Purpose and Scope of the Policy
Rennes School of Business places the utmost importance on privacy and the protection of Personal Data, as well as compliance with applicable regulations.
The Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (known as the “GDPR”) provides that personal data must be processed lawfully, fairly, and transparently. This Privacy Policy (hereafter referred to as the “Policy”) is intended to provide you with clear and simple information about how your Personal Data is processed in the context of your use of our website and digital services.
Data Controller
When using the PUMAPP application, we collect and use personal data related to you as an individual (“Data Subject”).
For all processing, Rennes School of Business, an association located at 2 Rue Robert d’Arbrissel, Rennes (35000), determines the means and purposes of the Processing.
We therefore act as the Data Controller, within the meaning of applicable data protection laws, including the GDPR.
What Personal Data Do We Collect and How?
By using our website or subscribing to our services, you provide us with certain information about yourself, some of which may identify you (“Personal Data”). This happens when you browse our site, fill in online forms, or become a customer.
Types of data collected include:
· Identification data: gender, last name, first name, phone number, date of birth, photograph, ID document copy, student number, nationality, email, postal address, emergency contact, parental info, residence information for international students.
· Login data: username, password, and any other information required to access your personal account.
· Technical data: IP address, login times, browser and OS used, server responses, email open timestamps, click activity, visited URLs, device ID – for maintenance and statistics.
· Financial and banking data: for billing or scholarship purposes.
· Education data: academic background, grades, assessments, diplomas, attendance, language tests, CVEC number.
· Documents: PDFs, Office files, images related to your academic activity.
· Web navigation data: interaction with the website.
Why Do We Collect Your Personal Data and How?
Your data is processed for specific purposes and based on different legal grounds:
· For contract performance or pre-contractual measures:
o Timetable management
o Enrollment and attendance tracking
o Access to courses, grades, school email, and student directory
· Based on your consent:
o Notification and preference management
o Access to your academic info
o Uploading information about you
· Based on legitimate interest:
o User access logging
o IT and network security
o Access to school or student organization event information
o Student practical guide
· Based on legal and regulatory obligations
Do We Share Your Personal Data?
Your data may be shared with:
· Authorized Rennes School of Business staff depending on their responsibilities.
· Service providers and subcontractors acting on our behalf.
· Legally authorized public authorities (courts, regulators).
· Regulated professionals (lawyers, bailiffs) for dispute management.
We ensure that third parties process your data only for intended purposes and maintain confidentiality and security. No data is sold.
Are Your Personal Data Transferred Outside the EU?
No. All data are hosted in Europe. Servers are located in France via Microsoft, ensuring compliance with GDPR. No transfers are made outside the EU, especially to countries without adequate protection.
How Long Do We Retain Your Personal Data?
Purpose | Retention |
Timetable | During enrollment |
Enrollment, attendance | 10 years after graduation |
Courses | During enrollment |
Grades | 50 years after graduation |
@rennes-sb.com emails | Indefinitely or |
Directory | During enrollment |
Notification preferences | During enrollment |
Academic info | 50 years after graduation |
Event info | 3 years |
User access logs | 1 year |
IT & network security | Up to 12 |
We retain data only as long as needed for the purposes collected and in accordance with legal obligations:
How Do We Ensure Data Security?
We implement technical and organizational security measures based on the nature of data and associated risks:
· Limited access based on job roles
· Pseudonymization and encryption
· Regular review and update of security practices
· Secure authentication, backups, and software protocols
What Are Your Rights?
Under GDPR, you have the following rights:
· Right to information
· Right of access
· Right to rectification
· Right to erasure
· Right to object
· Right to withdraw consent
· Right to restriction of processing
· Right to data portability
· Right not to be subject to automated decision-making
· Right to define post-mortem data instructions
To exercise your rights, contact:
DPO – Secrétariat Général
2 Rue Robert d’Arbrissel, 35065 Rennes
Email: dpo@rennes-sb.com
You may also lodge a complaint with CNIL: https://www.cnil.fr
Cookies Policy
We use Matomo Analytics, a GDPR-compliant tool approved by CNIL. It is configured to be exempt from consent:
· Collects only essential anonymous statistics
· Anonymizes IP addresses
· Stores data for 13 months max
· No cross-analysis with other databases
· Hosted securely within the EU
More info: https://matomo.org/privacy-policy
List of Subcontractors
Subcontractor | Activity | Hosting |
Auriga | School ERP data hosting | France |
Fullfabric | Enrollment data hosting | EU |
Hubspot France | CRM data hosting | EU |
Moodle | Learning platform | EU |
OVH | School ERP data hosting | France |
Microsoft France | Staff and | France |
Policy Updates
This Policy may be updated to reflect regulatory changes.
Last updated: 07/04/2025
