WILL data protection policy

Last update: April 2025

1. Presentation of the company

WILL, represented by Pierre Fournier (President and Data Protection Officer), is a human-sized company specializing in management training and personal development through a web application. We are currently a team of two employees, supported by an independent IT service provider, Robin Fourratier.

2. General commitment

WILL is committed to complying with the provisions of the General Data Protection Regulation (GDPR) and guaranteeing confidentiality, security and transparency in the processing of its users' personal data.

We adopt a reasoned approach proportionate to our size and risks, while implementing the best practices available at our level.

3. Data collected

a. Basic personal data

When users create an account on our https://app.will-agent.com application , we collect :

• Last name, first name
• Email address
• Password (encrypted)
• Organization (company, group)

This data is required for secure access to the user's personal space.

b. Sensitive data (professional behavior)

When using the WILL method, users may be asked to :

• Complete exercises relating to their managerial posture
• Describe professional situations
• Record personal reflections or assessments

This data is potentially sensitive, as it relates to professional experience. They are entered voluntarily by users and are not subject to any automated analysis or profiling.

4. Data security

• Data is hosted in a secure environment with password authentication.
• Access is restricted to authorized persons (employees and IT service provider only if required for maintenance).
• All exchanges are HTTPS encrypted.
• No sensitive data is stored in cleartext.

5. Retention period

• Accounts that have been inactive for more than one year will be cleaned automatically from June 2025.
• Users may request deletion of their account at any time via contact@will-agent.com.

6. Subcontractors and service providers

We work with the following service providers, all RGPD-compliant and based in the European Union or with Privacy Shield certification (or equivalent) if based outside the EU:

7. User rights

Each user has :

• Right of access to his/her data
• Right of rectification
• Right to object
• Right to limitation
• Right to erasure

Requests can be sent to: will@will-agent.com or via the contact form.

Each request is :

• acknowledged within 48 hours
• analyzed within a maximum of one month (in compliance with the RGPD),
• and processed manually with the support of our IT service provider Robin Fourratier if necessary (e.g. account deletion or data extraction).

The actions carried out are traced in a request tracking register, which we maintain internally for compliance purposes.

8. Data controller / DPO

The data controller is:Pierre Fournier

Chairman and DPO

contact@will-agent.com

9. Changes to the policy

This policy may be updated at any time. Users will be informed by email or directly via the application in the event of substantial modification.

Appendix 1: Simplified data processing register

As a company with fewer than 250 employees, we are not required to keep an exhaustive data processing register, except in the case of sensitive or non-occasional processing.

However, as part of our approach to RGPD compliance, we keep a simplified register of processing carried out as part of our services, particularly for our https://app.will-agent.com application , which may involve sensitive data (behavior at work).

This register lists:

• The purposes of the processing operations (educational exercises, user monitoring)
• The categories of data concerned
• Security measures in place
• Retention periods
• Subcontractors involved (Bubble, Dendréo, Mailchimp, etc.).

Appendix 2: Privacy by design

As a small organization (2 employees), we have not set up a formalized and systematic Privacy by Design / by Default compliance analysis process such as may exist in large organizations.

However, we apply these principles right from the design stage of our processing operations, taking into account their purpose and potential sensitivity, and systematically limiting :

• the quantity of data collected (minimization),
• the duration of storage (automatic cleaning after 12 months of inactivity),
• recipients (access strictly restricted to in-house teams and IT service providers),
• visibility (no data exposed without authentication).

For example:

• Our https://app.will-agent.com web application requires authentication to access any personal or sensitive data.
• Potentially sensitive data (linked to work behaviors) is entered voluntarily by the user and is not visible by default to the support team.
• Functionality development is systematically evaluated with our service provider (Robin Fourratier) from the point of view of security and confidentiality.

We document these considerations on an ongoing basis in our simplified processing register and in our exchanges with our service provider. An annual review process is planned.

Appendix 3: Management of incidents and data breaches

We have put in place a proportionate data incident and breach management process, adapted to the size of our organization.

This process is based on the following principles:

1. Detection and reporting

Any incident or suspected security breach is immediately reported by our IT service provider (Robin Fourratier) or by a team member to our DPO (Pierre Fournier).

2. Qualification of the incident

The DPO analyzes the facts to determine whether the incident is :

• a simple, non-critical bug,
• or a personal data breach within the meaning of the RGPD.

3. Notification (if necessary)

In the event of a risk to the rights and freedoms of the persons concerned, a notification :

• is made to the CNIL within 72 hours, if necessary,
• and to the persons concerned, in a clear and transparent manner.

4. Traceability and improvement

• Every incident is recorded in an internal register.
• Corrective measures are defined with our service provider to avoid recurrence.

To date, we have never experienced a data breach requiring notification. However, we have tested this process internally to ensure its responsiveness.

Appendix 4: Data retention policy

We have implemented a data retention policy adapted to our activities and the nature of the data processed.

Retention periods:

• Inactive accounts: automatic purge after 12 months of inactivity (implemented in 2025).
• Training data: retained for 5 years, in accordance with our legal obligations (via Dendréo).
• Sales data (CRM): retained 3 years after last active contact.

For information, sales data is managed via Pipedrive, which does not natively offer automatic purging by date of inactivity.

However, we have put in place an internal policy of annual cleansing, combined with customized filters, to identify contacts with no activity for 3 years. These contacts can be :

• manually deleted en masse,
• or anonymized via export/processing.

We are also able to automate this process via a Make or Zapier scenario if required by a client.

Purging mechanisms:

• ✅ Automatic: via a rule programmed into our app for inactive accounts.
• ✅ Manual: possible at any time by our DPO or IT provider at the request of the user or customer.
• ✅ O n demand / mass: processing possible on specific request (e.g. batch of accounts to be anonymized or deleted).
• 🛡️ Anonymization:
• Manual anonymization is possible for pedagogical feedback or statistical exports, on request.
• We do not yet have a large-scale automatic anonymization mechanism, but this option could be considered as part of a specific collaboration.

Customized retention periods:

Retention periods can be adjusted by a client, within reason, particularly for shorter periods or anonymization on expiry.