Privacy Policy
This personal data policy has been drafted by société par actions simplifiée Enroll, registered with the Paris Trade and Companies Register under number 992 744 847, whose registered office is located at 9 rue des colonnes, Paris (75002) (hereinafter "Enroll").
Enroll is a company that develops a software solution whose purpose is to automate the administrative work of HR teams with the help of artificial intelligence.
This privacy policy is intended solely to describe the personal data processing carried out by Enroll as a data controller. The policy is published and accessible at any time on the website.
This privacy policy is established in light of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR", or "RGPD" in French), as well as Law No. 78-17 of 6 January 1978 on data processing, data files and individual liberties in its latest version (together, the "Personal Data Rules").
1. Definitions
The following definitions apply to this entire privacy policy:
"Data Subject": means a Visitor, a client's employee, a prospect, or any other person whose personal data would be processed by Enroll as a data controller.
"Website": means Enroll's website accessible at https://enroll.work/ as well as its subdomains.
"Solution": means the software solution developed by Enroll, whose purpose is to automate the administrative work of HR teams with the help of artificial intelligence.
"Visitor": means any person consulting or browsing the Website.
Unless otherwise required by the context, definitions in the singular include the plural, and vice versa.
2. Personal data collected
Enroll may process the following personal data, which will be processed for the purposes mentioned below:
- General information (first and last name(s), email address, telephone number);
- Information related to the company associated with the Data Subject;
- Navigation data within the Solution or the Website;
- Data relating to the Data Subject's consent to receive emails from Enroll;
- Visitors' browsing preferences on the Website (language and display preferences);
- Data related to the signing and performance of contracts;
- Data exchanged during interactions with Enroll's customer support (e.g., issues encountered, solution proposed by Enroll).
3. Processing activities, purposes and legal bases
| No. | Processing | Purpose | Legal basis |
|---|---|---|---|
| 1 | Contacting interested Visitors | Contacting Visitors who left their contact details | Consent |
| 2 | Newsletter | Informing any interested person about Enroll news | Consent |
| 3 | Handling support requests | Responding to support requests and enabling the client to benefit from the services as contractually agreed | Performance of the contract |
| 4 | Prospecting | Developing Enroll's customer base | Legitimate interest |
| 5 | Visit statistics | Producing statistics about Website Visitors (e.g., number of Visitors per page) | Consent |
| 6 | Navigation analysis | Analyzing navigation on the Website and/or the Solution | Consent |
| 7 | Contract tracking | Tracking and keeping evidence of acceptance of contracts entered into between Enroll and its clients or partners | Performance of the contract |
| 8 | Business relationship management | Managing the business relationship with Enroll's clients and partners | Legitimate interest |
| 9 | Disputes | Enabling Enroll to organize its defense in the event of a dispute or pre-litigation | Enroll's legitimate interest in defending itself |
| 10 | Compliance with legal obligations | Ensuring Enroll's compliance with legal obligations | Legal obligations |
4. Recipients of the personal data processed
The personal data collected about Data Subjects and processed are necessary for pursuing all the purposes listed above and are intended exclusively for Enroll's internal management departments and, where applicable, its processors.
The categories of processors to whom personal data may be disclosed are as follows:
- Day-to-day operations: processors providing digital solutions useful for Enroll's daily operations, such as data hosting solutions, error/bug detection for the Solution or the Website, monitoring usage of the Solution and the Website, updates, and ensuring proper operation of the Solution or the Website.
- Marketing and communication operations: processors offering online communication solutions and social media services, and enabling data analysis notably for marketing purposes.
- Maintenance operations: processors that have access to Enroll's technology to perform maintenance operations or address technical issues affecting the Solution or the Website in an emergency.
- Management and advisory operations: processors supporting Enroll in its compliance management (whether accounting, legal, financial, or audit-related).
It is specified that neither Enroll nor its processors sell, in any way whatsoever, Data Subjects' personal data.
5. Retention of personal data
Data Subjects' data are not retained beyond the period strictly necessary for the purposes pursued and set out in Article 3 of this privacy policy, in particular:
- Data processed in connection with support requests are retained for the time needed to handle the request.
- Prospects' data are retained until consent is withdrawn or the prospect objects, or for 3 years from the prospect's last contact.
- Data related to the signing and performance of contracts are retained for the entire duration of the relationship with the client or partner.
- Cookies are retained for up to 13 months, subject to the limitations imposed by your browser.
Enroll anonymizes, archives, or deletes Data Subjects' data as soon as the purpose and retention period expire, subject to the time needed to comply with its legal obligations, in particular in light of civil and commercial limitation periods.
6. Transfer of personal data
Personal data processed by Enroll are hosted on Google Cloud Platform, whose primary servers used by Enroll are located in the United States, with backups in Europe. Additional details specific to the Gmail integration are set out in Article 11.
This transfer of personal data outside the European Union relies on the European Commission's standard contractual clauses and on Google's adherence to the EU–U.S. Data Privacy Framework.
Some personal data processed by processors may be transferred outside the European Union, in particular to the United States. In such a case, if transfers are made to countries that do not benefit from an adequacy decision, Enroll ensures that the relevant processors implement appropriate legal, technical, and organizational measures to govern any transfer of personal data, notably by using standard contractual clauses adopted by the European Commission.
7. Cookies and other trackers
Enroll uses cookies and trackers, which are small computer files stored on your devices in order to collect data related to your browsing habits, indicate your visit to a given page, and provide an additional service such as improving your browsing comfort.
In accordance with Article 82 of the French Data Protection Act (Loi informatique et libertés), any subscriber or user of an electronic communications service must be informed clearly and comprehensively, unless they have been informed beforehand, by the data controller or its representative, (i) of the purpose of any action intended to access, by electronic transmission, information already stored on their terminal equipment or to store information in their terminal equipment, and (ii) of the means available to refuse it. Such access or storage may only take place provided that the subscriber or user has given their consent after receiving this information. Data Subjects may withdraw their consent to the use of these trackers by clicking here.
It is also provided that these rules do not apply if access to information stored in the user's terminal equipment or the storage of information in the user's terminal equipment (i) has the sole purpose of enabling or facilitating electronic communications, or (ii) is strictly necessary for providing an online communication service at the user's express request.
Within the scope of this exception, Enroll uses the following types of cookies:
- Cookies for detecting errors and malfunctions of the Solution. These cookies are retained for approximately thirty (30) days from their placement.
- The choice expressed regarding the placement of cookies. This preference is stored locally in your browser (via local storage) until you clear site data or withdraw your consent.
8. Data subjects' rights
8.1 Nature of the rights
In accordance with the Personal Data Rules, the Data Subject has rights over their personal data, namely:
- Right of access: any Data Subject may know what personal data Enroll holds about them and obtain a copy.
- Right to rectification and erasure: any Data Subject may request that inaccurate or outdated personal data concerning them be rectified, and that such data be deleted.
- Right to object and to restrict processing: any Data Subject may object to the way Enroll processes their personal data or request that processing concerning them be restricted, insofar as possible and subject to any compelling legitimate grounds Enroll may have to continue processing, such as legal obligations regarding anti-money laundering and counter-terrorist financing.
- Right to withdraw consent: any Data Subject may withdraw their consent for processing carried out on that basis.
- Right to data portability: any Data Subject may request that Enroll send their personal data in a structured, commonly used and machine-readable format so that it can be transmitted to another data controller, provided this is possible.
- Right to set instructions for the handling of personal data after death: any person may provide Enroll with instructions regarding the handling of their data in the event of death, including whether their data should be communicated to third parties.
- Right to lodge a complaint with a supervisory authority: any Data Subject may contact the CNIL or any other competent supervisory authority if they consider that Enroll has not complied with certain rules provided by the Personal Data Rules (information on how to refer a matter to the CNIL is available on its website).
8.2 Exercising rights
For any questions regarding the processing of their personal data or to exercise their rights, Data Subjects may contact Enroll at the following addresses:
- By email: writing to dpo@enroll.work.
- By post: ENROLL, 39 rue des colonnes, 75002 Paris, France.
The exercise of rights granted by the Personal Data Rules is not unlimited (Enroll is entitled not to respond to requests that are manifestly unfounded or excessive) and each of these rights is subject to conditions imposed by the Personal Data Rules. In this respect, the following points are specified:
- Identity: any Data Subject must prove their identity and indicate the address at which they wish to be contacted.
- Response time: requests are handled by Enroll within a reasonable timeframe, taking into account the complexity, the number of requests made, and the Personal Data Rules.
- Free of charge: exercising rights is in principle free of charge. Where a request would entail significant costs, the Data Subject may be required to bear fees.
These requirements must be complied with; otherwise requests may not be processed.
9. Security measures
Enroll takes all physical, logical, and organizational security measures to ensure a high level of security for the protection of personal data and in particular to prevent such data from being altered, damaged, or disclosed to unauthorized persons. If the means used to ensure the security of personal data are modified, Enroll undertakes not to reduce the level of security.
10. Changes to the privacy policy
In such a case, Data Subjects will be informed of updates either by email or by means of a notice in the Solution or on the Website, at least fifteen (15) days prior to any material change to the policy.
11. Google API Services — Limited Use
Enroll offers an optional Gmail integration that lets Data Subjects build a private knowledge base from their own corporate email. Activating this feature requires the Data Subject to grant Enroll read-only access to their Gmail account; Enroll never sends, modifies, archives, or deletes any messages.
Enroll's use and transfer to any other application of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, Enroll:
- does not transfer Gmail data to third parties except as needed to provide user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the Data Subject's explicit consent;
- does not use Gmail data for advertising of any kind;
- does not allow humans to read Gmail data unless Enroll has the Data Subject's affirmative consent, it is necessary for security purposes, to comply with applicable law, or the data has been aggregated and anonymized;
- does not use Gmail data to train generalized AI/ML models.
Gmail-derived data is hosted on Google Cloud Platform in the United States, with backups in Europe. The Data Subject can disconnect Enroll from their Google account at any time at https://myaccount.google.com/permissions, and can request deletion of all stored data by emailing dpo@enroll.work.