Privacy policy
Last updated: 29 May 2026
What is the purpose of this policy?
We place great importance on the protection and confidentiality of your personal data, which we regard as a mark of seriousness and trust.
The data privacy policy specifically reflects our commitment to uphold the applicable rules on data protection, particularly those of the General Data Protection Regulation ("GDPR").
In particular, the privacy policy aims to inform you about how and why we process your data in the context of the services we provide.
Who is this policy for?
The policy applies to you, regardless of your place of residence, as long as you are at least 15 years old, whether you are a client or a visitor to the site www.episto.fr.
If you are a job candidate at Episto, you can view the "candidate" policy, which is accessible on our dedicated page on standard recruitment sites (e.g., LinkedIn, Indeed, etc.).
If you are under 15 years old, you are not allowed to use our services without the prior explicit consent of one of your parents, which must be sent in writing to dpo@episto.fr. If you believe we might hold information about one of your children under 15 years old without consent, you can request that we delete it by writing to dpo@episto.fr.
Why do we process your data?
As part of the services offered, we necessarily need to process your personal data for the following reasons and grounds:
- To browse our website www.episto.fr, pay for and benefit from our services (conducting surveys and studies, launching campaigns, creating surveys, etc.) and for us to respond to your requests (e.g., information requests, complaints, etc.) based on our general terms and conditions of sale, our general terms of use, and our legitimate interest in providing you with the best possible service.
- To keep you informed of our latest offers and events by phone and email based on our legitimate interest in retaining our customers and prospecting new potential clients.
- To follow us and comment on our publications on social media based on the terms and conditions of the social network concerned (e.g., Facebook) and our legitimate interest in having a dedicated page on social media.
- To receive our newsletter that will inform you of all news concerning our services based on your consent.
- To guarantee and enhance the security and quality of our services on a daily basis (e.g., statistics, data security, etc.) based on the legal obligations placed on us, our general terms and conditions of sale and our legitimate interest in ensuring the proper functioning of our services.
- Finally, we may also install “Cookies” on your device. For more information about the use of “Cookies,” we invite you to consult our “Cookies Policy.”
Your data is collected directly from you when you connect to our website and when you use our services.
We commit to processing your data only for the reasons described above. Furthermore, we guarantee that none of your data will ever be sold to a partner or third party. However, as soon as you voluntarily post content on the pages we publish on social media, you acknowledge that you are fully responsible for any personal information you may disclose, regardless of the nature and origin of the information provided.
What data do we process and for how long?
We have summarized the categories of personal data we collect as well as their respective retention periods.
If you would like to obtain more details about the applicable retention periods for your data, you can contact us at: dpo@episto.fr.
- Professional identification data (e.g., name, first name, job title, company, etc.) and contact details (e.g., professional email address, LinkedIn, etc.) retained for the entire duration of service provision, plus the legal limitation periods that are generally 5 years.
- Where the name of your business is the same as your personal name (e.g., sole trader, microenterprise, etc.), economic and financial data (e.g., bank account number, verification code, etc.) retained for the time necessary for the transaction and management of billing and payments, plus the legal limitation periods, which are generally from 5 to 10 years.
- Data for commercial prospecting, marketing, and subscription to our newsletter (e.g., email address, etc.) retained for a maximum period of 3 years from the last contact we had with you.
- Connection data (e.g., logs, device type, browser type, etc.) retained for a duration of 1 year.
- Cookies which are generally retained for a maximum period of 13 months. For more details on how we use your cookies, you can consult our cookies policy available at any time on our website.
Upon the expiration of the retention periods summarized above, we delete all your personal data to ensure your privacy for future years.
The deletion of your personal data is irreversible, and we will no longer be able to communicate it to you after this deadline. At most, we can only retain anonymous data for statistical purposes.
Please also note that in the event of litigation, we are required to retain all data concerning you for the entire duration of the case, even after the expiration of their retention periods described above.
What rights do you have to control the use of your data?
The applicable regulation on data protection grants you specific rights that you can exercise at any time and free of charge, in order to control the use we make of your data.
- Right of access and copy of your personal data as long as this request does not conflict with business secrecy, confidentiality, or the secrecy of correspondence.
- Right to rectify personal data that may be incorrect, outdated, or incomplete.
- Right to object to the processing of your personal data carried out for commercial prospecting purposes.
- Right to request the deletion ('right to be forgotten') of your personal data that are not essential for the proper functioning of our services.
- Right to restrict the processing of your personal data, which allows you to freeze the use of your data in the event of a dispute over the legitimacy of a processing operation.
- Right to the portability of your data which allows you to retrieve part of your personal data in order to store or transmit it easily from one information system to another.
- Right to give directives on the fate of your data in case of death, either through you or through a trusted third party or heir.
For a request to be taken into account, it is imperative that it be made directly by you at dpo@episto.fr. Any request that is not made in this manner cannot be processed.
Requests cannot come from anyone other than you. We may therefore ask you to provide proof of identity in case of doubt about the identity of the requester.
We will respond to your request as soon as possible, and within three months of receiving it where the request is technically complex or where we receive numerous requests at the same time.
Please note that we may always refuse to respond to any excessive or unfounded requests, particularly in light of their repetitive nature.
Who can access your data?
We only share your data with persons who are properly authorized to use it to implement our services. This may include our personnel responsible for service implementation, accounting, marketing, or even the security of our premises.
How do we protect your data?
We implement all necessary technical and organizational measures to ensure the security of your data on a daily basis, particularly to mitigate any risk of destruction, loss, alteration, or unauthorized disclosure of your data (e.g., training, access control, passwords, antivirus, "https", etc.).
Can your data be transferred outside the European Union?
Except where strictly necessary and on an exceptional basis, we never transfer your data outside the European Union, and your data is always hosted on European soil. Furthermore, we do our utmost to engage only providers who host your data within the European Union.
In the event that our providers are nonetheless required to transfer personal data about you outside the European Union, we carefully ensure that they implement the appropriate safeguards to ensure the confidentiality and protection of your data.
Who can you contact for more information?
Our Data Protection Officer ("DPO") is always available to explain in more detail how we process your data and to answer your questions on the subject at the following address: dpo@episto.fr.
How can you contact the CNIL?
You can contact the French data protection authority (the "Commission nationale de l'informatique et des libertés" or "CNIL") at any time using the following contact details: Complaints Department of the CNIL, 3 place de Fontenoy – TSA 80751, 75334 Paris Cedex 07 or by phone at 01.53.73.22.22.
Can the policy be modified?
We may modify our privacy policy at any time to adapt to new legal requirements as well as new processing activities we may implement in the future. You will, of course, be informed of any changes to this policy.
Certified compliant by Dipeeo ®