Sommaire

Dernière mise à jour le 29/06/2026

Nos engagements en matière de confidentialité

I. WhAt is the purpose of this privacy policy?

‍

MODJO is committed to an ongoing compliance programme with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the General Data Protection Regulation - « GDPR »), the French Data Protection Act (Loi Informatique et Libertés, hereinafter the « LIL ») of 6 January 1978, as amended, in particular by Law No. 2018-493 of 20 June 2018, Regulation (EU) 2018/1725, and all legal and regulatory requirements applicable to MODJO, including in relation to IT security (collectively, the « Applicable Regulations »), so that all Personal Data are processed in a transparent, confidential and secure manner.

‍

To reflect such commitment, this Privacy Policy is intended to relate how and why your Personal Data is processed by MODJO, remind your right and how to exercise them, and describe the commitments and practical measures implemented by MODJO in order to safeguard the Personal Data of visitors, users, clients, prospects, candidates and any partners (hereinafter the « Data Subjects »),

in connection with their test, use, promotion, distribution of MODJO’s artificial intelligence Platform and related products and services (hereinafter the « Services »), and
when accessing and browsing our website at https://www.modjo.ai/ (hereinafter the « Website »), and
when having interaction with our social networks (hereinafter our « Social networks »), and
when discussing, negotiating, and more generally having business-related relations with MODJO,
and where authorised users of the Client enable, configure or use Connectors or Third-Party Services in relation with the Services or Interfaces,.

‍

Regarding the Processing of Personal Data where MODJO acts as a Processor, specifically Processings concerning your clients or prospects that you may entrust to us while using our Services, it is your responsibility to ensure that Data Subject rights and, more generally, Applicable Regulations are abided by.

If your Personal Data is processed by a Client of MODJO, please refer to that Client’s privacy policy or the information they have provided regarding their processing activities.

When Personal Data is processed through a Connector or Third-Party Service, please refer to that Connector’s or Third-Party Service’s privacy policy or the information they have provided regarding their processing activities.

‍

This Privacy Policy may be updated from time to time, particularly to reflect changes in our services, technologies, or applicable regulations. Such updates will take effect as soon as they are made available on our Website or via the Platform.

‍

MODJO’s General Terms and Conditions (hereinafter the « T&Cs »), are accessible following this link, including the provisions relating to the protection of Personal Data, governed by the Data Processing Agreement (hereinafter the « DPA »), which are accessible following this link.

‍

If you have any questions regarding this Privacy Policy or, more generally, the collection and processing of your Personal Data by MODJO, please do not hesitate to contact us at the following email address: dpo@modjo.ai.

‍

II. Who can you contact in the internal organisation of Modjo?

III. What is a "personal data"?

3.1 The GDPR and the LIL provide the following definitions:

‍

3.1.1 « Personal Data » (Article 4(1) of the GDPR)

‍

Personal Data means any information relating to an identified or identifiable natural person (referred to as a « Data Subject »).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.

Because such data concerns individuals, those individuals must retain control over it.

‍

A natural person may be identified:

directly (for instance: surname and first name);
indirectly (for instance: by a telephone number, a vehicle registration number, the social security number, a postal or email address, and also by voice or image).

‍

The identification may be done through:

a single item of data (for instance: your name);
by correlation, through the cross-referencing of a set of data (for instance: a man wearing a pink suit, taking his coffee at the same exact time, to the same coffee corner address, on Tuesdays).

‍

3.1.2 « Processing » (Article 4(2) of the GDPR)

‍

Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‍

Accordingly, Processing of Personal Data means an operation or set of operations carried out on Personal Data, regardless of the process used (collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission or dissemination or otherwise making available, alignment).

‍

Processing of Personal Data is not necessarily computerised: paper files are also concerned and must be protected under the same conditions.

‍

A Processing operation must have a purpose determined prior to the collection and use of the data.

‍

3.1.3 « Controller » (Article 4(7) of the GDPR)

‍

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

‍

3.1.4 « Processor » (Article 4(8) of the GDPR)

‍

The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

‍

3.1.5 « Personal Data Breach » (Article 4(12) of the GDPR)

‍

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

‍

3.1.6 « Sensitive Data » (Article 9(1) of the GDPR)

‍

Sensitive Data form a special category of Personal Data.

‍

They are information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

‍

The Regulation prohibits the collection or use of such data, except, in particular, in the following cases (Article 9 of the GDPR):

where the Data Subject has given explicit consent (an active, explicit and preferably written step, which must be freely given, specific and informed);
where the information has manifestly been made public by the Data Subject;
where the information is necessary to protect human life;
where its use is justified by public interest and authorised by the CNIL;
where the information concerns members or adherents of a political, religious, philosophical, political or trade-union association or organisation.

‍

3.2 Further definitions for the purposes of this Privacy Policy:

‍

3.2.1 « Client » : designates MODJO’s clients using MODJO’s Services, and thus having accepted MODJO’s T&Cs, DPA and Privacy Policy..

‍

3.2.2 « Services » : designates the MODJO’s Platform and related services. The Services are governed by the T&Cs, and the DPA.

‍

3.2.3 « Platform » : designates the MODJO’s platform, accessible after becoming a MODJO’s Client or official partner.

‍

3.2.4 « Interface(s) » : means the MODJO’s APIs, MCP, webhooks, endpoints, authentication mechanisms, MCP-compatible interfaces, chrome extension, service accounts and other programmatic interfaces made available by MODJO to enable Clients authorised users’ access to, or interaction with, information from the Platform.

Interfaces are technical access channels, part of the Services. They are not, in themselves, Third-Party Services, although they may be used by, or in connection with Connectors and Third-Party Services selected, configured, enabled or authorised by the Client.

‍

3.2.5 « Connector(s) » : means any connectors, applications, systems, platforms, environments, plug-ins, integrations, actions, agents, MCP clients or other technical connectors of a third-party enabling authorised users of the Client to access, query or interact with the Platform or the Interfaces from, or through, an external environment, including third-party artificial intelligence platforms, models, assistant or agent environment operated by a third-party, such as, without being limited to, Anthropic, OpenAI, Dust or similar environments.

Depending on the Connector’s capabilities, the Client generally can manage the Platform elements made available to the Connector by choosing to grant access or block them, directly from the Connector.

Connectors may technically initiate, route or relay instructions, prompts, queries, requests, inputs or outputs between the Client, its authorised users, the relevant Third-Party Service and the Platform.

Connectors are Third-Party Services.

‍

3.2.6 « Third-Party Services » : means third-party or Client-side services, including Connectors, connected to, synchronised with, sending data to, receiving data from, or otherwise interoperating with the Platform or the Interfaces, including CRM systems, email services, calendar services, meeting and video-conferencing tools, VoIP, productivity suites, storage solutions, sales engagement tools, iPaaS bots or middleware tools, data warehouses, communication tools and similar business applications, as well as services through which Connectors or Interfaces are used and connected to.

Restriction: Connectors and Third-Party Services must not be used to bypass, weaken or circumvent the technical, contractual, privacy, security or AI safeguards implemented within the Services, including access controls, role-based permissions, approval flows, authentication requirements, rate limits, usage restrictions, audit logs, data minimisation controls, confidentiality restrictions, security filters or any other measure designed to protect Personal Data and the Services.

In particular, the Client must ensure that Connectors and Third-Party Services are not used for unauthorised access, privilege escalation,, circumvention of contractual usage limits, prompt injection, disclosure of secrets or credentials, unauthorised disclosure of confidential information, or processing of Sensitive Data.

Condition of use: The Client must ensure that (a) API keys, tokens, credentials, service accounts and authentication mechanisms are generated, stored, rotated, restricted and revoked in accordance with appropriate security standards, and (b) more generally, that Connectors and Third-Party Services are (i) secured, (ii) compliant with the Applicable Regulation, (iii) and with the T&Cs.

When using Third-Party Services, the Client shall also abide by such Third-Party Services terms and conditions, including related to privacy.

Disclaimer: The Client remains responsible for the acts and omissions of its authorised users and for any instructions, prompts, queries, API calls, webhook configurations, agents, automations, inputs, outputs, bulk extraction, scraping, reconstruction of datasets, exfiltration of data, exports or onward disclosures initiated through Connectors and Third-Party Services, including related to Interfaces. MODJO shall bear no responsibility, of any kind whatsoever, related to the use by the Client of Connectors and Third-Party Services, including for the privacy, security, confidentiality, retention, model-training, international transfer or data processing practices of Connectors and Third-Party Services, except to the extent such liability may not be excluded under applicable law.

‍

3.2.7 « Integration Data » : means Personal Data processed in connection with the use of Third-Party Services, including with the Interfaces, including authentication and authorisation data, account and workspace identifiers, permission scopes, API calls, tool requests, prompts or instructions, inputs and outputs, webhook payloads, data retrieved from or transmitted to the Platform, configuration choices, and technical, security, diagnostic and audit logs necessary to provide, secure, evidence and troubleshoot the relevant access or interaction.

‍

IV. What personal data is collected?

MODJO may collect Personal Data concerning Clients and prospects of the Services, when you test or use the Services, when you browse our Websites and Social networks, in connection with the promotion, distribution, and other negotiations related to our products and services, as well as Personal Data relating to partners, suppliers, integrators, etc. MODJO may also collect Personal Data concerning candidates for recruitment-related activities.

‍

When we process Personal Data on behalf of and as instructed by our Clients, we do it in line with the terms and conditions outlined in our Data Processing Agreement. As a result, this Privacy Policy, which outlines MODJO’s Processing practices, does not govern the Personal Data Processing practices of our Clients, also when using the Platform.

For information about our Clients’ privacy policies and practices, please reach out to them directly.

‍

We may collect or generate the following types of Personal Data:

‍

Personal Data related to our Clients, including:

contact and business details including name, email address, phone number, job title, workplace, and related business insights,
communications with Clients, such as correspondence, calls, meetings, along with their transcriptions and analyses,
any Personal Data included in your support tickets,
feedback and testimonials received,
contractual and billing information,
related to usage of the Services, including log files and statistics relating to actions taken on our Services,
where a Connector is used: Integrated Data,
as well as any expressed, inferred, or identified needs, preferences, attributes, or insights relevant to our current or potential engagements,
and more generally, any Personal Data provided by our Clients, uploaded or used as inputs in the Platform, as well as comments sections, or otherwise processed on their behalf and under their instructions, pursuant to our Data Processing Agreement.

‍

Personal Data related to prospects and partners, including:

contact and business details including name, email address, phone number, job title, workplace, and related business insights,
communications with you, such as correspondence, calls, meetings, along with their transcriptions and analyses,
collected either directly, or indirectly,
related to prospects’ use of our marketing communication, including login credentials, device information, participants at our events, and ones who engage with our online advertisements, contents, emails, integrations, or other communications managed by us,
as well as any expressed, inferred, or identified needs, preferences, attributes, or insights relevant to our potential engagements.

‍

Personal Data related to visitors of our Website and Social networks, including:

information transmitted within the various forms made available by MODJO (contact form, demonstration request, appointment request, webinar registration, etc.), including contact and business details such as name, email address, phone number, job title, workplace, and related business insights,
transmitted by default by your web browser, and we therefore collect it automatically, such as any device and operating system (Windows, Mac, Android, iOS, etc.), the web browser used and its language setting, your Internet Protocol (IP) address, the time and date of your visit, technical information about your device type (computer, smartphone, etc.), credentials, device information, information relating to your use of our Website, data traffic and records of the choices you make online, the pages of our service you visit, log files and statistics relating to actions taken on our Website, the time spent on those pages and other statistics,
messages and comments on our pages.

‍

Personal Data related to candidates and job applicants,

such as information in the CV you sent, in particular when you apply via Welcome To The Jungle, LinkedIn, Teamtailor, etc.,
information provided on your Linkedin profile,
our communications with you, such as correspondence, calls, meetings, along with their transcriptions and analyses.

‍

We use cookies to collect and process tracking data on our Website. For a better understanding of how it works and what it is used for, you can consult our Cookie Policy available on our Website.

‍

When collecting Personal Data, MODJO undertakes to comply with the requirements of the Applicable Regulations. In this respect, we ensure in particular that we collect and process only Personal Data that are adequate, relevant and limited to what is necessary in relation to the purposes pursued (Article 5 of the GDPR), that Data Subjects are informed (Articles 12, 13 and 14 of the GDPR), that even though another legal basis is selected Data Subjects’ consent is obtained whenever technically, financially and operationally feasible (Article 6 of the GDPR), that risks are reduced and the collected Personal Data is secured (Article 32 of the GDPR), and that an adequate level of protection is imposed on our processors (Article 28 of the GDPR).

‍

This Privacy Policy, as well as the DPA, may be accessed at any time on the Website and within the T&Cs.

‍

V. What is modjo's role under the GDPR?

Personal Data collected by MODJO is recorded in our records of Processing (Controller record and Processor record).

‍

5.1 MODJO as a Controller:

‍

MODJO acts as a Personal Data Controller when Processing Personal Data of prospects, partners, Website and Social media visitors, and recruitment candidates, determining the purposes and means of Processing such Personal Data, in accordance with Applicable Regulations.

‍

5.2 MODJO as a Processor:

‍

MODJO acts solely as a Processor for Personal Data processed for the Services, including (i) where authorised users of the Client access the Platform, directly or (ii) through a Connector configured, enabled or used by a Client, as well when (iii) the Client uses any Third-Party Services in relation with the Services.

‍

Our Clients are exclusively responsible for deciding whether and how to use our Services. They must ensure that all individuals using the Services on their behalf or at their direction, as well as any individuals whose Personal Data is included in Client’s data processed through the Services, receive appropriate notice and, where required, provide informed consent for the Processing of their Personal Data. Clients must also ensure that all legal obligations related to the collection, storage, use, or other Processing of Personal Data through our Services are fully complied with, particularly in the context of employment relationships. Additionally, our clients are responsible for managing Data Subjects’ right requests in accordance with Applicable Regulations, whether from their users or other individuals whose Personal Data they process through the Services.

‍

Where a Client enables a Connector or a Third-Party Service to process data of the Services in any manner whatsoever, the Client remains responsible for determining whether such enablement is appropriate for its organisation, for configuring access rights and permission scopes, for informing authorised users and other Data Subjects, and for ensuring that the Third-Party Service selected by the Client or user is secured, compliant with the Applicable Regulation and with the Client’s and MODJO’s own obligations, and may lawfully receive and process the data made available. The Client shall make such assessment before enabling them to access or interact with the Services.

Third-Party Services and Connectors are separate services from the Services, selected, configured or authorised by the Client or its users. MODJO does not control, audit, determine or warrant their privacy policies, security measures, retention periods, international transfer mechanisms, model-training settings or data processing practices. The Client remains responsible for assessing and validating such Third-Party Services.

In case of using the Services with a Connector or more generally a Third-Party Service, this includes Integration Data and any Personal Data processed for authentication, authorisation, permission enforcement, security, audit logging, monitoring, troubleshooting, support, abuse prevention, incident management or connector operation.

In that context, MODJO does not determine any purpose for the processings made and acts only on behalf of and under the documented instructions of the Client, as set out in the DPA and Privacy Policy herein. The Client shall ensure processes requested through Third-Party Services are compliant with the DPA and its documented instructions.

‍

VI. Why do we collect personal data and what for?

The purpose of Processing is the main objective for which Personal Data is processed.

‍

Processing carried out by MODJO pursues an explicit, legitimate and determined purpose. The Personal Data collected is not subsequently processed in a manner incompatible with that original purpose.

‍

6.1 Processing in connection with business management

‍

Processing of Personal Data being necessary for MODJO’s business management, the legal basis for such Processing is the legitimate interest (Article 6(1)(f) of the GDPR).

‍

In connection with the Processing related to its business management, MODJO acts as a Controller.

‍

The main and usual purposes of Processing carried out by MODJO in relation to Personal Data of Data Subjects external to MODJO in connexion to MODJO’s business management are, in particular :

Order Management: MODJO may collect and process Personal Data relating to the prospects, Clients and some partners for internal administrative and organisational purposes, including reporting activities and the allocation of responsibilities among MODJO’s various departments,

‍

Invoicing: MODJO shall issue invoices to the email addresses designated by Clients and, where necessary, shall send payment reminders using the email addresses and telephone numbers provided by the Client,

‍

Compliance: In order to ensure our compliance with the obligations incumbent upon us, MODJO may need to retain some information and documents, such as some contracts, logs, etc.,

‍

Defense: For the purposes of establishing, exercising, or defending legal claims in connection with any dispute involving the Parties, a third party, or any competent authority, MODJO may retain certain documents and communications, including agreements, which may contain Personal Data.

‍

Such a list, however, is not exhaustive, as it may evolve.

‍

6.2 Processing in connection with marketing and promotion of products and services

‍

Processing of Personal Data being necessary for MODJO’s marketing and promotion of its products and services, the legal basis for such Processing is the legitimate interest (Article 6(1)(f) of the GDPR).

‍

In connection with the Processing related to its marketing and promotion of its products and services, MODJO acts as a Controller.

‍

The main and usual purposes of Processing carried out by MODJO in relation to marketing and promotion of products and services are, in particular :

‍

Offers: For offer creation and qualification processes in response to a commercial lead, in particular through our CRM, Website and Social networks,

‍

Contact forms: When you contact us through our contact forms, we collect the information relating to your contact request (including: first name, last name, company name, telephone number and email address),

‍

Newsletter and marketing communications: When you subscribe to MODJO’s newsletter(s) and marketing communications, we collect the information relating to such subscription (including: first name, last name, company name, email address),

‍

Prospecting: electronic and telephone prospecting is performed following the three requirements to be met to benefit from the specific regime for B2B marketing, where prior consent is not systematically required, i.e. (i) the marketing is related to the professional activity of the person contacted, (ii) the person is informed of the origin of their Personal Data and the purpose of the message, and (iii) the person can simply object to receiving further solicitations, pursuant to the CNIL guidance applicable to B2B prospecting, as updated from time to time (last update of 10 June 2026),

‍

Continuous improvement: We also process Personal Data for improving our Services, understanding how they are used and how our campaigns perform, when consulting and carrying out statistical studies and audience measurement for our Website and Social networks, gaining insights to allocate resources more effectively, providing better customer and technical support, and ensuring security,

‍

Cookies: In addition to the Personal Data that you provide to us directly, we may also collect information regarding your browsing activity on the Website, through the use of cookies.

‍

Such a list, however, is not exhaustive, as it may evolve.

‍

6.3 Processing in connection with the Services

‍

In connection with the Processing of Personal Data relating to its Services, MODJO acts as a Processor. Where MODJO processes Client’s Personal Data as a Processor, the legal basis is determined by the Client. MODJO processes such Personal Data under the Client’s documented instructions and the DPA.

‍

Processing of Personal Data being necessary to perform the Services, the legal basis for such Processing is generally either the legitimate interest (Article 6(1)(f) of the GDPR), or as required to deliver our Services and therefore perform our contracts (Article 6(1)(b) of the GDPR).

‍

Details of MODJO’s obligation for such Processing are set out in the Data Processing Agreement, and any further information, subject to confidentiality obligations, can be requested to MODJO’s DPO at dpo@modjo.ai.

‍

The purposes of such Processing are determined by the Client. They are mentioned in the DPA or in specific data processing agreements approved by the stakeholders.

‍

For further information on the Processing carried out by MODJO for its Services, please consult our Data Processing Agreement.

‍

6.4 Conversation recording

‍

This section does not cover recordings made for Clients as part of the Services.

‍

Processing of Personal Data being necessary for our business management and to perform the Services, the legal basis for such Processing is either the legitimate interest (Article 6(1)(f) of the GDPR), or as required to deliver our Services and therefore perform our contracts (Article 6(1)(b) of the GDPR).

‍

Where conversations recorded are calls, the recording is managed by the Client’s tool, which is a Third-Party Service following its own terms, conditions and policies.

Where conversations recorded are videoconferences, the recording can either be managed by a Client’s tool or a MODJO’s subprocessor.

When managed by a MODJO’s subprocessor, MODJO ensures the respect of the Data Subjects’ rights.

‍

To this end, MODJO provides native touchpoints where it surfaces privacy information to Data Subjects, so that participants are informed of the recording, and

MODJO’s recorder (named the « Modjo AI Assistant ») appears as a pop-up and request the owner permission to enter the call,
a sound signal is emitted when the Modjo AI Assistant appears,
when access is given, the Modjo AI Assistant joins as a visible participant,
a message in the conversation is displayed, informing that the recorder has joined, will take notes and enable the delivering of AI and other features,
admins can customise the Modjo AI Assistant’s name and display an explanatory phrase at each meeting to inform participants that recording is taking place and why (CNIL‑aligned guidance).

‍

MODJO respects objection rights of Data Subjects, and

the Modjo AI Assistant is never accepted when someone has objected to recording or AI analyses,

and the person can always change his mind, as the Modjo AI Assistant can be dismissed at any time, even if access has been granted,
in case an objection is expressed before access of the Modjo AI Assistant to the meeting, no Personal Data has been processed by the bot and no MODJO functionality will perform on such data,
in case an objection is expressed after access of the Modjo AI Assistant to the meeting, such recording will then be deleted from our internal platform.

‍

Not all conversations are recorded, our teams chose the relevant ones and retained the ones they necessary need. Also, internal conversations are generally not recorded, except when specifically needed.

‍

We may record telephone calls and videoconferences between our teams and Clients, prospects or partners (not candidates) for the following purposes:

for training purposes (reusing recordings as training material),
for service quality improvement purposes, including by enhancing the tracking of interactions and the management of business relationships with our contacts,
to promote collaboration among teams,
and more generally, for the Platform’s functionalities (transcription, CRM filings, analyses, etc.).

‍

All AI analyses are exclusively performed on transcripts (text data), and not on recordings.

The Client shall not hijack these instructions nor bypass any safeguards, as well when using Interfaces through Third-Party Services.

‍

6.5 Processing in connection with Connectors and Third-Party Services

‍

MODJO has no control over, and no ability to determine, modify or enforce the privacy policy, data processing terms, retention settings, model training settings, international transfer mechanisms or security practices of Connectors, Third-Party Services or other connector environments selected, enabled or used by the Client or by an authorised user.

‍

The Client is exclusively responsible for reviewing and accepting the applicable third-party purposes and related documentation, and for ensuring that the use of the Connectors and Third-Party Services through such environments is lawful and consistent with its own internal policies.

‍

Processing of Personal Data in such context is made pursuant to Section 6.3 and the Client shall ensure its DPA is updated to Connectors and Third-Party Services’ use.

‍

VII. What are your rights and how to exercise them?

7.1 General

(Article 19 of the GDPR)

MODJO treats the respect of Data Subjects’ rights, as set out in the GDPR, as a priority.

‍

Requests to exercise rights may be made simply by sending a request to dpo@modjo.ai, accompanied by a copy of an identity evidence.

‍

In that context, we will respond to requests within a maximum period of one (1) month* from its receipt.

*Where the request is incomplete (in particular where the identity evidence is missing), MODJO is entitled to request additional information. The response period is then suspended and begins to run again once such information has been provided.

‍

However, under certain conditions, MODJO is entitled to:

Refuse to act on a request: in such case, MODJO shall provide reasons for its decision and inform the applicant, within the applicable time limit*, of the available remedies and the applicable time limits for challenging such decision (for example, where compliance with the request would adversely affect the rights and freedoms of another individual);
Not to respond to requests that are manifestly unfounded or excessive, in particular due to their repetitive or systematic nature, or due to the volume of request submitted;
Decline a request where MODJO does not hold any Personal Data relating to the individual exercising the right of access, or where such data has been permanently deleted. In such circumstances, Modjo nevertheless undertakes to respond to the requester within one (1) month.

‍

Requests relating to the exercise of Data Subjects’ rights are recorded in MODJO’s Register of Data Subject’s Rights Requests.

‍

The rights that Data Subjects may exercise are set out below.

‍

7.2 Procedure for handling requests

‍

Responsibilities

‍

The handling of requests is handled by and under the supervision of the DPO.

‍

Where MODJO is a Processor: the DPO forwards requests to exercise rights to the Controller in accordance with Article 28(3)(e) of the GDPR, and waits for the Controller’s instructions.

‍

Where MODJO is a Controller: the DPO relies (i) on the representatives identified in the Controller Register and, where applicable, (ii) on one or more processors.

‍

Management of the requests (where MODJO is a Controller)

‍

All requests sent to MODJO are forwarded to the DPO, who records them in the Register of Data Subject’s Rights Requests.

‍

The DPO verifies the applicant’s identity.

‍

The DPO acknowledges safe receipt of the request.

‍

The DPO qualifies the request and specifies, in particular, its type:

right to rectification;
right to object;
right of access;
right to erasure;
right to restriction of Processing;
right to portability.

‍

Information to the applicant (where MODJO is a Controller)

‍

Depending on the type of request qualified by the DPO, a response is sent to the applicant using the email template provided for that purpose within MODJO’s processes.

‍

The DPO checks whether all information required by the competent team which shall implement the request for rights (in particular, proceed with the deletion of Personal Data), are given by the applicant.

‍

Where the request is accepted, the email generally specifies the period within which the request will be processed (which generally is a maximum of one (1) month, except as for special cases).

‍

Where the request is refused, the email states the reason(s) for the refusal and provides information on avenues of appeal before the supervisory authority.

‍

Emails are recorded in the Register of Data Subject’s Rights Requests.

‍

Processing the request (where MODJO is a Controller)

‍

The request is processed by the Controller and, where applicable, the Processor, as identified in each GDPR Processing Sheet.

‍

The DPO transfers all useful information to the competent team along with the associated instructions, and the latter implements the required measures.

‍

Once achieved, the DPO confirms to the applicant that the request has been treated.

‍

For data processed in software packages, software or other SaaS tools

‍

Persons authorised to use these tools follow the operating procedure associated with the exercise of each right, monitor the data and delete them in accordance with this Privacy Policy.

‍

Regularly, the persons authorised to use these tools report the progress of Processing and the results of handling rights requests to the DPO, so that she can update the relevant records.

‍

For data that are not processed in software and that are processed via Excel, CVs, emails or other local databases, meeting notes or internal team feedback

‍

Personal Data that are systematically deleted after Processing and therefore do not remain on users’ workstations are not affected by requests.

‍

For data that are not systematically deleted, requests are processed in accordance with the operating procedure associated with the exercise of each right.

‍

7.3 Right to information and transparency (Articles 5(1)(a), 12, 13 and 14 of the GDPR)

‍

MODJO ensures that Data Subjects are informed of the nature of the Processing, its purpose, its location and the storage arrangements.

‍

In order to be fair and lawful, the collection of Personal Data must be accompanied by clear and precise information for individuals. The medium used for such information varies depending on the characteristics of the file (for example, an information notice for conversation recordings, an information clause on a form, or reading out the information when data is collected by telephone).

‍

MODJO ensures that the right to information is provided in accordance with Articles 13 and 14 of the GDPR, both where Personal Data are collected from the Data Subject (Article 13 of the GDPR) and where Personal Data have not been collected directly from the Data Subject (Article 14 of the GDPR).

‍

MODJO includes, on relevant materials (through a link to the T&Cs within documents or within email signatures, or by mentioning dpo@modjo.ai), the information required to understand and exercise Data Subjects’ rights to information.

‍

7.4 Collection of consent and lawfulness (Article 6 of the GDPR)

‍

Consent is an active step by the user, explicit and preferably in writing, which must be freely given, specific and informed. In an online form, for example, it may take the form of a tick box that is not pre-ticked by default.

‍

Consent must be obtained « prior » to Personal Data collection.

‍

The prior consent of the Data Subject may be required in particular:

in the event of collection of Sensitive Data (health data, political opinions, sexual orientation, and trade union membership, etc. of Article 9 of the GDPR) or special Personal Data (such as Personal Data relating to criminal convictions and offences or related security measures of Article 10 of the GDPR);
in the event of the use of cookies and other trackers for certain purposes;
in the event of the use of data of consumers (BtoC) for electronic direct marketing purposes, and as from 11 August 2026 for telephone prospecting except in case of an ongoing agreement.

‍

MODJO uses the reasonable best efforts expected in light of its activities and structure to ensure that Data Subjects’ consent is implemented as soon as possible and, a minima, whenever such consent is required.

‍

7.5 Right of access (Article 15 of the GDPR)

‍

Upon request, MODJO will reasonably provide you with a copy of all your Personal Data as well as all legally required information:

the categories of Personal Data collected and processed;
the purposes of their Processing;
the categories of recipients to whom the Personal Data have been or are likely to be disclosed;
the retention period for the Personal Data;
information concerning your rights in relation to your Personal Data.

‍

7.6 Right to rectification (Article 16 of the GDPR)

‍

You may request the correction, completion, updating, locking, or deletion of your Personal Data if it contains errors, inaccuracies, or in case the presence of Personal Data whose collection, use, disclosure, or storage is prohibited have been identified.

‍

7.7 Right to erasure (Article 17 of the GDPR)

‍

Any Personal Data collected may be erased where:

they are no longer necessary in relation to the purposes for which they were collected or processed;
you withdraw your consent to the Processing - with respect to Processing for which prior consent is the legal basis and no other legal basis is available;
you have objected to the collection or Processing of your Personal Data and the file controller has no legitimate or compelling ground for not granting the request;
the Processing of your Personal Data is unlawful;
your Personal Data must be erased in order to comply with a legal obligation to which MODJO is subject;
you were a minor at the time your Personal Data was collected.

‍

In the event you are a minor at the time of the request, the holders of parental authority may submit a request for erasure of your Personal Data (Article 8 of the GDPR).

‍

7.8 Right to restriction of Processing (Article 18 of the GDPR)

‍

This right may be exercised alongside a request for deletion or rectification of Personal Data. Where the foregoing rights require a certain period of time to review the request, the Personal Data concerned is then frozen pending the decision on deletion or rectification.

‍

Where Personal Data is frozen, its use remains possible if:

you have given your consent;
this is necessary for the establishment, exercise or defence of legal claims;
this is necessary to protect the rights of another natural or legal person;
or for important reasons of public interest of the Union or of a Member State.

‍

7.9 Right to portability (Article 20 of the GDPR)

‍

This right applies to Processing based on consent or on performance of a contract, as legal basis. The Personal Data that may be subject to portability are those that you have provided, those generated by your activity and those derived, calculated and inferred from the data you initially provided.

‍

This right enables you to obtain such Personal Data in a structured and machine-readable format. There is no requirement that the format be human-readable.

‍

You may transfer your Personal Data yourself or ask MODJO to transmit your Personal Data to another entity (Controller or Processor).

‍

7.10 Right to object (Article 21 of the GDPR)

‍

General case

‍

This right applies primarily to Processing based on legitimate interest or a task carried out in the public interest. Any person may object, on legitimate grounds, to its Personal Data being included in a file. The individual must then demonstrate reasons related to their specific situation.

‍

If the Processing is based on consent, the term used is withdrawal of consent, not objection.

‍

Marketing purposes

‍

Any person may refuse, without however having to provide reasons, the use of their Personal Data for direct marketing purposes.

‍

Legal obligation

‍

If the Processing is required by law, for example, for tax, social security, or accounting obligations, the right to object may be waived or ineffective.

‍

Scope of this right

‍

The right to object is not a right to simple and definitive deletion of all your Personal Data or the account attached to you. For instance, only a breach of contract allows the deletion of an account with your mobile operator or an e-commerce site.

‍

If your objection request does not concern prospecting, the organisation may justify its refusal on the grounds that:

there are legitimate and compelling reasons to process the Personal Data or that they are necessary for the establishment, exercise or defense of legal rights;
you have consented – you shall then withdraw this consent and not object;
a contract binds you to the organisation;
a legal obligation requires this Processing of your Personal Data;
the processing is necessary to safeguard the vital interests of the Data Subject or of another natural person.

‍

7.11 Automated decision-making (Article 22 of the GDPR)

‍

Every Data Subject has the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects them, unless such decision (i) is necessary for entering into or performing a contract, (ii) is authorised by law, or (iii) is based on their consent.

‍

MODJO does not use its solutions to make decisions about Data Subjects based solely on automated Processing which would produce legal effects or similarly significant effects within the meaning of Article 22 of the GDPR.

‍

In this respect, features made available through MODJO’s Platform are designed to assist users by providing, for example, reporting, analysis, transcription, summarisation, recommendations or workflow automation. These features are intended to support human users and do not, by themselves, determine decisions affecting Data Subjects. Any decision based on information generated or made available through the Platform remains subject to the user’s own assessment, responsibility and human oversight.

They are based on actions that could previously be performed by a human.

‍

7.12 Right to issue instructions concerning your data after your death (Article 40-1 of the French Data Protection Act)

‍

You may define instructions concerning the arrangements for retention, erasure and disclosure of your Personal Data that you wish to apply after your death.

‍

7.13 Right to withdraw consent (Article 4, 6 and 7 and Recitals 42 and 43 of the GDPR)

‍

With regard to Processing based on your consent, you have the right to withdraw such consent. Withdrawal may occur at any time and no justification is required.

‍

7.14 Controller’s notification obligation (Article 19 of the GDPR)

‍

The Controller shall notify each recipient to whom Personal Data have been disclosed of any rectification, erasure of Personal Data or restriction of Processing carried out in accordance with Articles 16, 17 and 18 of the GDPR, unless such communication proves impossible or involves disproportionate effort.

Information about such recipients shall be provided to the Data Subject if he or she so requests.

‍

7.15 Right to a remedy

‍

In the event of a dispute that is not resolved amicably with your Controller, you may lodge a complaint with the CNIL in accordance with the procedures detailed on its website: https://www.cnil.fr.

‍

You may also bring proceedings before the competent court, without first lodging a complaint with the CNIL.

‍

In the event of deletion of Personal Data, MODJO can provide a certificate of destruction of the Personal Data to the Data Subject, which it will also retain.

‍

VIII. what are Modjo's commitments when acting as controller or processor?

8.1 Where MODJO acts as a Controller

‍

When using the Platform, Clients of MODJO act as Controllers. In the event of sole controllership, the Client, acting as Controller, undertakes to:

indicate which Personal Data (sensitive or otherwise) will be involved in the project;
provide the information necessary to establish the record of Processing activities;
define the purpose(s) of the Processing of Personal Data;
inform Data Subjects of their rights;
carry out a Data Protection Impact Assessment (DPIA) whenever required and, where applicable, conduct prior consultation with the supervisory authority in accordance with Articles 35 and 36 of the GDPR;
communicate to subprocessors the risks associated with the Processing of Personal Data.

‍

8.2 Where MODJO acts as a Processor

‍

Where MODJO acts as Processor, MODJO undertakes to:

reasonably assists the Controller in fulfilling its obligation to respond to requests from Data Subjects to exercise their rights under Chapter III of the GDPR (Article 28(3)(e) of the GDPR);
reasonably assist the Controller in ensuring compliance with obligations relating to the protection of Personal Data (Article 28(3)(f) and Articles 32 to 36 of the GDPR), including demonstrating security compliance of the Processing, notifying the competent control authority and communicating to Data Subjects in case of a Personal Data Breach, drafting Data Protection Impact Assessments (DPIA), and prior consulting the competent authorities where required, taking into account the nature of the Processing and the information available to MODJO, and subject to the confidentiality of the information requested,
effectively implement all the Security Measures to ensure the security of the Personal Data processed (Article 28(3)(c) of the GDPR);
delete or return all Personal Data at the end of the applicable retention period or upon specific request (Article 28(3)(g) of the GDPR);
authorise the client to have audits, inspections or checks carried out on MODJO’s Processing, pursuant to the Data Processing Agreement (Article 28(3)(h) of the GDPR);
reasonably inform the Controller where, under MODJO’s appreciation, the Controller’s instructions constitute a breach of the regulations relating to data protection (Article 28(3)al.2 of the GDPR).

‍

IX. where do we record our processing activities? (article 30 of Gdpr)

MODJO maintains three records relating to Personal Data Processing.

Except for cases concerning Processing internal to MODJO, the records are established on the basis of information provided by and exchanged with Clients and external partners, and the measures implemented by MODJO.

‍

9.1 Controller Record

MODJO maintains a Controller record listing all Personal Data Processing in which the company participates. This record is kept in writing in digital form.

It contains the following information:

identification of the Processing;
date of implementation of the Processing and date of last update of the record;
name and contact details of the Controller;
name and contact details of the DPO;
legal basis governing the Processing;
description of the Processing;
purposes of the Processing;
categories of Data Subjects;
categories of Personal Data processed;
sources of the information;
the optional or mandatory nature of Personal Data collection and the consequences of not providing said Personal Data;
retention period(s) for the different categories of Personal Data processed;
whether or not automated decision can be made;
information on the recipient(s), including internal recipients and subprocessors;
any transfers to a third country;
technical and organisational security measures implemented or the reference to such measures;
arrangements for the exercise of Data Subjects’ rights;
and the right to lodge a complaint with the CNIL.

‍

9.2 Processor Record

MODJO maintains a Processor record listing all Personal Data Processing carried out by the company, as Processor, on behalf of its clients and distributors, acting as Controllers, in connection with the deployment of its products and services. This record is kept in writing in digital form.

It contains the following information:

identification of the Processing;
date of implementation of the Processing and date of last update of the record;
name and contact details of the Controller;
name and contact details of the DPO;
description of the Processing;
purposes of the Processing;
categories of Data Subjects;
categories of Personal Data processed;
information on the subprocessors;
transfers to third countries;
technical and organisational security measures implemented or the reference to such measures.

X. is your personal data secured?

10.1 Security measures

‍

MODJO’s Security Measures may be accessed at any time via this link: https://www.modjo.ai/en/trust-center.

‍

We implement systems, applications, and procedures aimed at securing your Personal Data and reducing the risk of theft, damage, loss, unauthorised access, or misuse. However, we cannot guarantee that our Websites, Social networks or Services will be completely free from malfunctions, unlawful access, or other forms of misuse.

‍

10.2 Access management

‍

Only persons authorised by MODJO may access Personal Data, and only as necessary to execute the tasks entrusted to them. Thus, recipients of Personal Data authorised by MODJO are employees and sub-contractors with a sufficient level of security, i.e. the Service Providers.

‍

As part of its commercial prospecting operations, MODJO may share with its partners company names of Clients or prospects that they have in common. These partners are subject to confidentiality clauses. This does not include identity data and contact details.

‍

In the context of recruitment, MODJO may share information relating to candidates with external organisations involved in the recruitment of candidates (sub-contractors) such as recruitment agencies or SaaS recruitment software.

‍

For more information, please visit our Trust Center: https://www.modjo.ai/en/trust-center.

‍

XI. what are the principles of protection of personal data by default and by design?

Taking into account the state-of-the-art, the costs of implementation, and the nature, scope, context and purposes of the Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons arising from the processing, MODJO implements, both at the time of the determination of the means for processing and at the time of the Processing itself, appropriate technical and organisational measures designed to ensure effective application of data protection principles, such as data minimisation (Article 25 of the GDPR).

‍

Accordingly:

as from the design stage, MODJO incorporate principles relating to the protection of Personal Data to its products and services, thanks to combined actions of its product, legal and engineering teams;
by default, MODJO provides some default settings (which may subsequently be modified by the Controller at its discretion, the Client remaining solely responsible for determining means and conditions of the Processing carried out) on the Platform, designed to support compliance with the data minimisation principle, for instance ensuring that only Personal Data necessary for the relevant Processing purposes are collected, processed and retained, delimitating the extent of their Processing, as well as some retention periods, and the number of individuals having access to the data.

‍

XII. where is your personal data stored?

‍

12.1 Storage

‍

With regard to Personal Data storage, MODJO requires its hosting service providers to store the Personal Data exclusively within the European Economic Area (EEA).

‍

MODJO’s Website and databases are hosted by AWS on servers located in France and within the European Union.

‍

12.2 Access and Processing

‍

For technical reasons or for specific needs related to the maintenance of certain applications, Personal Data may be transmitted or made accessible to MODJO’s service providers located outside the EEA.

‍

In this situation, MODJO only contracts with subcontractors having an adequate level of data security and protection.

‍

Accordingly, MODJO first ensures that these service providers guarantee an adequate level of protection for Personal Data, and comply with the GDPR in particular Chapter V, for instance through the supervision of data transfers outside the EEA by (i) adequacy decisions, (ii) binding company rules or (iii) through the adoption of the European Commission’s Standard Contractual Clauses.

‍

XIII. do we use subprocessors?

MODJO may use processors and subprocessors.

‍

Where this is contemplated, before any Processing begins, MODJO has ascertained the processor’s or subprocessor’s compliance with the GDPR, and has entered into a DPA.

‍

Where any transfer shall take place, MODJO assesses the transfer mechanism, and takes the appropriate measures to always remain compliant with Chapter V of the GDPR, as specified in Section XII of this Privacy Policy.

‍

In connection with the Services, the list of MODJO’s subprocessors is detailed in the Data Processing Agreement.

‍

Connectors and more generally Third-Party Services are not subprocessors nor subcontractors, as they only contract with the Client and MODJO has no contractual engagement with them.

‍

XIV. how long is your personal data retained?

14.1 Retention period for Personal Data

‍

The retention period for Personal Data may vary depending on the purpose of the Processing and existing and applicable legislation (retention limited by a legal obligation), as well as according to the instructions of the Controller.

‍

Accordingly, MODJO undertakes to retain Personal Data only for the period necessary to achieve the purpose pursued, unless legal obligations require retention for a longer period, and pursuant to the Controller’s instructions.

‍

At each Personal Data collection, MODJO undertakes to use its best efforts to make available to Data Subjects, in compliance with the Applicable Regulations, all information relating to the retention period for Personal Data, including within this Privacy Policy.

‍

By way of indication, retention periods are set out below:

Once the retention period has expired, relevant Personal Data is permanently deleted.

‍

For this purpose, MODJO can provide a Data Destruction Certificate, upon request sent to dpo@modjo.ai, which it regularly completes for the needs of Data Subjects.

‍

NOTE:

law of evidence: five (5) years (Article 2224 of the French Civil Code);
tax law: six (6) years (Article L102 B of the French Tax Procedures Book);
accounting: ten (10) years (Article L123-22 of the French Commercial Code).

‍

14.2 Retention period for Sensitive Data

‍

In connection with its internal activities, and upon deliberation of its DPO, Legal Manager, CISO and Direction, MODJO has decided not to authorise Processing of Sensitive Data by its employees, except for specific purposes. In such an exception, the Sensitive Data collected would not remain indefinitely in our information system. We would retain them only in order to achieve the purpose for which they were collected. When such Sensitive Data were no longer necessary in relation to the purposes for which they were collected, they would be immediately deleted.

‍

As regards the Platform, MODJO does not need nor wish to process any special category of data. Therefore, the presence of such particular data is not wanted, nor planned.

Special category of data may only be present incidentally in recordings or transcripts, if disclosed by the user. Therefore, MODJO firmly requires Clients’ and partners’ users:

Not to disclose either Sensitive Personal Data, nor confidential information or any other protected data;
To dismiss the recording bot, if the user nevertheless wishes to disclose such type of information or data during any conversation, for the duration of such disclosing;
And in case of forgetfulness, to immediately delete any recording (from calls and/or visioconferences), transcript or other element including such type of information or data.

‍

When a Connector or Third-Party Service is used, users must not submit through a Third-Party Service Sensitive or protected Data, including passwords, API keys, MFA/OTP codes, special categories of Personal Data, or other confidential information unrelated to the Services’ professional and commercial purposes.

‍

14.3 Deletion process

‍

Personal Data whose retention period has expired will be deleted either automatically or manually, depending on the type of Personal Data.

‍

Personal Data stored electronically will be deleted from the computers of the persons responsible for the Processing as well as from the various storage media (hard drives, servers, etc.).

‍

If deletion is carried out through the graphical interface of an operating system, the person responsible for the deletion obligation shall empty the recycle bin after deletion in order to ensure that the Personal Data cannot be recovered.

‍

XV. how incidents are managed and notified in the event of a personal data breach?

MODJO enables any person, internal or external, to notify us of any incident, whether or not such incident constitutes a Personal Data Breach within the meaning of the Applicable Regulations on the protection of Personal Data.

‍

15.1 Internal procedure

‍

MODJO implements, reviews and keeps up to date its SOC2 Type II Certification and Security Measures in order to manage risk and limit the occurrence of any such risk, including verification and monitoring mechanisms enabling any incident to be identified and handled as soon as possible where applicable, so as to minimise its potential consequences.

‍

If an incident occurs, MODJO has implemented an internal incident escalation Procedure, detailed in the Data Breach Procedure (internal).

‍

Incidents may be escalated by any person by activating the support service, which may be contacted by any means of communication by tagging ask-support. They are addressed via a ticketing tool. The incident is monitored over time until it reaches « resolution » status.

The internal MODJO persons who must be informed are the DPO, Legal Manager and CISO.

‍

15.2 External procedure

‍

In the event that an incident is identified, any person is invited to notify MODJO without delay via the email address of its DPO: dpo@modjo.ai.

‍

Individuals are informed of this procedure via this Privacy Policy accessible in the Website and in the T&Cs (link), all of which shared with each Client and partners through quotes, invoices, the Website or by being inserted into the email signatures of some MODJO’s internal employees facing Clients and prospects on a day-to-day basis.

‍

Where MODJO is a Controller, MODJO acknowledges receipt of the incident, records it in the Data Breach Register, notifies the CNIL within seventy-two (72) hours, and informs the Data Subjects where applicable where the risk is classified as « limited » or « high » in the register (Article 33 of the GDPR), and in any event, where the risk is « high » (Article 34 of the GDPR).

‍

Where MODJO is Processor, in addition to the measures specified above relating to the recording of the incident in the Data Breach Register and its management, MODJO notifies the Controller of any Personal Data Breach (whether sensitive or not) as soon as possible, enabling the Controller to notify the CNIL within its own time limits where applicable, after becoming aware of the breach.

The Controller (in principle, a Client) must then notify the Personal Data Breach to the supervisory authority within the time limits imposed by the GDPR (Article 33 of the GDPR) and inform the Data Subjects affected by the breach (Article 34 of the GDPR).

‍

Such written notification must:

describe the nature of the Personal Data Breach (unauthorised access, alteration or loss of Personal Data), including, where possible, the categories and approximate number of Data Subjects affected by the breach and the categories and approximate number of Personal Data concerned;
communicate the contact details of the DPO who will act as the contact point;
describe the likely consequences of the Personal Data Breach;
describe the measures taken or proposed to be taken to remedy the Personal Data Breach and the measures to mitigate its possible adverse effects.

‍

For any Personal Data Breach, Modjo undertakes to implement, as soon as possible, the measures necessary to mitigate the impact of the breach and prevent, to the extent possible, its recurrence.

‍

The notification or response by MODJO to an incident shall not be construed as an admission by MODJO of any fault or liability in relation to the incident.

‍

XVI. do we have a data protection officer (dpo)?

‍

MODJO has appointed a Data Protection Officer (also « DPO ») in accordance with the regulations in force (Article 37 of the GDPR) and ensures that its DPO is involved in all matters relating to Personal Data protection.

‍

The DPO is independent, subject to professional secrecy and to a confidentiality obligation in the performance of her duties, and receives no instructions regarding the performance of her duties (Article 38 of the GDPR).

‍

Accordingly, for any request relating to Personal Data, you may contact our DPO, indicating the subject matter of your request, at the following email address: dpo@modjo.ai.

The DPO is the preferred contact for any request for information or to assert your Personal Data protection rights.

The contact details of our DPO are communicated to Data Subjects, in particular in the legal notice of the Website, in T&Cs and in the DPA, and may be transmitted by them to the supervisory authority.

‍

The main duties of MODJO’s DPO are as follows (Article 39 of the GDPR):

to inform, advise and, where necessary, alert the Controller or Processor and the employees who carry out Processing of their obligations pursuant to Union or Member State data protection law, including the GDPR;
to disseminate a Personal Data protection culture within the company through awareness-raising and training actions for personnel involved in Processing operations;
to analyse and monitor compliance with those provisions and with internal data protection rules, including with regard to the allocation of responsibilities, awareness-raising and training of personnel involved in Processing operations, and related audits;
to provide advice, upon request, regarding the Data Protection Impact Assessment and verify its performance;
to establish and maintain documentation, in particular the « GDPR » records and related documents;
to mediate with Data Subjects and handle responses to requests to exercise rights where MODJO is involved (in conjunction with the Controller);
to cooperate with stakeholders (processors, controllers, clients, etc.) and, where applicable, with the supervisory authority, namely the CNIL;
to act as the contact point for the Data Subjects and the supervisory authority on matters relating to the Processing operation(s).

‍

XVII. what are transparency and traceability principles?

‍

MODJO always processes Personal Data pursuant to its Data Processing Agreement, and this Privacy Policy.

‍

MODJO commits to reasonably provide its best efforts for ensuring adequate levels of transparency and traceability of Processing of Personal Data.

XVII. what are the ethics principles?

18.1 Ethics principles

‍

The emergence in our societies of innovative technologies such as artificial intelligence requires appropriate attention. Ethics is fundamental in the implementation of Personal Data Processing and is therefore one of the major issues specific to the field of artificial intelligence.

‍

In light of this, MODJO attaches particular importance to the ethical use of its products and services. MODJO encourages its employees and Clients to abide by the ethics principles derived from the European Commission’s 2019 Guidelines, and prohibits use of its Services in an unethical manner.

‍

18.2 AI for good

‍

This principle implies to ensure that AI enhances individual and collective well-being within society, as well as the common good. It also aims to ensure that AI fosters innovation and progress while minimizing negative impacts on citizens’ well-being, the environment, and energy consumption.

The user must be able to retain their decision-making power when using AI. AI systems must not constrain, deceive, or manipulate the user.

‍

18.3 Bias mitigation

‍

MODJO commits to preventing and mitigating algorithmic bias, by conducting checks on the purposes, constraints, requirements, and results provided by the systems, as technically, financially and temporarily feasible.

‍

XIX. how do we cooperate with competent authorities (cnil)?

In the event of an inspection by the supervisory authority, MODJO’s DPO cooperates with the authority responsible for the inspection in order to ensure that it runs smoothly, in particular by providing all useful and necessary documents and information and by answering all questions relating to the Processing and to the transmission of clear and up-to-date related information.

‍

XX. additional notices

20.1 Updates and Amendments

‍

We may revise this Privacy Policy periodically by publishing an updated version on our Website or Services, which will take effect from the date of publication.

‍

Following the notice period, the updates will be considered accepted.

‍

20.2 Contacting Us

‍

If you have any questions about our Privacy Policy or, more generally, about the collection and Processing of your Personal Data by MODJO, please do not hesitate to contact us at the following e-mail address: dpo@modjo.ai.

‍

*****

‍

REMINDER: This document and its contents are the exclusive property of MODJO. They are protected by copyright and database rights. The disclosure or dissemination of this document and its contents shall not grant, convey or imply any right of reproduction, representation, use, adaptation, licensing, transfer, or any other right of any nature whatsoever in respect of this document and its contents to any person who may become aware of them. MODJO remains the sole and exclusive holder of all related intellectual property rights. Any infringement shall be prosecuted.

‍