In accordance with the General Data Protection Regulation (hereinafter, the «GDPR»), Heva informs you that it places the protection of personal data at the heart of its missions and the services offered to you.

This Policy sets out the principles and guidelines for the protection of Personal Data for users of the Heva website.

Definitions

• CookieA file stored by a server on a user's terminal (computer, telephone, etc.) and associated with a web domain. This file is automatically sent back when the same domain is contacted again;
• Data recipientsData controller: refers to the natural or legal person, public authority, department or any other body that receives personal data, whether or not it is a third party;
• Personal data, Personal data or DataData protection: corresponds to any information relating to an identified or identifiable Data Subject that enables that person to be identified directly or indirectly;
• Shelf lifeDuration imposed by law and/or chosen by the data controller, after which data may be deleted;
• Purpose of processing or PurposePurpose/primary objective of the use of Personal Data. Data is collected for a well-defined and legitimate purpose and is not further processed in a way that is incompatible with this initial purpose;
• Person concernedPersonal Data: means any identified or identifiable natural person to whom the Personal Data processed relates. An identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier (e.g. name, identification number, online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity). In the context of the Heva website, the website visitor/physical person is the Data Subject;
• Data controllerThe natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of the processing;  
• SubcontractorThe natural or legal person, public authority, department or other body that processes Personal Data on behalf of the data controller;
• Personal data processingData processing: concerns all operations or sets of operations (whether automated or not) involving Personal Data or sets of Personal Data;
• Transfer of Personal Data or Transfer Any action of sending, communicating, copying, transmitting, distributing or remotely accessing Personal Data, regardless of the medium or means of communication used;
• Usersmeans visitors to the Heva website, whether they are customers, prospects or simply visitors to the website; ;
• Violation of Personal DataAny breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed.

Processing manager

Your data is processed by Heva, a subsidiary of the DOCAPOSTE Group with a share capital of 27,650 euros, headquartered at 45/47 Boulevard Paul Vaillant Couturier, 94200 Ivry-sur-Seine, France, chaired by Cécile BADIOLA LAGARDERE and with a Unique Identification Number 484 248 463 (Créteil Trade and Companies Register).

Purposes of processing

Heva makes available to all its Users a website promoting Heva's offers and services and providing visitors to the website with information on Heva news.

The processing of personal data carried out from the website concerns in particular : 

• Instruction of the contact forms provided. A form is available in the «Contact us» section for customer service or sales contacts;
• Managing unsolicited applications and responses to job offers; ;
• The production of statistics, targeted advertising campaigns, analyses and audience research via cookies placed on the terminals of Users of the Heva website.

In addition, as Data Controller, Heva may also process personal data in particular for the following purposes :

• Marketing and sales campaigns (B2B communications and mailing list management); ;
• Exchanges, recommendations and networking between healthcare professionals and contractors.

As a Subcontractor, Heva provides a tab «Transparency» and «Publications» on behalf of Data Processors or customers. Please refer directly to these tabs to find out more about the processing of personal data of the persons concerned.

Personal data processed & associated retention periods

In order to achieve its processing purposes, Heva is required to process sets of personal data that can be directly or indirectly linked to its users. The following sets of personal data are processed on the Heva website :

Categories of data subjects

The persons concerned by the processing of personal data carried out on the Heva website are prospects, customers and, more generally, all individual visitors to the website whose personal data is processed.

Transfers of Personal Data outside the European Economic Area (EEA)

Personal Data processed by Heva is hosted within the European Union (EU) or the European Economic Area (EEA).

However, in certain cases, your Personal Data may be Transferred outside the European Economic Area, via certain Heva Subcontractors.

As such, Heva undertakes to take all necessary measures to ensure the compliance of the Transfer of Personal Data, by carrying out an impact study of the Transfer, by signing the European Commission's Standard Contractual Clauses in their version of June 4, 2021 (Implementing Decision 2021/914) and by putting in place all additional safeguards necessary for this purpose.

Heva undertakes to ensure that its Subcontractors comply with these obligations in respect of their own Subcontractors.

A list of recipients of Personal Data located outside the European Economic Area giving rise to Transfers of Personal Data between Heva and its Subcontractors is available in the section «Recipients or categories of recipients of Data» below.

Recipients or categories of recipients of data

With regard to the various purposes specified above, the data collected via the forms is intended in particular for Heva's Sales, Communication/Marketing and Human Resources Departments.

Heva, as the Data Controller for personal data processed on its website, is a direct recipient of the data that passes through the website when forms are filled in by website users.

The recipients of indirect data are the following Heva subcontractors and partners :

Personal data security

Your Personal Data is stored in appropriate conditions of security and confidentiality. Heva has implemented a security policy that includes organizational and technical measures that comply with the state of the art and applicable standards.

Rights of the persons concerned

The legal basis for the processing carried out by Heva is based on consent or legitimate interest, depending on the purpose of the processing concerned. These legal bases are likely to affect the rights and freedoms of the persons concerned. With regard to these legal bases for processing, we remind you that you may exercise the following rights, under European data protection legislation :

• Right of access You have the right, without prior justification, to ask Heva directly for access to your personal Data. All users have the right to access their Data by contacting the department in charge of data protection;
• Right to rectify your Personal Data Heva takes appropriate measures to ensure that your Personal Data is accurate and kept up to date for the purposes for which it was collected. If your Personal Data is inaccurate or incomplete, you have the right to have it corrected;
• Right to erase your Personal Data You have the right to request, in certain specific situations, that Personal Data concerning you be deleted. This right to deletion may be exercised in particular by Data Subjects; ;
• Right to limitationIf you wish to challenge the accuracy of the Data used by Heva or object to your Data being processed, the Data Controller is entitled to investigate and examine your request. During this period of investigation, you may ask Heva to freeze the use of your Data while retaining them;
• Right to portability You have the possibility of recovering part of your Personal Data in an open and readable format for re-use for personal purposes;
• Right to oppose or withdraw consent You have the right, at any time, to object to your Data being processed.

Depending on the situation, one or more of these rights cannot be satisfied, for example :

• If there is a compelling legitimate reason(s) to continue processing your Personal Data;
• If your Personal Data is required for the establishment, exercise or defense of legal claims;
• If we are required by law to retain your Data.

For all requests relating to the exercise of your rights, you can contact Heva at the following address : dpo@heva-data.com

Right to lodge a complaint with the CNIL

We remind you that you have the right to lodge a complaint with the supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL).

Contact and data protection officer

The appointment of a Data Protection Officer demonstrates Heva's commitment to the protection, security and confidentiality of its customers' Personal Data.

If you have any questions about this privacy policy and the data processing activities carried out by Heva, or if you wish to exercise any of your rights under the RGPD, please contact :

By post :

KGA Avocats (klein - wenner)

19 rue Danielle Casanova

75001 Paris

By e-mail :

dpo@heva-data.com

Modification of the Privacy Policy

This Privacy Policy may be modified in whole or in part at any time by Heva.

Last updated on 29/08/2025