Foxintelligence publishes Greenfox, a service that provides a history of your online purchases and calculates your carbon footprint.

In return for this service, with your consent, we will extract transactional data from users' mailboxes to establish data for statistical studies marketed to various economic operators (companies, associations, schools, and universities) so that they can improve their products and services and refine their knowledge of the markets.

We guarantee that we do not communicate to these operators any personal data for advertising targeting purposes. In order for Greenfox to function properly, we are required to process the personal data of its users. We act as a data controller in that we determine the means and purposes of processing your data.

As such, we undertake to comply with the provisions of the General Data Protection Regulation (GDPR). Article 12 of this regulation requires us to inform you about the characteristics of the processing that we carry out with your data and the rights that you have in relation to them.

The purpose of this Greenfox Privacy Policy is to satisfy our obligation of transparency and notice. This Privacy Policy explains how we will use, share, and protect the personal data we may collect or otherwise obtain about you when you use Greenfox and also describes your choices and legal rights in relation to such personal data.

We access your mailbox with the purpose of identifying transactional emails in order to reconstruct the details of your online purchases and to extract data that will allow us to compile statistics.

In no case do we access the content of your personal emails. With regard to transactional emails, we extract the data contained therein without accessing them, except in the case of a residual hypothesis of the updating of our filtering and data extraction tools, in which case only a limited number of our teams are likely to access these emails.

When we prepare studies and share insights with our clients, we use tools and methods that are designed to ensure that there is no reasonable possibility of identifying you. For example, we will combine data obtained from you with data obtained from other participants in order to produce reports with aggregated data from which you cannot be reasonably identified; or studies based upon modeled data with projections based on demographic and behavioral characteristics that look at a sample group of people and then predict what people with similar characteristics or preferences would want to buy.

Personal data we collect about you.
We may collect and use the following personal data that identifies, relates to, describes, is reasonable capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:
‍

Special (Sensitive) Personal Data: The extracted personal data may include data for which certain jurisdictions require higher protection. This data is referred to as Special Category Personal Data and may include personal data revealing racial or ethnic origin, data concerning health, or data concerning your sex life or sexual orientation. Like other data we collect, we will only extract Special Category Personal Data contained in transactional data (such as electronic receipts) from user mailboxes for the purpose of establishing statistical studies marketed with various economic operators (companies, associations, schools, and universities) to improve their products and services to refine their knowledge of the markets. We we do not communicate Special Category Personal Data for advertising targeting purposes, profiling or reidentification. By downloading the Greenfox App and participating in Greenfox, you explicitly consent to us processing this Special Category Personal Data.

- Data that you provide directly to us when you create your Greenfox account.

- Data automatically generated from our services to identify you and secure your access to Greenfox (application password, user id).

- Enriched data generated from our services using machine learning, data science and crawling tools to obtain additional information about your buyer profile, additional information on your buyer profile (gender, city) and on the transactions you have made; however, not all of the enriched data is personal data because it does not allow you to be identified or identifiable.

- Device data: We may collect standard technical data about your device when you use the Greenfox Mobile Application (Greenfox App), including your unique device identifier, device manufacturer and model, operating system name and version, and Media Access Control (MAC) address. We use this data for the purpose of determining and/or improving compatibility between your mobile device and the Greenfox App as well as system administration.

- Log and usage data: In order to help us improve our service, when you download and use Greenfox, we automatically record and store certain usage data, such as your device’s Internet Protocol (IP) address, browser type and version, and browser language as well as the pages that you visit, the dates and times of your visits, and the information and files that have been downloaded.

- Location-based data: If you give us permission, when you use the Greenfox App we may receive data about the imprecise geolocation (latitude and longitude) of your mobile device through various means depending on the device you are using, including Global Positioning System (“GPS”), Bluetooth, or Wi-Fi signals/connections. We collect this data in order to be able to know the country you belong to for audience measurements purposes. We do not store your IP address and do not share it with third-parties.

- Cookies and similar technologies: We may use cookies (small data files placed on your device for recordkeeping and other purposes) and similar technologies to enable certain features and functionality and collect additional data that helps us improve Greenfox and better deliver our services to you. Specifically, we may use cookies to identify your web browser or device, display information more effectively, provide you with tailored content, and gather statistical data about how you use Greenfox. We may also use cookies and other data collection technologies (e.g., web beacons, pixels, or tags) for security purposes and to detect against fraud and other risks in order to protect Greenfox’s users. If you do not wish to have data collected from your device by cookies and/or similar technologies, most browsers and mobile settings allow you to decline the use of cookies. Please note, however, that by doing so, some features of Greenfox may not work properly.

- We use cookies, web beacons, and other similar technologies from third-party partners such as Google Analytics to monitor and analyze the use of our Service. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of Greenfox. You can opt-out of having made your activity on the Greenfox available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics from sharing information with Google Analytics about visits activity. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy

If you are based in the European Union (“EU”)/European Economic Area (“EEA”)/United Kingdom (UK), we will process your personal data for the purposes outlined in this Privacy Policy based on one or more of the legal bases listed below.

- Consent: We collect and use your personal information with your consent. We will rely on your consent to the Privacy Policy as a legal basis in relation to processing extracted transactional data.

- Necessary for the performance of a contract to which user is a party. In this case, as necessary to provide you with the Greenfox service to allow you to resell and/or donate second-hand items based on the online purchase history.

- Legitimate interests: We rely on our legitimate interests, provided that such interests shall not be overridden by your interests, fundamental rights, or freedoms. In particular, we may process your personal data in reliance on a legitimate interest in: (i) communicating relevant information to you; (ii) managing, maintaining, and operating our IT and security systems; (iii) adequately protecting, defending, and safeguarding our networks; (iv) managing and enhancing protection against fraud, spam, harassment, intellectual property infringement, and risks to which we are exposed (e.g., crime and security risks); (v) complying with laws and regulations to which we are subject, including, where applicable, laws and regulations of countries other than your country of residence; and (vi) meeting our obligations and enforcing our legal rights.

- Compliance with legal obligations: We may process your personal data if necessary for us to comply with a legal obligation arising under applicable law to which we are subject.

If you have any questions or concerns about the legal basis upon which we collect and use your personal data, please email us at support@greenfox.io.

We process your personal data for the following purposes:

- managing your registration with Greenfox,
- providing the online purchase history service
- management of the relationship and exchanges with you,
- management of requests to add or delete a mailbox associated with Greenfox.
- management of your requests to delete your Greenfox account.
- improving our services and audience measurements and, if necessary, satisfaction surveys.
- realization of statistical reports marketed to various economic operators for statistical purposes, research, education and investment. We access information from transaction
-related email account(s) and retail account(s) to develop and prepare statistical reports with the assistance of, and in combination with, data that is available to our parent company, our affiliate companies, and other trusted business partners. We undertake a process that is designed to obfuscate or replace directly identifiable information with a unique identifier. We may further combine or aggregate this extracted information with other information available to us or our trusted business partners; and once the information is processed, and we use this extracted information as part of our statistical reports.The statistical reports that we prepare are for purposes such as:

- understanding industry and business trends;
- improving the goods, services or offers provided to customers;
- improving business operations;
- understanding the competitive landscape;
- understanding where to make investments;
- orgaining other business insights.

The GDPR defines the recipients of data as natural or legal persons who receive communication of personal data, whatever their capacity as data controller or data processor.

As such, the recipients of your data, who benefit from an authorization or a legal entitlement to access them, can be internal or external:

- members of our staff who are authorized to process your data according to their respective skills.
- our subcontractors (e.g. data host), or the authorized services in charge of control (auditors), the administration, the judicial authorities and auxiliaries of justice within the framework of their mission if necessary.
- relevant third parties as part of a corporate transaction, such as a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceeding).
- our parent company, which helps us develop measurement products and datasets;
- our affiliated companies, which enhance our measurement capabilities by combining the information that we collect with other information available to them.
- competent governmental and public authorities, in each case to comply with legal or regulatory obligations or requests or for the purposes of reporting any actual or suspected breach of applicable law.
- other third parties as we believe necessary (e.g., in order to protect the rights, property, operations, health, or safety of you, us, or others) or appropriate for legal purposes (e.g., in connection with claims, disputes, or litigation or in order to enforce our legal rights).
- We may share pseudonymized (de-identified) personal data with our clients in such a manner that the personal data can no longer be attributed to you without the use of additional information, as the information that could identify you is replaced by “pseudonyms” or “identifiers”. The tools and methods we use to pseudonymize your personal data are proven and are designed to ensure that there is no reasonable possibility of identifying you. This pseudonymized (de-identified) personal data will not be shared with clients for advertising, direct marketing, or reidentification purposes.

Your data is processed for a limited period of time, which we determine in the light of the legal and contractual constraints on us and, failing that, according to our needs.

We retain your data for the following periods:
- if your account is deleted: immediate deletion of your data.
- in case of inactivity on your part without deletion of your account: 3 years as from your last activity on your account or the last contact with you.

You have choices about how your personal data is handled, and we are committed to providing you with reasonable access to your personal data and the ability to review and limit the use of such data in accordance with applicable law. 

Depending on your country of residence, under applicable law you may have the right to with respect to your personal data:
- a right to ask us to confirm that data concerning you is being processed, to access this data and to request a copy (right of access and copy).
- a right to rectify any data concerning you that is incorrect or obsolete (right of rectification).
- a right to request the deletion of your data if you no longer wish to use Greenfox (right to erasure).
- a right to receive the data about you that you have provided to us in a structured, commonly used and machine-readable format (right to portability).
- a right to formulate instructions concerning the processing of your data in the event of your death (post-mortem right).
- a right not to be subject to automated individual decision-making. The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
- a right to object. The right to object at any time to your personal information being processed for direct marketing (including profiling); in certain other situations to our continued processing of your personal information.
- a right to restriction of processing. The right to require us to restrict processing of your personal information—in certain circumstances, e.g. if you contest the accuracy of the data

Your Rights Under the CCPA. If you are resident of California, you have the right under the CCPA and certain other privacy and data protection laws, as applicable, to exercise free of charge:
Disclosure of Personal Information We Collect About You
• The categories of personal information we have collected about you;
• The categories of sources from which the personal information is collected;
• Our business or commercial purpose for collecting or selling personal information;
• The categories of third parties with whom we share personal information, if any; and
• The specific pieces of personal information we have collected about you. Please note that we are not required to:
• Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
• Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or
• Provide the personal information to you more than twice in a 12-month period.

The right to erasure is implemented automatically from the moment you delete your Greenfox account, as this results in an immediate and automatic deletion of your personal data, unless you instruct otherwise.

With respect to the right to data portability, there is a feature on Greenfox that allows you to exercise your right to data portability and to retrieve any data you provided to us when you registered with Greenfox.

Finally, we provide you with the right to opt out of the panel of users whose transactional data we use to compile anonymized statistical reports for our customers under the "Settings" section of your Greenfox account.

The other rights mentioned above must be exercised exclusively by you and must be expressed in writing, either by e-mail to contact@greenfoxapp.com or by mail to Foxintelligence 1 rue de Metz 75010 Paris.

If we have any doubts about your identity, we reserve the right to ask you to provide proof of identity, which will be immediately deleted after we have verified your identity.

The GDPR defines a processor as any natural or legal person who processes personal data on behalf of the controller. Should we decide to use any subcontractor of our choice in the processing of your data, we will ensure that the subcontractor complies with its obligations under the GDPR and will undertake to sign a written contract with the subcontractor that imposes obligations with at least the same level of data protection on the subcontractor as we impose on ourselves with respect to data protection. In addition, we reserve the right to audit our processors to ensure compliance with their obligations.

We implement technical and organizational measures that we deem appropriate to protect against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data.

These measures include, but are not limited to:
- management of authorizations and restrictions of access rights to data
- Use of secure identification processes such as an application password to synchronize the user's mailbox with Greenfox,
- the use of proven data pseudonymization and anonymization techniques, it being specified that anonymization is mandatory before any communication of statistical study reports to economic operators
- the implementation of safeguard measures,
- the implementation of encryption measures (private keys),
- the implementation of traceability measures for each database.

In the event of recourse to a subcontractor, we undertake to contractually impose security guarantees through appropriate technical and organizational measures.

We will retain your data in a form that permits identification only for as long as necessary for the fulfillment of the purposes set out in this Privacy Policy, unless a longer retention period is required under applicable law or is necessary in order to resolve disputes, protect our legal rights, or otherwise to comply with our legal or professional obligations. To determine the appropriate retention period for data, we consider the amount, nature and sensitivity of the personal data. We also consider the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and by looking at applicable legal requirements.

Where we are processing your personal data based on our legitimate interests, we generally will retain your data for a reasonable period of time based on the particular interest, taking into account your interests, fundamental rights, and/or freedoms.

Where we are processing your personal data based on your consent, we generally will retain such data for the period of time necessary to carry out the processing activities to which you have consented, subject to your right, under certain circumstances, to have certain of your personal data erased.

We have appointed as responsible for data protection, Mr Louis BALLADUR, whom you can contact at the following address for any request relating to your data: louis@foxintelligence.io.In addition, we have hired a lawyer, Mr. Eric BARBRY, to act as DPO in complete independence. He can be reached at the following address: dpo-foxintelligence@racine.eu

Due to the international nature of our business, the disclosures described above may result in the transfer of your personal data to countries or regions with data protection laws that differ from those in your country of residence, and in some instances provide a lesser level of data privacy protection. By providing us with or access to your personal data and/or using the Greenfox service, you are acknowledging that your personal data may be transferred to countries outside of your country of residence. In cases where your personal data is transferred outside of your country of residence, we will ensure that there are adequate safeguards in place to protect your personal data.

We reserve the right to implement cross-border flows of the data we process outside the EU, of which you will be informed. In such a case, we will ensure that your rights are respected and, if necessary, we will sign one or more contracts allowing us to manage these flows with the recipient country(ies) in accordance with the requirements of the applicable regulations.

We keep an up-to-date register of processing operations available to the CNIL, in which the processing of data of the users of the Greenfox application is recorded.

If you have any questions about the processing of your data, you can contact us at contact@greenfoxapp.com.

You may also contact our Data Protection Officer, Mr Eric BARBRY.  He can be contacted at dpo-foxintelligence@racine.eu. As authorized by law, you may also contact the Cnil at the following address Cnil Complaints Department, 3 place de Fontenoy TSA 80751, 75334 Paris Cedex 07 or by telephone at 01.53.73.22.22.

In the event of changes in applicable law or the implementation of new features on Greenfox that would affect the processing of your data, we reserve the right to modify this policy. You will be notified of any new policy before it becomes effective.