Welcome to our Privacy Policy. This document provides all the information regarding the data processing activities we carry out. If you have any questions on this subject, please feel free to contact us.
Our Contact Information
Name: DASTRA SAS
Address: 14 Avenue du Général de Gaulle – 94160 Saint-Mandé
Email: contact@dastra.eu
What Information Do We Collect?
As the data controller, we collect and process different categories of personal data, including:
- Identity and professional contact details: name, surname, job title, company, email address, phone number.
- Organizational and contractual information: data relating to your organization, subscriptions, transactions, invoicing.
- Technical and browsing data: IP address, logs, session identifiers, cookies, and other trackers (statistics, marketing, social networks).
- Commercial and marketing interactions: contact history, responses to our campaigns, open and click rates, information from collaborative or prospecting spaces (digital sales rooms, prospecting sequences, scoring).
- Applications and recruitment: CV, cover letter, professional information shared during a recruitment process.
- Data from public or partner sources: accessible professional contact details (directories, open data, platforms such as LinkedIn) or data shared by business partners.
How Do We Obtain These Data and Why Do We Process Them?
Direct Sources
Most data are provided directly by you, for example when you:
- fill in a contact form on our website,
- send us a business inquiry,
- share your information at events or meetings organized by Dastra,
- subscribe to our newsletter,
- create a user account or purchase a subscription,
- are a partner of Dastra,
- apply for a job.
Indirect Sources
We may also collect some data:
- through your browsing on our website (cookies and trackers),
- via third parties or business partners,
- from publicly accessible professional sources (directories, open data, professional social networks),
- through B2B enrichment and prospecting platforms (e.g., lead generation, sales engagement solutions).
What Legal Bases Do We Rely On?
In accordance with the GDPR, we process your data based on the following legal grounds:
- Your consent: newsletter subscription, use of non-essential cookies/trackers.
- Performance of a contract: management of subscriptions, provision of our services, partnership management.
- Legal obligation: invoicing, accounting, handling rights requests.
- Our legitimate interest: B2B prospecting with professionals, managing relationships with prospects/partners, improving and securing our services, recruitment.
What We Do With Your Personal Data
We use the information we collect for the following purposes:
1. Communication and Prospecting
- B2B commercial prospecting: promoting our services to professionals, including through prospecting and sales engagement tools, based on our legitimate interest.
- Responding to your information and contact requests: based on our legitimate interest in communicating with visitors and prospects.
- Managing and following up on unsolicited applications: based on our legitimate interest in recruiting.
- Handling applications for published job offers: based on pre-contractual measures necessary to evaluate your application.
2. Provision of Our Services
- Performance and management of contracts (T&Cs, partnerships): based on contract performance.
- Managing relationships with our partners: based on contract performance.
- Handling rights requests (GDPR): based on our legal obligation (Articles 12 and following of the GDPR).
- Providing support and assistance services (e.g., online chat): based on our legitimate interest in providing efficient customer service.
3. Improving and Securing Our Services and Website
- Traffic, audience, and website usage analysis: based on your consent, where required, or our legitimate interest.
- Service satisfaction and improvement assessments: based on our legitimate interest.
- Browsing behavior analysis to enhance user experience and communication relevance: based on your consent, where required.
- Measuring and optimizing the effectiveness of advertising campaigns: based on your consent.
- Security: preventing, detecting, and protecting against cyberattacks and fraud, based on our legitimate interest in protecting our systems.
4. Legal and Regulatory Obligations
- Compliance with applicable legal and regulatory obligations (invoicing, accounting, data protection, etc.): based on our legal obligation.
5. Sharing with Our Service Providers
Purpose | Providers | Main location | Transfer outside EEA/UK | Safeguards |
---|---|---|---|---|
Hosting | Microsoft Azure | European Union | No | Data hosted in Europe |
Office collaboration / Messaging | Microsoft 365 (Exchange, OneDrive, Teams...) | European Union | No | |
Newsletter sending | Brevo | European Union | No | |
Website access security | Cloudflare | EU / USA | Yes | DPF + SCC |
Statistical analysis | Piwik Pro (EU), Google Analytics (USA) | EU / USA | Yes (Google) | DPF + SCC, IP anonymization |
CRM management | ZohoCRM (EU / India), Hubspot (USA) | EU / India / USA | Yes | SCC (India); DPF + SCC (USA) |
B2B prospecting | Lemlist (EU), Lusha (USA / IL), Topo (France), Dropcontact (France) | EU / USA / Israel | Yes (Lusha) | SCC for USA/Israel |
Advertising tools | Microsoft Clarity (USA), Google Ads (USA) | USA | Yes | DPF (Microsoft, Google) + SCC |
Recruitment | Welcome to the Jungle | France | No | |
Social media & multimedia | YouTube (Google, USA) | USA | Yes | DPF (Google) + SCC |
We strive to obtain the best possible data protection guarantees from each of our providers, notably via the Data Privacy Framework certification or the signature of the European Commission’s Standard Contractual Clauses.
Data Storage, Transfers, and Retention
Storage Locations
Your data are mainly stored on servers located in the European Union (particularly in France).
Transfers outside the EEA/UK
In some cases, certain data may be transferred outside the EEA/UK (e.g., when our providers are based or host their data in the United States or other countries). Such transfers are covered by adequate safeguards:
- Standard Contractual Clauses adopted by the European Commission and/or the UK regulator (SCC/UK Addendum), and
- where applicable, Data Privacy Framework (DPF) certification for U.S. providers.
Retention Periods
Purpose / Data type | Retention period | Legal basis / Reference |
---|---|---|
Data linked to a contract or subscription | Contractual relationship duration + 5 years (civil/commercial statute of limitations) | Contract + legal obligations |
Data from contact form | 1 year | Legitimate interest to respond |
Data used for prospecting | 3 years from last contact by the person or end of contractual relationship | Legitimate interest (B2B prospecting) |
Browsing data (statistical & marketing cookies/trackers) | Maximum 13 months | Consent (non-essential cookies) |
Consent cookies | 6 months | CNIL recommendation |
Security data and technical logs | Duration necessary for security purposes (≤ 12 months) | Legitimate interest (security) |
Job applications | 2 years after last contact with candidate | CNIL recommendation |
After these periods expire, your data are either deleted or irreversibly anonymized.
Security and Confidentiality Measures
We implement appropriate technical and organizational measures to ensure a level of security adapted to the risks associated with processing your personal data.
Certifications: Dastra is certified to the following standards:
- ISO/IEC 27001: Information security management system
- ISO/IEC 27701: Privacy extension for personal data management
These certifications demonstrate that our data security and privacy practices are regularly audited by an independent body and comply with the most demanding international standards.
Technical and Organizational Measures
- Encryption: communications in transit (TLS 1.2+), sensitive data at rest (AES-256 or equivalent)
- Access controls: multi-factor authentication, strict permission management, principle of least privilege
- Logging and monitoring: tracking and analysis of access, incident detection and rapid remediation
- Backups and resilience: regular backups, restoration tests, business continuity and disaster recovery plans
- Testing and audits: periodic security audits, ongoing evaluation of critical providers, regular penetration tests
- Contractual safeguards: SCCs and DPF for transfers outside the EEA, providers’ commitment to act only under documented instructions
Incident Management
In the event of a personal data breach, we commit to:
- notify the CNIL and, where applicable, the concerned individuals within the legal deadlines,
- document the incident and corrective measures implemented,
- cooperate with competent supervisory authorities.
Your Data Rights
Under data protection regulations (GDPR, French Data Protection Act), you have the following rights:
- Right of access: obtain confirmation that we process your data and receive a copy.
- Right to rectification: correct or complete inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): obtain deletion of your data in certain circumstances (e.g., consent withdrawal, legitimate objection, unnecessary data).
- Right to restriction: temporarily suspend processing of your data in certain conditions.
- Right to object: object at any time to processing based on our legitimate interest, in particular B2B marketing.
- Right to portability: receive the data you provided in a structured, commonly used, machine-readable format, or request direct transfer to another controller.
- Right to define post-mortem instructions: decide the fate of your data after death (retention, deletion, disclosure).
- Right to withdraw consent: withdraw your consent at any time for processing based on it (e.g., newsletter, non-essential cookies).
How to Exercise Your Rights
You can exercise your rights:
- via our online service, or
- by mail at the following address: DASTRA SAS – 14 Avenue du Général de Gaulle, 94160 Saint-Mandé - France
You will not have to pay any fee to exercise your rights. We will respond within one month of receipt (extendable by two months in case of complexity or numerous requests, in accordance with Article 12 GDPR).
Data Protection Officer
We have appointed a DPO who can be contacted via our online form.
Complaints to the Supervisory Authority
If you believe your rights have not been respected, you may file a complaint with the CNIL (www.cnil.fr) or any other competent supervisory authority.
Cookies
When browsing, various cookies and trackers may be placed on your device. You can manage your preferences at any time via our cookie settings screen.
1. Strictly Necessary Cookies
These cookies are essential for the website’s operation and cannot be disabled.
- Cloudflare: site security and protection against attacks / spam in forms
- Hubspot (client chat): operation of the site’s integrated instant messaging
- Google Tag Manager: centralized management of technical tags and scripts required for the site
2. Statistics Cookies
These cookies help us understand how visitors interact with our site, in an aggregated and anonymous way.
- Google Analytics: audience analysis and visit tracking
- Piwik Pro: collection of usage information for analysis and reporting
3. Marketing Cookies
These cookies are used to track visitors across websites and display relevant ads.
- Microsoft Clarity: user behavioral analysis and targeted advertising via Microsoft Advertising
- Google Ads: measurement of advertising conversions and campaign tracking
- Hubspot Marketing: traffic analysis and integration of data into our marketing CRM
4. Social Media Cookies
These cookies enable social and multimedia features on our site.
- YouTube: display and playback of videos hosted on YouTube
Note: This English version of the Privacy Policy is provided for convenience only. In case of discrepancies, the French version shall prevail.
Last updated: September 4, 2025