Personal data management policy

Effective date: April 2026 | Last updated: April 2026

SuperGrid Institute places the highest importance on the protection of your personal data and the respect of your privacy. This Personal Data Management Policy (hereinafter “the Policy”) informs you, in a clear and transparent manner, of how we collect, use, store and protect your personal data, in accordance with EU Regulation 2016/679 of 27 April 2016 (GDPR) and the French Data Protection Act n° 78-17 of 6 January 1978 (“Loi Informatique et Libertés”) as amended.

This Policy applies to any person who visits our website, fills in a contact form, including to request information about our services, applies for a job, or registers for a training course.

1. Who is the data controller for my personal data?

Company name: SuperGrid Institute

Legal form: SAS

Registered office: 23 rue Cyprian, 69100 Villeurbanne, France

Company registration RCS: Lyon n°799 482 153

Website: https://www.supergrid-institute.com

General contact: contact@supergrid-institute.com

2. How can I contact the Data Protection Officer (DPO)?

We have appointed a Data Protection Officer (DPO) responsible for ensuring compliance with data protection regulations. You may contact the DPO for any question relating to the processing of your personal data:

E-mail address: dpo@supergrid-institute.com

Postal address:

SuperGrid Institute
Att: DPO
23 rue Cyprian
69100 Villeurbanne, France

3. What personal data do you collect?

The personal data we collect varies depending on the nature of your interaction with our website. In general, we collect the personal data that you provide via the forms you complete and submit on the website: https://www.supergrid-institute.com. The categories of data collected are as follows:

3.1 Generic contact form
When you use our general contact form:

  • First name and last name
  • E-mail address
  • Phone number
  • Company / organisation name
  • Job title / function
  • Subject and content of your message

3.2 Service-specific contact form
When you express interest in one of our services (testing, expertise, training, innovation, etc.):

  • First name and last name
  • E-mail address
  • Phone number
  • Company name
  • Job title / function
  • Description of your need or project (message content)

3.3 Training registration (in-person or e-learning)
When you register for one of our training courses (in-person or via our e-learning platform):

  • First name and last name
  • E-mail address
  • Company / organisation name and address
  • Selected training(s), session and chosen modalities
  • Comment (message content)

3.4 Job application
When you apply for a job posted on our website:

  • First name and last name
  • E-mail address
  • Phone number
  • Curriculum vitae (CV / résumé)
  • Cover letter
  • Any other information you choose to provide in your application

3.5 Website browsing
When you browse our website, we automatically collect:

⚠️ We do not collect ‘special categories’ of personal data as defined under Article 9 of the GDPR (data revealing racial or ethnic origin, political opinions, religious beliefs, health data, etc.).

4. On what legal basis do you process my personal data?

In accordance with Article 6 of the GDPR, every processing of personal data is based on one of the following legal grounds:

Context / Form Applicable legal basis GDPR Article
Website browsing Legitimate interest (security, site improvement, audience analytics) / Consent (non-essential cookies) Art. 6(1)(f) / Art. 6(1)(a)
Generic contact form Legitimate interest (responding to your request) / Consent (commercial follow-up & newsletter) Art. 6(1)(f) / Art. 6(1)(a)
Service-specific form Legitimate interest (processing commercial request) / Consent (commercial follow-up & newsletter) Art. 6(1)(f) / Art. 6(1)(a)
Job application Pre-contractual measures at the request of the data subject / Legitimate interest Art. 6(1)(b) / Art. 6(1)(f)
Training registration Performance of a contract / Consent (commercial follow-up & newsletter) Art. 6(1)(b) / Art. 6(1)(a)
Subscription to the newsletter Explicit consent of the data subject Art. 6(1)(a)

Where processing is based on your consent, you are free to withdraw it at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.

5. For what purposes do you use my personal data?

Your personal data is processed exclusively for the following purposes:
5.1 Managing contact requests

  • Processing your enquiry and providing an appropriate response
  • Managing the relationship with you, in our legitimate interest
  • Recording your details in our CRM to manage the client relationship
  • Offering you our services that may be of interest to you; or our newsletter

5.2 Business development and client relations

  • Contacting you to present our new services, publications or events
  • Sending you our external newsletter
  • Managing your specific service requests (testing, expertise, R&D, etc.)
  • Centralising and managing your contact details and our exchange history
  • Following up on your requests and respond to them efficiently

You may withdraw your consent to marketing communications at any time by:

  • Clicking the “Unsubscribe” link our newsletter e-mails
  • Contacting our DPO directly at the address mentioned in Article 2
  • Exercising your right to object (see Article 9)

Withdrawal of your consent does not affect the lawfulness of processing carried out prior to such withdrawal. It does not mean the immediate deletion of your contact record, unless you also exercise your right to erasure (see Article 9).

5.3 Recruitment

  • Reviewing your application in response to a posted job offer or unsolicited application
  • Organising interviews and assessing skills

5.4 Training management

  • Processing your registration for an in-person or online training course
  • Sending you practical information regarding the training
  • Issuing certificates of participation or completion
  • Improving our educational offering based on participant feedback
  • Managing invoicing and associated accounting obligations

5.5 Website navigation

  • Ensure the website functions properly
  • Analyse visitor data and improve the user experience
  • Ensure the security of the website and detect any fraudulent activity
  • For more information, please read our cookie policy

6. Who within SuperGrid Institute receives my data?

Access to your personal data is strictly limited to those who need it as part of their role:

  • Sales and marketing teams: for managing contact requests and prospects
  • Human resources team: for processing applications
  • Training team: for managing registrations and educational follow-up
  • Senior management and DPO: for oversight and compliance purposes
  • Technical and IT teams: for system maintenance and operation

All staff members with access to your personal data are bound by a confidentiality obligation.

7. Is my data shared with third parties or transferred outside the EU?

SuperGrid Institute may engage technical third-party service providers (processors within the meaning of the GDPR) for the hosting, maintenance or operation of digital tools. These processors act solely on SuperGrid Institute’s instructions and are bound by contractual confidentiality and security obligations in line with the GDPR.

We never sell, rent or otherwise transfer your personal data to third parties for commercial purposes.
As a general rule, your personal data is processed and stored within the European Union or the European Economic Area (EEA).

8. How long do you retain my personal data?

Your personal data is retained for as long as strictly necessary for the purposes for which it was collected, in compliance with applicable legal and regulatory obligations:

Data category / Processing Active retention period Intermediate archiving
Contact form data (generic or service) 3 years from last contact
Job application 2 years from last contact (except other agreement with the candidate) Not applicable
Training registration (contractual data) 5 years from end of training (on site)

Or 2 years after your last connection to the e-learning platform

 10 years (accounting obligations)
Newsletter (active subscribers) Until unsubscription or withdrawal of consent 1 year after unsubscription (then deletion)

9. What are my rights and how can I exercise them?

Under the GDPR and the French Data Protection Act, you have the following rights over your personal data:

  • Right of access (Art. 15): you may obtain confirmation that we are processing your data and receive a copy of it.
  • Right to rectification (Art. 16): you may request the correction of inaccurate or incomplete data about you.
  • Right to erasure (Art. 17): you may request the deletion of your data, subject to our legal retention obligations.
  • Right to restriction of processing (Art. 18): you may request the temporary suspension of the processing of your data in certain circumstances provided for by the GDPR.
  • Right to data portability (Art. 20): you may retrieve your data in a structured, machine-readable format (applicable to automated processing based on contract or consent).
  • Right to object (Art. 21): you may object to the processing of your data based on legitimate interest, in particular for direct marketing purposes.
  • Right to withdraw consent (Art. 7): you may withdraw your consent at any time where processing is based on it, without prejudice to prior processing.
  • Right to give post-mortem instructions (Art. 85 French DPA): you may define directives relating to the fate of your data after your death.

How to exercise your rights?
To exercise any of these rights or if you have any question on the personal data processing at SuperGrid Institute, you may:

  • Contact our DPO by e-mail at: dpo@supergrid-institute.com
  • Send a letter to:

SuperGrid Institute
Att: DPO
23 rue Cyprian
69100 Villeurbanne, France

For any further information or complaints, for example if you consider that your rights are not being respected, or that the processing of your data infringes your privacy, you have the right to lodge a complaint with the competent supervisory authority. In France, this is the Commission Nationale de l’Informatique et des Libertés (CNIL), more information at www.cnil.fr.

This Policy is governed by French law, to the exclusion of any conflict-of-laws rules.

10. What is your cookie policy?

When you browse our website, cookies and trackers may be placed on your device. Some are strictly necessary for the operation of the website and do not require your consent. Others (analytics, personalisation or targeting cookies) are only activated with your prior agreement.

You may manage your cookie preferences at any time via the cookie management banner on our website, or by directly configuring your browser settings.

For more information, please read our cookie policy.

11. What is your policy in the event of a personal data breach?

In the event of a personal data breach, in accordance with Articles 33 and 34 of the GDPR, SuperGrid Institute undertakes to minimise the risks and to report any breach to the CNIL within a maximum of seventy-two (72) hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of a natural person, SuperGrid Institute undertakes to inform the person(s) as soon as possible, describing the nature of the breach, its potential consequences and the measures taken or proposed to address it.

SuperGrid Institute also documents any personal data breach, including the facts, its effects and the corrective measures taken, in accordance with applicable legal obligations.

12. Can this Policy be amended?

SuperGrid Institute reserves the right to update this Policy at any time, in particular to take account of changes in regulations, our practices or our tools.

The date of the last update is indicated at the top of this Policy. We encourage you to consult it regularly.