Version 1.0 · Last updated January 5, 2026

Privacy Policy

The company MEDALTIK, a simplified joint-stock company (SASU) registered with the Trade and Companies Register of Besançon, FRANCE under number 995 319 761 (hereinafter "MEDALTIK") is committed to protecting the personal data of users of the MYBOXSCANNER platform in the course of their professional activity (hereinafter the "Platform").

In the context of using the Platform, MEDALTIK may process personal data.

MEDALTIK, in its capacity as data controller and processor, undertakes to protect the data collected and processed in compliance with the applicable regulations and in particular Regulation (EU) No. 2016/679 of April 27, 2016 known as the "General Data Protection Regulation" or "GDPR", and Law No. 78-17 of January 6, 1978 known as the "Data Protection Act" as amended (hereinafter referred to as the "Applicable Regulations").

This document constitutes the personal data protection policy implemented by MEDALTIK and aims to inform the user of the Platform about the commitments and practical measures taken to ensure compliance with and protection of personal data (hereinafter referred to as "Policy").

For any questions about this policy, you can contact MEDALTIK:

Definitions

The words and expressions used in this Policy have the meaning given to them by the Applicable Regulations, whether used in the singular or plural:

  • Personal Data: refers to any information relating to a directly or indirectly identified or identifiable natural person;
  • Data Subject: refers to an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity;

In practice, this will be the user of the Platform ("User").

  • Data Controller: refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing;
  • Processor: refers to a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;
  • Processing: refers to any operation or set of operations which is performed on data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Capitalized terms not defined in this policy have the meaning given to them in MEDALTIK's General Terms of Use.

Personal Data Collected and Purposes of Processing

MEDALTIK may process the following Personal Data on the basis of the consent of the Data Subject (Art. 6.1.a GDPR), for the needs of its activity and the performance of a contract (Art. 6.1.b GDPR) and in the context of its role as processor:

  • For the purpose of creating and managing the User's account, in their capacity as a MEDALTIK customer - performance of a contract:
    • Email address,
    • Username and password,
  • For the purpose of monitoring the User's activity when linked to a MEDALTIK customer, i.e. when invited by the latter to use the Platform in the course of their professional activity - processing:
    • First and last name,
    • Email address,
    • Any data related to the scanning of Products by the User.

In this case, Personal Data is stored in encrypted form.

  • For the purpose of sending to the User, in their capacity as a MEDALTIK customer, non-personal data resulting from the scanning of Products by Users (such as trends of scanned products, scan dates or names of scanned Products) - performance of a contract:
    • Email address
  • For the purpose of contacting the User on the Platform at the request of the User who wishes to report an anomaly - consent:
    • Email address,
    • Any other Personal Data that may be communicated to MEDALTIK in the context of reporting and processing the anomaly.

Outside of the above cases, the use of the Platform does not require the creation of an account or the communication of Personal Data.

The User is simply invited to indicate the country and region in which they carry out their professional activity. When this information is not associated with other data enabling their identification, it does not constitute Personal Data because it is impossible for MEDALTIK to directly or indirectly identify the User.

Similarly, data resulting from Product scans performed by the User and used by MEDALTIK to establish statistics, including on trends of scanned Products, scan dates and number of scanned Products, are not considered Personal Data because it is impossible for MEDALTIK to directly or indirectly identify the User.

When Personal Data processing is subject to the consent of the Data Subject, no processing is carried out by MEDALTIK without the prior consent of the Data Subject. The refusal of the Data Subject to the processing of certain of their Personal Data may result in an inability to access certain services offered by the Platform and subject thereto.

The information provided by the Data Subject must be accurate and up to date. The Data Subject is invited to inform MEDALTIK in the event that their Personal Data needs to be updated.

The Data Subject is informed that the Platform is not hosted by an HDS-certified provider (health data host). Consequently, no Personal Health Data is processed by the Platform. The User must therefore ensure that the information they enter does not contain Personal Health Data.

Retention Period

MEDALTIK only retains the Personal Data of Data Subjects for the time necessary for the operations for which they were collected and in compliance with the Applicable Regulations.

In its capacity as data controller:

The Personal Data of the Data Subject processed by MEDALTIK is retained for the duration of the contractual relationship with the customer, then archived for five (5) years. It is then destroyed without retention of copies.

Any billing Personal Data that may be associated with the customer's account is retained for ten (10) years.

Information processed by MEDALTIK in the context of reporting an anomaly is retained for a period of two (2) years from the date of the last exchange.

Recipients

Within the framework of a strict access management and confidentiality policy, only recipients duly authorized by MEDALTIK may access the information that the Data Subject may have communicated.

Internal Recipients

The Personal Data collected may be used by MEDALTIK staff. This staff may only access the Personal Data that concerns them.

Processors and External Service Providers

The Personal Data collected may also be transmitted to MEDALTIK's Processors and service providers, within the limits provided by the Applicable Regulations and in accordance with this Policy, in particular for the purpose of guaranteeing an optimal experience for Data Subjects in the context of using the Platform.

These Processors may process this Personal Data on behalf of the Data Subject, according to their instructions, in particular in the context of the management and hosting of the Platform, security, or in the context of statistics and surveys.

| Processor Identity | Capacity |
| --- | --- |
| LARAVEL CLOUD | Publisher and maintainer of the Platform |
| AMAZON WEB SERVICES | Host of the Platform |
| PUSHER | Notification service |

Third Parties Authorized by Law, such as Judicial or Administrative Authorities

MEDALTIK may share with third parties, other than those identified, anonymized or aggregated data for statistical purposes, without it being possible for these third parties to identify the Data Subject in any way.

Transfer and Hosting of Personal Data

In order to deliver and guarantee optimal quality of service on the Platform, MEDALTIK may need to transfer Personal Data outside the territory of the European Union.

In this case, MEDALTIK guarantees that said transfers are executed to States that are subject to an adequacy decision by the European Commission, demonstrating an adequate level of protection within the meaning of Article 45 of the GDPR.

In the absence of an adequacy decision, MEDALTIK may transfer Personal Data outside the European Union to Processors under the conditions provided for in Article 46 of the GDPR, in particular through the use of standard contractual clauses approved by the European Commission.

Security Measures Implemented

MEDALTIK undertakes to ensure the security and integrity of the Personal Data of the Data Subject.

To this end, MEDALTIK implements and maintains technical and organizational security measures for the Platform and its information system appropriate to the nature of the Personal Data and the risks presented by their processing.

These measures aim to:

  • protect the Personal Data of the Data Subject against their destruction, loss, alteration, disclosure to unauthorized third parties,
  • ensure the restoration of the availability of the Personal Data of the Data Subject and access thereto within appropriate timeframes in the event of a physical or technical incident.

The servers hosting the Personal Data of the Data Subject are protected against physical (by access control) and logical (Firewalls) malicious acts.

Rights of the Data Subject

In accordance with the Applicable Regulations, the Data Subject may exercise at any time their rights of access, rectification, portability and deletion of the Personal Data concerning them, as well as rights of restriction or opposition to the Processing, by contacting MEDALTIK via the following email address: myboxscanner@medaltik.com.

The Data Subject also has the right to lodge a complaint with any competent supervisory authority, such as the CNIL (https://www.cnil.fr/fr/plaintes), if they consider that a Processing of their Personal Data infringes the requirements of the Applicable Regulations.

MEDALTIK reserves the right to request any information from the Data Subject before providing the elements relating to their request, and in particular: their email address, proof of identity and/or the encrypted identifier associated with their account where applicable, the subject of their request.

MEDALTIK is required to respond to the Data Subject within a maximum period of thirty (30) days, except in the case where a large number of requests are made simultaneously, or when the search for information requires additional time.

Cookie Management

A cookie is a text file that may be stored on the computer, tablet or smartphone of an internet user, when consulting and using a website.

MEDALTIK does not use cookies on the Platform.

Modification of the Policy

This Policy may be modified depending on the development of the Platform and the services offered by MEDALTIK, but also in the event of changes in legislation, case law, CNIL decisions and recommendations, or usage.

The applicable version of the Privacy Policy is the one in force on the day of use of the Platform by the User.