Privacy Policy

What is the purpose of our Privacy Policy?

STOIK France (which manages the website www.stoik.com and the Stoik Protect platform), STOIK SAS, STOIK GmbH, STOIK GmbH Austria, STOIK Iberia and STOIK-CERT (hereinafter “STOIK”) attach great importance to the protection and confidentiality of your personal data, which we regard as a mark of our reliability and trustworthiness.

As such, our Privacy Policy clearly demonstrates our commitment to ensuring that STOIK complies with the applicable rules on the protection of personal data and, in particular, those of the General Data Protection Regulation (“GDPR”).

In particular, our Privacy Policy aims to inform you about how and why we process your personal data in connection with the services we provide to you.

Who is our Privacy Policy intended for?

Our Privacy Policy applies to you, regardless of where you live, provided you are at least 15 years old, whether you are one of our customers, a “casual” visitor to the website www.stoik.com, or a user of our Stoik Protect platform.

If you are under the legal age specified above, you are not permitted to use our services without the prior and explicit consent of one of your parents or the person with parental authority, which must be sent to us by email at dpo@stoik.io.

If you believe we hold personal data concerning your children without your consent, please contact us at the dedicated address provided above.

Does our Privacy Policy apply to job applicants?

If you are applying for a position at STOIK, you should consult our “Candidate Policy”, which is available at any time on our dedicated page at www.stoik.com and which details the processing carried out as part of our recruitment process.

Why do we process your personal data and on what basis?

When you are one of our customers or a “casual” visitor to the website www.stoik.com

We process your personal data primarily for the following reasons:

  • to let you browse our website, benefit from our services (e.g. explore our resources, our cyber security service, etc.) and to respond to your enquiries (e.g. requests for information, complaints, etc.), on the basis of our terms and conditions of use and our legitimate interest in providing you with the best possible service.
  • to manage insurance contracts, on the basis of the performance of the contract with the risk-bearing insurer (only where the relevant STOIK entity acts as a joint controller with the risk-bearing insurer).
  • to manage our customer service, on the basis of the performance of the contract and our legitimate interest in responding as effectively as possible to your enquiries and complaints.
  • to keep you informed of our latest offers and events by telephone, on the basis of our legitimate interest in retaining our customers and attracting new potential customers.
  • to manage invoicing and any outstanding payments, on the basis of our legitimate interest in receiving payment for the provision of our service and in accordance with our terms and conditions.
  • to let you follow us and comment on our posts on social media, on the basis of our legitimate interest in maintaining a dedicated page on social media.
  • to send you our newsletter, which keeps you informed of all the latest news regarding our services, on the basis of our legitimate interest in building customer loyalty.
  • to send out satisfaction surveys, on the basis of our legitimate interest in improving our services.
  • to play videos on our website, on the basis of our legitimate interest in providing you with video content.
  • to enable the downloading of documents, on the basis of our terms and conditions of use.

When you are one of our customers and a user of our Stoïk Protect platform

We process your personal data primarily for the following reasons:

  • To use and benefit from our service and all its features (e.g. managing the phishing simulator, managing emergency calls, etc.) based on our terms and conditions of use.
  • To manage user accounts (e.g. account creation, access to the service and account deletion) in accordance with our Terms and Conditions of Use.
  • To carry out a "scoring" of your profile in order to activate or deactivate features of our services, on the basis of our legitimate interest.
  • To provide free-form comments on the management of your files in accordance with our Terms and Conditions of Use.
  • To communicate with our support team via our chat/chatbot in accordance with our Terms and Conditions of Use.
  • To receive our technical emails (e.g. password changes, etc.) essential for the proper functioning of our service, in accordance with our Terms and Conditions of Use.
  • To enable you to upload and import documents onto our platform in accordance with our Terms and Conditions of Use.
  • To ensure and enhance the security and quality of our services on a daily basis (e.g. statistics, data security, etc.) in accordance with our legal obligations, our Terms and Conditions of Use, and our legitimate interest in ensuring the proper functioning of our services.

Your data is collected directly from you when you use our Stoik Protect platform, and we undertake to process your data only for the purposes described above.

How do we process data accessible via Google APIs?

As part of its services, Stoïk provides the Stoïk Protect platform, which includes a module for sending phishing awareness campaigns to the customer’s employees. Through this module, Stoïk processes certain categories of data related to the Google Workspace environment via the Directory API of the Google Admin SDK. In this regard, we inform you that Stoïk acts as a data processor within the meaning of Article 28 of the GDPR, in connection with the provision of the Stoïk Protect platform.

  • Why we process your data and on what legal basis: Stoïk enables the customer to synchronise groups of employees, on the basis of the performance of the contract entered into with the customer.
  • Categories of data processed: Stoïk processes identification data and professional contact details sourced from the customer’s Google Workspace directory (e.g. surname, first name, email address, job title, company, etc.) and retains them for the duration of the service provision.
  • Who may have access to your personal data: Your personal data is processed by our teams, including those of other group entities, and by our technical service providers for the sole purpose of ensuring the operation of our service.

We would like to emphasise that we subject all our technical service providers to a prior assessment before engaging them to ensure that they strictly comply with the applicable rules on the protection of personal data.

As a data processor, Stoïk is contractually obliged to use Google user data solely for the purpose of providing the service and exclusively on the basis of documented instructions from the customer. We therefore guarantee that your data is not sold to third parties.

Our use and transfer of information received from Google APIs complies with Google’s policy regarding API service user data, including limited use requirements.

For further information, please refer to the other sections of this policy.

How do we obtain your personal data when you are one of our customers or a “casual” visitor to the website www.stoik.com?

Your data is collected directly from you when you are a customer of our services or a "casual" visitor to our website www.stoik.com, and we undertake to process your data only for the reasons described above.

It is also possible that your personal data may be processed indirectly in the context of trade fairs or social media (e.g. LinkedIn).

Please note that when you voluntarily post content on the pages we manage on social media, you acknowledge that you are fully responsible for any personal information you may provide, regardless of the nature and origin of the information supplied.

What personal data do we process and for how long?

When you are one of our customers or a ‘casual’ visitor to the website www.stoik.com

We have summarised below the categories of personal data and their respective retention periods:

  • Professional identification data (e.g. surname, first name, job title, company, etc.) and contact details (e.g. email address and work telephone number, etc.) are retained for the entire duration of the service provision, plus the statutory limitation periods, which are generally 5 years.
  • Data relating to the management of insurance contracts is retained for the entire duration of the insured parties’ cover, plus the statutory limitation periods, which are generally 5 years (only where the relevant STOIK entity acts as a joint data controller with the risk-bearing insurer).
  • Where your organisation’s name is indistinguishable from your personal name (e.g. sole trader, micro-enterprise, etc.), economic and financial data (e.g. bank account number, verification code, etc.) are retained for the period necessary to complete the transaction and manage invoicing and payments, plus the statutory limitation periods, which are generally between 5 and 10 years.
  • Telephone number used in connection with our telephone-based sales prospecting campaigns is retained for a maximum period of 3 years from the date of our last contact with you.
  • Email address used to receive our newsletter is retained until you unsubscribe from the newsletter.
  • Statistical data relating to the viewing of our videos is anonymised and retained indefinitely.
  • Connection data (e.g. logs, IP address, etc.) is retained for a period of 1 year.
  • Cookies are generally retained for a maximum of 13 months. For further details on how we use cookies, please consult our cookie policy, which is available at any time on our website.

When you are one of our customers and a user of our Stoïk Protect platform

  • Professional identification data (e.g. surname, first name, job title, company, etc.) and contact details (e.g. email address and work telephone number, etc.) are retained for the entire duration of the service provision, plus the statutory limitation periods, which are generally 5 years.
  • Email address used to receive our technical messages is retained until your account is deleted.
  • Connection data (e.g. logs, IP address, etc.) is retained for a period of 1 year.

Once the applicable retention periods have expired, your personal data is irreversibly deleted and we will no longer be able to provide it to you. At most, we may retain anonymous data for statistical purposes.

Please also note that in the event of a dispute, we are obliged to retain all personal data concerning you for the entire duration of the case, even after the expiry of the retention periods described above.

What rights do you have to control the use of your personal data?

The applicable data protection regulations grant you specific rights which you may exercise at any time and free of charge to control how we use your data.

  • The right to access and obtain a copy of your personal data, provided that such a request does not conflict with trade secrets, confidentiality, or the secrecy of correspondence.
  • The right to rectify personal data that is inaccurate, out of date or incomplete.
  • The right to object to the processing of your personal data for marketing purposes, as well as to processing based on our legitimate interests, unless there are legitimate and compelling reasons justifying such processing that override your interests, rights and freedoms.
  • The right to request the erasure (“right to be forgotten”) of your personal data that is not essential to the proper functioning of our services.
  • The right to restrict the processing of your personal data, which allows you to control the use of your data in the event of a dispute regarding the lawfulness of processing.
  • The right to data portability, which allows you to retrieve some of your personal data so that you can easily store or transfer it from one information system to another.
  • The right to give instructions regarding the handling of your data in the event of your death, either directly or through a trusted third party or a beneficiary.

For a request to be considered, it must be made directly by you or your representative at dpo@stoik.io.

Requests cannot be made by anyone other than you or your representative. We may therefore ask you to provide proof of identity if there is any doubt as to the identity of the applicant, as well as proof of representation where applicable.

We will respond to your request as soon as possible and within a maximum of one month from receipt, unless the request is technically complex or we receive a large number of requests at the same time. In such cases, the response time may be extended to up to three months.

Please note that we may refuse to respond to any excessive or unfounded requests, particularly if they are repetitive in nature.

Who has access to your personal data?

Your personal data is processed by our teams, including those of other group entities, and by our technical service providers for the sole purpose of operating our service.

As part of our service, your personal data may be passed on to risk-bearing insurers, acting as joint data controllers, in connection with the implementation of the co-designed insurance cover. The broad outlines of this relationship will be communicated to you where applicable.

As part of our brokerage activities, your personal data may be transferred to co-brokers, acting as separate data controllers, in order to facilitate the connection of prospective customers with STOIK.

We would like to point out that we vet all our technical service providers before engaging them to ensure that they strictly comply with the applicable rules on personal data protection.

FURTHERMORE, WE GUARANTEE THAT WE NEVER TRANSFER OR SELL YOUR DATA TO THIRD PARTIES OR BUSINESS PARTNERS.

Can your personal data be transferred outside the European Union?

When you are one of our customers or a ‘casual’ visitor to the website www.stoik.com

The personal data processed by our website is hosted on servers located outside the European Union. In order to protect your personal data, we take great care to ensure that our hosting provider implements the appropriate safeguards required under the applicable rules on data transfers to ensure the confidentiality and protection of your data.

We may also use technical tools located outside the European Union. If this is the case, we guarantee that they strictly comply with the applicable rules on data transfers to ensure the confidentiality and adequate protection of your personal data.

When you are one of our customers and a user of our Stoik Protect platform

The personal data processed by our Stoik Protect platform is hosted exclusively on servers located within the European Union.

Furthermore, we do our utmost to use only technical tools whose servers are also located within the European Union. Should this not be the case, however, we take great care to ensure that they implement the appropriate safeguards required to guarantee the confidentiality and protection of your personal data.

How do we protect your personal data?

We implement the technical and organisational measures required to guarantee the security of your personal data on a daily basis and, in particular, to protect it against any risk of destruction, loss, alteration or unauthorised disclosure or access.

Do we use cookies when you browse our website?

We guarantee that we do not use any advertising cookies for the operation of this website.

However, we would like to inform you that we do use statistical cookies when you browse our website. For further information, please see our Cookie Policy.

Who can you contact for more information about the use of your personal data?

To ensure the best possible protection and integrity of your data, we have formally appointed an independent Data Protection Officer (“DPO”) and notified the appointment to our supervisory authority.

You may contact our DPO at any time, free of charge, at dpo@stoik.io to obtain further information or details on how we process your data.

How can you contact the CNIL?

You may contact the “Commission nationale de l’informatique et des libertés” or “CNIL” at any time using the following contact details: CNIL Complaints Department, 3 place de Fontenoy – TSA 80751, 75334 Paris Cedex 07 or by telephone on 01.53.73.22.22.

Can the Privacy Policy be amended?

We may amend our Privacy Policy at any time to bring it into line with new legal requirements and any new data processing activities we may implement in the future.

Certified compliant by Dipeeo ®

Last update on 23/03/26