Data protection policy

Preamble

Hublo attaches particular importance to the protection of your privacy and is committed to scrupulously complying with the applicable regulations, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, commonly known as the "General Data Protection Regulation" (GDPR), as well as Law No. 78-17 of January 6, 1978, as amended, in its latest version in force, known as the "Data Protection Act".

By using the Services offered by Hublo, all users declare that they have read this Data Protection Policy, which contains exhaustive information on the processing of personal data, and that they accept all its terms.

Article 1. Purpose of the data protection policy

This Data Protection Policy informs you about the nature of the personal data we collect when you use our Platform and all our Services, and how we use it.

Article 2. Definitions

The terms "Administrator", "Healthcare Professional", "Account", "Customer", "Identifiers", "Platform", "Services" and "Users" are defined in the General Terms of Use (GTU) publicly available on Hublo's website.

The terms "Supervisory Authority" "Personal Data", "Personal Data", "Personal Data Protection Officer", "DPO", "Data Controller", "Subcontractor", "Process", "Processing(s)", "Processing(s) of Personal Data", "Data Breach" shall be understood as defined in Article 4 of the RGPD.

Article 3. Personal data collected by Hublo

When you use our Site, our Platform and, more generally, our Services, we may ask you to provide us with personal data enabling us to identify you as an individual.

3.1. Data relating to healthcare professionals

Hublo is the Data Controller for the processing of Personal Data of Healthcare Professionals. This data concerns :

• registration data: surname, first name, date of birth, gender, telephone number, email address, profile photo, location;
• personal life: information on whether the Healthcare Professional is driven, and his or her mobility radius (this data mainly concerns the Hublo Service, and is requested when registering as a temporary Healthcare Professional);
• professional life: CV, professional training, professional skills, position held. For Service Hublo, this can also include your personnel number or work schedule (to validate skills and target assignment requests);
• connection data: user ID, IP address, browsing statistics, operating system, referring URL, name of Internet service provider, browser and type of device used, language and time zone, cookies;
• data relating to your use of our Services: information submitted on our Platform, history of your communications and messages, quantity of data transferred, access status (content transmitted, not found, etc.), comments, opinions, notes, dates and times of requests made;
• certain sensitive data: social security number, full postal address and commune of birth if the customer concerned has subscribed to the contract/DPAE module, and only for temporary workers. In exceptional cases, an extract from the criminal record (bulletin B3) may be requested, but only at the customer's request.
  
  Sensitive data is masked and cannot be read in the database. Thus, in the event of an intrusion into the infrastructure, the data cannot be recovered in a readable format.

The Personal Data collected are only those that can be used within the framework of the Services offered by Hublo, and that are useful in the launch of a replacement mission, a recruitment offer and their processing.

The Healthcare Professional's Personal Data is processed to ensure that he or she is not over-solicited, particularly in the context of requests for replacement assignments (analysis of assignments carried out, enabling us to target the recipients of the assignments).

3.2. Directors' data

As supervisory staff of the Customer establishment, you are registered during the deployment and configuration of the Platform by means of a file transmitted by the Data Controller, in compliance with the principles of the RGPD.

In this case, your Customer establishment is designated as the Data Controller, and Hublo as the Subcontractor.

The data concerned by the Processing is limited to personal data relating to :

• registration details: surname, first name, email address and business telephone number (optional);
• your professional life: the position you hold and, if applicable, the department in which you work;
• connection data: user ID, IP address, browsing statistics, operating system, referring URL, browser and device type, language and time zone, cookies.

‍Article 4. Legal basis for processing

We process your personal data on the following legal bases:

• Contract: Hublo processes most of your personal data within the framework of the contract you entered into when you registered by accepting our general terms and conditions of use (if you wish to consult our general terms and conditions of use again, you will find them at this link ...).
• Thus, all the data you provide to us when creating and managing your Account, as well as the data required to create, monitor and invoice an assignment and the communications we send you in connection with our Services or relating to the monitoring of your Account, are processed on the basis of this legal basis.
• Legitimate interest: we consider that it is in our legitimate interest to process your Personal Data to enable us to provide the Services to you in the best possible way.
• Consent: we may also collect your prior consent to process certain Data, for example to request your social security number, to store your bank details, but also for commercial purposes. Furthermore, if you have not yet subscribed to our Services or are no longer a User of our Services, we collect your Personal Data exclusively on the basis of your express prior consent.
• Legal obligations: we process certain data because of legal obligations imposed on us, for example in order to meet the requirement of traceability of our operations.

Article 5. Use of your personal data

Hublo uses your Personal Data for the following purposes:

• Create and manage your account ;
• Use of the Services to put you in contact with other Users, healthcare professionals or healthcare facilities, as the case may be;
• Carry out communication, prospecting and marketing operations, particularly by e-mail or SMS;
• Ensuring you get the best user experience;
• To carry out a personalized follow-up in order to send you only relevant communications, adapted to your needs and directly related to the Services (for example: to propose missions adapted for the Users Professional of health, to invite you to update/complete your profile);
• To meet our contractual obligations to you, for example, by informing you about possible contacts (interview requests, assignment/recruitment offers) via the Platform, by e-mail, SMS or telephone;
• Inform you about our Services, changes to them or similar services we provide;
• Evolve our Services to offer you new functionalities and adapt to your needs;
• For statistical use, in anonymous form.

Article 6. Recipients of data

We share your Personal Data with :

• Our authorized personnel ;
• The Users of the Services that you have authorized, solely for the proper performance of the Services;
• Our service providers acting on our behalf, within the limits of the tasks entrusted to them and when strictly necessary for external processing requirements;
• Authorities (tax, regulatory), our insurers, lawyers, auditors, banks or other third parties, where this is justified by the legitimate interests of our company, to the extent permitted by applicable law, or where it is necessary to comply with a legal or regulatory obligation to which we are subject. In particular, your data may be transmitted to the competent authorities, at their request, in the context of legal proceedings, judicial investigations and requests for information from the authorities, or in order to comply with other legal obligations.

Apart from the cases set out above, we undertake not to give third parties access to your Data without your prior consent unless we are obliged to do so for a legitimate reason (legal obligation, fight against fraud or abuse, exercise of rights of defence, etc.).

Article 7. Shelf life

• Directors' personal data‍some text
  • On an active basis: for the duration of the contractual relationship, then in anonymized form from the end of the relationship to feed Hublo's customer database.

• Personal data of healthcare professionals‍some text
  • Active base: two (2) years from the last activity on the Platform. On an archive basis: five (5) years from the last activity on the Platform, for evidentiary purposes. When the Personal Data of Healthcare Professionals is reused for personnel management purposes by the Customer establishment, please refer to the personal data protection policy of the establishment in question.

• Data concerning User activity on the Platform, connection data (IP address, cookies)some text
  • In active base: two (2) years from the last activity on the Platform. On an archive basis: five (5) years from the last activity on the Platform, for evidential purposes.

Generally speaking, when your Personal Data is no longer required, we will ensure that it is deleted or made anonymous.

Article 8. Cookies and analysis tools‍

8.1. Cookies

A cookie is a file deposited on the terminal of any user (computer, tablet or mobile device), when consulting our site hublo.com. It does not contain any personal information, but allows us to make the link between the User's device and his/her preferences for use and experience on our Site.

You can always prevent the installation of cookies by configuring your browser.

‍8.2. Analysis tools

We use analysis tools that enable us to obtain information about the actual use of our Website and Platform, by collecting data relating in particular to the number of visits and the browsing behaviour of Users.

This information is particularly useful to us in measuring and improving the performance of our Services. For example, we may create anonymous aggregate data for advertising, market research, improving existing products and creating new Services.

In this context, we use tools to optimize the User experience by using cookies (as described above), which are stored on the User's device and enable an analysis of the User's use of the Services. All data is used in anonymous form.

Article 9. Transfer of data

We use AWS hosting centers that have the necessary approvals and authorizations to ensure the security of the data hosted, in particular the Personal Data hosted. The data centers are located within the European Union.

AWS, the global leader in cloud hosting, supports numerous security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171, helping customers meet the compliance requirements of the vast majority of regulatory bodies worldwide. AWS is certified to ISO/IEC 27001:2013, 27017:2015, 27018:2019, ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1.

Some data is also hosted on Heroku, whose data centers are located in Dublin, also within the European Union.

Heroku also conducts regular audits and maintains PCI, HIPAA, ISO and SOC compliance to reinforce customer confidence.

We also rely on Cloudflare's Content Delivery Network (CDN), designed to optimize security, performance and reliability.

In addition, we may transfer part of your Personal Data to countries outside the European Union where some of our service providers are established. We make a point of checking beforehand that they comply with their obligations in terms of personal data protection, and that they offer an appropriate level of protection. More specifically, we use the following guarantees:

• A decision by the European Commission that the country outside the EU/EEA to which your personal data is transferred offers an adequate level of protection, corresponding to the level of protection guaranteed by the GDPR. In particular, we rely on the European Commission's adequacy decision for the United States via the EU-US Data Protection Framework, and the adequacy decision for the United Kingdom.
• The conclusion of the European Commission's standard clauses with the recipient of personal data outside the EU/EEA. This means that the recipient guarantees that the level of protection for your personal data, as provided by the GDPR, continues to apply, and that your rights are always protected.

Where your personal data is transferred outside the EU/EEA, we also put in place appropriate technical and organizational safeguards to protect personal data in the event of disclosure. The specific safeguards we implement depend on what is technically feasible and sufficiently effective for the transfer in question.

Article 10. Your rights

You have a number of rights in relation to your personal data. Each of these rights is described in more detail below:

• Withdrawal of consent: you may revoke your consent to any processing of your Personal Data based on your consent at any time.
• Access: you may ask us to confirm whether we are processing your Personal Data and, if so, to inform you of the characteristics of such processing and allow you to access and obtain a copy of it.
• Rectification: you may ask us to rectify or complete your Personal Data if it is incorrect or incomplete.
• Deletion: you may ask us to delete your Personal Data in the following cases: when it is no longer necessary for the purposes for which it was collected; you have revoked your consent; following the exercise of your right to object; your Personal Data has been processed unlawfully; or to comply with a legal obligation. We are not obliged to comply with your request for deletion of your Personal Data, in particular if their processing is necessary to comply with a legal obligation or to establish, exercise or defend legal claims.
• Restriction: you may ask us to restrict the processing of your Personal Data (i.e. to keep it without using it) when: its accuracy is contested; its processing is unlawful but you do not want it to be deleted; it is still necessary for the establishment, exercise or defense of legal claims; we are verifying the existence of compelling reasons in connection with the exercise of your right to object. We may continue to use your Personal Data following a request for restriction: with your consent; for the establishment, exercise or defense of legal claims; or to protect the rights of any other natural or legal person.
• Portability: you can ask us to provide you with your Personal Data in a structured, commonly used and machine-readable format, or you can request that it be transmitted directly to another data controller, but only if the processing is based on your consent or on the performance of a contract concluded with you and the processing is automated.
• Digital legacy: if you live in France, you have the right to define general or specific directives concerning the fate of your personal data after your death.
• Objection to processing of Personal Data based on legitimate interest: you may object to any processing of your Personal Data that is based on our "legitimate interest". If you exercise this right, we must cease the processing, unless we demonstrate compelling legitimate grounds that override your fundamental rights and freedoms, or for the establishment, exercise or defense of legal claims.
• Opposition to the processing of Personal Data for canvassing purposes: you may object at any time to the processing of your Personal Data for canvassing purposes.

You may exercise the above rights at any time, by sending an e-mail to dpo@hublo.com or by writing to Hublo, Service client - DPO - 86 Rue Voltaire - 93100 Montreuil. You will receive a reply within one month of your request.

You also have the right to lodge a complaint with the competent supervisory authority regarding the processing of your personal data: the lead authority for the protection of personal data is the CNIL (www.cnil.fr).

Article 11. Revision of the data protection policy

We reserve the right to modify this Privacy Policy at any time. The most current version of this policy governs our use of your information and will always be available at the following link ...

Your continued use of our Services constitutes your acceptance of any changes to this policy.

Should we make any substantial changes, we undertake to notify you.

The date of the last revision of this policy is indicated at the top of the page.

Article 12. Contacts

As set out in article 10 above, you may contact our company and/or our Data Protection Officer (DPO) at any time by sending an e-mail to dpo@hublo.com or by sending a letter to Hublo, Service client - DPO - 86 Rue Voltaire - 93100 Montreuil.