Personal Data Protection Policy – Voteer

Last updated: March 2026

Introduction

The protection and security of personal data are central to the design and operation of the Voteer online voting platform.

This Personal Data Protection Policy applies to all users of the Voteer platform and forms an integral part of the Voteer Terms of Service.

Voteer processes personal data in accordance with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and applicable European data protection laws.

When organizations use Voteer to conduct ballots, Voteer acts as a data processor, while the organization conducting the ballot acts as the data controller, as defined under the GDPR.

Personal data processed through the platform is used exclusively for the organization and management of ballots and is never used for commercial purposes.

This page describes the principles applied by Voteer to ensure the protection and security of personal data processed through the platform.

Nature of Processing Activities

The Voteer platform enables organizations to organize and manage secure online ballots.

In this context, Voteer may perform processing operations on behalf of the data controller, including:

  • importing and managing voter lists
  • organizing and configuring ballot parameters
  • managing access to the voting platform
  • processing voter authentication and participation
  • securely storing ballot data during the voting period
  • generating voting results and related reports
  • deleting or returning data according to retention policies.

These processing activities are performed strictly under the instructions of the data controller.

Legal Basis for Processing

Processing carried out through the Voteer platform is generally based on:

  • the performance of a contract between the data controller and Voteer for the organization of the ballot
  • legal obligations applicable to the data controller
  • the legitimate interest of the organization conducting the ballot in ensuring a secure and reliable voting process.

Categories of Personal Data Processed

Depending on the configuration of the ballot, the platform may process the following categories of personal data:

  • voter identification data (name, surname, identifier)
  • professional information when the ballot takes place in a professional context
  • contact details used to notify voters
  • platform connection and authentication data
  • information required to organize the ballot (voter lists, candidates, election officers).

Data collected is strictly limited to what is necessary for the organization and security of the voting process.

Data Protection Principles

Voteer applies the core principles of data protection throughout the lifecycle of the voting process.

Data minimization

Only data strictly necessary for the organization of the ballot is processed.

Privacy by design and by default

The platform is designed to integrate data protection and security principles from the earliest stages of development.

Confidentiality and security

Technical and organizational measures are implemented to protect the confidentiality, integrity and availability of data.

Data segregation

Data associated with each organization is isolated from other customers to prevent unauthorized access or data mixing.

Data Hosting and Location

All data processed through the Voteer platform is hosted and processed in France.

The infrastructure relies on two independent data centers located in France operating in active/active mode, ensuring high availability and service continuity during the entire voting period.

Voteer does not transfer personal data outside the European Union.

Subprocessors

voteer may rely on subprocessors for specific technical services required to operate the platform.

The primary subprocessor used for hosting the infrastructure is:

Amazon Web Services (AWS)

Cloud infrastructure provider used to host and operate the Voteer platform.

The infrastructure is configured so that all data associated with the platform is stored and processed in France.

Voteer ensures that all subprocessors provide appropriate guarantees regarding data protection and security in accordance with Article 28 of the GDPR.

Security Measures

Voteer implements a comprehensive set of technical and organizational measures to protect data processed through the platform.

These measures include:

  • encryption of communications and stored data
  • strict access control mechanisms
  • secure authentication processes
  • logging and monitoring of system activity
  • infrastructure monitoring and anomaly detection
  • regular security testing and vulnerability assessments
  • internal procedures for handling security incidents.

These mechanisms ensure the confidentiality, integrity, availability and traceability of data.

Security Incident Management

In the event of a security incident affecting personal data, Voteer implements procedures designed to:

  • detect and contain the incident
  • assess its impact
  • implement corrective measures
  • inform the data controller without undue delay.

The data controller remains responsible, where applicable, for regulatory notification obligations.

Data Retention and Reversibility

Data associated with the organization of a ballot is retained only for the period necessary to conduct the vote, produce the results and comply with applicable legal obligations.

This may include:

  • voter lists and identification data
  • ballots stored in the ballot box
  • technical logs and connection records
  • reports and files generated during the ballot process.

Voteer guarantees data reversibility, allowing organizations to retrieve their data before deletion when required.

At the end of the retention period defined contractually, data may either be returned to the data controller as part of this reversibility process or deleted in accordance with Voteer’s data deletion procedures.

Data Deletion

Once the retention period has expired, Voteer proceeds with the permanent deletion of all data associated with the ballot stored within its systems.

This includes:

  • personal data of voters
  • ballots stored in the electronic ballot box
  • technical logs and connection records
  • reports and files generated during the voting process.

Deletion operations are carried out using procedures designed to ensure that the data cannot be restored or reused.

Upon request, Voteer may provide a data deletion confirmation to the data controller.

Data Subject Rights

Under applicable data protection laws, individuals whose data is processed may exercise the following rights:

  • right of access
  • right to rectification
  • right to erasure
  • right to restriction of processing
  • right to object to processing.

Requests should generally be addressed to the data controller, which is the organization responsible for conducting the ballot.

Voteer may assist the data controller in responding to such requests where necessary.

Policy Updates

This Personal Data Protection Policy may be updated from time to time in order to reflect:

  • regulatory developments
  • technical changes to the platform
  • updates to data processing practices.

The date of the latest update appears at the top of this page.

Users are encouraged to review this policy regularly.

Contact

For any questions regarding data protection or the processing of personal data through the Voteer platform, you may contact:

Voteer – Data Protection

contact@voteer.com