Privacy Policy

  • ‍ ‍

    The Provenance for Trust website, accessible at https://www.provenance4trust.org/, is published by the association Provenance4Trust, an entity established in France, which acts as the data controller within the meaning of Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) and amended Law No. 78-17 of 6 January 1978 (“French Data Protection Act”).

    Contact details:
    • “Provenance for Trust” refers to Provenance4Trust, an association governed by the French Law of 1 July 1901, registered at XXX under number XXXX (in the process of being established).
    • Registered office address: 37 Rue Raffet, 75016 Paris, France.
    • General contact (email): dpo@provenance4trust.org
    • Where applicable, contact details of the Data Protection Officer (DPO).

  • Depending on how the Provenance for Trust website and services are used, the following categories of data may be collected:
    Identification data: last name, first name, job title, organization, account identifier, username.
    Contact data: professional or personal email address, telephone number, country.
    Connection and browsing data: connection logs, IP address, device identifiers, data relating to cookies and trackers (pages visited, timestamps, browser type, etc.).
    Content-related data: provenance metadata associated with your digital content (photos, videos, audio, text), C2PA identifiers, licensing information, information on distribution platforms, labeling logs (who labeled what, when and how).
    Contractual and commercial relationship data: history of requests, exchanges with support, billing data if you hold a paid account.

    As a rule, the association Provenance4Trust is not intended to collect “sensitive” data within the meaning of Article 9 GDPR (health data, political opinions, etc.) and asks users not to include such information in the content processed.

  • The data processing activities carried out pursue the following purposes:

    1. Website and user account management
      o Creation, management and security of accounts.
      o Provision of labeling, provenance verification and investigation services (fake news, AI-generated content).
      Legal basis: performance of a contract (Article 6(1)(b) GDPR) and legitimate interest of the data controller (Article 6(1)(f) GDPR).

    2. Combating disinformation and protecting content provenance
      o Implementation of the C2PA standard and application of provenance labels to content (photo, video, audio).
      o Traceability of labeling, verification, reporting or alteration operations.
      Legal basis: performance of a contract and legitimate interest in ensuring the integrity, reliability and traceability of content.

    3. Customer relationship and support
      o Management of requests for information, demonstrations or subscriptions.
      o Monitoring of the commercial relationship, billing and accounting.
      Legal basis: performance of a contract and compliance with legal obligations (accounting, tax).

    4. Service improvement and security
      o Audience analysis, performance measurement, improvement of website and tool ergonomics.
      o Detection of fraudulent activities, attacks or attempts to alter content.
      Legal basis: legitimate interest (security, continuous improvement) and consent for certain non-essential cookies/trackers.

    5. Marketing and communications
      o Sending information about services, updates, events or awareness campaigns (journalism, institutions, brands, artists).
      Legal basis: consent for electronic marketing to individuals, legitimate interest for B2B marketing subject to the right to object.

  • Personal data may be disclosed, within the scope of their respective responsibilities:
    • To internal departments of Provenance for Trust (product, support, sales, legal, technical teams).
    • To technical service providers and subcontractors (hosting, analytics tools, email delivery, C2PA integration, etc.), acting on the instructions of Provenance for Trust under contracts compliant with Article 28 GDPR.
    • Where applicable, to editorial or institutional partners involved in content verification projects, in compliance with the legal bases and the rights of individuals.

    Data is in principle hosted within the European Union. In the event of transfers to a third country, the association Provenance4Trust implements the appropriate safeguards provided for in Articles 44 et seq. of the GDPR (standard contractual clauses, supplementary measures, etc.).

  • Data is retained for limited periods, strictly necessary for the purposes pursued:
    Account data: for the entire duration of use of the Services, then in intermediate archives for the applicable statutory limitation period.
    Billing and accounting data: statutory retention period (generally 10 years under French law).
    Technical logs and security data: from a few months up to a maximum of two years, depending on security and evidentiary requirements.
    Marketing data: 3 years from the last active contact or the end of the commercial relationship, then deletion or anonymization.

    Provenance metadata attached to content may, depending on the service architecture, be retained for a longer period in order to ensure traceability and proof of authenticity, subject to the rights to erasure and objection of the data subjects.

  • ‍ ‍

    In accordance with the GDPR and the French Data Protection Act, data subjects have the following rights in relation to their data:
    • Right of access and to obtain a copy.
    • Right to rectification of inaccurate or incomplete data.
    • Right to erasure (“right to be forgotten”) under the conditions set out in Article 17 GDPR.
    • Right to restriction of processing.
    • Right to object, in particular to marketing or to certain processing based on legitimate interest.
    • Right to data portability of data provided, where processing is carried out by automated means on the basis of consent or performance of a contract.
    • Right to define instructions regarding the handling of data after death (under French law).

    These rights may be exercised by contacting the association Provenance4Trust (dpo@provenance4trust.org) and providing proof of identity. Data subjects also have the right to lodge a complaint with the CNIL (www.cnil.fr).

  • The website may use cookies and other trackers to:
    • Ensure the operation of the website and user authentication (“strictly necessary” cookies).
    • Measure audience and improve performance.
    • Personalize certain features or communications.

    In accordance with CNIL guidelines, an information banner allows users to:
    • Accept all cookies.
    • Refuse all non-essential cookies.
    • Configure their choices in a granular manner.

    The placement of non-essential cookies is based on the user’s prior consent, which may be withdrawn at any time.

  • The association Provenance4Trust implements appropriate technical and organizational measures to ensure a level of security appropriate to the risks, including:
    • Access controls, authorization management, traceability.
    • Encryption of certain data and flows, backups.
    • Procedures for detecting and managing security incidents.

    In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, the association Provenance4Trust will notify the CNIL and, where applicable, the data subjects, in accordance with Articles 33 and 34 GDPR.

  • This privacy policy may be updated, in particular to reflect legislative and regulatory changes or developments in the Services. Any updated version will be published on the website with a date of last update and may, where appropriate, be notified to users by any appropriate means.

Créer