Back to home

Privacy Policy

Effective Date: August 2, 2025 | Version 2.0

1. Introduction

Forward Digital SAS, operating under the trade name PromoLedger ("PromoLedger," "we," "us," or "our"), a French société par actions simplifiée registered under number 835 311 176 R.C.S. Bobigny, with registered offices at 13 Avenue des Fruitiers, 93210 Saint-Denis, France, is committed to protecting and respecting your privacy.

This Privacy Policy, together with our Terms of Service and any other documents referred to herein, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

2. Data Controller

For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the French Data Protection Act (Loi Informatique et Libertés), the data controller is Forward Digital SAS. Our Data Protection Officer can be contacted at dpo@promoledger.com.

3. Categories of Personal Data We Process

3.1 Identity and Contact Data

  • Full name, professional title, and job function
  • Company name, VAT number, and business registration details
  • Email address (business and/or personal)
  • Telephone numbers (mobile and/or landline)
  • Business address and billing address
  • LinkedIn profile and other professional social media handles

3.2 Financial and Transactional Data

  • Bank account details and payment card information (tokenized)
  • Transaction history and invoice records
  • Tax identification numbers where applicable
  • Credit status and payment behavior

3.3 Technical and Usage Data

  • IP address, browser type and version, time zone setting
  • Operating system and platform information
  • Unique device identifiers and mobile device information
  • Session recordings (with consent) for user experience optimization
  • Campaign performance metrics and engagement analytics
  • API usage logs and integration data

3.4 Marketing and Communications Data

  • Contact lists and recipient databases (processed on your behalf)
  • Email open rates, click-through rates, and engagement metrics
  • Communication preferences and opt-out records
  • Feedback and survey responses

4. Legal Basis for Processing

We process your personal data on the following legal grounds:

Performance of Contract (Article 6(1)(b) GDPR)

Processing necessary to deliver our services, manage your account, process payments, and provide customer support.

Legitimate Interests (Article 6(1)(f) GDPR)

Processing for fraud prevention, network security, service improvements, and aggregated analytics. We have conducted Legitimate Interest Assessments (LIAs) for these activities.

Legal Obligations (Article 6(1)(c) GDPR)

Processing to comply with tax regulations, anti-money laundering requirements, and court orders.

Consent (Article 6(1)(a) GDPR)

Processing for marketing communications, non-essential cookies, and optional features. Consent can be withdrawn at any time.

5. Data Sharing and International Transfers

5.1 Service Providers and Processors

We engage the following categories of service providers who process data on our behalf under strict contractual terms:

  • Amazon Web Services (cloud infrastructure) - EU-based servers
  • Stripe, Inc. (payment processing) - EU-US Privacy Shield certified
  • SendGrid (transactional emails) - Standard Contractual Clauses
  • Datadog (monitoring and analytics) - EU data residency

5.2 International Transfers

Your data is primarily processed within the European Economic Area (EEA). Where transfers outside the EEA occur, we implement appropriate safeguards including EU Commission-approved Standard Contractual Clauses (2021/914/EU) and supplementary measures following the Schrems II ruling.

6. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • ISO 27001 certified data centers with 24/7 monitoring
  • Multi-factor authentication and role-based access controls
  • Regular penetration testing and security audits by independent third parties
  • Incident response procedures aligned with ENISA guidelines
  • Employee security training and confidentiality agreements

7. Data Retention

Data CategoryRetention Period
Account informationDuration of contract + 5 years
Financial records10 years (French tax law requirement)
Campaign data24 months from campaign completion
Technical logs12 months
Marketing consent records3 years from last interaction

8. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR and French data protection law:

Right of Access (Article 15 GDPR)

Obtain confirmation of processing and access to your personal data, including information about purposes, categories, recipients, retention periods, and your rights.

Right to Rectification (Article 16 GDPR)

Request correction of inaccurate data and completion of incomplete data without undue delay.

Right to Erasure (Article 17 GDPR)

Request deletion of your data when no longer necessary, consent withdrawn, or processing is unlawful, subject to legal retention requirements.

Right to Data Portability (Article 20 GDPR)

Receive your data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller.

9. Automated Decision-Making

We use automated systems for fraud detection and service optimization. These systems do not make decisions with legal or similarly significant effects. You have the right to request human intervention and to contest any automated decisions.

10. Contact Information

Data Protection Officer

Email: dpo@promoledger.com
Phone: +33 1 84 20 48 65
Address: 13 Avenue des Fruitiers, 93210 Saint-Denis, France

Supervisory Authority

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, 75007 Paris, France
www.cnil.fr