Website privacy policy

Last update: March 2025

The Centre Hospitalier Joël Beaugendre (hereinafter “the Establishment”) attaches fundamental importance to the protection of its users’ personal data. This policy describes how we collect, use and protect your data as part of your browsing on the http://chcbe-gpe.fr website, in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and the French Data Protection Act of January 6, 1978, as amended.


1. Data controller

Name: Centre Hospitalier Joël Beaugendre

Address: Saint-Sauveur / Bananier – BP 68 – 97130 Capesterre-Belle-Eau

Email: contact@chcbe-gpe.fr

Telephone: 05 90 55 99 00


2. Data Protection Officer (DPO)

In accordance with Article 37 of the GDPR, and as a public health establishment, the Centre Hospitalier Joël Beaugendre has appointed a Data Protection Officer:

Organization: Caribbean Partners

Email: dpo@chcbe-gpe.fr

If you have any questions about the protection of your personal data or wish to exercise your rights, you can contact our DPO directly at the above address.


3. Collected data

3.1 Browsing data (analytical cookies)

When using Google Analytics / GA4, we collect, subject to your consent:

  • Anonymized IP address
  • Page views and visit duration
  • Browser type and operating system
  • Source of visit (search engine, direct link, etc.)
  • Anonymous session identifiers

This data is only collected with your explicit consent via the cookie banner.

3.2 Data not collected

This site does not include a contact form or an appointment form. No patient health or medical data is collected via this website.


4. Purposes and legal basis of processing

4.1 Audience measurement (Google Analytics / GA4)

Purpose: Anonymous statistical analysis of site traffic

Legal basis: User consent (Art. 6.1.a of the GDPR)

Retention period: 26 months from collection (GA4 setting)

4.2 Technical server logs

Purpose: Site security and operational readiness

Legal basis: Legitimate interest of the establishment (Art. 6.1.f of the GDPR)

Retention period: 12 months


5. Data recipients

Your data may be transmitted to the following recipients:

  • Google Ireland Limited (for Google Analytics GA4) – web analytics provider
  • PlanetHoster (site host) – technical log hosting
  • Katchak Digital Agency (web maintenance provider) – for site maintenance only
  • Chatbase Inc (AI instant messaging tool) – management of the chatbot integrated into the site
  • OpenAI, LLC (language model) – processing chatbot requests

No data is sold or transferred to third parties for commercial purposes.


6. Transfers outside the European Union

6.1 PlanetHoster – Canada

The site is hosted by PlanetHoster, a company whose servers are located in Canada. Canada has been granted an adequacy decision by the European Commission, which means that it offers a level of personal data protection recognized as equivalent to that in force within the European Union. This transfer does not therefore require any additional guarantees.

6.2 Google Analytics – United States

The use of Google Analytics involves the transfer of data to the United States. Although the EU-US Data Privacy Framework led to a partial recognition of adequacy at the end of 2023, the CNIL remains vigilant about the conditions of use of American audience measurement tools.

The Establishment has been informed that the CNIL recommends that preference be given to audience measurement tools whose data remains hosted within the European Union or in a country with an undisputed adequacy decision. Migration to an alternative solution may be considered as part of the compliance roadmap.

In the meantime, transfers to Google are governed by the European Commission’s standard contractual clauses. You can consult the guarantees put in place by Google at: https://policies.google.com/privacy

CNIL reference: Audience measurement and data transfer – compliance

6.3 Chatbase and OpenAI – United States

The site integrates an instant messaging tool powered by Chatbase Inc (San Francisco, California), which uses the OpenAI, LLC (San Francisco, California) language model to generate its responses. Both service providers are based in the United States, a country which has not been granted a general adequacy ruling by the European Commission.

The data exchanged in the chatbot (messages entered by users) are transmitted to Chatbase servers hosted on the AWS infrastructure (us-east-1 region), then processed by OpenAI to generate responses.

The guarantees governing these transfers are as follows:

  • Standard contractual clauses (SCCs) in compliance with Article 46 of the GDPR, integrated into Chatbase’s contractual conditions
  • GDPR and SOC 2 Type II certification for Chatbase
  • No use of data to train AI models (contractual commitment by Chatbase and OpenAI)
  • Encryption of data in transit and at rest

Given the nature of the data likely to be exchanged in a hospital context, it is recommended never to enter medical information, health data or sensitive personal data in the chatbot interface. The chatbot is designed to answer general questions relating to the hospital’s operations.

For more information: Chatbase Privacy Policy, Chatbase Security, Trust Center


7. Your rights

The rights available to you vary according to the legal basis of the processing concerned. Below you will find details of the rights applicable to each purpose.

7.1 Consent-based processing – Audience measurement (GA4)

Legal basis: Art. 6.1.a of the GDPR

  • Right of access (Art. 15) – obtain a copy of the data collected about you
  • Right of rectification (Art. 16) – correct inaccurate data
  • Right to erasure (Art. 17) – request the deletion of your data
  • Right to restrict processing (Art. 18) – temporarily suspend the use of your data
  • Right to portability (Art. 20) – receive your data in a structured, machine-readable format
  • Right to withdraw consent (Art. 7) – withdraw your consent at any time, without retroactive effect, via the cookie banner or by contacting the DPO

7.2 Processing based on legitimate interest – Technical server logs

Legal basis: Art. 6.1.f of the GDPR

  • Right of access (Art. 15) – obtain a copy of your log data
  • Right of rectification (Art. 16) – correct inaccurate data
  • Right to erasure (Art. 17) – request deletion of your data, subject to legal retention obligations
  • Right to restrict processing (Art. 18) – temporarily suspend the use of your data
  • Right to object (Art. 21) – object to processing for reasons relating to your particular situation; the Establishment may, however, continue processing if it can demonstrate compelling legitimate reasons

The right to portability (Art. 20) and the right to withdraw consent (Art. 7) do not apply to processing based on legitimate interest.

7.3 How to exercise your rights

In order to respond to a request to exercise rights, the request must be:

  • Formulated by the person concerned, his or her legal representative (parent or guardian) or a proxy;
  • Accompanied by proof of identity if there is any doubt about the applicant’s identity;
  • Sent to the management secretariat by e-mail: secretariat.direction@chcbe-gpe.fr.

Although it is advisable to send the request for exercising rights to the above e-mail address, it may be sent directly to a department, by post, by telephone, on site or by any other means, or to the DPO via:

  • E-mail: dpo@chcbe-gpe.fr
  • Telephone: 0590 55 99 00
  • Mail: CH CBE – Saint-Sauveur Bananier – 97130 Capesterre-Belle-Eau
  • In person: by contacting a CH CBE agent

Your request will be processed within one month of receipt. This period may be extended by a further two months in the case of complex or large-scale requests.


8. Right to lodge a complaint

If you feel that your rights have not been respected, you have the right to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés):

Website: https://www.cnil.fr

Address: 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07

Telephone: 01 53 73 22 22


9. Data security

The Establishment implements appropriate technical and organizational measures to ensure the security of your personal data, including:

  • Secure HTTPS connection (SSL/TLS encryption)
  • Access to data restricted to authorized persons only
  • Hosting on secure servers

10. Policy update

This Privacy Policy may be updated at any time to reflect legal developments or changes in our practices. The date of the last update is indicated at the top of the page.