre-contractual measures | If the application is not accepted, the data is kept for a maximum period of 2 years If the application is accepted, the data is kept for the entire duration of the contract, accompanied by an archiving period intended to comply with our legal obligations or guarantee the legitimate interests of the company. | Human resources services Manager and team concerned Scaleway partners for human resources Authorized third parties |
Legal obligations
Scaleway processes some of your data in order to meet its legal obligations. This is particularly the case in order to secure our services as a provider of electronic communications services, to meet our accounting and tax obligations or to process your requests for rights relating to data protection.
| Purposes | Categories of data | Legal basis | Retention | Categories of recipients |
| Guarantee the security of our customers as a provider of electronic communications services (Directive 2002/58/EC and art 32 of the GDPR) | Identity data Billing data Consumption data Communication data Connection data | Legal obligation | Duration of the contractual relationship plus an archiving period for the data necessary to guarantee compliance with our legal obligations | Entitled Scaleway Services Entitled Scaleway Partners for security management Authorized third parties (auditors etc.) |
| Abuse of Scaleway services includes cyber-crime, copyright violation, illegal or offensive content, spamming and malware distribution. Abuse should be reported in the console. These data processings are likely to be subject to automated decision-making (e.g. anti-spam control) | Identity data User account information | Legal obligation | Duration necessary to meet our legal obligations | Entitled Scaleway Services Entitled Scaleway Partners for the ticketing and support management Authorized third parties |
| Responses to the data protection requests and any complaints related to the protection of personal data | Identity data (including proof of identity) User account information ll the data related to the complaint | Legal obligation | 5 years from ticket closing Verification of identity card: 1 month | Entitled Scaleway Services Entitled Scaleway Partner for the management of subject requests Authorized third parties Entitled Iliad service |
| Data breaches management | Identity data User account information related to the data breach All data related to the data breach | Legal obligation | 5 years from the closure of the data breach | Entitled Scaleway Services Competent administrative authority |
| Accounting obligations | Billing data | Legal obligation | 10 years from the end of the contract | Entitled Scaleway Services Entitled Scaleway Partner for the management of payments and invoices Competent administrative authority |
| Legal or administrative procedure management | Identity data User account information related to the case | Legal obligation | The necessary data is kept until the expiration of the legal remedies | Scaleway Legal Department Iliad Legal Department Competent administrative authority Entitled third parties (legal advisor etc.) |
Legitimate interest
Scaleway processes some of your data in order to meet a legitimate interest. This is particularly the case in order to secure our services, ensure the management of unpaid debts and the training of our teams (processing relating to security or fraud may involve profiling techniques).
| Purposes | Categories of data | Legal basis | Retention | Categories of recipients |
| Guarantee the security of services we offer | Identity data User account information | Legitimate interest | Duration of the contractual relationship or duration limited to the limitation period from the closure of the event concerned | Scaleway IT security service Competent administrative authority |
| Debt collection | Identity data User account information | Legitimate interest | 5 years from the payment incident | Scaleway Legal and Accounting Services Entitled Scaleway Partner for debt collection |
| Fraud detection and prevention | Bank details Identity data User account information | Legitimate interest | 5 years maximum from the suspicion of an incident ID card verification: 1 month | Entitled Scaleway service Entitled Scaleway Partner for support and ticketing |
| Litigation management | Identity data Data necessary for the purposes of establishing evidence | Legitimate interest | The data is kept until the expiration of the legal remedies and archived for 10 years | Scaleway legal department Entitled Scaleway partner |
| Ensure the training of our teams | Identity data User account information | Legitimate interest | The data is kept during the contractual period | Entitled Scaleway service |
Data processors
As a data controller, Scaleway uses data processors for the following purposes:
- customer relationship management (support management, etc.)
- carrying out emailing campaigns and surveys on the services
- partnership management with other cloud providers
- meeting our legal obligations (accounting, data protection etc.)
- marketing data analysis
- website data analysis
- management of payment services
- consulting or audit firms
- the organization of events
- security and identity control
Scaleway selects its data processors through a strict security control procedure to ensure that they only process data for the purposes for which they have been chosen. Scaleway also ensures that its data processors have technical and organizational security measures in accordance with the regulations relating to the protection of personal data.
Transfer of data outside the European Union
Scaleway strives to minimize data transfers outside the European Union and only carries out such transfers as data controller for the purposes listed above. Data transferred as part of our services is governed by our Data Processing Agreement (DPA)
All transfers outside the European Union are subject to a strict control to ensure that the contracts entered into with our service providers comply with the Standard Contractual Clauses (SCC) updated by the implementing decision ( EU) 2021/914 of the Commission of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council (Text presenting interest for the EEA) and where possible, to supplement these clauses
Requests from authorities
Scaleway undertakes to inform its customers in advance in the event of a request for information from an administrative or judicial authority in order to enable them to assert their rights subject to compliance with applicable regulations. Scaleway cannot oppose such a request if it complies with French or European regulations, an international agreement (art. 48 of the GDPR) or with one of the exemptions provided for in art. 49 of the GDPR.
Children
Scaleway does not provide services to children. Any children wishing to use our services must be accompanied and under the responsibility of an adult.
with appropriate security measures.
Requests from authorities
Scaleway undertakes to inform its customers in advance in the event of a request for information from an administrative or judicial authority in order to enable them to assert their rights subject to compliance with applicable regulations. Scaleway cannot oppose such a request if it complies with French or European regulations, an international agreement (art. 48 of the GDPR) or with one of the exemptions provided for in art. 49 of the GDPR.
Children
Scaleway does not provide services to children. Any children wishing to use our services must be accompanied and under the responsibility of an adult.
Link to our partners
Our sites may contain links to our partners. We inform you that these links refer directly to the sites of these partners who have their own confidentiality policy for which Scaleway cannot be held responsible.
Data Security
Scaleway implements technical and organizational security measures to guarantee the constant confidentiality, integrity, availability and resilience of its information systems and services. These measures meet the state of the art and are adapted to the type of data concerned. All of our staff are aware of IT security and data protection issues.
Our security measures specifically meet data protection regulations and in particular the following points:
- Information systems security policy (ISSP)
- Physical protection measures for all of our data centers
- Secure authentication of user accounts
- Logging
- Security Information and Event Management (SIEM)
- Incident management procedure
- Secure management procedure for data processors
- Procedure for handling data breaches
- Secure data backup
- Anonymization of data when personal data is no longer necessary for processing in order to produce statistics or improve our services or marketing communication
In accordance with our general conditions of service, we remind you that the customer is solely responsible for the management and security of its content as well as the environments and systems that it deploys on the infrastructures made available to it as part of the services offered by Scaleway. It is also up to the customer to make any backups of their content (or other means aimed at ensuring their longevity) that he considers necessary in order to protect against possible deletion, alteration or modification of said content.
For more information regarding all of our security measures, you can consult our Security and Resilience page.
If you have identified a vulnerability or would like to send us a security question, please send it to us at: security@scaleway.com
Data subjects rights & contact
Scaleway informs you that you have the following rights depending on the purpose of processing:
- Be informed why we process your personal information
- Access your data and obtain a copy of the personal data we process about you
- Rectify incorrect, incomplete or outdated data
- Limit the use of your data
- Oppose the processing of your data if it is processed on the basis of legitimate interest
- Withdraw your consent at any time if the processing is based on this legal basis
- Delete data that is no longer necessary for processing or to meet a legal obligation
- Exercise your right to portability
You can exercise your rights directly in the privacy section of your Scaleway account or via privacy@scaleway.com. If you believe that your rights have not been respected, you can also file a complaint with the competent supervisory authority.
Policy update
This privacy policy may be updated according to regulatory developments. Any modification will enter into force from its date of publication.
Last update : january 2024