Privacy Policy
Last updated: 11/27/2025, Version: 2.0
What is the purpose of our Privacy Policy?
Cogniteev, which manages the website www.oncrawl.com, places great importance on protecting and safeguarding your personal data, which represents for us a guarantee of trust and seriousness.
Our Privacy Policy demonstrates our commitment to complying with applicable data protection rules, in particular the General Data Protection Regulation (“GDPR”).
It aims to inform you about how and why we process your personal data in relation to the services we provide.
Who is this Privacy Policy for?
This policy applies to you, regardless of your place of residence, if you are at least 15 years old, whether a client or a visitor of www.oncrawl.com.
If you are under the legal age, you must obtain prior consent from a parent or guardian and inform us by email at dpo@oncrawl.com.
Why do we process your personal data and on what basis?
- Browsing our website and using our services to respond to your requests, based on our terms and legitimate interest.
- Customer service management, based on contract execution and legitimate interest.
- Sending offers and updates via email, SMS, or phone, based on legitimate interest to maintain customer relationships.
- Billing and payment management, based on legitimate interest and terms.
- Social media participation, instant messaging, newsletter management, video content, document downloads, recording meetings or calls, based on consent or legitimate interest.
- Organizing contests, based on legitimate interest and contract execution.
How did we obtain your personal data?
Directly from you, or with your prior consent, indirectly via partners or social networks. You are responsible for information you voluntarily post.
What personal data do we process and for how long?
- Identification and professional contact data: duration of service + legal retention (generally 5 years).
- Financial data: duration of transaction and billing management + legal retention (5–10 years).
- Phone numbers for marketing: max 3 years from last contact.
- Email addresses for marketing/newsletter: max 3 years from last contact or until subscription ends.
- Video statistics: anonymized, unlimited retention.
- Connection data: 1 year.
- Cookies: generally 13 months; see Cookie Policy for details.
- Recorded voice/video meetings: max 6 months, except for contract verification: legal retention (5 years).
What rights do you have?
- Right of access and copy
- Right to rectification
- Right to object to marketing processing
- Right to erasure (“right to be forgotten”)
- Right to restriction
- Right to data portability
- Right to post-mortem instructions
All requests must be sent directly to dpo@oncrawl.com. Requests via a third party will not be processed. Proof of identity may be requested. Maximum response time: 3 months.
Who has access to your personal data?
Our teams and technical providers, solely for service operation. We never transfer or sell your data to third parties or commercial partners.
Can your personal data be transferred outside the EU?
Our servers are located in the EU. We ensure that tools used also comply with data protection requirements.
How do we protect your personal data?
We implement all necessary technical and organizational measures to safeguard your data.
Do we use cookies?
WE DO NOT USE ANY ADVERTISING COOKIES. Statistical cookies are used; see our Cookie Policy for more information.
Who can you contact?
For more information, contact our DPO at dpo@oncrawl.com.
How to contact CNIL?
CNIL Complaints Service, 3 place de Fontenoy – TSA 80751, 75334 Paris Cedex 07. Phone: 01.53.73.22.22.
Can the Privacy Policy be modified?
We may modify this policy at any time to comply with legal requirements and new processing activities.
Data Processing Agreement
1. Introduction
The Data Processing Agreement (hereinafter the “Agreement”) aims to govern the use of Personal Data belonging to clients (hereinafter the “Client”) of Cogniteev (hereinafter the “Processor” or “Cogniteev”) when they use the log monitoring and analysis feature provided by Cogniteev (hereinafter the “Service”).
2. Definitions
The terms “adequacy decision”, “technical and organisational measures”, “data subjects”, “data protection by design”, “data protection by default”, “register”, “joint controller(s)”, “controller”, “processor”, “processing”, “personal data breach” in the Agreement have the meanings described in Articles 4 et seq. of the GDPR.
Other terms are defined below:
- “Agreement” means the appendix to the Contract governing the use of the Client’s Personal Data in accordance with the provisions of Article 28 of the GDPR, also referred to as the “Data Processing Addendum” (“DPA”).
- “DPIA” means a data protection impact assessment that allows the proportionality of Personal Data processing to be verified and the risks associated with Personal Data processing to be prevented.
- “Anonymisation” means processing aimed at making it impossible to identify the persons concerned by the processing carried out in the context of the Service, in an irreversible manner.
- “Supervisory Authority” refers to the supervisory authority responsible for GDPR compliance for the Service provided by the Processor.
- “Client” means the entity that has subscribed to the Service provided by the Processor.
- “Client’s Employees” refers to natural persons (e.g. employees) working on behalf of the Client and using the Service in this capacity.
- “Contract” means the contract concluded between the Processor and the Client for the use of the Service, to which this Agreement is attached.
- “Right(s) request(s)” refers to the fundamental rights created by the GDPR in Articles 15 et seq. (e.g. right of access, right to erasure, etc.).
- “Client’s Personal Data” refers to any data relating to an identified or identifiable natural person transmitted to the Processor and processed by the latter on behalf of the Client in connection with the Service, a detailed list of which is provided in the appendix.
- “White label” refers to the unbranded Service provided by the Processor that allows the Client to customise and market the Service under its own brand.
- “Party(ies)” means jointly the Client and the Processor.
- “GDPR” means Regulation (EU) 2016/679 […] also known as the “General Data Protection Regulation”.
- “Applicable regulations on the protection of personal data” means French Law No. 78-17 of 6 January 1978 […] and the GDPR.
- “Reversibility” refers to enabling the transfer and integration […] to an equivalent service offered by another service provider.
- “SaaS Service” refers to software hosted by the Processor that can be used simultaneously by an unlimited number of Clients.
- “Sub-processor” refers to sub-processors recruited by the Processor to process the Client’s Personal Data exclusively within the scope of the Service.
- “End Users” means the Client’s Clients who use the Service on a white label basis.
3. Contractual relations and terms
The Agreement is an integral part of the Contract signed between the Client and the Processor for the use of the Service.
In the event of any conflict between the Contract and the Agreement, the obligations in the Agreement shall prevail with regard to the GDPR.
The Agreement remains in force for the entire duration of the Contract and may continue beyond that date as long as all obligations set out herein remain applicable.
4. Role of the Parties and scope of application
The Client acts as the data controller and Cogniteev acts as a data processor within the meaning of Article 28 of the GDPR.
The Parties cannot be considered joint controllers.
In case of an error or change of status, the Parties will update the Agreement as soon as possible.
The Agreement exclusively governs processing carried out as a Processor under Article 28 GDPR, excluding processing carried out by Cogniteev as a data controller.
5. Instructions and commitments
The Processor undertakes to process the Client’s Personal Data only according to documented instructions in the appendix.
It will immediately notify the Client if an instruction appears unlawful.
The Processor is not liable if the Client maintains an unlawful instruction.
The Processor complies with the GDPR, keeps a processing record, applies “Data Protection by Design” and “Data Protection by Default”, and will never use the Client’s Personal Data for its own purposes.
The Processor ensures security through adequate technical and organisational measures.
It is never liable for the Client’s breaches as data controller.
6. Assistance with the implementation of DPIAs
DPIAs must be conducted by the Client.
The Processor provides necessary information upon written request but does not perform DPIAs.
7. Assistance with data subjects’ requests
Requests from End Users are forwarded to the Client as soon as possible.
The Processor is not required to keep an inventory of such requests, nor is it responsible for the Client’s failures.
Upon written request, the Processor takes the technical measures allowing the Client to respond to data subjects.
Requests addressed to the Processor as data controller are handled solely by the Processor.
8. Assistance with security measures
The Processor provides all necessary information about technical and organisational security measures related to the Service.
9. Personal Data Breaches
The Processor notifies the Client as soon as possible and no later than 48 working hours after becoming aware of a breach.
The Client acknowledges that its own 72-hour deadline starts only when it becomes aware of the breach.
The Processor is not authorised to notify Supervisory Authorities or End Users on behalf of the Client.
10. Sub-processors
The Client grants general authorisation for Sub-processors, provided it is informed of changes and may object within 8 days.
If objections are admissible, the Processor may withdraw the Sub-processor, implement additional measures, or terminate the Service.
The Processor ensures Sub-processors offer sufficient guarantees and remains liable (within contractual limits) for their breaches.
11. Hosting and transfers outside the European Union
a) Data hosting
The Processor undertakes to host Personal Data exclusively within the EU unless prior approval is obtained and safeguards implemented.
b) Data transfers
Transfers outside the EU are authorised only if Sub-processors comply with the GDPR and transfers rely on adequacy decisions or appropriate safeguards.
Otherwise, prior consent is required.
12. Retention periods and fate of the Client’s Personal Data
Data is retained only for the duration of the Service and deleted at the end of the Contract.
The Client must retrieve data before termination, as deletion is irreversible.
Anonymised data may be retained to improve the Service.
13. Audits
The Client may conduct a yearly written audit questionnaire and, in specific cases, an on-site audit with 30 days’ notice.
Certain areas may be restricted for confidentiality or security.
Discrepancies must be proven and the Processor must remedy them without delay.
In case of dispute, amicable resolution, authority arbitration, or expert review may be proposed.
14. Cooperation with the authorities
The Processor cooperates with the CNIL and informs the Client as soon as possible in case of authority requests concerning the Client’s Personal Data.
15. Contact
Each Party appoints a contact person for this Agreement.
The Processor has appointed Dipeeo SAS as Data Protection Officer:
Email: dpo@oncrawl.com
Postal address: Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
Telephone: 01 59 06 81 85
16. Revisions
The Processor may modify this Agreement if required by legal or Service changes.
Certified compliant by Dipeeo ®