Privacy policy: what should your site contain?
Data collected, purposes, legal basis, cookies, retention periods and rights: how to write a useful privacy policy.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Updated March 2026 - A privacy policy is not just standard text stuck at the bottom of a site. It serves to clearly inform people about the data processed, the purposes, the legal basis, the recipients, the retention periods and their rights. As an accounting firm, Hayot Expertise applies these principles to its own processing and supports its clients in their GDPR compliance.
What a privacy policy should cover
In accordance with Articles 13 and 14 of the GDPR, any privacy policy must clearly state:
- what data is collected: the precise categories of personal data;
- why it is collected: each purpose must be explicit and documented;
- on what legal basis the processing rests: consent, performance of a contract, legal obligation or legitimate interest;
- how long it is kept: precise periods, not vague wording;
- who has access: internal recipients and external processors.
A point that is often handled poorly
Many sites merge the legal notice, the cookie policy and the privacy policy. These are related subjects, but they are not interchangeable:
- the legal notice identifies the publisher and the host of the site (an LCEN obligation);
- the cookie policy governs the placing and reading of trackers on the user's device;
- the privacy policy covers all processing of personal data.
Treating these three as a single document exposes you to non-compliance findings during a CNIL inspection.
Data collected by Hayot Expertise
Data provided directly
When you contact us via our forms, by telephone or by email, we collect:
- first and last name
- professional or personal email address
- telephone number
- company name and SIRET number
- information related to your service request (tax, accounting or social matters)
- supporting documents transmitted as part of our mission
Data collected automatically
When you browse our site, certain information is recorded:
- anonymized IP address
- browser type and operating system
- pages visited and duration of consultation
- date and time of connection
- cookie data (see the dedicated section below)
Purposes of processing and legal bases
Each processing operation rests on one of the legal bases provided for in Article 6 of the GDPR:
Respond to your contact requests
Legal basis: execution of pre-contractual measures (article 6-1-b of the GDPR).
When you fill out a contact or quote form, we use your contact details to respond to your request and, where appropriate, offer you our services.
Carry out our accounting missions
Legal basis: execution of a contract (article 6-1-b) and legal obligation (article 6-1-c).
As chartered accountants, we process personal data in the course of bookkeeping engagements, preparation of annual accounts and tax returns. This processing is essential to the performance of our engagement.
Send you relevant information
Legal basis: consent (article 6-1-a) or legitimate interest (article 6-1-f).
If you have subscribed to our newsletter, we send you content related to tax, accounting and legal news. You can unsubscribe at any time.
Improve our services and our website
Legal basis: legitimate interest (article 6-1-f).
Analysis of navigation on our site allows us to identify the most viewed content and improve the user experience. This data is aggregated and anonymized.
Respect our legal and regulatory obligations
Legal basis: legal obligation (article 6-1-c).
The firm is required to retain and disclose certain data, in particular in the context of the fight against money laundering and terrorist financing (AML/CFT) and of inspections by the Order of Chartered Accountants.
Retention periods
We only keep your data for as long as is strictly necessary for the purposes pursued:
| Data Category | Retention period | Reference |
|---|---|---|
| Prospecting data (contact form) | 3 years from last contact | CNIL recommendation |
| Customer data (accounting file) | 10 years from the end of the financial year | Article L. 123-22 of the Commercial Code |
| Accounting supporting documents | 10 years | Article L. 123-22 of the Commercial Code |
| Navigation data (logs, cookies) | 13 months maximum | CNIL Deliberation No. 2020-091 |
| Newsletter and mailing | Until unsubscription or 3 years of inactivity | CNIL guidelines |
At the end of these periods, the data is irreversibly deleted or anonymized.
Data sharing and recipients
Your personal data are intended primarily for the firm's employees authorized to process them as part of their duties.
We may be required to share some of your data with:
- our technical subcontractors: site host, CRM tool, online accounting software, each bound by a processing contract compliant with article 28 of the GDPR;
- the competent administrations: General Directorate of Public Finances (DGFiP), URSSAF, commercial court registries, as part of our reporting obligations;
- our legal and technical partners: only when necessary to carry out the mission you have entrusted to us.
No data is transferred outside the European Union without appropriate guarantee (standard contractual clauses or adequacy decision of the European Commission).
Your rights under the GDPR
In accordance with European Regulation 2016/679 and the Data Protection Act of January 6, 1978 as amended, you have the following rights:
- Right of access: obtain confirmation that processing exists and access your data;
- Right of rectification: correct inaccurate or incomplete data;
- Right to erasure: request the deletion of your data when it is no longer necessary or when the processing is unlawful (subject to our legal retention obligations);
- Right to restriction of processing: temporarily suspend processing in certain cases provided for by Article 18 of the GDPR;
- Right to portability: receive your data in a structured, machine-readable format, for processing based on your consent or on a contract;
- Right to object: object to the processing of your data, in particular for commercial prospecting purposes.
To exercise any of these rights, contact us at the address mentioned below. We undertake to respond within a maximum of one month, in accordance with article 12 of the GDPR.
Cookies and tracking technologies
Our site uses cookies and similar technologies. In accordance with the CNIL guidelines of September 2020, we distinguish:
- cookies strictly necessary for the operation of the site: they do not require your consent;
- audience measurement cookies: they require your consent, which you can give or refuse via the banner presented during your first visit;
- social network and sharing cookies: they are placed by third parties and are subject to those parties' own privacy policies.
You can modify your cookie preferences at any time by clicking on the "Cookie Management" link at the bottom of each page of our site.
Security measures
Protecting your data is a priority for Hayot Expertise. We implement appropriate technical and organizational measures, in accordance with Article 32 of the GDPR:
- encryption of sensitive data during transmission and storage;
- access control by reinforced authentication for the firm's employees;
- regular backups and disaster recovery plan;
- ongoing training of our teams in data protection best practices;
- regular audits of our information systems.
For further reading, see DPO: mandatory or not.
Hayot Expertise Advice: GDPR compliance is not an option. It is a legal obligation which engages the responsibility of each professional. In 2026, the CNIL has strengthened its controls and sanctions can reach 4% of global turnover or 20 million euros. Don't take this risk.
We undertake to process your request as quickly as possible.
Right to complain to the CNIL
If you believe, after contacting us, that your rights are not respected, you can send a complaint to the National Commission for Information Technology and Liberties (CNIL):
- Website: www.cnil.fr
- Address: CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
The CNIL is the competent supervisory authority in France to ensure compliance with obligations regarding the protection of personal data.
Related reading: tax or social security questions, the public billing portal, and the many advantages of a GED (electronic document management system) for a company.
Conclusion
In 2026, a useful privacy policy must be compliant, concrete and aligned with the reality of your processing. The real risk comes from the gap between the text and actual practice.
Do you want to secure your information obligations without copying a generic model?
We can support you.
We can help you reread your privacy policy based on your actual processing.
Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Need a quote or personalised advice?
Our accountancy firm supports you through all your steps. Get a free quote to review your situation and receive a bespoke fee proposal, or contact us directly.