PRIVACY POLICY

 

TITLE 1. PARTIES TO THIS ACT

 

Between the undersigned: 

 

  1. The company BA&SH, French SAS with a capital of €1 000 000, registered in the Paris Trade and Companies Registry under number 449 158 898, whose registered office is located at 67 Avenue Raymond Poincaré 75016 Paris, France, and having the VAT number FR42449158898. 

    Hereinafter referred to as the "Data Controller",


    On the one hand,

    And, 

  2. Any individual

    Browsing the website of the Data Controller;

    Hereinafter referred to as the "Data Subject",

    On the other hand,

    The following has been started and agreed:

 

TITLE 2. PRESENTATION

 

This Privacy Policy applies, without restriction or reservation, between the Data Subject and the Data Controller.

The purpose of this notice is to provide information on the manner in which the Data Controller collects and processes certain personal data relating to the Data Subject, in accordance with the legislation in force and in particular European Regulation No. 2016/679 and Law No.78-17 (hereinafter referred to as the "Legislation"), in relation to the use of the website www.ba-sh.com (hereinafter referred to as the "Site") by the Data Subject.

This Privacy Policy is an integral part of the Data Controller’s General Terms and Conditions of Sale.

 

 

TITLE 3. UNDERSTANDINGS

 

Article 1. Definitions

 

  • Supervisory Authority means the Commission Nationale de l'informatique et des Libertés (CNIL), the French Independent public authority regulating data protectios; 

 

  • Consent means any free, specific, informed and unambiguous expression of will by which the Data Subject accepts, by a declaration or by a clear positive act, that Data relating to him or her may be processed by the Data Controller.

 

  • Cookie means a file that enables the Data Subject's path on the Site to be traced.

 

  • Recipient means any natural or legal person, public authority, service or other body that receives communication of the Data, whether or not it is a Third Party. However, public authorities that are likely to receive communication of the Data, in particular in the context of an investigation mission, are not considered as Recipients within the meaning of this definition.

 

  • Data means any information relating to the Data Subject.

 

  • DPO refers to the Data Protection Officer of the Data Controller, i.e. Cabinet Bouchara - Avocats (17 rue du Colisée - 75008 Paris), in charge of assisting the Data Subject in exercising his or her rights regarding his or her Data with the Data Controller.

 

  • File means any structured set of Data accessible according to determined criteria, whether this set is centralised, decentralised or distributed in a functional or geographical manner.

 

  • Legislation means all laws and regulations relating to data protection, and in particular the European Regulation n°2016/679 and Law n°78-17.

 

  • Browsing means the consultation, review, order and/or purchase of Products on the Site by the Data Subject.

 

  • Data Subject means any individual who browses the Site, provided that he or she can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his or her physical, physiological, genetic, psychological, economic, cultural or social identity.

 

  • Products means the products offered for sale on the Site by the Data Controller to the Data Subject. 

 

  • Pseudonymisation means the processing of Data in such a way that it can no longer be attributed to the Data Subject without the need for additional information.

 

  • Data Controller means the company BA&SH, French SAS, with a capital of €1,000,000, registered in the Paris Trade and Companies Register under number 449 158 898, whose registered office is located at 67 Avenue Raymond Poincaré 75016 Paris, France, and whose VAT number is FR42449158898, which alone or jointly with others, determines the purposes and means of the Processing.

 

  • Site means the infrastructure developed by the Data Controller in accordance with the computer formats usable on the Internet, comprising data of various kinds, in particular text, sound, still or animated images, videos and databases, intended to be consulted by the Data Subject in order to find out about, reserve, order and/or purchase Products (www.ba-sh.com)

 

  • Processor means any natural or legal person, public authority, department or body other than the Data Controller who processes Data on behalf of the Data Controller.

 

  • Third Party means any natural or legal person, public authority, department or other body other than the Data Controller, the Processor and those persons who, under the direct authority of the Data Controller or the Processor, are authorised to process the Data, and in particular tour operators, travel agencies and reservation systems.

 

  • Processing means any operation or set of operations, whether or not carried out by automated means, applied to the Data or sets of Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

 

AGREEMENT

 

Article 2. Treatment principles

 

In accordance with the Legislation, the Data Controller undertakes to respect the following principles for each Processing operation:

  • Legality ;
  • Loyalty ;
  • Transparency ;
  • Purpose limitation ;
  • Data Minimization ;
  • Accuracy ;
  • Limiting conservation ;
  • Integrity ;
  • Confidentiality ;
  • Responsibility.

 

Article 3. Data processed

 

In the context of Browsing, the Data Controller collects and processes a number of Data, including:

 

  • Personal information (surname, first name, gender, postal address, email address, telephone number, date of birth, age, date of registration and unsubscription to the Data Controller's customer account and newsletter, messages exchanged with the Data Controller, telephone conversations with the Data Controller's customer service);
  • Banking information (payment method, credit card number);
  • Information about your order (product ordered, delivery address, delivery tracking number, order price, purchase history);
  • Technical information (browsing behaviour on the Site, IP address, products added to the shopping cart, collection of consent).

 

Article 4. Processing Context

 

Data may be collected and processed by the Data Controller on various occasions, including:

 

  • Purchase of Products on the Site;
  • Contact with the Data Controller ;
  • Subscribe to the newsletter ;
  • Creating a customer account ;
  • Browsing the Site.

 

Article 5. Treatment details

Purpose of the Processing

Data concerned

Legal basis of the processing

Duration of Data Retention

Management of product purchases, deliveries, invoicing and accounting standards

First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, date of registration and deregistration, payment method, credit card number

 

Contract, legal obligation and legitimate interest of the Data Controller to establish, exercise and defend his legal rights

 

10 years from the purchase of the Product

EXCEPT

15 months from the purchase of the product for the banking data (immediately for the visual cryptogram)

 

Creation and management of customer accounts

First name, last name, email address, postal address, telephone number, date of creation of customer account, date of deletion of customer account, collection of consent

 

Consent of the Data Subject

3 years from the last time the Data Subject logs on to his/her customer account

 

Commercial relationship management

First name, last name, email address, postal address, telephone number, purchase history, shopping cart, date customer account created, date customer account deleted, consent obtained

 

Legitimate interest of the Data Controller in managing the customer relationship

3 years from the last contact by the Data Subject

Commercial prospecting (e.g. useful information, product advice, shopping cart abandonment reminders, personalised offers)

 

First name, last name, email address, shopping carts, postal address, phone number, purchase history, consent collection

Consent of the Data Subject or legitimate interest of the Data Controller to promote its Products

 

3 years from the last contact by the Data Subject

 

Newsletter management

 

 

 

Email address

Consent of the Data Subject

3 years from the last contact by the Data Subject

 

Securing and improving the Site

IP address, Browsing data

Legitimate interest of the Data Controller to improve the Site and to manage the Site, to secure and administer the Site, to prevent fraud and malicious acts.

 

13 months

Complaints and customer service management

First name, last name, email address, postal address, telephone number, purchase history, exchanges, IP address, consent collection

 

Consent of the Data Subject and legitimate interest of the Data Controller to improve its Products and customer service.

 

3 years from the last contact by the Data Subject

Site statistics and personalised advertising

 

IP address, Browsing data, Collection of consent

Consent of the Data Subject

6 months

 

The Data Controller reserves the right to anonymise the Data being Processed before deleting it.

 

The anonymised Data may then be processed for statistical purposes.

 

Article 6. Data Recipients 

 

As a matter of principle, the Data Controller is the sole Recipient of the Data.

 

However, the Data Controller may transfer the Data to Recipients, in particular in the context of the management of purchases of Products by the Data Subject, and/or to any public authority that may request it, in particular in the context of an investigation mission.

 

The following recipients may process your Data as subcontractors on behalf of the Data Controller:

 

  • Ometria
  • Mention Me
  • Captain Wallet
  • Splio
  • Salesforce
  • Salescycle
  • Calendly
  • Cegid
  • Zendesk
  • True Fit
  • Klarna
  • Oney
  • Salesfloor
  • Afterpay

 

This list of the Data Controller's subcontractors may change at any time.

The Data Controller undertakes to require from its Processors sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the Processing meets the legal and regulatory requirements and guarantees the protection of the rights of the Data Subject, in particular in the event of transfer of the Data outside the European Economic Area and Switzerland.

In addition, the Data Controller may disclose to any Recipient or Third Party the Data being Processed where a legal obligation to do so exists or where the Data Controller considers in good faith that this is necessary to:

  • Respond to any claims against it;
  • Comply with the requirements of the judiciary and/or the administrative order and/or the Supervisory Authority;
  • To enforce any contract to which the Data Subject is a party;
  • Safeguarding the vital interests of all natural persons;
  • The performance of a public interest task.

In the event that the Data Processor is purchased by a Third Party, the Data Processor reserves the right to share the Data with the purchasing Third Party subject to the Third Party's compliance with this Privacy Policy.

 

Article 7. Data Subject's tights to the Data

 

The Data Subject has a number of rights in relation to the Data which he or she may exercise, except in the case of applicable legislative or regulatory exceptions, by making a request to the Data Controller or the DPO at the following address:

 

CABINET BOUCHARA – AVOCATS

17 rue du Colisée – 75008 PARIS - FRANCE

 

The Data Subject has a number of rights in relation to the Data which he or she may exercise, except in the case of applicable legislative or regulatory exceptions, by making a request to the Data Controller or the DPO at the following address:

 

dpo@ba-sh.com

 

Where necessary, the DPO will assist the Data Subject in exercising his or her rights with respect to the Data Controller.

 

In case of reasonable doubt as to the identity of the Data Subject making a request to exercise his/her rights with respect to the Data, the Data Controller and/or the DPO may ask to attach a copy of an official identity document in support of the request.

 

Applications will be processed as soon as possible and at the latest within the time limits set by the Law.

 

Article 7.1. Right of access

 

The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not Data are being processed and, where they are, access to such Data and the following information:

  • The purposes of the processing ;
  • The categories of Data ;
  • The Recipients or categories of Recipients to whom the Data have been or will be communicated, in particular Recipients who are established in third countries or international organisations;    
  • Where possible, the length of time the Data will be retained or, where this is not possible, the criteria used to determine this length of time;
  • The existence of the right to request from the Data Controller the rectification or erasure of Data, or a restriction on the processing of Data, or the right to object to such processing;
  • The right to lodge a complaint with a supervisory authority;
  • Where Data is not collected from the Data Subject, any available information as to its source ;
  • The existence of automated decision-making, including profiling, and, at least in such cases, relevant information about the underlying logic and the significance and intended consequences of such processing for the Data Subject.

 

The Data Controller shall provide a copy of the Data being Processed and reserves the right, in consideration of the provision of such copy, to pay a reasonable fee based on administrative costs for any additional copies requested by the Data Subject.

 

Article 7.2. Right of deletion and rectification

 

The Data Subject has the right to obtain from the Data Controller the rectification and/or erasure of inaccurate or outdated Data as soon as possible, unless the contrary situation prevents the exercise of this right, and in particular:

 

  • The exercise of the right to freedom of expression and information ;
  • Compliance with a legal obligation ;
  • Public interest in the field of public health, archives, scientific or historical research or statistics;
  • The establishment, exercise or defence of legal rights.

 

Article 7.3. Right to object

 

The Data Subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the Processing of Data based on the performance of a task carried out in the public interest or the need to meet the legitimate interest of the Data Controller.

 

The Data Controller undertakes not to process the Data any further unless he can demonstrate compelling legitimate grounds for the Processing which override the interests and rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims.

 

Furthermore, the Data Subject has the right to object at any time to the Processing of Data carried out for the purpose of canvassing by the Data Controller, insofar as the Data Subject is linked to such canvassing.

 

Finally, where Data are processed for scientific or historical research or statistical purposes, the Data Subject has the right to object, on grounds relating to his or her particular situation, to the processing of the Data, unless the Processing is necessary for the performance of a task carried out in the public interest.

 

Article 7.4. Right to limitation

 

The Data Subject has the right to obtain from the Data Controller the restriction of the Processing of the Data where:

  • The accuracy of the Personal Data is challenged by the Data Subject, for a period of time allowing the Data Controller to verify the accuracy of the Data;
  • The processing is unlawful and the Data Subject objects to their erasure and demands instead that their use be restricted;
  • The Data Controller no longer needs the Data for the purposes of the Processing, but they are still necessary for the Data Subject to establish, exercise or defend legal claims;
  • The Data Subject has objected to the Processing in accordance with Article 9.3 during the verification as to whether the legitimate grounds pursued by the Data Controller prevail over those of the Data Subject.

The Data Subject who has obtained the restriction of the Data Processing shall be informed by the Data Controller before the restriction of the processing is lifted.

 

Article 7.5. Right to data portability

 

The Data Subject shall have the right to receive the Data he or she has provided to the Data Controller in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another controller without the Data Controller's interference, where:

 

  • The Processing is based on the Consent of the Data Subject or on the performance of a contract to which the Data Subject is party;
  • The Processing is carried out using automated processes.

 

The Data Subject, when exercising his or her right to Data portability, has the right to have the Data transmitted directly from the Data Controller to another controller, where technically possible.

 

Article 7.6. Right to lodge a complaint with the supervisory authority

 

The Data Subject has the right to lodge a complaint with the Supervisory Authority if he/she considers that he/she has been subject to unlawful Processing of Data by the Data Controller.

 

Article 7.7. Right to define guidelines on the fate of the Data

 

The Data Subject has the right to define directives on the fate of the Data after his/her death with the Data Controller who will use all technical means to ensure that this wish is respected.

 

Article 8. Data Security

 

The Data Controller shall take appropriate technical and organisational measures to protect the Data against destruction, loss, alteration, misuse and unauthorised access, modification or disclosure, whether such actions are intentional or accidental.

 

The purpose of these technical and organisational measures is to ensure the confidentiality, integrity, availability and resilience of the Site and the information systems where the Files are stored.

 

In order to secure the Person's browsing, the Site is SSL (Secure Socket Layer) encrypted.

 

Article 9. Changes to the Privacy Policy

 

The Data Controller reserves the right to modify this Privacy Policy from time to time, in particular the list of Recipients in Article 8.  

 

In the event of a material change to this Privacy Policy, the Data Subject will be informed personally of the new Privacy Policy.

 

The Data Subject is invited to consult this Privacy Policy regularly to take note of any changes to it.

Questions about this Privacy Policy may be sent by the Data Subject to the following address: dpo@ba-sh.com

 

Article 10. Nullity of the Privacy Policy

 

If any provision of this Privacy Policy is found to be invalid by any applicable law or court decision, it shall be deemed to be unwritten, but this shall not invalidate the entire Privacy Policy or affect the validity of the remaining provisions.

 

Article 11. Cookie management

 

When browsing the Site, the Data Subject may consent to or oppose the installation of Cookies on his/her computer terminal.

 

In general, Cookies record information relating to the navigation of computers on the Site (the pages consulted, the date and time of consultation, etc.), information that may be read during the Data Subject's subsequent visits to the Site with transmission of the Data to the Data Controller. The installation of these non-functional Cookies requires the consent of the Data Subject.

 

Some Cookies are essential for the proper functioning of the Site and do not require the consent of the Data Subject before being installed.

 

In accordance with Article 7. of this Privacy Policy, Cookies are automatically deleted within thirteen (13) months of their installation if the Data Subject does not renew his/her consent before the expiry of this period. 

 

The Data Subject may refuse to give his consent to the installation of non-functional Cookies, withdraw his consent and/or set the parameters of the Cookies at any time by using the Cookie Manager of the Data Controller or by configuring his browser as follows:

For Mozilla Firefox :

  • Choose the "Tool" menu and then "Options".
  • Click on the "privacy" icon
  • Locate the "cookie" menu and select the options that suit you

 

For Microsoft Internet Explorer 6.0 :

  • Select the "Tools" menu, then "Internet Options".
  • Click on the "Confidentiality" tab
  • Select the desired level with the cursor.

 

For Microsoft Internet Explorer 5 :

  • Choose the "Tools" menu, then "Internet Options".
  • Click on the "Privacy" tab
  • Customise the level" using the slider

 

For Netscape 6.X and 7. X :

  • Choose the "Edit">"Preferences" menu
  • Privacy and Security
  • Cookies

 

For Opera 6.0 and above :

  • Choose the "File">"Preferences" menu
  • Privacy

 

 

Article 14. Repack service 

 

ba&sh offers to ship orders with help of the returnable and reusable packaging service RePack (a brand from the Finnish company Plan B from Outer Space Ltd.).

This service includes the delivery of the order in reusable packaging Repack.

RePack complies to data protection by a data processing agreement in accordance with EU General Data Protection Regulation (GDPR).

Learn more here.

 

 

Do you have any questions ? 

 

If you would like to provide feedback or if you have any questions or concerns, or if you would like to exercise your rights concerning your personal data, you can contact our data protection officer at the following address : dpo@ba-sh.com