PRIVACY POLICY

• Article 1. Parties to this Privacy Policy
  Between the undersigned:

   

  1° The French company BA&SH, having a share capital of €1 000 000, registered in the Trade and Companies Registry of Paris under number 449 158 898, having its registered office at 67 Avenue Raymond Poincaré 75016 Paris, France, and having the VAT number FR42449158898.

   

  Hereinafter referred to as the "Data Controller", on the one hand,

   

  And

   

  2° The individual

   

  Browsing, reading, reserving, ordering and/or buying a good or a service offered on the Seller’s website.

   

  Hereinafter referred to as the "Data Subject", on the other hand,

   

  It has been agreed as follows: .
• Article 2. Object
  This Privacy Policy applies, without restriction or reservation, between the Data Subject and the Data Controller.

   

  Its purpose is to provide information on the way in which the Data Controller collects and processes certain personal data concerning the Data Subject, in accordance with the applicable laws and in particular European Regulation n°2016/679 and Federal Data Protection Act of 30 June 2017 (hereinafter referred to as the "Legislation"), in relation to the use of the website www.ba-sh.com/de (hereinafter referred to as the "Site") by the Data Subject.

   

  This Privacy Policy is part of the Data Controller’s General Terms and Conditions of Sale. .
• Article 3. Definitions
  Browsing means the consultation, review, order and/or purchase of Products on the Site by the Data Subject.

   

  Consent means any freely given, specific, informed and unambiguous indication by which the Data Subject agrees, by a statement or by a clear affirmative action, to the Processing by the Data Controller of Personal Data relating to him or her.

   

  Cookie means a file that makes it possible to trace the journey of the Data Subject on the Site.

   

  Data Controller means the French company BA&SH, having a share capital of €1 000 000, registered in the Trade and Companies Registry of Paris under number 449 158 898, having its registered office at 67 Avenue Raymond Poincaré 75016 Paris, France, and having the VAT number FR42449158898.

   

  Data Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

   

  Data Subject means any individual who browses the Site, provided that he or she can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his or her physical, physiological, genetic, psychological, economic, cultural or social identity.

   

  DPO means the data protection officer of the Data Controller, namely Cabinet Bouchara - Avocats (17 rue du Colisée – 75008 Paris - FRANCE, info@cabinetbouchara.com).

   

  File means any structured set of Data accessible according to specific requirements, whether centralized, decentralized or distributed in a functional or geographical manner.

   

  Legislation means any applicable law and regulation relating to Personal Data protection, and in particular European Regulation No. 2016/679.

   

  Personal Data means any information relating to the Data Subject.

   

  Processing means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

   

  Products means the products offered for sale on the Site by the Data Controller to the Data Subject.

   

  Pseudonymisation means the processing of Personal Data in such a way that it can no longer be attributed to the Data Subject without the use of additional information.

   

  Recipient means a natural or legal person, public authority, agency or another body, to which the Personal Data is disclosed, whether they are a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry shall not be regarded as Recipients.

   

  Site means the infrastructure developed by the Data Controller in accordance with the IT formats that can be used on the Internet, including data of various kinds, and in particular texts, sounds, static or moving images, videos, databases, intended to be consulted by the Data Subject to know, book, order and/or purchase Products (www.ba-sh.com/uk).

   

  - Supervisory Authority means the Federal Commissioner for Data Protection and Freedom of Information (BfDI), an independent German public authority for the regulation of data protection.

   

  Third Party means a natural or legal person, public authority, agency or body other than the Data Subject, the Data Controller, the Data Processor and persons who, under the direct authority of the Data Controller or the Data Processor, are authorized to Process Personal Data, and in particular tour operators, travel agencies and booking systems.

   

• Article 4. Principles relating to Processing
  In accordance with the Legislation, the Data Controller undertakes to respect the following principles for each Processing:

   

  • Lawfulness;
  • Fairness;
  • Transparency;
  • Purpose limitation;
  • Data minimization;
  • Accuracy;
  • Storage limitation;
  • Integrity;
  • Confidentiality;
  • Accountability.

   

• Article 5. Personal Data processed
  In the frame of Browsing, the Data Controller is required to collect and process a certain number of Personal Data, and in particular:

   

  Personal information (surname, first name, gender, postal address, email address, telephone number, date of birth, age, date of registration and un-subscription to the client account and to the newsletter of the Data Controller, messages exchanged with the Data Controller, telephone conversations with the Data Controller);

   

  Bank information (means of payment, credit card number);

   

  Information about orders (product ordered, delivery address, delivery tracking number, order price, purchase history);

   

  Technical information (browsing behavior on the Site, IP address, products added to the shopping cart, collection of consent).

   

• Article 6. Context of the Processing
  The Personal Data may be collected and processed by the Data Controller on various occasions, including:

   

  • Purchase of Products on the Site;
  • Contact with the Data Controller;
  • Subscription to the newsletter;
  • Creation of a client account;
  • Navigation on the Site.

   

• Article 7. Processing Details

  Purpose of the Processing	Data concerned	Legal basis of the Processing	Data Retention Period
  Management of Product purchases, deliveries, invoicing and accounting standards	First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, date of registration and un-subscription, payment method, credit card number	Contract, legal obligation and legitimate interest of the Data Controller to establish, exercise and defend his rights in legal proceedings	10 years from the purchase of the Product EXCEPT 15 months from the purchase of the product for the bank data (immediately for the visual cryptogram)
  Creation and management of client accounts	First name, last name, email address, postal address, telephone number, date of creation of the customer account, collection of consent	Consent of the Data Subject	3 years from the last connection of the Data Subject to his/her client account
  Commercial relationship management	First name, last name, email address, postal address, telephone number, date of creation and deletion of the customer account, purchase history, shopping cart	Legitimate interest of the Data Controller in managing the customer relationship	3 years from the last contact by the Data Subject
  Commercial marketing	First name, last name, email address, shopping carts, postal address, telephone number, purchase history, collection of consent	Consent of the Data Subject or legitimate interest of the Data Controller to promote the Products	3 years from the last contact by the Data Subject
  Newsletter management	Email address	Consent of the Data Subject	3 years from the last contact by the Data Subject
  Securing and improving the Site	IP address, Navigation data	Legitimate interest of the Data Controller in improving the Site and managing the Site, securing and administrating the Site, preventing fraud and malicious acts.	13 months
  Claims and client service management	First name, last name, email address, postal address, telephone number, purchase history, exchanges, IP address, consent collection	Consent of the Data Subject and legitimate interest of the Data Controller to improve its Products and client service.	3 years from the last contact by the Data Subject
  Site Statistics and Customized Advertising	IP address, navigational data, collection of consent	Consent of the Data Subject	13 months

   

  The Data Controller reserves the right to anonymize the Personal Data processed before deleting it.

   

  Anonymized data may then be processed for statistical purposes.
• Article 8. Data Recipients
  As a matter of principle, the Controller is the sole Recipient of the Personal Data.

   

  However, the Data Controller may transfer the Data to Recipients, in particular in the context of the management of Product purchases by the Data Subject, and/or to any public authority that may request it, in particular in the context of a fact-finding mission.

   

  The following Recipients may process your data, as Subcontractors, on behalf of the Data Controller:

   

  The following Recipients may process your Personal Data, as Processor, on behalf of the Data Controller:

   

  • OMETRIA
  • MENTION ME
  • CAPTAIN WALLET
  • SPLIO
  • SALESFORCE
  • SALESCYCLE
  • CALENDLY
  • CEGID
  • ZENDESK
  • TRUEFIT

  This list of the Data Controller's Processors is subject to change at any time.

   

  The Data Controller undertakes to require its Processors to provide sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the Processing complies with legal and regulatory requirements and guarantees the protection of the Data Subject's rights, in particular in the event of transfer of the Personal Data outside the outside the European Economic Area and Switzerland.

   

  In addition, the Data Controller may share the Personal Data subject with any Recipient or Third Party for Processing when a legal obligation to do so is in force or when the Data Controller considers in good faith that this is necessary in order to:

   

  Respond to any claim against him;

   

  Comply with the requirements of the judiciary and/or administrative order and/or the Supervisory Authority;

   

  • Enforce any contract to which the Data Subject is a party;
  • Safeguard the vital interests of any individual;
  • The performance of a public interest mission.

   

  In the event of the purchase of the Data Controller by a Third Party, the Data Controller reserves the right to share the Personal Data with the Third Party purchaser, subject to compliance with this Privacy Policy by such Third Party.

   

• Article 9. Rights of the Data Subject
  The Data Controller has designated a DPO to the French Supervisory Authority (CNIL), which is the lead authority for the Data Controller, whose contact details are:

  CABINET BOUCHARA – AVOCATS

  17 rue du Colisée – 75008 PARIS - FRANCE

  The Data Subject has a number of rights over the Personal Data that he or she can exercise, unless there is an applicable legal exception, by submitting a request to the DPO at the following email address:

  dpo@ba-sh.com

  If needed, the DPO will assist the Data Subject in the exercise of his or her rights before the Data Controller.

   

  In case of reasonable doubt regarding the identity of the Data Subject exercising his or her rights over the Personal Data, the DPO may request a copy of an official identity document in support of the request.

   

  Requests will be processed as soon as possible and at the latest in accordance with the deadlines set by the Legislation.

   

• Article 9.1. Right of access
  The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning him or her is being processed, and, where that is the case, access to the Personal Data and the following information: The purposes of the Processing;

   

  • The categories of Personal Data concerned;
  • The Recipients or categories of Recipient to whom the Personal Data have been or will be disclosed, in particular Recipients in third countries or international organisations;
  • Where possible, the foreseeable period for which the Personal Data will be stored, or, if not possible, the criteria used to determine this period;
  • The existence of the right to request from the Data Controller rectification or deletion of Personal Data or restriction of processing of Personal Data concerning the Data Subject or to object to such processing;
  • The right to lodge a complaint with the Supervisory Authority;
  • Where the Personal Data is not collected from the Data Subject, any available information as to its source;
  • The existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the foreseeable consequences of such Processing for the Data Subject.

   

  The Data Controller shall provide a copy of the Personal Data being processed and reserves the right, in return for providing such a copy, to pay a reasonable fee based on the administrative costs for any additional copy requested by the Data Subject.

   

• Article 9.2. Right of rectification and erasure
  The Data Subject has the right to obtain from the Data Controller the rectification and/or deletion of inaccurate or obsolete Data as quickly as possible, unless otherwise hindered by a situation that prevents the exercise of this right, and in particular:

   

  • The exercise of the freedom of expression and information;
  • Compliance with a legal obligation;
  • Public interest in the area of public health, archives, scientific or historical or statistical research;
  • The establishment, exercise or defence of legal rights.

   

• Article 9.3. Right to object
  The Data Subject has the right to object at any time, for reasons relating to his or her particular situation, to Personal Data Processing based on the performance of a task in the public interest or the necessity of the legitimate interest of the Data Controller.

   

  The Data Controller then undertakes not to further process the Personal Data, unless it can be demonstrated that there are legitimate and compelling reasons for the Processing that prevail over the interests and rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal rights.

   

  In addition, the Data Subject has the right to object at any time to the Personal Data Processing carried out for the purpose of prospecting by the Data Controller, insofar as the Data Subject is linked to such prospecting.

   

  Finally, when Personal Data is processed for scientific or historical research purposes or for statistical purposes, the Data Subject has the right to object, for reasons relating to his or her particular situation, to the processing of the Personal Data, unless the Processing is required for the performance of a public interest task.

   

• Article 9.4. Right to restriction
  The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit this Personal Data to another controller without hindrance from the Data Controller, where:

   

  The Processing is based on the Consent of the Data Subject or on the performance of a contract to which the Data Subject is a party;

   

  The Processing is carried out using automated processes.

   

  The Data Subject, when exercising his or her right to the portability of the Personal Data, has the right to have the Personal Data transmitted directly from the Data Controller to another controller, when this is technically possible.

   

• Article 9.6. Right to file a complaint to the Supervisory Authority
  The Data Subject has the right to file a complaint before the Supervisory Authority if he/she considers that he/she is the subject of unlawful Personal Data Processing by the Data Controller.
• Article 9.7. Right to define guidelines on the future state of the Personal Data
  The Data Subject has the right to define guidelines on the future state of the Personal Data after his death to the Data Controller who will use all his technical means to ensure that this will be respected.
• Article 10. Data Security
  The Data Controller shall take appropriate technical and organisational measures to protect the Personal Data against destruction, loss, alteration, misuse and unauthorised access, modification or disclosure, whether such actions are voluntary or accidental.

   

  These technical and organizational measures are intended to ensure the confidentiality, integrity, availability and resilience of the Site and the IT systems where the Files are stored.

   

  In order to secure the Data Subject’ Browsing, the Site is encrypted SSL (Secure Socket Layer).

   

• Article 11. Amendment to the Privacy Policy
  The Data Controller reserves the right to amend this Privacy Policy from time to time, in particular the list of Recipients set out in Article 8.

   

  In the event of a material change to this Privacy Policy, the Data Subject will be informed personally of the new Privacy Policy.

   

  The Data Subject is advised to consult this Privacy Policy regularly to be aware of any changes to it.

   

  The Data Subject may send questions about this Privacy Policy to the Data Controller at the following address: dpo@ba-sh.com.

   

• Article 12. Invalidity of the Privacy Policy
  If any provision of this Privacy Policy shall be deemed invalid under any applicable law or court decision that has been made final, it shall be deemed unwritten, without invalidating the entire Privacy Policy or altering the validity of any other provisions of this Privacy Policy.

• Article 13. Cookie management

  When browsing the Site, the Data Subject is required to consent or oppose the the installation of Cookies on their computer terminal.

  We inform you that third parties, such as Google, may also collect data from our Site via cookies, third-party modules and widgets. These third parties collect data directly from your browser and the processing of this data is subject to their own personal data protection charters. We use cookies and tags to track how our Site is used, understand your preferences (such as country and language), provide services and improve your online experience. We also use cookies and tags to obtain general information about Site traffic and your interactions, to identify trends and obtain statistics, and to improve our Site.

  Three categories of cookies are generally used on our Site:

  - Functional cookies: These cookies are required for the basic functionality of the Site and are therefore always active. This includes cookies that enable you to be recognised when you visit our Site during the same session or, if you wish, from one session to the next. They enable us to set up your shopping basket and the payment procedure, while guaranteeing the security of exchanges and compliance with regulations.

  - performance cookies: These cookies enable us to improve the functionality of our Site by tracking usage. In some cases, these cookies enable us to improve the speed with which we process your request, and to remember the preferences you have selected. Rejecting these cookies may result in less relevant recommendations and a slowdown in the performance of the Site.

  - Social network and advertising cookies: Social network cookies enable you to connect to your social networks and share content from our Site on social networks. Advertising cookies (from third parties) collect information to enable us to better tailor advertising to your areas of interest, both on and off our Site. In some cases, these cookies require personal data to be processed. Rejecting these cookies may result in the display of advertisements that are not adapted to your interests or prevent you from effectively connecting to Facebook, Twitter or other social networks and/or prevent you from sharing content on social networks.

  In general, Cookies record information relating to the navigation of computers on the Site (the pages consulted, the date and time of the consultation, etc.), information that can be read during the subsequent visits of the Data Subject to the Site with transmission of the Data to the Data Controller. The installation of these non-functional Cookies requires the consent of the Data Subject.

  Some Cookies are essential for the proper functioning of the Site and do not require the consent of the person concerned before they are installed, in which case they are referred to as functional Cookies.

  In accordance with Article 7.of this Privacy Policy, non-functional Cookies are automatically deleted within six (6) months from their installation if the Data Subject does not renew his/her consent before the expiry of this period.

  The Data Subject may refuse to give his/her consent to the installation of non-functional Cookies, withdraw his/her consent and/or configure the Cookies at any time by using the Data Controller's Cookie Manager or by configuring his/her browser as follows:

  For Mozilla Firefox:

• Choose the "tool" menu then "Options"
• Click on the "privacy" icon 12
• Locate the "cookie" menu and select the options that suit you

• For Opera 6.0 and beyond:

• Choose the "File" menu>"Preferences" 
• Privacy

• For Netscape 6.X and 7. X :

• Choose the "Edit" menu>"Preferences"
• Privacy & Security
• Cookies

• For Microsoft Internet Explorer 5:

• Choose the "Tools" menu, then "Internet Options".
• Click on the "Privacy" tab
• Customize the level" using the slider

• For Microsoft Internet Explorer 6.0:

• Choose the "Tools" menu, then "Internet Options".
• Click on the "Privacy" tab
• Select the desired level using the slider.