Privacy policy.
Last update: January 22, 2025
1. Introduction
At Octopus Community (“we” or “Octopus Community”), we are firmly committed to protecting the privacy of our clients (“Clients”) and their users (“Users”) and ensuring complete transparency regarding how their personal data is collected, used, and shared.
By "personal information" or "personal data," we mean any information that can directly identify you (e.g., your photo, name, or email address) or indirectly identify you (e.g., your user ID, location, or technical details about your device).
This Privacy Policy provides information about the data processing practices applicable to our services, including those delivered via our SDKs, APIs, or administration tools (collectively referred to as “Services”), as well as our websites (“Sites”), including www.octopuscommunity.com and admin.octopuscommunity.com.
This Privacy Policy is supplemented by a Cookie Policy, which details the use of cookies and similar technologies on our Sites and Services.
This policy does not apply to the processing of data related to our own employees.
By using our Services, you agree to the practices described in this Privacy Policy. If you have any questions, please contact us at contact@octopuscommunity.com.
2. About Us
Octopus Community is a technology company that offers a community platform to be integrated into the mobile applications of its Clients, in order to:
enable the Users of these applications to interact by creating content, reading it, reacting to it, or responding to it;
analyze User activity and engagement to provide Clients with usage metrics and data insights.
The Client is the publisher of one or more applications in which they wish to use our Services. The implementation of these Services is carried out through the integration of Octopus Community’s Software Development Kits (SDKs) into their applications.
Octopus Community acts as the data controller for the personal data it processes on its websites and/or for its own purposes.
When our SDKs are integrated into an application by a Client, the Client acts as the data controller for the personal data collected through the application. In this case, Octopus Community acts as a data processor in accordance with a data processing agreement concluded with each Client, ensuring that data is processed solely under the Client’s instructions and in compliance with the GDPR.
Octopus Community SAS is headquartered at 14 Avenue du Général de Gaulle, 94160 Saint-Mandé, France, and is registered with the Créteil Trade and Companies Register under the number 929385888.
Contact: contact@octopuscommunity.com
3. Data We Collect
We process data related to:
Users of our Sites and Services;
Our suppliers and business partners;
Prospects and Clients;
Job applicants at Octopus Community.
3.1 Data Collected When You Create a Client Account or Contact Us
To create your Client account or subscribe to one of our offerings, you must provide personal data: your first and last name, professional contact information (company name, job title, email address, postal address, and phone number).
We also collect your data when you contact us: through a contact form submission, during a phone call, or when you share your contact details or business card at events such as trade shows.
During phone or video calls, we may record conversations for the purpose of staff training and improving service quality. You will be informed of the recording and may object by notifying the person you are speaking with.
In the context of a Client or Supplier relationship, we retain billing, transaction, and payment information, as well as any other information shared with us during the relationship.
3.2 Data Provided by Users When Using the Services
Registration Data: To use our Services, Users must create a community account (“Community Account”). For this, we require basic personal information: an email address and date of birth, used to calculate their age. Our Services are not accessible to individuals under 16 years of age.
When creating a Community Account, Users must choose a username. Optionally, they can add a profile picture and write a short description about themselves (“Bio”), which may include links to other profiles or websites.
For Services accessed via SSO (Single Sign-On), the Client’s authentication system enables access. The Client may provide information necessary for creating a Community Account, such as the email address, age, username, profile picture, or Bio.
Content Shared with the Community: When Users use our Services, we process and store the content they share (photos, videos, messages) as well as their interactions within the community (reactions, shares, responses to polls).
We also process technical data associated with the content or actions they perform (e.g., date, device information, IP address).
Any content shared on our platforms may be visible to other Users. These Users may save the content on their devices (e.g., via screenshots). Such content may also be indexed by search engines and become accessible beyond our platforms.
We advise Users against sharing sensitive information, such as their ethnic origin, political opinions, religious beliefs, health status, sexual orientation, or private life details. Should they choose to share such information, they acknowledge making it publicly available.
Direct Interactions with Us: If a User reports another User or content, requests help, submits a complaint, or exercises their data-related rights, we process the information provided in these interactions. This data is not shared with other Users.
Access to Camera and Photos: To allow Users to upload and send photos from their devices, we require their permission to access their media and camera.
3.3 Data We Collect Automatically During the Use of Our Services
Device and Hardware Data: We collect the following information about the device used to access our Services:
IP address,
Device brand and model,
Application bugs and crashes,
Version and language,
Country,
Operating system and browser,
User ID,
Installation ID, which is reset with each reinstallation of the mobile application hosting our Services.
Information on User Community Activity:
Application performance statistics,
Connection and disconnection dates and times,
Settings, such as notification or display preferences,
Interactions with community features and other Users, such as likes, shares, groups visited, content viewed, app openings, reporting of content or Users – along with the dates and times of these actions.
Information on Client or Site User Activity
While browsing our sites, we automatically collect certain information, such as:
The device and browser used,
IP address,
Date and time of browsing,
Pages visited, browsing history,
Use of Site features, such as content creation or moderation.
For more details on the cookies and similar technologies we use, including their purposes and management options, please refer to our Cookie Policy.
3.4 Data Received from Third Parties
Other Users: We may receive information from other Users, particularly through user-generated content, support requests, or reports.
Business Partners: We may receive information from partners such as app stores, operating system providers, analytics providers, or other publishers or social networks.
Simplified Registration or Login: For simplified registration and login to our Services via Single Sign-On, we may receive personal data from the partner (e.g., Google, Apple, Meta), such as the email address.
4. How Data Is Used
We process data for the following purposes:
4.1 Client Account Management, Service Access, and Client Relations
Creation, verification, and management of Client accounts,
Access to and delivery of Services: creating, managing, and moderating community(ies), publishing content, interacting with Users, and accessing analytical community usage reports,
Support and assistance: handling and responding to requests, inquiries, or complaints addressed to our customer service team.
Legal Basis: We rely on our Terms of Use and Terms of Sale as the legal basis for processing your personal data under this Section 4.1 in the context of a commercial relationship with a Client.
4.2 Community Account Management, Service Access, and User Relations
Creation, verification, and management of Community Accounts for our Users,
Access to community features: publishing content, interacting with other users, sending and receiving private messages, etc.,
Support and assistance: handling and responding to requests, inquiries, or complaints addressed to our customer service team,
Communicating with Users via private messages and emails, respecting their consent to receive notifications and emails.
Legal Basis: We rely on our Terms of Use as the legal basis for processing your personal data under this Section 4.2.
4.3 Statistics, Audience Measurement, and Service Improvement
Measuring the use of our Services, creating statistics, and analyzing them to enhance the overall experience,
Developing new features and conducting A/B testing to assess their performance,
Identifying and resolving technical issues,
Improving the user experience, optimizing the technical performance of the application, and enhancing communication features within the application,
Evaluating service quality and user satisfaction through reviews and surveys,
Sending information about updates to our services,
Collecting and considering user feedback on the Application and its services via optional satisfaction surveys,
Performing audience and usage activity analyses to create usage statistics,
Establishing audience statistics for community content,
Analyzing audience and usage habits to personalize content display and suggest tailored content to Users based on their interactions and history.
Legal Basis: We rely on Octopus Community’s legitimate interests as the legal basis for processing your personal data under this Section 4.3.
4.4 Personalized Services and Communications
Personalizing Services based on browsing and interaction history,
Accessing Users’ photo albums and camera to share images with the community,
Measuring the performance and attribution of communication campaigns,
Sending push notifications and/or emails containing information about our services, community updates, security, and interactions with other Users.
Legal Basis: We rely on User consent as the legal basis for processing this personal data under this Section 4.4 when required by law.
Users may withdraw their consent at any time or object to data processing (as permitted by applicable laws). For any consent-related inquiries, please contact us at contact@octopuscommunity.com.
4.5 Online Security
Enforcement of policies to moderate content and profiles that violate the Community Rules established for each community. These rules can be consulted within the Client's applications (Settings > Community Rules). We may review User profiles and activity and take action in cases of security concerns. This may include issuing warnings, removing or filtering inappropriate content, or temporarily or permanently suspending Community Accounts. Significant actions, such as permanent bans, are taken by human moderators in accordance with our internal policies. Certain content may be automatically filtered to prevent exposure to Users.
Development and use of automated technologies to detect violations of Community Rules and/or illegal content. These technologies analyze content to identify rule violations and help us quickly address issues such as violence, drug use, child abuse, spam, or explicit, hateful, or discriminatory content.
Development and implementation of procedures and technologies to combat fraudulent profiles.
Monitoring accounts: We log every report made by Users or internal moderators, enabling our moderators to investigate and take action as needed.
Evaluating the performance of our security procedures, policies, and technologies mentioned in this Section 4.5 to improve them, including reviewing the quality of work performed by moderators and support specialists and refining our automated technologies to enhance their accuracy over time.
Legal Basis: We rely on Octopus Community’s legitimate interests and applicable legal obligations as the legal basis for processing personal data under this Section 4.5 to ensure our communities remain safe and respectful spaces and to maintain User trust.
We also rely on our Terms of Use to enforce them in cases of violations of our Terms or Community Rules.
Moderation of content and profiles is conducted in compliance with the Community Rules, accessible within the Clients’ applications. These rules detail prohibited content, possible moderation actions (warnings, content removal, account suspension, etc.), and available remedies. Users are encouraged to review these rules to better understand the applicable standards.
4.6 Compliance
User or content reporting: Allowing Users to report content or profiles they believe violate Community Rules. Reports will be reviewed by our moderators, who will take action against the reported content or User if necessary.
Law enforcement and moderation of illegal content: Prompt removal or disabling access to illegal content upon discovery, notifying authorities of certain offenses, and retaining data for investigations at their request.
Compliance with any applicable legal or regulatory obligations, including processing your requests related to exercising your privacy rights, as outlined in Section 7.
Supporting users and reporting to authorities: Reporting to authorities in situations or content representing threats to life (e.g., self-harm or violence).
Legal Basis: We rely on applicable legal obligations as the legal basis for processing your personal data under this Section 4.6.
4.7 Management of Client, Partner, and Supplier Relations
Handling complaints, inquiries, and contact requests via phone, email, or contact forms.
Legal Basis: We rely on the performance of contractual or pre-contractual measures as the legal basis for processing personal data under this Section 4.7.
4.8 Electronic Commercial Prospecting
Announcing new products and/or Services,
Promotional communications,
Invitations to events (trade shows, networking events, webinars, conferences, etc.),
Distribution of satisfaction surveys and polls to improve our products and Services,
Prospecting for new clients.
Legal Basis: We rely on consent as the legal basis for processing this personal data under this Section 4.8, where required by law.
4.9 Recruitment Campaign Management
Receiving and processing applications.
Legal Basis: We rely on Octopus Community’s legitimate interests in filling positions as the legal basis for processing your personal data under this Section 4.9.
5. Data Retention
5.1 Community Account Validity Period
We retain the personal information of our Users for as long as necessary to enable the use of our Services.
A Community Account is deleted if:
The User has been inactive for 3 years, meaning they have not accessed the Services or contacted us for a continuous period of 3 years;
The User requests the deletion of their account.
When a Community Account is deleted:
The Services are no longer accessible, and the User profile is no longer accessible or visible to other Users;
Public interactions with the community (e.g., likes, posts, comments, or photos) are anonymized but not deleted;
Data used for analytical or statistical purposes (as detailed in Section 4.3) is anonymized;
Other data are deleted.
These provisions are subject to data that we are legally required to retain, such as under the French LCEN (Law on Confidence in the Digital Economy), which will be deleted as soon as the legal retention period expires.
5.2 Specific Retention Periods for Community Accounts
The following data types have specific maximum retention periods:
Moderated content or User profiles: 3 years after the moderation decision or account ban,
Data related to contact with our Customer Service (inquiries, complaints, etc.): 3 years after the message is sent or the last activity on the account,
Data processed as part of a request to exercise a right: 3 years after the request,
If an ID document is provided as proof of identity to process a request, it will be deleted after the request is processed.
Online browsing data collected through cookies or analytics software: 13 months after consent.
Notwithstanding Sections 5.1 and 5.2, we may retain certain personal data for a longer period if required by law. We may also retain personal information as necessary to resolve disputes or to exercise or defend our legal rights.
Beyond these maximum retention periods, the data will be permanently deleted or fully anonymized.
5.3 Retention Period for Client, Prospect, and Supplier Data
Website browsing data: 13 months,
Client and Supplier data: Personal data is retained for the duration of the contractual relationship and for a maximum of 5 years after its termination, unless legal obligations require longer retention (e.g., tax or accounting documents such as invoices and contracts, which must be retained for 10 years in accordance with Article L123-22 of the French Commercial Code).
Prospect data: Data is retained for a maximum of 3 years after the last contact or interaction, unless explicit consent is provided for an extended period.
At the end of these periods, the data will be deleted or anonymized for statistical purposes, unless ongoing legal obligations or disputes require longer retention.
5.4 Retention Period for Recruitment Candidate Data
Personal data of candidates applying for positions within our company is retained for the duration necessary to process their application. If no employment contract is concluded, the data is retained for a maximum of 2 years after the last contact with the candidate, unless the candidate objects or provides explicit consent for a longer retention period.
At the end of this period, the data will be deleted or anonymized for statistical purposes.
If the candidate is hired, their personal data will be included in their HR file and retained according to the provisions applicable to employees.
6. Sharing Your Data
We only share your data when necessary, including:
Octopus Community staff. Authorized employees have access to your personal data and process it only to the extent necessary to achieve the purposes listed in Section 4 above. They are bound by confidentiality obligations and access restrictions based on their roles.
Third-party service providers. We share your personal data with providers who assist us in operating and improving our services. These providers may host our services, monitor their performance, moderate content or detect violations of Community Rules, store support tickets and/or assist users, or offer additional features. We only select providers that offer strong data protection guarantees, ensuring that data security is upheld under conditions at least as stringent as those implemented by Octopus Community.
Change of ownership. In the event of bankruptcy, merger, acquisition, reorganization, or another change of control, your personal data may be transferred to the relevant entity as part of the transaction.
Affiliates. We may disclose personal data to companies affiliated with Octopus Community to operate the services or for any other purpose listed in Section 4 above.
Enforcement of legal rights. If necessary to defend our legal rights, enforce an agreement (such as our Terms of Use), prepare a defense, or initiate litigation, we may share data with competent courts, public authorities, legal advisors, and/or experts.
Legal obligations and public safety. We may share personal data with judicial, administrative, or other authorities in response to legal orders, subpoenas, or warrants, to protect the safety or integrity of an individual, to safeguard the security and integrity of the services, or to protect the rights, freedoms, or property of ourselves or other users.
7. Your Privacy Rights
You have the following rights regarding your personal data:
Right of access and data portability, allowing you to receive a copy of your data in a commonly used format.
Right to rectification of your personal data if it is inaccurate, incomplete, or outdated. You can update certain data directly in your account.
Right to erasure of your personal data. You may also request the deletion of your account.
Right to withdraw consent if data processing is based on your consent. In most cases, you can withdraw consent through the application or device settings.
Right to object to the processing of your personal data for reasons related to your particular situation.
Right to restrict processing in certain circumstances, such as when disputing the accuracy of your data, if the processing is unlawful, or if you need the data to establish, exercise, or defend legal claims.
Right to define post-mortem instructions regarding the retention, deletion, and disclosure of your personal data after your death.
To exercise these rights, contact us at contact@octopuscommunity.com.
The conditions for exercising these rights may vary depending on applicable laws and regulations. These rights may be limited by current laws, the rights and freedoms of others, our confidentiality obligations, trade secrets, and/or intellectual property rights. We may retain certain personal data if required by law or if it is necessary to resolve a dispute or exercise or defend our legal rights. Where applicable, you will be informed of the reasons why we could not fully or partially fulfill your request.
To process your request, Octopus Community may ask for a copy of your ID or another document to verify your identity if reasonable doubts exist.
If you believe your rights have been violated, you can file a complaint with the relevant French authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), via their website (https://www.cnil.fr) or by mail at: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.
8. Data Security
We take all necessary measures to maintain a level of security appropriate to the risks. We use advanced technical security measures to protect personal data, such as encrypted communications with TLS 1.3.
We also ensure long-term security through:
Secure deployment processes, including peer reviews and CI/CD pipelines for frequent updates, including security patches.
Rigorous evaluation of external tools and libraries to meet security standards.
Regular updates to maintain the highest security standards and adherence to OWASP MASVS guidelines for mobile application security audits.
Regular audits to assess our security practices.
Access control: limiting employee access to sensitive data.
We have a data breach notification process in compliance with GDPR requirements, ensuring notifications within 72 hours if necessary.
9. Children's Privacy Protection
Our services are not intended for children under the age of 16. During registration, age verification is conducted to ensure this condition is met. If we discover that a minor has circumvented this verification, their account will be immediately deactivated and their data deleted.
10. International Data Transfers
We ensure that all processed data remains within the European Economic Area (EEA) or in countries deemed to provide an adequate level of personal data protection, in accordance with Article 45 of the GDPR. Our servers are hosted in data centers compliant with GDPR security and data protection standards.
In some cases, personal data may be transferred to partners located outside the EEA. These transfers strictly adhere to GDPR rules, including specific agreements (known as Standard Contractual Clauses) that ensure a high level of data protection:
If the third country does not benefit from an adequacy decision by the European Commission, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission or another authorized transfer mechanism.
We ensure that these subcontractors implement appropriate security measures to guarantee the confidentiality and protection of the transferred personal data.
Additionally, we require all our subcontractors, whether located within the EEA or in third countries, to comply rigorously with GDPR through detailed contractual agreements that specify:
Obligations regarding data protection.
Standards of legality, transparency, and data minimization.
Mechanisms for monitoring and audits that we may perform to verify their compliance.
These provisions ensure strict compliance with GDPR data transfer requirements while providing the highest level of data protection for our users.
11. Changes to This Policy
We will update this Privacy Policy from time to time to reflect technological, economic, regulatory, or legal developments, or if we modify our practices regarding the processing of personal data, including to comply with changes in applicable laws and regulations.
We will notify you in advance, via email or in-app notification, of significant changes to this Privacy Policy. Following such notification, your continued use of any website or application operated by Octopus Community signifies your acceptance of these changes.
12. Contact Us
If you have any questions regarding this Privacy Policy or any requests related to your personal data, you can contact us by emailing contact@octopuscommunity.com.