PRIVACY POLICY BA&SH |
PREAMBLE
Article 1. Parties to this Act
Between the undersigned:
1° The simplified joint stock company BA&SH, with a capital of €1,044,180.00, registered with the Paris Trade and Companies Register under number 449 158 898, whose registered office is located at 67 Avenue Raymond Poincaré 75016 Paris, France, and with a VAT number FR42449158898.
Hereinafter referred to as the " Data Controller ", On the one hand,
And
2° Any natural person Browsing the Data Controller's website; Hereinafter referred to as the " Data Subject ",
Moreover
It was set out and agreed as follows:
Article 2. Object
This Privacy Policy applies, without restriction or reservation, between the Data Subject and the Data Controller.
Its purpose is to provide information concerning the way in which the Data Controller collects and processes certain personal data relating to the Data Subject, in accordance with the legislation in force and in particular European Regulation No. 2016/679 and Law No. 78-17 (hereinafter referred to as the "Legislation"), in relation to the use of the www.ba-sh.com website (hereinafter referred to as the "Site").") by the Data Subject.
This Privacy Policy is an integral part of the Data Controller's General Terms and Conditions of Sale.
Article 3. Definitions
- Supervisory authority means the Commission nationale de l'informatique et des libertés (CNIL), French independent public authority for data protection regulation;
- Consent means any freely given, specific, informed and unambiguous expression of will by which the Data Subject accepts, by a statement or by a clear affirmative act, that Data concerning him or her may be Processed by the Data Controller.
- Cookie refers to a file that makes it possible to trace the Data Subject's path on the Site.
- Recipient means any natural or legal person, public authority, agency or other body that receives the Data, whether or not it is a Third Party. However, public authorities that are likely to receive the Data, in particular in the context of a fact-finding mission, are not considered to be Recipients within the meaning of this definition.
- Data means any information relating to the Data Subject.
- DPO refers to the Data Protection Officer of the Data Controller, namely the Bouchara - Avocats Law Firm (17 rue du Colisée – 75008 Paris), in charge of assisting the Data Subject in the exercise of his or her rights over his or her Data with the Data Controller.
- File means any structured set of Data accessible according to specific criteria, whether this set is centralized, decentralized, or distributed functionally or geographically.
- Legislation means any law and regulation relating to Data Protection, and in particular European Regulation No. 2016/679 and Law No. 78-17.
- Navigation refers to the consultation, acquiescence, ordering and/or purchase of Products on the Site by the Data Subject.
- Data subject means any natural person who browses the Site, as long as he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his or her physical, physiological, genetic, psychological or economic identity, cultural or social.
- Products refers to the products offered for sale on the Site by the Data Controller to the Data Subject. -
- Pseudonymisation means the processing of Data in such a way that it can no longer be attributed to the Data Subject without the need for additional information.
- Data Controller means the simplified joint-stock company BA&SH, with a capital of €1,000,000, registered with the Paris Trade and Companies Register under number 449 158 898, whose registered office is located at 67 Avenue Raymond Poincaré 75016 Paris, France, and having a VAT number FR42449158898, which alone or jointly with others, determines the purposes and means of the Processing.
- Site refers to the infrastructure developed by the Data Controller according to the computer formats usable on the Internet including data of various kinds, and in particular texts, sounds, still or moving images, videos, databases, intended for 4 be consulted by the Data Subject to know, book, order and/or purchase Products (www.ba-sh.com).
- Processor means any natural or legal person, public authority, agency or body other than the Controller who processes the Data on behalf of the Controller.
- Third Party means any natural or legal person, public authority, agency or body other than the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorised to process the Data.
- Processing means any operation or set of operations which is performed or not by automated means and applied to the Data or to the sets of Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, restriction, erasure or destruction.
CONVENTION
Article 4. Principles of Processing
In accordance with the Legislation, the Data Controller undertakes to comply with the principles for each Treatment:
- Legality
- Loyalty
- Transparence
- Purpose Limitation
- Data minimization
- Accuracy
- Limiting Retention
- Integrity
- Confidentiality
- Responsibility.
Article 5. Processed data
In the context of Navigation, the Data Controller is required to collect and process a certain amount of Data, and in particular:
- Personal information (surname, first name, gender, postal address, email address, telephone number, date of birth, age, date of registration and unsubscription to the Customer Account and to the Controller's newsletter, messages exchanged with the Data Controller, telephone conversations with the Data Controller's customer service);
- Banking information (means of payment, credit card number);
- Information about your order (product ordered, delivery address, delivery tracking number, order price, purchase history);
- Technical information (browsing behaviour on the Site, IP address, products added to the shopping cart, collection of consent).
Article 6. Context of the Treatment
Data may be collected and processed by the Data Controller on various occasions, including:
- Purchase of Products on the Site;
- Contact with the Data Controller;
- Newsletter subscription;
- Creation of a customer account;
- Navigation on the Site.
Article 7. Detail of the Treatment
Purpose of the Treatment | Data concerned | Legal Basis for Processing | Retention period Data |
Management of Product Purchasing, Deliveries, Invoicing and Accounting Standards | First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, date Opt-in and opt-out, payment method, credit card number | Contract, legal obligation and legitimate interest of the Data Controller to establish, exercise and defend its rights in court | 10 years from the purchase of the Product EXCEPT 15 months from the date of purchase of the product for bank details (immediately for the security code) |
Product Reservation Management | First name, last name, email address, telephone number | Contract | Duration of the contractual relationship |
Creation and management of customer accounts | First name, last name, email address, postal address, telephone number, date of creation of the customer account, date of deletion of the customer account, collection of consent | Consent of the Data Subject | 3 years from the last connection of the Data Subject to his/her customer account |
Business Relationship Management | First name, last name, email address, postal address, telephone number, purchase history, shopping cart, date of creation of the customer account, date of deletion of the customer account, collection of consent | Legitimate interest of the Data Controller in managing the customer relationship | 3 years from the last contact made by the Data Subject |
Sales prospecting (e.g. useful information, product tips, cart abandonment reminders, personalized offers) | First name, last name, email address, shopping carts, postal address, telephone number, purchase history, collection of consent | Data Subject's consent or Data Controller's legitimate interest in promoting its Products | 3 years from the last contact made by the Data Subject |
Newsletter management | Email address | Consent of the Data Subject | 3 years from the last contact made by the Data Subject |
Securing and improving the Site | IP address, Browsing data | Legitimate interest of the Data Controller to improve the Site and manage the Site, secure and administer the Site, prevent fraud and malicious acts. | 13 months |
Complaints & Customer Service Management | First name, last name, email address, postal address, telephone number, purchase history, exchanges, IP address, collection of consent | Data Subject's consent and Controller's legitimate interest in improve its Products and customer service. | improve its Products and customer service. |
Site Statistics and Personalized Advertising | IP address, Browsing data, collection of consent | Consent of the Data Subject | 13 months |
The Data Controller reserves the right to anonymize the Data that is the subject of a Processing before deleting them.
The anonymized data may then be subject to Processing for statistical purposes.
Article 8. Recipients of the Data
As a matter of principle, the Data Controller is the sole Recipient of the Data.
However, the Data Controller may be required to transfer the Data to Recipients, in particular in the context of the management of Product purchases by the Data Subject, and/or to any public authority that requests it, in particular in the context of an investigation mission.
The following Recipients may process your data, as Data Processors, on behalf of the Data Controller:
- Ometria
- Mention Me
- Captain Wallet
- Splio • Salesforce
- Salescycle
- Calendly
- Cegid
- Zendesk
- True Fit
- Klarna
- Oney
- Salesfloor
- Afterpay
- Faume
This list of the Data Controller's Data Processors is subject to change at any time.
The Data Controller undertakes to require its Data Processors to provide sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the Processing meets legal and regulatory requirements and guarantees the protection of the rights of the Data Subject, in particular in the event of transfer of Data outside the European Union.
In addition, the Data Controller may communicate to any Recipient or Third Party the Data that is the subject of Processing when a legal obligation to do so exists or when the Data Controller considers in good faith that it is necessary to:
- Respond to any claims against it;
- Comply with the requirements of the judicial and/or administrative order and/or the the Supervisory Authority;
- Enforce any contract to which the Data Subject is a party;
- To safeguard the vital interests of any natural person;
- The performance of a mission in the public interest.
In the event of a purchase from the Controller by a Third Party, the Controller reserves the right to share the Data with the Third-Party purchaser subject to such Third-Party Third-Party compliance with this Privacy Policy.
Article 9. Data Subject's Rights
The Data Controller has appointed a DPO to the Supervisory Authority with the following contact information:
Cabinet Bouchara – Avocats
17 rue du Colisée – 75008 Paris
The Data Subject has a certain number of rights over the Data that he or she may assert, unless there is an applicable legislative or regulatory exception, by making a request to the Data Controller or the DPO at the following address:
As necessary, the DPO will assist the Data Subject in exercising his/her rights over the Data Subject. the Data to the Data Controller.
In the event of reasonable doubt as to the identity of the Data Subject making a request to exercise his/her rights over the Data, the Data Controller and/or the DPO may request to attach a copy of an official identity document in support of the request.
Applications will be processed as soon as possible and at the latest in accordance with the deadlines set by the Legislation.
Article 9.1. Right of access
The Data Subject has the right to obtain confirmation from the Data Controller as to whether or not Data is being processed and, where it is, access to such Data as well as the following information:
- The purposes of the processing;
- Categories of Data;
- The Recipients or categories of Recipients to whom the Data has been or will be communicated, in particular Recipients who are established in third countries or international organizations;
- Where possible, the period for which the Data will be stored or, where this is not possible, the criteria used to determine this period;
- The existence of the right to request from the Data Controller the rectification or erasure of Data, or a restriction of the processing of Data, or the right to object to such processing;
- The right to lodge a complaint with a supervisory authority; • Where the Data is not collected from the Data Subject, any available information as to its source;
- The existence of automated decision-making, including profiling, and, at least in such cases, meaningful information about the underlying logic, as well as the significance and intended consequences of such processing for the Data Subject.
The Data Controller shall provide a copy of the Data subject to Processing and reserves the right, in return for the provision of such copy, to pay a reasonable fee based on administrative costs for any additional copies requested by the Data Subject.
Article 9.2. Right to erasure and rectification
The Data Subject has the right to obtain from the Data Controller the rectification and/or deletion of inaccurate or obsolete Data as soon as possible, unless otherwise prevented from exercising this right, and in particular:
- Exercising the right to freedom of expression and information;
- Compliance with a legal obligation;
- The public interest in the field of public health, archives, scientific research or historical or statistical;
- The establishment, exercise or defence of legal claims.
Article 9.3. Right to object
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to Data Processing based on the performance of a task carried out in the public interest or the need for the legitimate interest of the Data Controller.
The Data Controller then undertakes to no longer process the Data, unless it demonstrates that there are legitimate and compelling grounds for the Processing that prevail over the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims.
In addition, the Data Subject has the right to object at any time to the Data Processing carried out for direct marketing purposes by the Data Controller, insofar as the Data Subject is linked to such direct marketing.
Finally, when Data is processed for scientific or historical research purposes or for statistical purposes, the Data Subject has the right to object, for reasons relating to his or her particular situation, to the processing of the Data, unless the Processing is necessary for the performance of a task carried out in the public interest.
Article 9.4. Right to Limitation
The Data Subject shall have the right to obtain from the Data Controller the restriction of the Processing of Data when: • The accuracy of the Personal Data is contested by the Data Subject, for a period allowing the Data Controller to verify the accuracy of the Data;
- The processing is unlawful and the Data Subject opposes their erasure and instead requests the restriction of their use;
- The Data Controller no longer needs the Data for the purposes of the Processing, but the Data Subject is still necessary for the establishment, exercise or defence of legal claims;
- The Data Subject has objected to the Processing in accordance with Article 9.3, during the verification of whether the legitimate grounds pursued by the Data Controller prevail over those of the Data Subject.
The Data Subject who has obtained the restriction of Data Processing shall be informed by the Data Controller before the restriction of processing is lifted.
Article 9.5. Right to Data portability
The Data Subject shall have the right to receive the Data provided by he/she to the Data Controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another Data Controller without hindrance from the Data Controller, where:
- The Processing is based on the Data Subject's Consent or on the execution of a contract to which the Data Subject is a party;
- The Processing is carried out using automated processes.
The Data Subject, when exercising his or her right to data portability, has the right to obtain that the Data be transmitted directly from the Data Controller to another Data Controller, where technically feasible.
Article 9.6. Right to lodge a complaint with the Supervisory Authority
The Data Subject has the right to lodge a complaint with the Supervisory Authority if he/she considers itself to be subject to unlawful Data Processing by the Data Controller.
Article 9.7. Right to set guidelines on the fate of the Data
The Data Subject has the right to define directives on the fate of the Data after his or her death with the Data Controller, who will use all its technical means to ensure that this wishes are respected.
Article 10. Data Security
The Data Controller shall take appropriate technical and organisational measures to protect the Data against destruction, loss, alteration, misuse and unauthorised access, modification or disclosure, whether such actions are voluntary or accidental.
The purpose of these technical and organizational measures is to ensure the confidentiality, integrity, availability and resilience of the Site and the information systems where the Files are stored.
In order to secure the Person's Browsing, the Site is SSL (Secure Socket Layer) encrypted.
Article 11. Changes to the Privacy Policy
The Data Controller reserves the right to modify this Privacy Policy from time to time, in particular the list of Recipients set out in Article 8.
In the event of a substantial change to this Privacy Policy, the Data Subject will be personally informed of the new Privacy Policy.
The Data Subject is invited to regularly consult this Privacy Policy to be aware of any changes to it.
The Data Subject may send questions about this Privacy Policy to dpo@ba-sh.com.
Article 12. Nullity of the Privacy Policy
If any of the stipulations of this Privacy Policy prove to be null and void with regard to a rule of law in force or a court decision that has become final, it will be deemed unwritten, without however entailing the nullity of the entire Privacy Policy or altering the validity of its other provisions.
Article 13. Cookie management
When browsing the Site, the Data Subject is required to consent or oppose the the installation of Cookies on their computer terminal.
In general, Cookies record information relating to the navigation of computers on the Site (the pages consulted, the date and time of the consultation, etc.), information that can be read during the subsequent visits of the Data Subject to the Site with transmission of the Data to the Data Controller. The installation of these non-functional Cookies requires the consent of the Data Subject.
Some Cookies are essential for the proper functioning of the Site and do not require the consent of the person concerned before they are installed, in which case they are referred to as functional Cookies.
In accordance with Article 7.of this Privacy Policy, non-functional Cookies are automatically deleted within six (6) months from their installation if the Data Subject does not renew his/her consent before the expiry of this period.
The Data Subject may refuse to give his/her consent to the installation of non-functional Cookies, withdraw his/her consent and/or configure the Cookies at any time by using the Data Controller's Cookie Manager or by configuring his/her browser as follows:
For Mozilla Firefox:
- Choose the "tool" menu then "Options"
- Click on the "privacy" icon 12
- Locate the "cookie" menu and select the options that suit you
For Microsoft Internet Explorer 6.0:
- Choose the "Tools" menu, then "Internet Options".
- Click on the "Privacy" tab
- Select the desired level using the slider.
For Microsoft Internet Explorer 5:
- Choose the "Tools" menu, then "Internet Options".
- Click on the "Privacy" tab
- Customize the level" using the slider
For Netscape 6.X and 7. X :
- Choose the "Edit" menu>"Preferences"
- Privacy & Security
- Cookies
For Opera 6.0 and beyond:
- Choose the "File" menu>"Preferences"
- Privacy