Privacy Policy - CountAct Solutions
Version 2.0 — April 2026
This document is a translation of the French version. In case of any discrepancy between this English translation and the original French version, the French version shall prevail.
1. Preamble and scope
This privacy policy (hereinafter referred to as “the Policy”) describes how CountAct collects, uses and protects the personal data of users of the solutions it publishes and which are accessible from its unified login page.
It applies to all solutions published by CountAct, whether asset security solutions, personal safety solutions, or any other digital solution published by CountAct, in their web and mobile versions.
This Policy does not cover the countact.fr showcase website, which has its own privacy policy accessible from its legal notice.
The General Terms of Use of CountAct solutions complement this Policy by defining the contractual framework for their use.
Within the meaning of this Policy, the following terms shall have the meaning attributed to them by Article 4 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”), in particular: “personal data”, “processing”, “data controller”, “processor” and “data subject”.
2. Data Controller
The controller of the personal data collected in connection with the CountAct solutions is:
CountAct, a simplified joint-stock company, registered with the Trade and Companies Register under SIREN number 911 314 144, with its registered office at 24 rue Raspail, 38000 Grenoble, France, represented by its legal representative in office.
Any request relating to this Policy may be addressed to dpo@countact.fr or by post to the registered office.
3. Data Protection Officer
CountAct has appointed a Data Protection Officer (DPO) reporting to the Executive Management, in compliance with the functional independence requirements set out in Article 38.3 of the GDPR.
The DPO appointment has been officially declared to the French Data Protection Authority (CNIL).
The Data Protection Officer may be contacted at dpo@countact.fr or by post to the registered office address.
4. Data collected and processing purposes
The data collected varies according to the nature of the CountAct solution used. The following sub-sections describe the categories of data processed and the purposes pursued for each type of user.
4.1 Users of asset security solutions
In connection with asset security solutions (in particular regulatory compliance, risk analysis and document management), CountAct collects the following categories of data:
- Professional identification data: surname, first name, professional email address, position and client organisation of affiliation
- Technical data related to the account: unique user identifier, connection logs, IP address
- Business data entered by the user in the solution: business objects (sites, agencies, buildings and equivalent entities), compliance documents and their associated attributes
- Documents uploaded by the user to the solution: files in PDF and PNG formats
These data are processed for the following purposes:
- Enabling use of the solution in accordance with the intended functionalities
- Managing the user account (creation, authentication, modification, deletion)
- Traceability of actions performed in the solution for compliance purposes
- Production of aggregated and anonymised usage statistics
4.2 Users of personal safety solutions
In connection with personal safety solutions (in particular reporting, alert communication and coordination in risk situations), CountAct collects the following categories of data:
- User identification data: surname, first name, email address, unique user identifier
- Data entered by the user in the application: manually entered emergency contacts, notes and reports
- Technical data of the device used: device identifier, operating system version, application version
These data are processed for the following purposes:
- Enabling use of the application in accordance with the intended functionalities
- Managing the user account
- Sending safety notifications
- Internal safety communication within the client organisation
4.3 Mobile applications — cross-cutting notice
Regardless of the functional scope to which they provide access (asset security solutions or personal safety solutions), the mobile applications published by CountAct do not collect any geolocation data, nor do they capture any Bluetooth or Wi-Fi signals, beacons or telecommunication antenna identifiers.
5. Legal bases for processing
In accordance with Article 6 of the GDPR, the processing operations implemented by CountAct are based on the following legal grounds, depending on the purpose pursued:
- Performance of the contract entered into with the client (Article 6.1.b of the GDPR): for user account management, the provision of the solutions and associated support
- Compliance with a legal obligation (Article 6.1.c of the GDPR): for security logging and archiving required by applicable legal and regulatory obligations
- CountAct’s legitimate interest (Article 6.1.f of the GDPR): for the security of the information system, the prevention of fraud and the improvement of the solutions
- The consent of the data subject (Article 6.1.a of the GDPR): for optional information-purpose communications
6. Retention periods
CountAct retains personal data for a period strictly necessary for the purposes for which they are processed, in accordance with the following table:
| Data category | Retention period |
|---|---|
| User account data | 3 years from the last login |
| Connection logs and security audit logs | 1 year |
| Technical backups | 30 days |
| Business data entered in the solution | Duration of the client contract, extended by the applicable legal archiving period |
| Client support tickets and exchanges | Duration of the client contract, extended by 5 years for contractual limitation |
At the end of the periods indicated, the data are deleted or anonymised irreversibly.
7. Recipients and processors
The personal data collected are intended for:
- CountAct personnel authorised to access them strictly within the scope of their duties, on a need-to-know basis
- Processors within the meaning of Article 28 of the GDPR, acting on behalf of CountAct under contractually defined conditions
The main processors involved in the data processed by the CountAct solutions are the following:
| Processor | Service | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting of web and mobile solutions | France (Paris) |
| OVH | Domain Name System (DNS) management | France |
| HubSpot | Customer support ticketing tool | Germany (EU) |
A detailed description of the processing arrangements and a Data Processing Agreement may be provided to clients upon contractual request.
In accordance with Article 28.4 of the GDPR, in the event of the addition of a new processor or the replacement of an existing processor likely to be involved in processing client data, the client shall be informed in advance and shall have a right to object.
8. Hosting and transfers outside the European Union
The personal data processed by the CountAct solutions are hosted exclusively within the territory of the European Union: in France for the main hosting (AWS) and domain name management (OVH), and in Germany for the customer support ticketing tool (HubSpot).
9. Security measures
CountAct implements appropriate technical and organisational measures to ensure a level of security suited to the risks, in accordance with Article 32 of the GDPR. These measures include in particular the encryption of data at rest and in transit, access control, multi-factor authentication, traceability of actions, regular backup, vulnerability monitoring and strict separation of environments.
Details of the security measures implemented may be communicated to clients in the context of supplier security questionnaires, upon request.
10. Use of artificial intelligence
Certain CountAct solutions incorporate a data-entry assistance module based on a language model hosted on CountAct’s cloud infrastructure in the European region, without transmission to any third-party provider.
This module is intended to facilitate the filling of fields when consulting documents uploaded to the solution. The user retains at all times control over the validation of the proposals made.
No decision producing legal effects or significantly affecting the user is made automatically within the meaning of Article 22 of the GDPR. No profiling is carried out.
This processing complies with the principles of Regulation (EU) 2024/1689 (“AI Act”) and falls within the category of limited-risk artificial intelligence systems.
11. Rights of data subjects
In accordance with the GDPR and French Law No. 78-17 of 6 January 1978 as amended, any person concerned by processing carried out by CountAct has the following rights:
- Right of access to the data concerning them (Article 15 of the GDPR)
- Right to rectification of inaccurate or incomplete data (Article 16 of the GDPR)
- Right to erasure of data under the conditions provided for by the GDPR (Article 17 of the GDPR)
- Right to restriction of processing (Article 18 of the GDPR)
- Right to data portability (Article 20 of the GDPR)
- Right to object to processing (Article 21 of the GDPR)
- Right to withdraw consent at any time, without such withdrawal affecting the lawfulness of prior processing
- Right to issue post-mortem directives concerning the fate of the data (Article 85 of the French Data Protection Act)
12. Exercise of rights and complaints to the CNIL
The rights mentioned in section 11 may be exercised by sending a request to dpo@countact.fr or by post to the registered office address. Proof of identity may be requested in case of reasonable doubt as to the identity of the requester, in accordance with Article 12.6 of the GDPR.
CountAct undertakes to respond within one month of receipt of the request. This period may be extended by two additional months in the event of complexity of the request or a large number of requests, in accordance with Article 12.3 of the GDPR. In this case, the data subject shall be informed of this extension and of the reasons.
In accordance with Article 77 of the GDPR, any data subject has the right to lodge a complaint with a supervisory authority, in particular the French Data Protection Authority (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, or online via the form available at www.cnil.fr.
13. Changes to this Policy
CountAct may modify this Policy in order to adapt it to legislative, regulatory, jurisprudential, technical or organisational developments.
The date of the last update appears on the first page of this Policy. In the event of a substantial modification, users of the solutions shall be informed by electronic message and by a message displayed at the next login.
The history of previous versions of this Policy may be communicated upon request sent to dpo@countact.fr.
14. Contact
For any question relating to this Policy or to the exercise of the rights of data subjects:
- Data Protection Officer: dpo@countact.fr
- Postal address: CountAct, 24 rue Raspail, 38000 Grenoble, France