Data Processing Agreement

The Customer acts as data controller within the meaning of the GDPR. Cherine acts as data processor and processes data only on the Customer's documented instructions, within the scope necessary to provide the service.

Cherine may process any data provided by the Customer or generated in the course of using the service, including but not limited to technical, usage, contact, approximate location and analysis data necessary for the provision, security and improvement of the service.

Data is processed for the purposes of providing the service, operational management, usage analysis, feature improvement, producing information for the Customer, and, more generally, any purpose necessary for the performance of the service.

Events and session replays are retained for the duration of the Customer's plan, then purged automatically. Identification data is retained while the account is active and can be deleted at any time upon written request.

• Obtain explicit, free and informed consent from visitors before any loading of the Cherine script, in accordance with the GDPR and ePrivacy Directive.
• Implement a compliant and functional consent banner (cookie banner).
• Update its own privacy policy to mention Cherine as an analytics processor, the purposes, and the retention periods.
• Be the single point of contact for visitors exercising their rights (access, rectification, erasure, portability, objection).
• Never transmit to Cherine any sensitive data within the meaning of Article 9 GDPR.

Cherine may engage third-party providers for the operation, delivery and improvement of the Service, including in the areas of hosting, infrastructure, security, authentication and associated services.

These providers act as sub-processors within the meaning of the GDPR and are bound by appropriate confidentiality and security obligations.

Any transfers to sub-processors located outside the European Economic Area are covered by the Standard Contractual Clauses adopted by the European Commission.

Cherine implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks, in particular to preserve the confidentiality, integrity, availability and resilience of the processed data, and to prevent any unauthorized access, disclosure, alteration or destruction.

In the event of a data breach affecting the Customer, Cherine will notify the Customer without undue delay and at the latest within 72 hours of becoming aware, providing the elements needed for the Customer's own notification to the supervisory authority.

Upon termination, Cherine returns or deletes, at the Customer's option, all processed data, unless required by law to retain it.

For any question regarding this DPA: privacy@cherine.app