Privacy Policy

Last updated October 2025

As an online purchasing and subscription hub, NORMADOC collects and processes certain personal data (the “Data”) relating to its prospects, clients, users and partners (the “Data Subjects”).
This privacy and data protection policy (the “Privacy and GDPR Policy”) is intended to inform Data Subjects about:
- the processing operations carried out by NORMADOC,
- their purposes,
- as well as the rights available to Data Subjects under the applicable legislation on personal data protection, including the GDPR.
This Privacy Policy applies to all processing operations carried out by NORMADOC through its two websites:
- the online sales site https://www.normadoc.com/ and
- the subscription site https://subscriptions.normadoc.com/,
as well as to any other service offered online or offline by the company.
Access to NORMADOC’s services is reserved for persons of legal age.
This Policy may evolve in order to remain compliant with legal and regulatory requirements. In the event of any material update, the new version will be communicated to users through NORMADOC’s services or by any other appropriate means. The revision date is indicated at the top of this document.

1. Points of contact
Data Controller(s): NORMADOC, a société par actions simplifiée (SAS) with share capital of €7,622.45, registered with the Paris Trade and Companies Register under number 380 700 708 (Paris B), with registered office at 44 Rue Liancourt, 75014 Paris, France.
NORMADOC acts as the data controller for personal data collected through its websites, applications and services.
Where NORMADOC acts as a data processor, the applicable special terms, general terms of sale or general terms of use for the relevant site, product, solution or service shall apply.
For online payment operations, Stripe acts as an independent data controller in accordance with its own privacy policy.
Personal Data Contact. The person in charge of data protection at NORMADOC can be contacted at: gdpr@normadoc.com.
No Data Protection Officer (DPO) has been appointed to date; the above email address constitutes the internal point of contact for any questions relating to personal data protection.

2. Principles and measures applied
In the course of collecting and processing Data, NORMADOC complies with the following principles:
• Lawfulness: Data are collected for specified, explicit and legitimate purposes, based on an appropriate legal basis.
• Transparency: Data Subjects are informed of each processing operation via available information notices. No processing is carried out without their knowledge.
• Data minimisation: NORMADOC only collects and processes Data that are strictly necessary for the purposes pursued.
• Data protection by design and by default: NORMADOC integrates data protection measures at the design stage of its services and ensures that its partners comply with the same requirements.
• Security: NORMADOC implements technical and organisational measures in line with applicable standards for each type of processing. Payment information is processed through PCI DSS-compliant providers (Payment Card Industry Data Security Standard).
• Commitment of processors: NORMADOC carefully selects its providers and partners, imposes an equivalent level of security and restricts any use of Data to the strict performance of the services entrusted.

3. Data Used
NORMADOC collects and uses, in particular:
• Civil status and identification data (such as surname, first name(s), title, home or professional address, personal or professional e-mail address, personal or professional telephone number);
• Professional data (such as job title, department, company or organisation, status as professional, private individual or student);
• Payment data;
• Login data (identifiers, dates, IP addresses, logs, etc.);
• Browsing data, order history, preferences and customer history;
• Service interaction data (newsletter, support, training, webinars, etc.);
• Exchanges with customer service or training personnel.
No “special category” data (ethnic origin, political opinions, health, etc.) are processed.

4. Means of Collection
Data are collected:
- when creating or modifying an account, order or subscription,
- when subscribing to a newsletter or registering for an event,
- when browsing NORMADOC websites,
- or via third-party sources (social networks, partners, training bodies, certification bodies, etc.).

5. Mandatory or optional
Mandatory fields are marked with an asterisk (*). Failure to provide such Data may prevent the requested service from being supplied.
Absence of cookies. At this time, no cookies or trackers are placed via NORMADOC websites.
The only automatically collected data relate to email opens and clicks through tracking pixels and tagged links, without the use of cookies.
Should cookies be introduced in the future, NORMADOC undertakes to update this Policy and obtain the user’s prior consent in accordance with applicable regulations (cookie banner and preference settings).

6. Legal Basis for Data Processing
Processing operations are based on the legal grounds provided for in Article 6 of the GDPR:
- performance of a contract (order, subscription, customer support);
- NORMADOC’s legitimate interests (B2B prospecting, service improvement, account security);
- Data Subject consent (non-professional electronic marketing);
- legal obligations (billing, accounting, professional training requirements).
The table below sets out the purposes of processing and the corresponding legal basis (Article 6 GDPR) for each.

• Management and monitoring of the contractual relationship (quotes, contracts, orders, subscriptions, recurring payments, deliveries, management of the customer or user account, withdrawal requests, complaints, customer support).
  Legal basis: performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR).

• Banking and payment data – additional details (one-off payment, subscription with or without automatic renewal, claims management, fraud prevention).
  Legal basis: performance of a contract (Article 6(1)(b) GDPR); legal obligation for fraud prevention and anti-money laundering requirements (Article 6(1)(c) GDPR).

• Sending personalised information and newsletters based on the organisation's activity and regulatory updates. Some communications related to a subscription are inseparable from the provision of the service.
  Legal basis: performance of a contract (Article 6(1)(b) GDPR); legitimate interest of NORMADOC for B2B commercial prospecting (Article 6(1)(f) GDPR).

• Debt collection and management of unpaid invoices.
  Legal basis: legitimate interest of NORMADOC in recovering outstanding payments (Article 6(1)(f) GDPR).

• Customer or prospect relationship management (surveys, studies, satisfaction feedback, events).
  Legal basis: legitimate interest of NORMADOC in improving its services (Article 6(1)(f) GDPR).

• Preparation of commercial statistics.
  Legal basis: legitimate interest (Article 6(1)(f) GDPR), and performance of the contract (Article 6(1)(b) GDPR) where statistics are delivered at the client's request.

• Analysis of the use of websites and services (views, duration, clicks, etc.).
  Legal basis: legitimate interest (Article 6(1)(f) GDPR).

• Commercial prospecting to professional customers and prospects (B2B).
  Legal basis: legitimate interest (Article 6(1)(f) GDPR).

• Commercial prospecting to non-professional prospects (B2C).
  Legal basis: consent (Article 6(1)(a) GDPR); legitimate interest for postal solicitations or non-automated phone calls (Article 6(1)(f) GDPR).

• Marketing analysis and non-automated profiling (preferences, browsing data, interactions).
  Legal basis: legitimate interest (Article 6(1)(f) GDPR).

• Management of disputes and litigation.
  Legal basis: legitimate interest (Article 6(1)(f) GDPR).

• Securing access to subscriber areas and documentation.
  Legal basis: performance of a contract (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR).

• Management of invoicing and accounting.
  Legal basis: legal obligation (Article 6(1)(c) GDPR).

• Management of professional training.
  Legal basis: legal obligation (Article 6(1)(c) GDPR).

• Management of consent and requests to exercise data protection rights.
  Legal basis: legal obligation (Articles 12 to 22 GDPR).

Profiling: NORMADOC may carry out profiling operations within the scope of the processing activities described above.
Such operations consist of analyzing certain browsing data, as well as email opens and clicks, solely to personalize communications and offer content tailored to user interests.
These analyses do not produce any legal effects nor automated decision-making within the meaning of Article 22 of the GDPR.
Data Subjects may object at any time by contacting the addresses indicated in section 9.4 of this Policy.

7. Recipients of the Data Collected and/or Processed
Personal Data collected and/or processed by NORMADOC may be communicated to the following recipients, within the scope of their responsibilities and the purposes pursued:
• Internal NORMADOC teams (e.g. sales, accounting, support, marketing), duly authorised within the context of their duties;
• Entities (companies, groups, organisations) that have entered into an agreement with NORMADOC granting their authorised users access to its products or services, solely for such users’ Data and within the performance of the relevant contract;
• NORMADOC Partners, distributors and subprocessors involved in hosting, maintenance, support, payment processing, delivery or the provision of technical services. The main processors to date are:
– Stripe Payments Europe Ltd. (payment processing);
– INPEC (France – Evry B 404 151 003) for maintenance and backups;
– Human’s Connexion (France – Toulouse B 513 792 119) for administration of subscriber and client areas;
– as well as the providers listed in section 8.1.
These processors act in accordance with NORMADOC’s instructions and undertake to comply with applicable data protection regulations;
• Legally authorised bodies, authorities and third parties, including judicial, administrative or regulatory authorities, bailiffs, experts, lawyers, auditors and statutory auditors, as part of their duties or legal proceedings;
• Successors and assigns or any entity involved in corporate restructuring (merger, acquisition, investment, partial asset transfer, etc.), provided that the recipients undertake to comply with the obligations set out herein.
NORMADOC never sells or rents personal data to third parties.

8. Data Storage Locations
8.1 Hosting and Back-up within the EEA
Data collected and processed by NORMADOC are hosted within the European Economic Area (EEA), primarily in France and Germany, through providers offering a high level of security and compliance:
• Ethersys (France – Toulouse B 808 364 095): hosting of NORMADOC websites and associated services;
• OVH (Germany – Lille Métropole B 424 761 419): hosting of NORMADOC email inboxes and related data;
• Brevo (France – Paris B 498 019 298): hosting of prospect and customer mailing lists.
NORMADOC ensures that these providers implement technical and organisational measures compliant with the GDPR.
8.1 bis. Payment Data Processed by Stripe
Payment data are processed by our secure payment provider, Stripe, which may use servers located within the EEA and/or in countries outside the EEA.
Where such transfers occur, Stripe implements appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, available at:
https://stripe.com/legal/privacy-center
NORMADOC does not itself store complete card numbers. Such data are encrypted and processed exclusively by Stripe in compliance with the PCI DSS standard.
Stripe acts as an independent data controller for payment data processed through its platform and is solely responsible for the fulfilment of its legal and regulatory data protection obligations.
8.2 Distributors and Partners Located Outside the EEA
Certain commercial distributors or partners of NORMADOC may be located outside the EEA. In such cases:
• these distributors act as independent data controllers for data relating to their own clients;
• their clients access the NORMADOC platform hosted within the EEA;
• data flows therefore originate from non-EEA territories towards the EEA, and not the reverse.
These operations do not constitute a data transfer outside the EEA within the meaning of the GDPR, but rather inbound access to a platform hosted in Europe.
NORMADOC requires such distributors to comply with the data protection regulations applicable in their country of establishment and to inform their customers of the data processing and transmission conditions applicable towards the EEA.
8.3 Potential Future Transfers Outside the EEA
Should NORMADOC, in the future, transfer personal data to a country outside the EEA, such transfers will be governed by appropriate safeguards, such as:
• the European Commission’s Standard Contractual Clauses,
• an adequacy decision by the European Commission,
• or any other mechanism compliant with applicable regulations.
Data Subjects will be informed of any material change concerning the destination, nature of data transferred or safeguards implemented.

9. Rights of Data Subjects & How to exercise them
9.1 Main Rights of Data Subjects
In accordance with the GDPR and the French Data Protection Act, each Data Subject has the following rights regarding their Data:
• Right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing already carried out (Article 7(3) GDPR);
• Right of access to their Data and to information about the processing carried out by NORMADOC (Article 15);
• Right to rectification of inaccurate or incomplete Data (Article 16);
• Right to erasure (“right to be forgotten”) in the cases provided for by law (Article 17);
• Right to restriction of processing in the situations defined in Article 18;
• Right to data portability of Data provided to NORMADOC, in a structured, commonly used and machine-readable format, where processing is based on consent or contract and carried out by automated means (Article 20);
• Right not to be subject to a decision based solely on automated processing, including profiling, producing legal effects or significantly affecting them (Article 22).
Currently, NORMADOC does not carry out any such automated decision-making.
9.2 Right to object
Under Article 21 GDPR, each Data Subject has:
• the right to object, on grounds relating to their particular situation, to processing based on NORMADOC’s legitimate interests, unless compelling legitimate grounds justify continuation;
• the right to object at any time to processing carried out for direct marketing purposes, including profiling related to such marketing.
Marketing-related rights vary depending on the Data Subject's status and the prospecting channel, as set out below.

Prospecting by electronic means (e-mail):
• Non-customer Data Subject or person acting as a consumer (B2C): NORMADOC will only send commercial prospecting e-mails after obtaining the prior consent of the individual. The individual may withdraw their consent at any time by unsubscribing via the link included in each message or by contacting NORMADOC at the postal or electronic addresses indicated below.
• Customer Data Subject or person acting in a professional capacity (B2B): NORMADOC may send commercial prospecting e-mails without prior consent where the individual is acting in a professional capacity or is already a customer, provided that the communication relates to similar products or services and that the individual can object at any time. Unsubscribing is possible via the link included in each message or by contacting NORMADOC at the postal or electronic addresses indicated below. Certain messages (including subscription-related newsletters) are considered necessary for the performance of the contract and cannot be deactivated without affecting the service.

Prospecting by telephone (non-automated calls):
• Non-customer Data Subject or person acting as a consumer (B2C): NORMADOC may contact the individual by telephone for commercial prospecting purposes unless they object. The individual may object (i) directly to NORMADOC (using the contact details below), or (ii) more generally by registering their number free of charge on the French national opt-out list Bloctel: www.bloctel.gouv.fr.
• Customer Data Subject or person acting in a professional capacity (B2B): NORMADOC may contact the individual by telephone for commercial prospecting purposes unless they object, using the same means (unsubscription or direct request).

9.3 Post-Mortem rights
Under Article 85 of the French Data Protection Act, any Data Subject may define, amend or revoke instructions relating to the retention, erasure and communication of their Data after death.
• Specific instructions may be communicated directly to NORMADOC and apply only to Data that it processes.
• General instructions may be registered with a certified trusted digital third party (pending implementing decree).
Data Subjects may also designate a third party authorized to receive their Data after death. In such cases, they undertake to inform that third party and provide them with this Policy.

9.4 Exercising Rights
Any request to exercise rights may be addressed to NORMADOC:
• By post: NORMADOC – GDPR Service, 44 Rue Liancourt, 75014 Paris, France;
• By email: gdpr@normadoc.com
NORMADOC may request proof of identity to verify the requester’s identity, in accordance with Article 12 GDPR.
Requests are processed within one (1) month, extendable by two (2) further months depending on the complexity and number of requests.
Data Subjects may also lodge a complaint with the competent supervisory authority:
• in France, the Commission Nationale de l'Informatique et des Libertés (CNIL) – www.cnil.fr;
• for residents of other countries, their local data protection authority.

10. Data retention periods
Data are retained for the duration necessary for the purposes for which they are used. Retention periods vary depending on each purpose, as follows:

• Management and monitoring of the contractual relationship (quotes, subscriptions, recurring payments, invoicing, user account).
  Retention: contract data are kept for the duration of the contractual relationship + 5 years (civil and commercial limitation period).

• Bank data – additional details (one-off payment, subscription with or without tacit renewal, claims management, fraud prevention).
  Retention:
  – One-off payment: time necessary to complete the transaction + applicable withdrawal period.
  – Subscription without renewal: until the final instalment is paid.
  – Subscription with tacit renewal: until cancellation of the subscription.
  – Claims management: 13 months after debit (15 months for deferred-debit cards).
  – Anti-money laundering: until account closure, then kept in legal archival records.

• Sending information and newsletters (customers, prospects, subscribers).
  Retention:
  – Information newsletter: for the duration of the contractual relationship or until objection/withdrawal of consent.
  – Inactive prospects: 3 years from last contact.
  – Subscription newsletters: deleted upon termination.

• Debt recovery and management of unpaid amounts.
  Retention: until full recovery of the debt, then 5 years (limitation period).

• Customer and prospect relationship follow-up (surveys, studies, satisfaction, events).
  Retention: 2 years from collection or last contact.

• Commercial statistics.
  Retention: 3 years after the end of the commercial relationship.

• Website and service usage analytics and statistics.
  Retention: up to 25 months for browsing data (CNIL recommendation).

• Commercial prospecting (B2B customers and prospects).
  Retention:
  – Customers: 3 years after the end of the commercial relationship.
  – Prospects: 3 years from last contact or until objection.

• Commercial prospecting (B2C customers and prospects).
  Retention:
  – Customers: 3 years after the end of the commercial relationship.
  – Prospects: 3 years from last contact or until objection.

• Marketing analysis and non-automated profiling.
  Retention: 3 years after the end of the commercial relationship or last contact.

• Management of disputes/litigation.
  Retention: for the duration of the proceedings, then 5 years (limitation period).

• Securing access to subscriber areas and documentation.
  Retention:
  – Client data: duration of the contract + 5 years.
  – Technical logs: up to 12 months maximum (access logs are kept for 2 days on NORMADOC connection environments).

• Invoicing and accounting management.
  Retention: current financial year + 10 years from closing.

• Management of professional training.
  Retention: duration necessary to manage the training, then archived for up to 10 years in accordance with applicable regulation.

• Management of consents and data-subject rights requests.
  Retention: data relating to objections, 6 years; other rights requests, 5 years.

Where a personal data item is processed for several purposes, it is retained until the longest applicable retention or archiving period has expired.
At the end of the above periods, Data are either deleted or anonymised.

11. Security of Communications
NORMADOC implements appropriate technical and organisational security measures to protect Personal Data.
However, given the inherent characteristics of the Internet and electronic communication networks, NORMADOC cannot guarantee absolute security for data transmissions carried out online.
Users are therefore encouraged to take appropriate measures to protect their own devices and data (e.g., using up-to-date security solutions and ensuring careful management of login credentials).

12. Links to Third-Party Websites
NORMADOC websites and services may contain links to websites or services operated by third parties.
NORMADOC has no control over the data protection practices of such third parties and cannot be held responsible for their privacy or data processing policies.
Users are strongly encouraged to review the privacy policies of any third-party websites or services they visit.