Privacy policy

Water African Project (hereinafter "WAP") pays particular attention to the protection of personal data it processes as part of its activity. This policy is intended to inform data subjects how their data is collected, used, retained and protected, in compliance with Regulation (EU) 2016/679 of 27 April 2016 ("GDPR") and French law no. 78-17 of 6 January 1978 as amended ("Informatique et Libertés").

WAP is a French SME whose business is mainly export-oriented, with a clientele primarily located in Africa and suppliers in Europe and Asia. This policy has been drafted taking into account the operational reality of the company, with a logic of transparency and responsibility (the accountability principle set out in article 5.2 of the GDPR).

Article 1 — Data controller

The controller of personal data is Water African Project (WAP), a société par actions simplifiée whose registered office is at 5 avenue du canal Philippe Lamour, 30660 Gallargues-le-Montueux, France.

For any question or request concerning your personal data, you can use the contact form on the site indicating the subject "Personal data", or contact us by phone on +33 9 73 26 90 30.

Article 2 — Scope

This policy applies to personal data processed by WAP concerning:

• visitors to the website www.waterafricanproject.com
• prospects
• clients
• suppliers and service providers
• partners
• professional contacts encountered during projects

Article 3 — Categories of data processed

The following categories of data may be processed.

3.1 Identification and contact data

Last name, first name, role, company, business postal address, email, phone.

3.2 Commercial relationship data

Written exchanges, quotations, orders, correspondence, history of the relationship.

3.3 Project data

Technical documents, correspondence, files relating to assignments, items required for the preparation, execution and follow-up of operations.

3.4 Supplier and service-provider data

Business contact details, contractual documents, supporting documents.

3.5 Occasional identity documents

For projects involving administrative formalities (invitation letters, visa applications, customs formalities), some identity documents (copy or passport number) may be transmitted by the data subject or their counterparts. These documents are processed solely for the formality concerned and are not subject to structured storage.

3.6 Browsing data

Technical data linked to browsing the site (see article 14 — Cookies).

Article 4 — Processing purposes

Personal data is processed for the following purposes:

• respond to requests received via the site or any other channel
• manage the commercial relationship (prospecting, quotations, orders, projects, invoicing)
• fulfil tax, accounting, customs and administrative obligations
• ensure internal organization and information system security
• carry out project-related formalities (invitations, visas, transport)
• manage cookies and the operation of the site

Article 5 — Legal bases for processing

In accordance with article 6 of the GDPR, the processing operations carried out by WAP rely on the following legal bases:

• Consent (art. 6.1.a) for non-strictly-necessary communications and non-essential cookies
• Pre-contractual or contractual performance (art. 6.1.b) for quotations, orders, projects, invoices and contract-related formalities
• Legal obligation (art. 6.1.c) for accounting, tax and customs retention
• Legitimate interest (art. 6.1.f) for managing the commercial relationship, targeted B2B prospecting, system security and the upkeep of professional contact files

Article 6 — Mandatory or optional nature of the data

Some information is necessary to handle your request or perform the contract. Without it, WAP may not be able to follow up. Other information is optional and you are free to decide whether to provide it.

Article 7 — Origin of the data

The personal data processed by WAP is obtained:

• directly from the data subject
• from colleagues, employers or professional counterparts in the context of a project
• via professional exchanges (emails, messaging, meetings, visits)
• via documents transmitted in the context of projects
• via the website (contact form, browsing)
• via public professional sources (directories, trade fairs, publications)

Article 8 — Recipients of the data

Personal data may be communicated:

• to authorized WAP staff, within the limits of their duties
• to technical service providers (see article 9 — Sub-processors)
• to outside advisors (chartered accountant, legal counsel) when necessary
• to suppliers, carriers or partners involved in a project, where strictly necessary for its execution
• to competent authorities in the event of a legal obligation

Article 9 — Sub-processors

WAP's main technical sub-processors are:

• Microsoft Ireland Operations Ltd — for Microsoft 365, Exchange Online, Microsoft Teams, OneDrive, SharePoint and Dynamics 365 services
• OVH SAS / OVHcloud — for website hosting

These sub-processors are bound to WAP by a data processing agreement compliant with article 28 of the GDPR (Data Processing Agreement), published and publicly accessible on the respective platforms of these providers.

Article 10 — Data location

Data at rest for the main services used by WAP is located in France:

• Exchange Online (mail) — France
• Microsoft Teams — France
• OneDrive — France
• SharePoint — France
• Dynamics 365 — WAP Crm PROD environment — France
• Exchange Online Protection — European Union / EFTA
• Viva Connections — European Union / EFTA

This location has been verified by WAP in the Microsoft administration interfaces (Microsoft 365 Admin Center and Power Platform Admin Center). Supporting documents may be provided on motivated request.

Article 11 — Transfers of data outside the European Union

WAP's activity is mainly export-oriented, with clients located primarily in Africa and providers in Europe and Asia. As part of this, certain data transmissions (business contact details, project documents, identity documents for administrative formalities) may be made to countries outside the European Union.

WAP does not maintain any organized primary storage outside the European Union. Transmissions are occasional and strictly limited to what is necessary for the project concerned.

11.1 Applicable legal framework

When such transfers are made to a country that does not benefit from an adequacy decision of the European Commission, they fall under the derogations provided for by article 49 of the GDPR, in particular:

• necessity for the performance of a contract between the data subject and WAP (art. 49.1.b)
• necessity for the performance of a contract concluded in the interest of the data subject (art. 49.1.c)
• explicit consent of the data subject when they themselves transmit their documents for that purpose (art. 49.1.a)

11.2 Standard Contractual Clauses

Where Standard Contractual Clauses (SCCs) adopted by the European Commission (implementing decision 2021/914 of 4 June 2021) are available through the providers concerned, WAP relies on them.

11.3 Information of data subjects

You can request communication of the safeguards implemented by contacting us via the site form indicating the subject "Personal data".

Article 12 — Retention periods

WAP does not apply automatic purging. Data retention follows a pragmatic, realistic logic aligned with actual professional needs, in line with the principles of minimization and storage limitation (article 5 of the GDPR).

• Professional contacts — as long as useful to the relationship. Deletion or update when the contact becomes manifestly obsolete (change of role, departure, decease, end of activity, prolonged absence of exchange).
• Project data — indefinite duration as long as still useful (technical reference, potential project resumption, warranty or claim obligations, documentary value). Basis: art. 5.1.e GDPR.
• Occasional data in mail — progressive deletion over time, without a uniform guaranteed period.
• Accounting documents — 10 years (article L.123-22 of the French Commercial Code).
• Tax documents — 6 years (article L.102 B of the French Tax Procedures Book).
• Cookies — duration not exceeding 13 months, in line with CNIL recommendations.

Article 13 — Data security

WAP implements technical and organizational measures appropriate to the size and nature of its activity. As such:

• access management and partitioning by role
• strong authentication on tools that support it
• workstation protection (updates, antivirus, lockout)
• structured documentary organization via SharePoint and Dynamics 365
• audit enabled on the Dynamics 365 environment with log retention for 365 days
• exclusive use of structured professional tools (Microsoft 365, Dynamics 365) for the main processing

WAP is a small organization, with no dedicated IT department. The above measures reflect operational reality and are proportionate to the risks identified within the scope handled.

Article 14 — Cookies

The site may use:

• strictly necessary cookies required for the site to function (security, consent storage, language preference) — set without prior consent in line with applicable regulations;
• depending on the services enabled, functional, analytics or marketing cookies may also be proposed.

Cookies that are not strictly necessary are subject to your choice via the banner displayed on your first visit: you may accept, refuse or configure them individually. This choice can be changed at any time via the site's settings.

WAP does not actively exploit data from non-necessary cookies. For the detailed list of cookies effectively used, see the cookies policy.

Article 15 — Profiling and automated decisions

WAP does not perform any profiling nor any wholly automated decision producing legal or significant effects in respect of data subjects, within the meaning of article 22 of the GDPR.

Article 16 — Rights of data subjects

In accordance with articles 15 to 22 of the GDPR and the Informatique et Libertés law, you have the following rights over your personal data:

• right of access (art. 15 GDPR)
• right of rectification (art. 16 GDPR)
• right to erasure, under the conditions provided for in the GDPR (art. 17 GDPR)
• right to restriction of processing (art. 18 GDPR)
• right to object, in particular for processing based on legitimate interest (art. 21 GDPR)
• right to data portability, where applicable (art. 20 GDPR)
• right to withdraw your consent at any time, with no retroactive effect
• right to set directives concerning the fate of your data after your death (art. 85 of law no. 78-17)

To exercise these rights, use the contact form on the site with the subject "Personal data" or contact us by phone on +33 9 73 26 90 30. A reply will be provided within one month from the receipt of your request, extendable by two months in the event of a complex request or a high volume of requests.

Article 17 — Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French supervisory authority.

Article 18 — Updates to the policy

This policy may be modified at any time to reflect regulatory, technical or organizational changes. The version in force is the one published on the site, with its last update date indicated at the top of the document.

Data subjects are advised to consult this policy regularly to take note of any changes.