Corporate Privacy Policy

1. Purpose and Scope of Policy 

ULULA attaches the greatest importance and care to the protection of privacy and personal data, as well as to the respect of the provisions of the applicable Legislation.

The General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) states that Personal Data must be processed lawfully, fairly, and transparently. Thus, this privacy policy (hereinafter the “Policy”) aims to provide you with simple, clear information on the Processing of Personal Data concerning you, in the context of your interactions with Ulula and the operations carried out on our website.

2. Data Controller

In the course of your activity on the https://ulula.com website, we collect and use personal data.

For these Processing activities, ULULA determines the means and purposes of the Processing. Thus, we act as a Controller, within the meaning of the legislation on Personal Data, and in particular Regulation (EU) 2016/679 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such Data.

In addition, when you participate in our standard surveys (Hereinafter “Standard Surveys”) or our grievance mechanisms on our App, we also collect and use your personal data. In Standard Surveys, the questions and methodology used are exclusively determined by Ulula.

For these Processing activities, ULULA determines the essential means and purposes of the Processing. Thus, we act as a Controller, within the meaning of the legislation on Personal Data, and in particular Regulation (EU) 2016/679 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such Data.

3. Data Processor

When you participate in a survey (Hereinafter “Customized Surveys”) conducted by Ulula, we similarly collect and use your personal data. However, in Customized Surveys, the questions and methodology used are mostly determined by the entity that commissioned the survey.

For these processing activities, Ulula acts on behalf of the employer who commissioned the survey, and therefore acts as a Processor, within the meaning of the Regulation on Personal Data, and in particular Regulation (EU) 2016/679 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such Data.

4. What personal data do we collect and how?

By using our website or by signing up for our services, you provide us with a certain amount of information about yourself, some of which may identify you (“Personal Information”). This is the case when you browse our site, when you use our App or when you get in touch with us.

The nature and quality of the Personal Data collected about you will vary depending on the relationship you have with ULULA, the main ones being:

    • Identification data: This includes all information that would allow us to identify you, such as your name, first name, telephone number. We may also collect your e-mail address, as well as your postal address (in case of payment, the postal address will be necessary to generate an invoice).
    • Authentication data: This is all the information we need to access your personal account on our App, such as password, and other information necessary to authenticate and access an account. We also collect your IP address for maintenance and statistical purposes.
    • Personal data related to the survey conducted in your company. This information is collected from data subjects responding to a survey commissioned by Ulula’s clients and may include: username, password, phone number, responses and feedbacks that the individual chooses to provide.
    • Documents of different kinds (PDF, Microsoft Office, Image) with titles, contents, folder names, or information related to a document, such as comments written in the documents, alert and reminder dates. 
    • Browsing information: by browsing our website, you interact with it. As a result, some information about your browsing is collected.
    • Data collected from Third Parties: Personal Data that you have agreed to share with us or on publicly available social networks and/or that we may collect from other publicly available databases.
5. Why do we collect your Personal Information and how? 

We collect your Personal Data for specific purposes and on different legal grounds.

Based on the performance of the contract or pre-contractual measures, Ulula processes your personal data for the following purposes:

      • Order management, purchasing;
      • Billing management;
      • Contract management;
      • Recruitment management;
      • Account’s management on Ulula’s App. 

Based on your consent, Ulula processes your personal data for the following purposes:

      • Management of personal data collected through the surveys commissioned by Ulula’s clients; Ulula uses this information to send communications and requests for information on behalf of its clients, and to generate aggregate and anonymous insights, data and recommendations, which are shared with Ulula’s clients in a non-identified, anonymous form. This includes when you opt-in to receive SMS/Text messaging in any of the offered ways (IVR, SMS, Whatsapp, Web form, email, signed form) at the mobile phone number(s) you provide.
      • Management of grievances: in the context of a survey, Ulula receives, processes, pseudonymizes and communicate grievances filed by participants to its client. 
      • Management of cookies requiring your consent.

Based on the legitimate interest of ULULA, your Data are processed for the following purposes:

      • Sending emails and updates about Ulula services, including newsletters;
      • Preventing double participation in surveys;
      • Management of the subscription to the newsletter on ULULA’s website;
      • Management of meeting bookings on ULULA’s website;
      • Establishment of statistics for the improvement of products and services;
      • Provide support for Ulula services;
      • Monitor data and user activity to ensure compliance with contractual requirements;
      • Perform any other function reasonably necessary to protect the security or proper functioning of Ulula services;
      • Management of pre-litigation and litigation.

Based on the legal and regulatory obligations to which ULULA is subjected, your Data are processed for the following purposes: 

      • General and auxiliary accounting.
6. Do we share your personal data? 

Your Data are intended for the authorized ULULA collaborators in charge of the management and the execution of the contracts and legal obligations, according to the purposes of the collection and within the limits of their respective attributions.

In addition, it may be disclosed outside of Ulula to several types of recipients, ensuring each time such disclosures are compliant with applicable law.

1. Third-party service providers.
Your Data may be shared to service providers carrying tasks on our behalf, including: (i) the provision of our services; (ii) the provision of information, products, and other services you have requested; (iii) marketing and advertising; (iv) payment processing; (v) customer service activities; and (vi) the provision of IT and related services. Such providers currently include:
– Hubspot for the management of our client database and sending newsletters and other communication;
– AWS and Microsoft Azure for the data hosting;
– Google Analytics and Piwik PRO for analytical processing on our website

When we share your Data with service providers, they must use it only for its intended purpose. We strive to ensure these third parties keep your Data confidential and secure.

2. Affiliates
We may also share your Data with our affiliated companies, members of the Ecovadis Group.

3. Disclosures to protect us or others
We may access, preserve, and disclose your Data to public authorities and/or attorneys if we believe doing so is required or appropriate to: (i) comply with law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) protect your, our or others’ rights, property, or safety; (iii) to collect amounts owed to us; (iv) when we believe disclosure is necessary or appropriate to prevent financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (v) if we, in good faith, believe that disclosure is otherwise necessary or advisable.

4. Merger, Sale or other asset transfer

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then your information may be sold or transferred as part of such a transaction as permitted by law and/or contract.

In all cases, only the necessary Data is provided. We make every effort to ensure the secure communication or transmission of your Data.

7. Is your Personal Data transferred to third countries? 

When the client is located in the European Economic Area (EEA), ULULA strives to keep the Personal Data in France, or at least within the EEA.

However, it is possible that the Data we collect when you use our platform or services may be transferred to other countries. This is for example the case if some of our service providers are located outside the European Economic Area.

In the event of such a transfer, we guarantee that it will be carried out:

      • To a country ensuring an adequate level of protection, i.e. a level of protection equivalent to what the European Regulations require.
      • Within the framework of standard contractual clauses.
8. How long do we keep your personal data? 

We retain your Personal Data only for as long as is necessary to fulfill the purpose for which we hold the Data and to meet your needs or our legal obligations.

Retention times vary depending on several factors, such as:

      • ULULA business needs.
      • Contractual requirements.
      • Legal requirements.
      • Recommendations from regulatory authorities. 

ULULA can limit the access to Data when they are no longer used for the purpose for which they have been collected. These data can still have an administrative interest for the organisation (e.g. legal actions) or should be kept in application of the Applicable Legislation.

Data with a limited access can only be consulted punctually by authorised employees. ULULA must determines the retention period of Data in intermediate archiving prior to any Processing.

The retention periods for your Data are as follows:

Purposes Retention periods
Management of orders, purchases 5 years from the end of the contractual relationship
Contract management 5 years from the end of the contractual relationship
Management of the client user account on the Ulula’s App 3 years from the end of the contractual relationship
Management of the participant user account on the Ulula’s App

Active database: 1 month from the end of the survey 

Intermediate archiving:  5 years from the end of the survey

Management of surveys

Active database: from the production of the results

Intermediate archiving: 5 years from the end of the survey

Management of grievance 5 years
Newsletter management 3 years from the last contact (for example a click on a hyperlink)
Invoicing management  10 years
Hiring process and management of applications 2 years after the last contact with the unsuccessful applicants

Regarding the cookies’ expiration dates, please consult the Cookie Policy.

9. How do we ensure the security of your Personal Information? 

Ulula applies physical, technological and administrative measures to protect personal data at the level appropriate to its sensitivity.

This includes:

      • Limiting access to employees, representatives and agents who require access for the purposes described in this policy;
      • Entry-exit registration of visitors;
      • Secure areas for the protection of servers and devices;
      • Use of SSL Certificates to protect users against unauthorized access;
      • Policies governing the management and protection of personal information, made easily accessible and distributed to staff for implementation;
      • Risk management plans, identifying threats and mitigation measures.
      • Systematic pseudonymization of data: personal data collected through surveys is systematically pseudonymized, making it impossible for the employer to identify the data subjects.  Dashboard filters also prevent re-identification by disabling the search functionality when the number of data subjects is less than 10. 

Although Ulula employs stringent methods in the protection of personal information, we cannot fully guarantee personal information will not be lost or stolen or accessed without authorization.

Ulula and its service providers store and process personal information on computers located in Germany, Canada, China or United States. This means EU, Canadian, Chinese and US privacy laws apply according to where the information is stored. Wherever it stores personal data of individuals located in the EEA, Ulula ensures, through standard contractual clauses, that the information will be protected with a comparable and adequate level of safeguards.

10. What are your rights? 

The GDPR provides Data Subjects with rights that they can exercise. Thus, are provided:

    1. Right to information: the right to have clear, precise, and complete information on the use of Personal Data by ULULA.
    2. Right of access: the right to obtain a copy of the Personal Data that the Data Controller holds on the applicant.
    3. Right to rectification: the right to have Personal Data rectified if they are inaccurate or obsolete and/or to complete them if they are incomplete.
    4. Right to erasure / right to be forgotten: the right, under certain conditions, to have the Data erased or deleted, unless ULULA has a legitimate interest in keeping it.
    5. Right of opposition: the right to object to the Processing of Personal Data by ULULA for reasons related to the particular situation of the applicant (under conditions).
    6. Right to Withdraw Consent: the right at any time to withdraw Consent where Processing is based on Consent.
    7. Right to restriction of processing: the right, under certain conditions, to request that the Processing of Personal Data be temporarily suspended. 
    8. Right to Data Portability: the right to request that Personal Data be transmitted in a reusable format that allows it to be used in another database.
    9. Right to Avoid Automated Decision-Making: the right of the applicant to refuse fully authorized decision-making and/or to exercise the additional safeguards offered in this regard.
    10. Right to define post-mortem directives: the right for the applicant to define directives concerning the fate of Personal Data after his/her death. 

Additional rights may be granted by the Local Regulations to affected Persons.

To this end, ULULA has implemented a procedure for the management of individuals’ rights in accordance with the requirements of the applicable Legislation. This procedure establishes:

      • The standards to be respected to ensure the transparent information of the data subject
      • Legal requirements that must be met
      • The authorized means of applying for each right, depending on the category of Persons concerned
      • The business processes for handling these requests in accordance with the above requirements
      • The stakeholders involved in these processes, their roles and responsibilities. 

To exercise your rights, you may contact the Data Protection Officer (DPO): [email protected] 

When you send us a request to exercise a right, you are asked to specify as far as possible the scope of the request, the type of right being exercised, the Personal Data Processing concerned, and any other useful information, in order to facilitate the examination of your request. In addition, in case of reasonable doubt, you may be asked to prove your identity.

You also have the right to complain to the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, about the way in which ULULA collects and processes your data.

11. Updating of this policy

This Policy may be updated from time to time to reflect changes in the Personal Data Regulations. Date of last update 03/12/2024