Privacy Policy

Privacy Policy for Shine Platform

The current version of this document is applicable from 2025-10-07.

 

Previous versions can be viewed here.

 

1. Purpose of the Present Policy

This Privacy Policy describes how Shine Platform ("we", "us", or "our") processes personal data in its capacity as a data controller.

 

Its purpose is to inform you about the measures we implement to process your personal data, with the utmost respect for your rights.

 

We are committed to complying, in our processing of your personal data, with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”), as well as with all applicable national regulations.

2. Identity of the Data Controller

The entity responsible for collecting and processing your personal data is:

 

Ageras A/S

Fiolstræde 17B, 1171 Copenhagen, Denmark (hereinafter referred to as "we", "Shine", or "the Shine Platform").

 

The Data Protection Officer (DPO) acts as a shared contact point for all Shine group entities. You may contact the DPO at: dpo@shine.fr 

3. Roles in Data Processing

In the context of providing the services referred to in this agreement, Shine acts both as a data controller and as a data processor, in accordance with Regulation (EU) 2016/679 ("GDPR").

 

When Shine Acts as Data Controller

 

Shine is the data controller when we process personal data for our own purposes, such as Employee data, Client and prospect information, Platform usage analytics for service improvement, etc.

 

In these cases, this Privacy Policy applies, outlining :

 

  • The purposes and legal basis of the processing
  • Your rights as a data subject
  • The security measures we implement to protect your personal data

 

When Shine Acts as Data Processor

Shine is a data processor when we process personal data on behalf of our clients.

 

In this context:

 

  • We process personal data strictly in accordance with the client's instructions
  • The processing is governed by a Data Processing Agreement (DPA), available in the General Terms and Conditions of the Solution.

 

4. Data source, Categories and Mandatory Nature of Data Collected

Sources of Personal Data

  • We collect your personal data from the following sources:
  • Directly from you, when you create an account, use our services, fill out forms, or communicate with us
  • Automatically, through your use of our website or platform (e.g. cookies, usage logs, device data)
  • From third parties, such as public sources (e.g. LinkedIn), partners, service providers, and financial institutions where required
  • Via affiliates, when you interact with our content on partner websites (e.g. ad clicks, referral data)

Categories of Personal Data Collected

We process the following categories of personal data, depending on the service you use and your relationship with us:

 

  • Identification and contact data: First and last name; Email address; Phone number (mobile or landline); Postal address and country; Preferred language; VAT number (if applicable)
  • Professional data: Job title and function; Company name and sector; Contact person information (for corporate clients)
  • Technical and usage data: IP address; Browser type, operating system and device identifiers; Login timestamps and activity logs; Interaction and navigation data on the platform; Cookies and similar tracking data (see Cookie Policy)
  • Transactional and financial data (where applicable): Information about subscriptions and payment status; Invoices and billing records; Payment token identifiers from external payment providers (we do not store card details); Click and conversion data from affiliate programs
  • Communication and preference data: Marketing preferences and consent status; Communication history (e.g. support tickets, chat logs, feedback forms); Data from recorded phone or video calls (if applicable, with prior notice); Direct marketing opt-in/opt-out choices

Whether the collection of data is mandatory or optional is specified at the time of collection. Data marked as mandatory is required to properly deliver our services. Without this information, your request may not be processed, or access to the service may be restricted.

5. The purpose of processing personal data

Service Provision and Customer Relationship Management:

 

We process your personal data to:

 

  • Register and manage your user account
  • Deliver the services you have subscribed to via the Shine platform
  • Manage client contracts, orders, invoicing and follow-up of the commercial relationship
  • Identify and authenticate you before providing access to your account
  • Respond to your service inquiries and provide customer support
  • Manage unpaid invoices and legal disputes related to the use of our services

 

We use external payment service providers to process transactions. This means we do not store your credit card or bank information; all payment data is encrypted and handled securely by our providers.

 

Legal basis:

  • Article 6(1)(b) GDPR (contract),
  • Article 6(1)(f) GDPR (legitimate interest),
  • and Article 6(1)(c) GDPR (legal obligation)

 

Commercial Communication and Marketing:

We may use your personal data for:

 

  • Sending newsletters and promotional content
  • Contacting you to schedule a meeting or follow up on a request
  • Direct marketing and customer acquisition activities
  • Segmenting our audience to personalize communications
  • Managing your subscription preferences and consent

 

These communications may be:

 

  • Sent by email, SMS, or other electronic channels
  • Personalized based on your profile and preferences
  • Adjusted according to your language settings and business profile

 

If you are a journalist or press contact, we may also add you to our press distribution list, subject to your consent.

 

Legal basis: Article 6(1)(f) GDPR (legitimate interest), or Article 6(1)(a) GDPR (consent for newsletters and press mailing list).

 

You can unsubscribe from marketing communications at any time using the opt-out link included in each message. If we introduce new forms of direct marketing, we will inform you in advance and give you the opportunity to object.

 

Analytics and Service Improvement

 

We may process data to:

  • Gather feedback on your experience with our services
  • Record phone calls or digital meetings for quality assurance and training
  • Compile commercial and visitor statistics related to the use of our services and websites
  • Develop and improve our platform features, performance, and content
  • Conduct satisfaction surveys or internal performance analysis
  • Generate anonymized or aggregated statistics for business intelligence

 

Legal basis : Article 6(1)(f) GDPR (legitimate interest)

 

Regulatory Compliance and Risk Management

 

Depending on the market in which the service is offered and the type of product commercialized, we may process personal data to:

  • Comply with anti-money laundering (AML) and Know Your Customer (KYC) obligations
  • Prevent fraud and misuse of regulated services
  • Respond to lawful requests from supervisory or regulatory authorities
  • Retain accounting records and meet financial reporting requirements
  • Conduct internal audits and ensure compliance with applicable financial or sector-specific regulations

 

These processing activities apply only to specific services and jurisdictions where such obligations are required under local law or regulatory frameworks. You will be informed when such obligations apply to the service you use.

 

Legal basis : Article 6(1)(c) GDPR (compliance with a legal obligation), Article 6(1)(f) GDPR (legitimate interest)

 

Security of Our Services and Infrastructure

 

We implement measures to ensure the security and continuity of our services, which involves processing personal data to:

  • Detect and block suspicious activity or cyber threats
  • Manage logs, authentication and access control systems
  • Perform backups and system integrity checks
  • Ensure secure hosting and encryption of communications

Legal basis : Article 6(1)(f) GDPR (legitimate interest)

 

Optional Integrations (e.g. Gmail, Accounting Tools)

 

In certain markets, we offer an optional feature allowing you to connect your Gmail account to automate the retrieval of invoices and receipts for accounting purposes.

 

We only access Gmail content with your explicit consent and solely for the purposes of:

  • Identifying attachments such as receipts or invoices
  • Downloading them securely to your account
  • Assisting in classification for your bookkeeping

 

We do not access or use Gmail data for any other purpose. Unidentified or invalid receipts are deleted immediately. Rejected receipts are stored for up to 6 months before permanent deletion.

 

We do not use Gmail or Google Workspace API data to train generalized AI or machine learning models. All access is secured and restricted to authorized personnel only.

 

Legal basis : Article 6(1)(a) GDPR (consent)

 

Management of our website and cookies

For more information on the processing related to the management of our website and cookies, please refer to our Cookie Policy.

 

Recruitment

For more information on the processing of your personal data, please refer to the privacy policy available on our Careers website.

 

Personal data is retained for the time strictly necessary to fulfill the above purposes and in accordance with legal requirements. Specific retention periods can be obtained upon request.

6. Recipients of Personal Data

We also may engage authorized service providers, acting as data processors on our behalf, to support the delivery, operation, security, and improvement of our services. These providers may access personal data only to the extent strictly necessary for the performance of their tasks, in accordance with our documented instructions and applicable data protection laws.

 

These providers include, but are not limited to:

  • Hosting and cloud service providers for the operation and maintenance of our servers and infrastructure;
  • Software development providers for the programming, development, maintenance, and support of our digital applications;
  • Email service providers for sending transactional emails and other communications related to our contractual services;
  • Email marketing providers for managing and delivering newsletters and promotional campaigns;
  • Push notification and communication service providers;
  • Customer relationship management (CRM) platforms;
  • Audience measurement and web analytics providers for assessing the performance and usage of our website and services;
  • Advertising and tracking technology providers;
  • Electronic signature solutions;
  • Remote identity verification service providers;
  • Affiliate program management platforms;
  • Invoicing and payment processing service providers;
  • Ticketing and internal issue tracking systems;
  • Data visualization and business intelligence platforms;
  • IT security service providers to ensure the integrity and protection of our systems and data;
  • Online surveys and conversational bots to improve our services and better understand user needs.

 

Each service provider is subject to strict confidentiality.

 

Strictly within the scope of their respective duties, we may also grant access to your personal data to the following recipients :

  • Internal teams responsible for the administration and management of the Solution;
  • Audit and control authorities, including statutory auditors;
  • Payment service providers, including account managers and card issuers, for the purpose of processing payments or transfers;
  • Advertising platforms, for the purpose of displaying personalized advertisements based on your interests.

 

As part of the Shine Group, your personal data may also be shared with other group entities, exclusively when such sharing is necessary to comply with our legal obligations or to provide you with services tailored to your specific needs. The list of Shine group entities that may act as recipients of your personal data is available upon request at: dpo@shine.fr

 

Finally, your personal data may be disclosed to public authorities (e.g., tax or social security bodies) upon request, to comply with legal obligations; to judicial authorities, legal professionals, or debt recovery agencies in the context of legal proceedings or enforcement measures.

7. Your rights under the GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: You can request access to the personal data we hold about you.
  • Right to rectification and erasure: You can request the correction of inaccurate data and the deletion of your personal data where applicable.
  • Right to restrict or object to processing: You can object to the processing of your data and request that its use be restricted in certain circumstances.
  • Right to object to direct marketing: You have the absolute right to object to the use of your personal data for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to data portability: You may request to receive your personal data in a structured, commonly used and machine-readable format.
  • Right to lodge a complaint: You can file a complaint with your national data protection authority (e.g. the Danish Data Protection Agency, the CNIL in France, the BfDI in Germany, or the AP in the Netherlands).
  • Right to define post-mortem instructions:: In some countries, you may have the right to give instructions regarding the handling of your personal data after your death. This depends on applicable national laws and the status of the person submitting the request.

To exercise any of these rights, please contact us at dpo@shine.fr 

 

Please note that the exercise of these rights may be subject to legal conditions or limitations.

8. Data Security and Use of Artificial Intelligence

We process your personal data securely and confidentially in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

 

We have implemented appropriate technical and organisational measures to protect your data against accidental or unlawful destruction, loss, alteration, publication, unauthorised disclosure or access, misuse, or any other form of unlawful processing. 

 

These measures are designed to ensure the ongoing security, integrity, and confidentiality of your personal data. We also use secure payment systems that comply with current industry standards and legal requirements.

 

Additionally, please note that Shine and its processors may occasionally use artificial intelligence (AI) tools, which may involve the processing of your personal data through algorithms. 

In such cases, we ensure that your data is not used either directly or indirectly for the development, training, or improvement of AI technologies, except when strictly necessary for the provision of our services.

9. Hosting and Transfers Outside the European Union

We inform you that your data is stored and retained, for the duration of its retention period, on the servers of Google Cloud and Amazon Web Services, located within the European Union.

 

As part of the tools we use to deliver our services, some of your data may be transferred outside the European Union, including to the United States, by our processors.

 

Such data transfers are secured through the following safeguards:

 

The data is transferred to a country that has been deemed to offer an adequate level of protection by a decision of the European Commission;

 

Or, the data is transferred to a country whose level of data protection has not been recognized as adequate under the GDPR: in such cases, the transfers are based on appropriate safeguards as provided under Article 46 of the GDPR, which are tailored to each service provider. 

 

These may include, but are not limited to, the use of Standard Contractual Clauses approved by the European Commission, the implementation of Binding Corporate Rules, or adherence to an approved certification mechanism;

 

Or, the data is transferred based on one of the derogations provided for under Article 49 of the GDPR.

 

For more information about the hosting and international transfers of your personal data, you may contact us at dpo@shine.fr

 

10. Sale of Personal Data

Your personal data will not be sold, rented, or exchanged for the benefit of third parties.

 

No personal data is transferred to third parties in exchange for financial or other valuable consideration.

 

Should this practice change in the future, you will be expressly informed and provided with the opportunity to opt out, in accordance with the legal requirements in force.

 

11. Cookies

For more information about cookies, please refer to our Cookie Policy.

12. Data Protection Agency

For any complaint regarding your personal data, you have the right to lodge a complaint with the competent data protection authority.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.

 

When we make changes, we will revise the “Last updated” date at the top of this page. If the changes are significant, we will notify you through appropriate means, such as by email or via a notice on our website, before they take effect.

 

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.