Personal data protection policy

PERSONAL DATA PROTECTION POLICY

 

The intuis group (the “Group”) specialises in thermal comfort and designs and manufactures thermal equipment (heating, cooling, domestic hot water) for sustainable buildings (residential, commercial and industrial).

Muller Services (“Muller Services”) is one of the Group entities (the “Entities”) and produces radiators, air-to-air and air-to-water heat pumps, thermodynamic water heaters, pulsating-combustion boilers, 4-in-1 systems and solar systems.

The mobile applications or websites and corresponding sub-domains accessible at the following addresses (the “Service(s)”) are published by Muller Services to provide information about the Group’s product and service offerings and under the processing responsibility of Muller Services:

Intuis website: https://www.intuis.fr
Auer website: https://www.auer.fr/
Campa website: https://campa.fr/
Muller Intuitiv website: https://www.muller-intuitiv.com/
Noirot website: https://www.noirot.fr/
France Energie website: https://www.france-energie.fr/
Intuis Services Pro mobile application.
In addition to Muller Services, the data controllers listed below differ depending on the relevant Service or off-Service activities:

For the Intuis website and the Intuis Services Pro mobile application:
MULLER SERVICES, a simplified joint stock company (SAS) with share capital of €800,000, registered in the Trade and Companies Register under number 394 885 990 RCS Nanterre, with registered office at 28 rue de Verdun – 92150 Suresnes, France.
For the Auer website:
SOCIETE INDUSTRIELLE AUER, a simplified joint stock company (SAS) with share capital of €5,280,000, registered in the Trade and Companies Register under number 722 041 845 RCS Nanterre, with registered office at 28 rue de Verdun – 92150 Suresnes, France.
For the Campa, Noirot and Muller-Intuitiv websites:
MULLER INTUITIV, a single-member simplified joint stock company (SASU) with share capital of €16,422,181, registered in the Trade and Companies Register under number 334 981 958 RCS Nanterre, with registered office at 28 rue de Verdun – 92150 Suresnes, France.
For the France Energie website:
FRANCE ENERGIE ET CIE, a simplified joint stock company (SAS) with share capital of €112,000, registered in the Trade and Companies Register under number 342 366 085 RCS Laval, with registered office at Parc d'Activités des Morandières, Rue Copernic – 53810 Changé-les-Laval, France.
For activities outside the Services:
All the entities listed above, as well as
SOCIETE MULLER ET COMPAGNIE, a public limited company with a board of directors (SA) with share capital of €12,250,752, registered in the Nanterre Trade and Companies Register under number 602 053 761, with registered office at 28 rue de Verdun – 92150 Suresnes, France, represented by its legal representative domiciled for this purpose at the said registered office.
This personal data protection policy (the “Policy”) describes how Muller Services or these other Entities (“we”, “us”, “our”) process the personal data of users of the Services, or personal data that the Entities collect directly or indirectly (“Users”, “you”, “your”) via the Services and/or outside the Services (for example, during offline activities).

Respect for your privacy and your personal data is a priority for us. We undertake to process your data in compliance with French Law No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties as amended, Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”), and the related CNIL standards and recommendations (together, the “Applicable Regulations”).

 
Article 1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
Muller Services, or the other relevant Entity, acts as data controller for all Users’ personal data it collects via the Service(s). In addition, each Entity may act as data controller for all Users’ personal data it collects itself, via another Entity, or via third parties, outside the Services (for example, for the performance of a contract with you as a supplier or customer, for messages sent to you, or for marketing activities conducted by that Entity or another Entity).

For more information about the different Entities acting as data controllers and their contact details (each a “Data Controller”), please consult each of the following links:

https://www.intuis.fr
https://www.auer.fr/
https://campa.fr/
https://www.muller-intuitiv.com/
https://www.noirot.fr/
https://www.france-energie.fr/
If you wish to exercise any of your rights under the Applicable Regulations, as set out in Article 6 of this Policy, you may contact the Data Controller using one of the methods below, specifying your identity and the precise subject of your request (proof of identity may be requested where there is doubt as to the requester’s identity).

For any question regarding the use of your personal data and your rights, you can contact the Data Controller using one of the following methods, depending on the Entity concerned:

By email (all Entities): dpo@groupe-intuis.fr (to optimise handling of your request, please specify the Entity and, where applicable, the relevant Service or other activity).
By post, depending on the Data Controller for your data (according to the relevant Service or for processing outside the Services):

MULLER SERVICES, 28 rue de Verdun – 92150 Suresnes, France
SOCIETE INDUSTRIELLE AUER, 28 rue de Verdun – 92150 Suresnes, France
MULLER INTUITIV, 28 rue de Verdun – 92150 Suresnes, France
FRANCE ENERGIE ET CIE, Parc d'Activités des Morandières, Rue Copernic – 53810 Changé-les-Laval, France
SOCIETE MULLER ET COMPAGNIE, 28 rue de Verdun – 92150 Suresnes, France
 
Article 2. DATA COLLECTED
In the course of its processing activities, the Data Controller may collect your personal data, notably during professional meetings, dealings, partnerships, applications, commercial operations, when you visit the Data Controller’s premises, when you use a Service (including when you complete a contact form), when handling a request you send to the Data Controller, or when you exercise your rights under the Applicable Regulations.

Such data includes:

Identification data (surname, given name(s), IP address, date of birth, unique GUID generated by the Data Controller’s information system to identify certain data flows relating to you, and, where applicable, SIRET number);
Contact details (postal address(es), email address(es), telephone number(s), etc.);
Professional data (your occupation, your interest in a partnership or investment, the company for which you work or that you represent, your professional registration number where applicable, your SIRET and VAT numbers, the SIRET number of the company for which you work or that you represent, etc.);
Login and browsing data, including notably:

Cookies and the visitor cookie identifier (e.g., Google Analytics or Matomo “client ID”);
Your IP address;
Information on your browser and operating system (user-agent, screen size, language);
The domain name or URL of each site page you visit;
The page referrer where applicable;
Optionally, a user ID assigned by the site publisher;
Event/activity information (e.g., “page view” or order information);
Geolocation of your IP address by Google and within the site form to find the nearest installer, after your consent;
Data arising from your use of one of our Services, obtained notably from scripts, pixels and/or redirects from third-party sites. These technologies enable our service providers to collect certain information such as your browser type and the web page that referred you to our Services. These third-party providers process the information they collect notably for security, audit, statistics and research purposes, and to report, where necessary, information on our Services or in connection with advertisements viewed thereon. We do not share your identification data with these third parties.
Your selection of topics relating to the Group’s activities when you choose to share such information with the Data Controller;
The content of any message you send via a Service contact form or otherwise;
Bank details (IBAN, card identifiers);
Data relating to goods or services subscribed to with, or marketed by, an Entity (e.g., energy consumption, equipment operation, invoicing data, payment of invoices, customer relationship follow-up, posted reviews, handling of complaints, etc.).
In no event may the Data Controller be held liable for any breach of the Policy by the User or by a third party that is not a processor of the Data Controller.

 
Article 3. PURPOSES AND LEGAL BASES OF PROCESSING
3.1. Necessity of data collection
When you use the Service, complete a contact form, enter into a contractual/professional or user relationship with the Data Controller or another Entity, apply for a position with the Data Controller, or visit its premises, you may be required to provide certain personal data (enabling you to be identified directly or indirectly). If you do not provide the requested information, you may not be able to access certain parts or features of the Service, or certain other activities of the Data Controller (e.g., recruitment).

Whether the requested personal data is mandatory or optional is specified at the time of collection.

3.2. Processing purposes and corresponding legal bases
Users’ personal data are collected for specific, explicit and legitimate purposes. Depending on the case, personal data may be used for the following purposes:

Managing your membership of any loyalty programmes (consent or performance/ preparation of the loyalty contract and management of your account and associated benefits);
Managing your participation in any competitions (consent or performance of the participation contract and management of your account and associated benefits);
Creating and administering your account when using a Service and ensuring the Service’s optimised, secure operation and continuous improvement (consent or legitimate interests of Muller Services to ensure optimal operation and quality, including usage statistics and security measures);
Creating and administering your account for activities outside the Services and ensuring optimised, secure operation and continuous improvement of that activity (consent or legitimate interests of the Data Controller as above);
Responding to your requests for information or content (consent as evidenced by sending your request);
Conducting statistical analyses, studies and other promotional actions (legitimate interests of the Data Controller to best promote its activities, or consent where required by the Applicable Regulations). Where your connection data are used, they will be anonymised before being retained for statistical purposes. [DGFLA1]
Providing information about the Data Controller or another Entity, or about their activities, products and services or their partners, and promoting them (legitimate interests or consent where required);
Carrying out commercial operations, including with partners, relating to the sale and use of products and services marketed by any Group Entity and/or such partners, in collaboration with an Entity (legitimate interests to promote and improve quality, or consent where required);
Managing relationships with customers, partners or suppliers (performance of pre-contractual steps or a contract for independent counterparties, or legitimate interests/consent; for legal representatives or other natural persons acting on behalf of such counterparties who interact with the Data Controller, legitimate interests to ensure optimal products/services, or consent). In this context, the Data Controller may notably:

Monitor your orders;
Where appropriate, put you in contact with installers or other providers/partners related to the products or services marketed by the Data Controller;
Provide after-sales service;
Managing and responding to requests to exercise your rights (legal obligation);
Enabling detection of potential abusive or fraudulent activity on the Service or within another activity (legitimate interests to ensure security);
Enabling the Data Controller to comply with its legal obligations;
Managing disputes or litigation (legal obligation or, where applicable, legitimate interests to defend itself in court);
Communicating with you or welcoming you during visits to the Data Controller’s premises (consent, or legitimate interests to ensure security of premises, or contract/pre-contractual steps, or legal obligation);
Managing recruitment processes if you apply for a position (consent to take part in the selection process or legitimate interests to respond to your request).
 
Article 4. DATA RETENTION PERIOD
The Data Controller retains Users’ personal data only for the time necessary to achieve the purposes pursued, subject to lawful archiving possibilities and obligations to retain certain data (in particular, in the event of litigation or pre-litigation, or to respond to requests from competent authorities) and/or to anonymise personal data. Retention periods may vary depending on the purpose. In particular, the Data Controller applies the following periods (without prejudice to the above archiving/retention obligations unless the data are instead deleted):

Identification and contact data linked to your information requests: retained while you remain active, up to three (3) years from your last contact request.
Rights-request management: retained for the time necessary to handle the request.
Tracking tools and data collected via such tools: information stored on the User’s terminal or any other identifier enabling tracking, as well as raw traffic data associated with an identifier, are retained for a maximum of thirteen (13) months from the cookie’s placement.
IP addresses: immediately anonymised after collection for statistical purposes. [DGFLA2]
Contact form data (identity, contact details, professional data, etc.): retained for the time necessary to manage the subject of the message sent via the form.
Customer/partner/supplier relationship data: retained for three (3) years from the last contact or end of the relevant contract.
Recruitment data (candidate selection form/CVs): all CVs received are automatically deleted after two (2) yearsfrom receipt, unless you request earlier deletion. If you wish your CV to remain in the Data Controller’s database after this period, you must send your updated CV again.
 
Article 5. RECIPIENTS WITH ACCESS TO THE DATA
Your data may be disclosed only to the following recipients or categories of recipients, within the limits of their responsibilities and where transmission is strictly necessary to achieve the purposes set out in Article 3 of this Policy:

Authorised staff of the Data Controller’s marketing, administrative, legal, compliance, finance and IT departments;
Persons responsible for internal and external control missions;
Other Entities of the Group;
Installer partners of products or subcontractor providers of services marketed by an Entity, or other service providers related to such products or services;
Third-party social network providers (such as Google, LinkedIn, Facebook, Pinterest, etc.) for custom audience targeting via social media platforms;
The host for the Auer, Campa, Muller Intuitiv and France Energie websites:
UNYC, SAS with share capital of €104,925, registered office at 52 boulevard Robert Jarry – 72000 Le Mans, France, 478 041 064 RCS Le Mans, represented by its President, Adista Group, SAS with share capital of €154,923,182, registered office at 9 rue Blaise Pascal – 54320 Maxeville, France, 900 198 722 RCS Nancy.
The host for the Intuis and Noirot websites:
AMAZON WEB SERVICES EMEA SARL, a Luxembourg company with share capital of €25,000, 831 001 334 RCS Nanterre, registered office at 38 avenue John F. Kennedy – L-1855 Luxembourg, LUXEMBOURG.
We may also disclose data to respond to legal or regulatory requests, court decisions, subpoenas or legal proceedings, where required by applicable law, and where the Data Controller transfers all or part of its assets to a third-party company.

Under no circumstances does the Data Controller sell or rent your personal data to third parties for their own purposes.

 
Article 6. USERS’ RIGHTS
6.1. Your rights regarding the processing of your data
In accordance with the Applicable Regulations, and under the conditions and limits provided therein, each User has some or all of the following rights:

Right of access to obtain confirmation as to whether data concerning them are being processed and, where they are, access to such data and certain information about their processing (Art. 15 GDPR);
Right to rectification of inaccurate or incomplete data (Art. 16 GDPR);
Right to erasure of data (in the cases provided for in Art. 17 GDPR);
Right to withdraw consent (only where processing is based on consent) (Art. 7 GDPR);
Right to restriction of processing (in the cases provided for in Art. 18 GDPR);
Right to object to processing (only where processing is based on the legitimate interests of Muller Services and subject to reasons relating to the User’s particular situation) (Art. 21(1) GDPR);
Right to object to processing for direct marketing, including profiling (Art. 21(2) GDPR);
Right to data portability for data the User has provided (only where processing is based on consent; note that contract, another possible legal basis for portability, is not applicable here) (Art. 20 GDPR);
Right to define instructions regarding their data after death and to choose whether Muller Services should communicate their data to a third party previously designated by them (Art. 85 of the French Data Protection Act).
6.2. How to exercise your rights
If you wish to exercise any of the above rights, contact the Data Controller using one of the methods below, specifying your identity and the precise subject of your request (proof of identity may be requested where there is doubt as to the requester’s identity).

For processing on the Services or outside the Services, you may contact the Data Controller using one of the following methods, depending on the Entity concerned:

By email (all Entities): dpo@groupe-intuis.fr (to optimise handling of your request, please specify the Entity and, where applicable, the relevant Service or other activity).
By post, depending on the Data Controller (Service concerned or processing outside the Services):

MULLER SERVICES, 28 rue de Verdun – 92150 Suresnes, France
SOCIETE INDUSTRIELLE AUER, 28 rue de Verdun – 92150 Suresnes, France
MULLER INTUITIV, 28 rue de Verdun – 92150 Suresnes, France
FRANCE ENERGIE ET CIE, Parc d'Activités des Morandières, Rue Copernic – 53810 Changé-les-Laval, France
SOCIETE MULLER ET COMPAGNIE, 28 rue de Verdun – 92150 Suresnes, France
For managing cookies and other tracking tools, please see Article 7 below.

The Data Controller undertakes to respond as soon as possible, and in any event within one (1) month of receipt of your request.

Where necessary, this period may be extended by two (2) months, given the complexity and number of requests. In such case, you will be informed of the extension and the reasons for the delay.

If your request is submitted electronically, the information will also be provided electronically where possible, unless you expressly request otherwise.

If we are unable to respond positively to your request, we will inform you of the reasons. You will then have the option of lodging a complaint with a supervisory authority and/or seeking a judicial remedy.

In particular, if—after contacting the Data Controller and despite its efforts—you still believe your rights are not being respected, you may lodge a complaint with the competent supervisory authority. In France, this is the Commission Nationale Informatique et Libertés (CNIL): https://www.cnil.fr/fr/plaintes.

 
Article 7. COOKIES
When browsing any of the Services, cookies may be placed on your device (computer, mobile, tablet), subject to the choices you have expressed, which you may change at any time.

A cookie is a small text file containing information about browsing a website, the primary purpose of which is to improve your experience and enable the provision of personalised services.

Some tracking tools are strictly necessary for the operation of the Service and are therefore exempt from consent, as they are needed to ensure access to and stable operation of the Service. Others are subject to the User’s consent.

On a computer, cookies are managed by the web browser. Cookies may be session cookies (deleted automatically when the browser is closed) or persistent cookies (stored on the device until their expiry date).

Cookies used by our Services include:

Mandatory cookies: login-related cookies;
YouTube;
Google reCAPTCHA;
i18n: cookie used to store the User’s preferred language;
cookie_brands: functional cookie to display or not the Group brands’ pop-in;
Matomo;
Google Analytics.
How to accept or refuse cookies?

You can configure your browser so that cookies are stored on your device or rejected, either systematically or depending on the issuer, or so that you are informed when a cookie is stored, allowing you to accept or refuse it.

Deleting all cookies used by your browser—including those used by other websites—may alter or remove certain settings or information.

Browser configuration varies. Please follow your browser publisher’s instructions (main links available at the date this page was last updated):

Internet Explorer: click this link to learn more.
Safari: click this link to learn more.
Chrome: click this link to learn more.
Mozilla Firefox: click this link to learn more.
Opera: click this link to learn more.
For more information about cookies and their impact, please consult the “Comment ça marche” section of the CNILwebsite available here.

 
Article 8. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
For some of the purposes set out in Article 3.2 of this Policy, we may transfer your personal data (connection and browsing data) to recipients located in countries other than your country of residence and, in particular, outside the European Union.

Such transfers are made notably to offer you our products and services, to perform your contract(s) with an Entity, to conduct custom audience targeting, or because certain Group service providers operate from countries outside the European Union, including the United States of America.

Where such transfers are necessary, the Data Controller undertakes to ensure that the recipient is located in a country that is the subject of a European Commission adequacy decision, or that appropriate technical and organisational measures are implemented to ensure that Users’ personal data transferred to these countries benefit from adequate protection in accordance with the Applicable Regulations.

 
Article 9. UPDATING OF THE POLICY
The Data Controller reserves the right to amend or update this Policy at any time. Changes or updates take effect immediately once published on the Services or, in the context of a contractual relationship, once communicated by any means, in particular by email. Where such changes are significant/affect your obligations, the Data Controller will inform you and seek your consent if required by the Applicable Regulations. You agree to consult this Policy on each visit to a Service. The version in force is that available on the date of your visit.

 
Article 10. APPLICABLE LAW AND DISPUTE RESOLUTION
This Policy is governed by French law, unless mandatory provisions of the law of another country in which the User resides provide otherwise.

In the event of a dispute and failing an amicable resolution, the competent court shall be determined in accordance with the applicable procedural rules.

 
Notes:
[DGFLA1] To be confirmed in practice, in line with the updated GDPR policy and use of Google Analytics.
[DGFLA2] To be confirmed in practice, in line with the updated GDPR policy and use of Google Analytics.