Privacy Policy
This privacy policy (the "Policy") describes how THINKZ IOT FRANCE SASU processes your personal data when you visit the website spora.thinkz.ai, when you take part in the SPORA survey, and when you receive our communications about the launch of the platform.
We comply with the General Data Protection Regulation (Regulation EU 2016/679, the "GDPR") and the French Data Protection Act (Loi Informatique et Libertés), as amended. This Policy is published in French as the authoritative version; official translations are available in English, German and Dutch. In the event of any inconsistency in interpretation, the French version prevails.
1. Data controller
The controller of your personal data is:
THINKZ IOT FRANCE SASU
Simplified joint-stock company with a sole shareholder (société par actions simplifiée à associé unique), share capital €10,000
Registered with the French Trade and Companies Register (RCS) of Toulouse under number 932 283 161 — EUID: FR3102.932283161
Registered office: 40 rue du Japon, 31400 Toulouse, France
Represented by Mr. Ron Vardinon, Chief Executive Officer, acting as internal data protection lead
For any question about your data or this Policy: info@thinkz.ai
2. Data we collect
We collect different categories of data depending on how you interact with SPORA:
2.1 When you visit spora.thinkz.ai
- Connection data: IP address (anonymized for analytics tools), browser type, operating system, pages viewed, time spent on the site, traffic source.
- Cookie and tracker data: see Article 6 below for the full list and purpose of cookies used.
2.2 When you participate in the SPORA survey
- Identification data: first name, last name, email address.
- Optional data: mobile phone number.
- Survey responses: information about your household and smart home ecosystem (type of housing, smart device brands you own, usage scenarios, preferences).
- Winners only: postal address, provided after notification, solely for the purpose of prize delivery.
2.3 When you receive our communications
- Management data: your email address, your consent status, the history of emails sent and their interactions (open, click).
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Measure audience and improve the spora.thinkz.ai user experience | Consent (Art. 6.1.a) — audience measurement cookies |
| Measure the performance of our advertising campaigns | Consent (Art. 6.1.a) — marketing cookies |
| Manage your contest entry and award prizes | Performance of a contract (Art. 6.1.b) — contest rules |
| Send you communications about the launch of the SPORA Alpha version | Consent (Art. 6.1.a) |
| Retain winners' data for accounting and tax compliance | Legal obligation (Art. 6.1.c) — French Commercial Code, French Tax Code |
| Detect and prevent fraud attempts in the contest | Legitimate interest (Art. 6.1.f) — preserving the integrity of the contest |
4. Recipients and processors
Your data is shared only with the recipients listed below, limited to what is strictly necessary for each purpose:
| Recipient | Role | Location |
|---|---|---|
| Typeform | Collection of survey responses | United States |
| HubSpot | Customer relationship management, email delivery, on-site analytics | United States (EU region hosting — Frankfurt) |
| Google Analytics | Anonymized website audience measurement | United States |
| Reddit Inc. | Performance measurement of Reddit Ads campaigns | United States |
| LinkedIn Corporation | Performance measurement of LinkedIn advertising campaigns | United States |
| Meta Platforms Ireland Ltd. (Facebook) | Performance measurement of Meta advertising campaigns | Ireland / United States |
| Postal carrier (winners only) | Prize delivery | European Union |
We never use your data for commercial purposes other than those described in this Policy, and we do not sell it to any third party.
5. International data transfers
Some of our processors are based or operate from the United States. Transfers of your data to these recipients are governed by one of the safeguards set out in Chapter V of the GDPR:
- Data Privacy Framework (DPF): where the processor is certified under the transatlantic data protection framework adopted by the European Commission's adequacy decision of 10 July 2023.
- Standard Contractual Clauses (SCC): in the absence of DPF certification, we enter into the standard clauses adopted by the European Commission (Decision 2021/914) with the processor, supplemented by additional technical and organizational measures.
6. Cookies and trackers
Our site uses cookies and similar technologies for its operation, audience measurement, and advertising performance measurement. In accordance with Article 82 of the French Data Protection Act (transposing Article 5.3 of the ePrivacy Directive), non-strictly-necessary cookies require your prior consent. You can change your preferences at any time through the cookie consent banner accessible from the page footer.
6.1 Essential cookies (always active)
These cookies are strictly necessary for the site to operate and do not require your consent (Article 82, paragraph 2 of the French Data Protection Act).
- Security cookies (protection against automated attacks)
- Language preference cookies
- Cookies that remember your consent choices
6.2 Audience measurement cookies (subject to consent)
- Google Analytics 4: measures website audience with IP anonymization enabled. Retention period: 13 months (consistent with French data protection authority guidance).
- HubSpot: measures on-site engagement and helps personalize email communications. Retention period: 13 months.
6.3 Marketing cookies (subject to consent)
- Reddit Ads (Reddit Pixel): measures the performance of our advertising campaigns on Reddit.
- LinkedIn Insight Tag: measures the performance of our advertising campaigns on LinkedIn.
- Meta Pixel (Facebook): measures the performance of our advertising campaigns on Meta (Facebook and Instagram).
Retention period for marketing cookies: 13 months maximum.
7. Retention periods
| Category of data | Retention period |
|---|---|
| Survey participation data (non-winners) | 24 months from the date of entry |
| Winners' data | 3 years from the date the prize is delivered (accounting and tax obligations) |
| Communication management data (newsletter / Alpha) | Until consent is withdrawn, then 3 years for evidence purposes |
| Audience measurement cookies | 13 months |
| Marketing cookies | 13 months |
| Technical connection data | 12 months (server logs) |
8. Your rights
Under the GDPR and the French Data Protection Act, as amended, you have the following rights regarding your data:
- Right of access (Art. 15 GDPR): obtain confirmation that we process your data, and a copy of the data we hold about you.
- Right of rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17 GDPR): have your data deleted, subject to legal retention obligations (in particular for winners: 3 years for accounting purposes).
- Right to object (Art. 21 GDPR): object to the processing of your data on grounds relating to your particular situation.
- Right to restriction (Art. 18 GDPR): request suspension of processing.
- Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format.
- Right to withdraw consent (Art. 7.3 GDPR): at any time, without affecting the lawfulness of processing before withdrawal.
- Right to define post-mortem instructions (Art. 85 of the French Data Protection Act): regarding the fate of your data after your death.
To exercise these rights, email us at info@thinkz.ai. We will respond within one (1) month, in accordance with Article 12.3 GDPR. We may ask for proof of identity in case of reasonable doubt.
9. Minors
SPORA is not intended for children. Participation in the survey and the contest is restricted to persons aged sixteen (16) years or older, in accordance with the contest rules and Article 8 GDPR on the consent of minors. If you are under 16, you must not participate in the survey or submit data via spora.thinkz.ai. If we become aware that we have inadvertently collected data from a child under 16 without the required parental consent, we will delete it promptly.
10. Data security
We implement appropriate technical and organizational measures to protect your data against loss, alteration, disclosure, or unauthorized access. These measures include in particular: encryption of communications (HTTPS/TLS), access control to our systems, careful selection of GDPR-compliant processors, and ongoing data protection awareness within our team.
As no method of transmission over the internet or electronic storage is 100% secure, we cannot guarantee absolute security. In the event of a data breach likely to result in a risk to your rights and freedoms, we will inform you and notify the French Data Protection Authority (CNIL) in accordance with Articles 33 and 34 GDPR.
11. Changes to this Policy
This Policy may be amended at any time, in particular to reflect legal, technical, or organizational developments. The version applicable is the one published on this page at the date of your visit. The "last updated" date is shown at the top of the page. In the event of a material change, we will inform you by appropriate means (notice on the site, email to subscribers).
12. Contact and complaints
For any question about this Policy or to exercise your rights, contact us at info@thinkz.ai.
If you consider that we are not respecting your rights, you have the right to lodge a complaint with a data protection authority:
- France: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 place de Fontenoy, 75007 Paris — www.cnil.fr
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Other countries: the data protection authority of your country of habitual residence.