WILL data protection policy
Last update: April 2025
1. Presentation of the company
WILL, represented by Pierre Fournier (President and Data Protection Officer), is a human-sized company specializing in management training and personal development through a web application. We are currently a team of two employees, supported by an independent IT service provider, Robin Fourratier.
2. General commitment
WILL is committed to complying with the provisions of the General Data Protection Regulation (GDPR) and guaranteeing confidentiality, security and transparency in the processing of its users' personal data.
We adopt a reasoned approach proportionate to our size and risks, while implementing the best practices available at our level.
3. Data collected
a. Basic personal data
When users create an account on our https://app.will-agent.com application, we collect:
- Last name, first name
- Email address
- Password (encrypted)
- Organization (company, group)
This data is required for secure access to the user's personal space.
b. Sensitive data (professional behavior)
When using the WILL method, users may be asked to:
- Complete exercises relating to their managerial posture
- Describe professional situations
- Record personal reflections or assessments
This data is potentially sensitive, as it relates to professional experience. It is entered voluntarily by users and is not subject to any automated analysis or profiling.
4. Data security
- Data is hosted in a secure environment with password authentication.
- Access is restricted to authorized persons (employees and IT service provider only if required for maintenance).
- All exchanges are HTTPS encrypted.
- No sensitive data is stored in cleartext.
5. Retention period
- Accounts that have been inactive for more than one year will be cleaned automatically from June 2025.
- Users may request deletion of their account at any time via contact@will-agent.com.
6. Subcontractors and service providers
We work with the following service providers, all GDPR-compliant and based in the European Union or with Privacy Shield certification (or equivalent) if based outside the EU:
Purpose | Service provider | Data concerned |
CRM | Pipedrive | Customer contacts (B2B) |
Relationship emailing | Mailchimp | Email, first name |
Transactional emailing | Sendgrid | Email, technical ID |
Web application (frontend) | Bubble | User session data |
Training center management | Dendréo | Participants, certificates, e-signature, replays |
7. User rights
Each user has:
- Right of access to his/her data
- Right of rectification
- Right to object
- Right to limitation
- Right to erasure
Requests can be sent to: will@will-agent.com or via the contact form.
Each request is:
- acknowledged within 48 hours
- analyzed within a maximum of one month (in compliance with the GDPR),
- and processed manually with the support of our IT service provider Robin Fourratier if necessary (e.g. account deletion or data extraction).
The actions carried out are traced in a request tracking register, which we maintain internally for compliance purposes.
8. Data controller / DPO
The data controller is: Pierre Fournier
Chairman and DPO
contact@will-agent.com
9. Changes to the policy
This policy may be updated at any time. Users will be informed by email or directly via the application in the event of substantial modification.
Appendix 1: Simplified data processing register
As a company with fewer than 250 employees, we are not required to keep an exhaustive data processing register, except in the case of sensitive or non-occasional processing.
However, as part of our approach to GDPR compliance, we keep a simplified register of processing carried out as part of our services, particularly for our https://app.will-agent.com application, which may involve sensitive data (behavior at work).
This register lists:
- The purposes of the processing operations (educational exercises, user monitoring)
- The categories of data concerned
- Security measures in place
- Retention periods
- Subcontractors involved (Bubble, Dendréo, Mailchimp, etc.).
Processing name | Purpose | Data categories | Legal basis | Retention period | Subcontractors |
User account management | Access to WILL application and educational content | Last name, first name, email, password (encrypted) | Contract / consent | 1 year after last activity | Bubble, Sendgrid |
Pedagogical exercises and self-assessments | Personalized management support | Content voluntarily entered by the user (behavior, thoughts) | Explicit consent | 1 year after last activity | Bubble |
Sending emails (transactional and relational) | Usage notifications, reminders, educational content | Email, first name, technical identifier | Legitimate interest / contract | Duration of user relationship | Mailchimp, Sendgrid |
Administrative management of training courses | Management of registrations, signatures, certificates | Name, email, attendance, signatures, replays | Legal obligation / contract | 5 years (legal archiving of training courses) | Dendréo |
B2B sales follow-up | Prospecting and follow-up of corporate customers | Surname, first name, professional e-mail address, job title | Legitimate interest | 3 years after last contact | Pipedrive |
Appendix 2: Privacy by design
As a small organization (2 employees), we have not set up a formalized and systematic Privacy by Design / by Default compliance analysis process such as may exist in large organizations.
However, we apply these principles right from the design stage of our processing operations, taking into account their purpose and potential sensitivity, and systematically limiting:
- the quantity of data collected (minimization),
- the duration of storage (automatic cleaning after 12 months of inactivity),
- recipients (access strictly restricted to in-house teams and IT service providers),
- visibility (no data exposed without authentication).
For example:
- Our https://app.will-agent.com web application requires authentication to access any personal or sensitive data.
- Potentially sensitive data (linked to work behaviors) is entered voluntarily by the user and is not visible by default to the support team.
- Functionality development is systematically evaluated with our service provider (Robin Fourratier) from the point of view of security and confidentiality.
We document these considerations on an ongoing basis in our simplified processing register and in our exchanges with our service provider. An annual review process is planned.
Appendix 3: Management of incidents and data breaches
We have put in place a proportionate data incident and breach management process, adapted to the size of our organization.
This process is based on the following principles:
1. Detection and reporting
Any incident or suspected security breach is immediately reported by our IT service provider (Robin Fourratier) or by a team member to our DPO (Pierre Fournier).
2. Qualification of the incident
The DPO analyzes the facts to determine whether the incident is:
- a simple, non-critical bug,
- or a personal data breach within the meaning of the GDPR.
3. Notification (if necessary)
In the event of a risk to the rights and freedoms of the persons concerned, a notification:
- is made to the CNIL within 72 hours, if necessary,
- and to the persons concerned, in a clear and transparent manner.
4. Traceability and improvement
- Every incident is recorded in an internal register.
- Corrective measures are defined with our service provider to avoid recurrence.
To date, we have never experienced a data breach requiring notification. However, we have tested this process internally to ensure its responsiveness.
Appendix 4: Data retention policy
We have implemented a data retention policy adapted to our activities and the nature of the data processed.
Retention periods:
- Inactive accounts: automatic purge after 12 months of inactivity (implemented in 2025).
- Training data: retained for 5 years, in accordance with our legal obligations (via Dendréo).
- Sales data (CRM): retained 3 years after last active contact.
For information, sales data is managed via Pipedrive, which does not natively offer automatic purging by date of inactivity.
However, we have put in place an internal policy of annual cleansing, combined with customized filters, to identify contacts with no activity for 3 years. These contacts can be:
- manually deleted en masse,
- or anonymized via export/processing.
We are also able to automate this process via a Make or Zapier scenario if required by a client.
Purging mechanisms:
- ✅ Automatic: via a rule programmed into our app for inactive accounts.
- ✅ Manual: possible at any time by our DPO or IT provider at the request of the user or customer.
- ✅ On demand / mass: processing possible on specific request (e.g. batch of accounts to be anonymized or deleted).
- 🛡️ Anonymization:
  - Manual anonymization is possible for pedagogical feedback or statistical exports, on request.
  - We do not yet have a large-scale automatic anonymization mechanism, but this option could be considered as part of a specific collaboration.
Customized retention periods:
Retention periods can be adjusted by a client, within reason, particularly for shorter periods or anonymization on expiry.