GDPR

General Data Protection Regulation

This privacy policy defines and informs you of how SMS Partner uses and protects the information you provide to us, where applicable, when you use this website accessible at the following URL: smspartner.fr

Please note that this privacy policy may be modified or supplemented at any time by SMS Partner, in particular in order to comply with any legislative, regulatory, case law or technological developments. In such a case, we will inform you and the date of its update will be clearly identified at the top of this policy. These modifications are binding on the User from the moment they are published online.

This policy supplements the T&Cs (*), and must be understood and read in order to use our platform. Our team and our DPO are of course at your disposal for any questions relating to it ☺

Version V.3. dated 02/08/2021.

GDPR Label: Privacy Protection Pact

The professional label Privacy Protection Pact is a declarative and committed initiative launched in 2019 by DMA France. It enables Data Marketing organisations that meet the requirements of the GDPR to promote their respectful and secure approach to personal data.

Since November 2023, we have been certified and are part of this voluntary initiative. We affirm our commitment to respecting and protecting the personal data of our users and their recipients.

1. GDPR Integration on SMS Partner

What is the GDPR or “General Data Protection Regulation”? It is the now well-known regulation adopted by the European Parliament on 14 April 2016 and which came into force in the European Union on 24 May 2018. Its purpose is to strengthen the protection of individuals and their fundamental rights by regulating the processing of their personal data.

In practical terms, many mandatory formalities previously imposed by the CNIL have disappeared, but companies’ responsibilities have been strengthened. Each company must now ensure optimal data protection at all times and be able to demonstrate this by documenting their compliance!

With this in mind, NDA Media has integrated new technical and organisational processes into the platform in order to comply with this new regulation and to better protect your rights (see also our code of ethics).

Data Protection Officer (DPO): NDA MEDIA is supported by the specialist agency MYDPO SOLUTIONS, whose legal representative is Ms Marine Brogli, located at 18 rue Pasquier, 75008 Paris. She has been appointed as the Data Protection Officer (DPO) of our company.

2. What is the purpose of this policy?

It governs the processing of your personal data when using the various online platforms, all processing related to the creation, management and hosting of the customer account on the Platform, the management of the communication database, and the payment of the subscription.

This privacy policy defines and informs you of how company NDA Media uses and protects the information transmitted when using the following sites:

SMS Marketing Platform

Plateforme dépôt de message vocal

Please note that this privacy policy may be modified or supplemented at any time by NDA Media, in particular in order to comply with any legislative, regulatory, case law or technological developments. In such a case, we will inform you and the date of its update will be clearly identified at the top of this policy. These modifications are binding on the visitor from the moment they are published online.

This policy supplements the information in the General Terms and Conditions of Sale, and must be understood and read in order to use the various platforms.

Our team and our DPO are of course at your disposal for any questions relating to it.

3. SMS Partner: Data controller or data processor?

These terms are probably now familiar to you, but in order to leave no doubt about the nature of our role and responsibilities towards you, the data controller is the entity that determines the purposes and means of processing personal data, and the data processor is the entity that processes data on behalf of the controller.

This classification will be assigned based on the nature of the company’s activities for each of its operations.

As such,

Data controller: NDA MEDIA acts as data controller in all cases where it determines the purposes and means of processing personal data. This therefore covers all activities related to the management of the internal website, the management of your registration and your customer account information, the management of your invoicing… as well as all procedures related to personnel management.

Data processor: Conversely, NDA MEDIA acts as a data processor when it manages, on behalf of its Clients, client databases and the sending of communication campaigns on their behalf. In short, whenever we act on your behalf, we are your data processor in terms of personal data protection.

Our commitment when you entrust us with your information

When you entrust us with your information (contact database, communication content), we take all technical and organisational security measures designed to ensure the protection of your data within the framework of this privacy policy.

As a data processor, we have an obligation not only to provide you with all the necessary means to support the success of your projects, but also to inform, advise and guide you, and to alert you if we find that a data processing operation you are implementing violates the provisions of the GDPR.

To this end, we make available to all our Clients a personal data processing agreement that sets out the legal framework for our relationship.

Request a data processing agreement from us now! or at dpo@smspartner.fr

Platform Monitoring

In accordance with our commitments set out in our General Terms and Conditions of Sale, we do not carry out generalised monitoring of the communication campaigns implemented by our clients.

However, we have implemented all available measures and tools to ensure that all communications are sent in compliance with personal data protection, for example:

– The implementation of a mandatory SMS Stop” button in communications in order to allow the right of objection of the individuals concerned;
– The management of unsubscriptions;
– A reminder of the obligations relating to the requirement to obtain consent when creating databases, or to ensure that the communication is based on any other appropriate legal basis

However, in certain cases, we may carry out checks where we become aware of a violation of the usage rules (complaint, alert, incidental discovery), and we reserve the right to refuse to send and/or remove unlawful content without delay, after notifying the Client.

4. Why and how do we process your data?

We process your data in the following ways:

As data controller

– Managing the business relationship.
– Prospecting.
– Sending information about new features.
– Sending promotional offers.
– Managing Customer accounts on the Platform.
– Creating the customer account, assigning a unique identifier (user code), purchasing credits on the platform.

Data is collected on the basis of the commercial/contractual relationship (within the meaning of Article 6.1.b) of the GDPR), or on the basis of legitimate interests (Article 6.1.f of the GDPR).

As data processor

– Managing Customer databases (Contact book);
– Managing Client contact books, data storage – importing contact databases;
– Recording voice messages prior to sending Voice campaigns;

The legal basis for processing is the commercial/contractual relationship (within the meaning of Article 6.1.b) of the GDPR)
– Retaining messages from communication campaigns;
– Managing requests to exercise rights, objection, deletion, etc.

The legal basis for processing is the fulfilment of a legal obligation (Article 6.1.C) of the GDPR

5. What data do we process?

5.1. As data controller

When we provide you with access to the Platform and its services, we collect the personal data of our clients.

We only collect personal data from business clients (B2B), and in accordance with the General Terms and Conditions of Sale, the platform is not open to individual consumers (B2C).

When opening an account on the Platform, the Client provides:

  • Their password
  • Their valid mobile number
  • Their email address

Upon completion of the customer account opening procedure:

A unique identifier (user code) is created

Before making their first purchase, the Client must provide the following information:

  • Their company name
  • Their SIRET number
  • Their intra-community VAT number
  • The address of their registered office or home address

The Client undertakes to provide accurate information and to inform NDA MEDIA of any changes to that information. The company cannot be held responsible for any errors that may result.

The company also collects all data relating to payment in order to purchase credits – and thus includes all data relating to invoicing.

5.2. As data processor

The company also acts as a data processor for its Clients and processes data on their behalf.

  • The data processed by the Platform on behalf of its clients can be very diverse and vary depending on the nature of the activity;
  • The Client can choose, through criteria, the individuals to whom they wish to send their commercial/marketing prospecting message (gender, age, geographic area…);
  • The data may include
  • Identity information (last name, first name);
  • Contact information (phone number, email…)
  • More sensitive information depending on the nature of the message and may therefore include sensitive data under Article 9 of the GDPR (communications relating to health, political opinions…).

As a data processor, the company informs its clients that they may only process data that is lawful and compliant with applicable regulations (Article 7.9 of the T&Cs). This ethical commitment is binding on its Clients and is a prerequisite for using the platform.

6. How long do we retain your data?

NDA MEDIA only retains data for the period necessary for the intended purposes.

  • Connection logs and IP addresses: 1 year. Data relating to the Customer account and the offer of products or services: for the duration of the commercial relationship, then deletion of data after 3 years of inactivity.
  • Customer databases: for the duration of the commercial relationship. Databases are then automatically deleted after 2 years of inactivity.
  • Messages from communication campaigns: personalised and secure access via the Customer Account to the Contact book and the history of sent Messages for a period of 12 months from the date the Messages were sent.

7. Where is your data hosted?

The Platform is hosted on French territory and does not transfer data outside the European Union.

In the event that the service requires a transfer of data outside the European Union (for example, a sending requested by the Client to a country outside the EU), the Company undertakes to transfer such data only with appropriate protection guarantees (countries covered by an adequacy decision of the European Commission, or with the European Commission’s Standard Contractual Clauses (SCCs)).

Learn more about our subcontractors

As part of the provision of the platform, we use technical and operational subcontractors (hosting providers, telephone operators, SMS/Voice providers…).

We only work with subcontractors who provide appropriate guarantees in terms of personal data protection and who have a contract or legal instrument that clearly sets out the measures implemented and clarifies their roles and responsibilities.

8. Learn more about our subcontractors

As part of the provision of the platform, SMS Partner uses technical subcontractors (hosting providers, telephone operators, SMS providers…). SMS Partner guarantees to its Clients that it only works with subcontractors who provide appropriate guarantees in terms of personal data protection and have a contract or legal instrument that clearly sets out the measures implemented and clarifies their roles and responsibilities.

9. Our security policy

In order to ensure the security of the data processed, we are committed to implementing appropriate technical and organisational measures to guarantee a level of security appropriate to the risk.

In particular, we have implemented the following technical and organisational measures:

Account security: Two-factor authentication via mobile phone number to access accounts, particularly in cases where the IP address has changed. The two-factor authentication verification procedure is renewed every 15 days.

A reinforced password management policy: To secure passwords, all such data is encrypted and non-reversible. Every six months, an awareness campaign is conducted among our users asking them to change their password.

A mandatory level of password complexity:

  • 1 uppercase and 1 lowercase letter
  • 1 number (0-9)
  • 1 special character (!@#$%^*)
  • At least 8 characters

Data hosting and storage: All data is stored and hosted in France. The platform is hosted in a data centre with Uptime Institute certification level (Tier IV) and benefits from an announced availability rate of 99.995%, which corresponds to the highest level of guarantee.

Data access: All data is only accessible by our employees, according to their role within the company, applying the principle of least privilege.

User access rules:
Each role has specific access in accordance with the position held:

– Administrator: administrator account enabling management of platform users
– Advanced user: administrator account with restricted functionality
– User: account identical to the client account

Our employees are bound by strict confidentiality agreements.

Data security

– Integration on our servers of a firewall managed and administered by the company.
– HTTPS protocol: the website, the API and the platform are secured by the HTTPS protocol.
– Regular data backups;
– Backups are carried out by our managed service provider daily each night, incorporating the following elements:
– Database
– Server files (platform / API)
– This backup is stored on a data centre separate from our production platform.

Security awareness: every six months, employees receive security awareness training (password updates, phishing awareness, etc.)

Contractualisation: All managed services and IT subcontracting contracts are governed by an agreement that includes commitments regarding the protection of personal data. Team awareness training is carried out (developers, sales staff, …).


This documentation is kept up to date in order to comply with the highest level of security required by the state of the art and is available upon request at dpo@smspartner.fr


10. Learn more about your rights

In the context of providing the Platform, you have the following rights:

  • Right of access: to access and obtain a copy of all your personal data;
  • Right of rectification: to modify or correct information about yourself;
  • Right to erasure: to delete information about yourself, subject to any exceptions that may prevent such deletion;
  • Right to object: to object to the processing of information about yourself, subject to any exceptions that may prevent such deletion;
  • Right to restriction of processing: to limit the processing of your information while awaiting one or more responses to one or more questions regarding the processing carried out on your data;
  • Right to data portability: to retrieve for yourself or transfer to another data controller the data that has been transmitted on the basis of consent or in the context of the performance of a contract, in an interoperable format.

11. Your data in our Google Sheets Module

The Google Sheets module of our platform does not access any personal data from the user’s Google account.
The extension only allows users to enter their API key to connect to our SMS platform.
No data from the Google account is collected, stored, shared or transferred by our application.
Authentication and use of our service are carried out exclusively via our platform and the API key provided by the user.

SMS Partner informs you that it reserves the right, where applicable, to object to requests that are manifestly abusive (by reason of their number, repetitive or systematic nature). If you believe that, despite all our actions, we are infringing the rules relating to data protection, you have the right to lodge a complaint with the CNIL.

It can be contacted online on this CNIL complaint page or by post at 3, place de Fontenoy, TSA 80715-77334.