
Our personal data protection policy

We are committed to ensuring the highest level of protection of your personal data in accordance with the applicable legal framework, and in particular with the General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and of the Council.

Your personal data is collected and processed in compliance with the applicable legal framework. For further information regarding the protection of personal data, you can consult the website of your data protection authority.

Resonance recruits participants to conduct qualitative and quantitative research.

Resonance undertakes to protect the confidentiality of data and to ensure that the processing of personal data carried out as part of its activity complies with European Regulation No. 2016/679, known as the General Data Protection Regulation (GDPR), and the French Data Protection Act of January 6, 1978.

Resonance’s data processing complies with the principles of data minimization, transparency and storage limitation.

Who is Resonance?

In accordance with Article 4 of the GDPR, personal data is any information that can be used to directly or indirectly identify a person.

Resonance will act as a data controller only for its own data processing, such as contacts with its clients.

The processing of personal data by Resonance


In some cases, Resonance may transfer personal data outside the European Union, in particular to lead user research projects with clients and partners.

Resonance will only proceed with such transfers if:

  • The country of destination has been recognized by the European Commission as ensuring an adequate level of protection, or

  • Legal instruments such as Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC) have been put in place, or

  • There is a GDPR adequacy decision.

 

Personal data processed by Resonance is hosted by default on the Google Workspace platform, unless otherwise specified.

Data transfers

Resonance ensures that your data is adequately protected, and that technical and organizational security measures are in place to guarantee its availability, confidentiality and integrity.

Google Workspace is certified under ISO/IEC 27001, 27017, 27018, and 27701, as well as other frameworks like GDPR and HIPAA.

Encryption: all data is encrypted both while stored and during transmission between Google’s servers and users’ devices. Email security is enhanced through Secure/Multipurpose Internet Mail Extensions (S/MIME for Gmail) for message encryption and digital signature.

Access controls and authentication: an extra layer of protection is provided by requiring a second form of verification for account access (Two-Factor Authentication).

Data loss prevention: restricts actions such as downloading, printing, or copying files, and allows setting expiration dates for access (Information Rights Management).

Device and endpoint management: offline document access is disabled to prevent local copies of sensitive data (offline access control).

Personal data security

Pursuant to Articles 12 to 22 of the GDPR, any data subject whose personal data has been collected by Resonance as a data controller has the right to exercise the following rights:

  • The right of access: you have the right to obtain access to your information in a clear and comprehensible format. The aim is to ensure that you are aware of and can verify that we are using your information in accordance with data protection laws.

  • The right of rectification: you have the right to correct your information if it is inaccurate or incomplete.

  • The right to erasure: this right is also known as the "right to be forgotten" and allows you to request the erasure or deletion of your data where there is no compelling reason for us to continue using it. However, this right is not absolute, and we reserve the right to refuse your request for legal or legitimate reasons.

  • The right to restrict processing: you have the right to "block" or delete any further use of your information. When processing is restricted, we can store your data, but cannot continue to use it. We keep a list of people who have requested that the further use of their data be blocked, to ensure that the restriction is respected.

  • The right to data portability: you have the right to receive the data you have provided to us, in a structured, commonly used and machine-readable format, for your personal use or to pass it on to a third party of your choice. This right applies only where the processing of your data is based on your consent or on a contract to which you are a party, and where the data relates to you.

  • The right to object: you may object at any time to the processing of your data if this is based on a mission of public interest or the legitimate interest of the Data Controller. This right is not absolute, and we reserve the right not to respond favorably to your request in the event of the Data Controller's legitimate interest.

  • The right to withdraw your consent: if you have given your consent to the processing or use of your personal data, you may withdraw it at any time (although, if you do so, this does not mean that everything we have done with your consent up to that point has been unlawful). This includes your right to withdraw consent to the use of your personal data for commercial purposes.

Exercising individuals' rights


Below is a table provided by the CNIL setting out the rights you may exercise over your data depending on the legal basis used for the processing concerned by your request. You can check the legal basis in section ‘2. Processing of personal data by RESONANCE’ of this privacy policy.

Your rights may be exercised directly with Resonance at the following e-mail address: dpo-resonance@uxalliance.com

 

Resonance undertakes to reply within one (1) month of receiving your request to exercise your rights.

If you do not receive a reply within this period, or if you are not satisfied with the reply you receive, you may lodge a complaint with the data protection authority, the CNIL, via the following link: https://www.cnil.fr/fr/plaintes

In accordance with article 40-1 of the French Data Protection Act of January 6, 1978, you may give instructions concerning the retention, deletion and communication of your personal data after your death.

If you contact Resonance to exercise any of these rights in respect of your data that has been processed, Resonance will transfer this request to the data controller.

We may occasionally modify this policy, in particular in order to comply with any regulatory, case law, editorial or technical developments.

Where appropriate, we will change the date of the privacy policy update and indicate the date on which the changes were made. We advise you to consult this page regularly for any changes or updates to our policy.

Modification of the present policy

Date: 15th of July, 2025
