ARTICLE 1 – Definitions of personal data processing

Personal data is defined by Article 4 of the GDPR. It refers to “any information relating to an identified or identifiable natural person”.

A person is considered to be an “identifiable natural person” when they can be “identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific elements that are characteristic of their physical, physiological, genetic, mental, economic, cultural or social identity”.

Processing is also defined by Article 4 of the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

 

ARTICLE 2 – Legal basis justifying the processing of personal data

The Company has the right to collect and process personal data provided by the Client based on the consent given by the Client.

The Client consents to the processing of their personal data by checking the box “I accept the general terms and conditions of sale”, which is a prerequisite to finalize the order and proceed to payment.

The Client is free to also consent to receiving commercial emails from the Company by checking the box “I accept to receive promotional offers from CONTINENTAL DESIGN”.

The commercial emails, also known as “newsletters”, contain information about new Creations available on the website www.collective-y.com as well as occasional promotional offers that the Company may propose.

Furthermore, the Client is also free to consent to receiving commercial emails from partners of the Company by checking the box “I accept to receive promotional offers from partners of CONTINENTAL DESIGN”.

The Client may decide at any time to no longer receive commercial emails from the Company and/or its partners by directly modifying their communication preferences on their customer account on the website www.collective-y.com or by clicking on the link entitled “Unsubscribe” contained in each commercial email.

Finally, the Client is free to consent to the use of cookies, in whole or in part.

Cookies are trackers that analyze the browsing, movements, and consultation or consumption habits of the Internet user to allow the display of targeted advertisements. Some are essential for the use of the website www.collective-y.com, others are optional and the Client is free to consent to their use.

A special window appears for this purpose on the website www.collective-y.com. The Client can then check “Accept All”, “Reject All”, or specifically select independently the cookies they authorize based on their purpose.

 

ARTICLE 3 – Entity responsible for processing personal data

The Company is the entity responsible for the computer processing of personal data. It is responsible for collecting, storing, and securing this data.

The Client may request information, access, rectification, or deletion of their personal data from the Company at any time by email at shop@collective-y.fr.

The Client can also contact the Company by post at the following address: 12 rue de Lota, 75116 Paris, France.

 

ARTICLE 4 – Personal data collected

The Company collects the following personal data provided by the Client:

• Last name
• First name
• Date of birth
• Shipping address
• Billing address
• Email address
• IP address
• Telephone number
• Login credentials

 

The Client’s data is stored in the data storage system and databases of the APR Digital company. The Client’s data is stored on a secure server protected by a firewall.

 

ARTICLE 5 – Purposes of the data processing

The personal data mentioned in the previous article are collected in order to enable online purchase of Creations and the execution of the contract between the Client and the Company.

This data provides the Company with the necessary information to ensure the fulfillment of its obligations, including the management of the customer account on the website www.collective-y.com, the preparation, shipment, and delivery of the Creations ordered by the Client.

The Client will find below the details of how the Company uses each of their personal data:

• The name and first name are used to individualize the order and deliver the Creations to the Client, avoiding any third party from picking it up on their behalf;
• The date of birth is used to send a gift (for example, a discount voucher valid on the website www.collective-y.com) to the Client on that date via email;
• The email address is used to send any necessary communication to the Client regarding their order, including the order confirmation and the preparation, shipment, and delivery stages. If the Client has given their express consent for the sending of commercial emails, the email address is also used for this purpose;
• The postal address provided is used as the delivery location for the order. The delivery address is also used as the billing address, unless the Client has provided a different billing address than the delivery address;
• The IP address allows the Company to gather information about the location of the user of the website www.collective-y.com in order to better target its advertisements;
• The phone number is used to inform the Client about the various stages of the preparation of their order as well as for commercial prospecting purposes;
• The login credentials are used to allow the Company to update information on the status of the Client’s order in their “My Account” area.

 

The Company will also use the collected data for statistical purposes. Personal data will then be anonymized and will not allow identification of an identifiable natural person.

 

ARTICLE 6 – Mandatory or optional nature of the collection of personal data

The Client must provide their name, first name, postal address, phone number, and email address when placing an order. This information is essential to allow the Company to prepare and deliver the order.

The collection of the aforementioned data is therefore mandatory to allow the Client to place an order on the website www.collective-y.com. If the Client does not provide this information, they will not be able to place an order.

However, the Client is not obliged to create an account on the website www.collective-y.com. Login credentials will only be collected if the Client chooses to create an account.

 

ARTICLE 7 – Recipients of Personal Data

The Company receives and accesses the personal data provided by the Client throughout the entire period of their storage. The data controller is the Company itself (cf. Article 3 – Data Controller).

In addition, the Company’s internal services and external service providers to which it has recourse have access to the collected personal data, particularly the transportation company, which requires the Client’s contact details to deliver the ordered Creations.

 

ARTICLE 8 – Storage of Personal Data

The personal data collected by the Company is stored for a strictly necessary period for the purposes for which it was collected, in accordance with applicable legal requirements.

The storage periods may vary from one processing to another, depending on the pursued purpose and the legal basis that may justify these storage periods.

1. Billing and order data is kept for a period of ten (10) years for legal compliance and customer account management purposes;
2. Navigation and analysis data is kept for a period of twelve (12) months for site performance improvement and user behavior analysis purposes;
3. Contact data, including email addresses and phone numbers, are kept as long as the user account is active and for a period of twenty-four (24) months from account deletion for further communication with Clients; and
4. Payment data is kept in accordance with applicable security standards and for a period of two (2) years to enable payment processing and claim management.

 

At the end of the storage period, personal data will be securely erased or anonymized, unless a legal or regulatory obligation requires their further storage.

 

ARTICLE 9 – Client Rights

 

9.1. Right to object

The Client has a right to object to the use of his/her personal data in accordance with Article 21 of the GDPR. The Client may exercise this right at any time by sending an email or letter to the Company.

However, the Company may refuse the Client’s objection request when it does not concern commercial prospecting, for the following reasons:

• There are legitimate and compelling reasons to process the data;
• The data is necessary for the establishment, exercise or defense of legal claims;
• The Client has consented to the use of the data – he/she must then withdraw this consent;
• A contract binds the Client to the Company, such as the CGV;
• A legal obligation requires the Company to process the Client’s data;
• The processing is necessary for the protection of the vital interests of the Client or another natural person.

 

9.2. Right of access

The Client has the right to access his/her personal data at any time in accordance with Article 15 of the GDPR. The Client can access it from his/her “My Account” space on the website www.collective-y.com. The Client may also access his/her personal data by requesting it from the Company by email or letter.

 

9.3. Right to rectification

The Client has the right to rectify his/her personal data himself/herself from his/her “My Account” space or to request rectification from the Company by email or letter, in accordance with Articles 16 and 19 of the GDPR.

 

9.4. Right to erasure

The Client has the right to request the erasure of his/her personal data by sending a simple request to the Company, by email or letter, in accordance with Article 17 of the GDPR.

 

9.5. Complaint

The Client has the possibility to file a complaint with the National Commission for Informatics and Liberties, hereinafter referred to as “CNIL”, if he/she is unable to exercise his/her “Data Protection” rights and/or wishes to report a breach of personal data protection rules.

The complaint can be submitted directly on the CNIL website, through the online complaint service for certain specific cases, or through a complaint form accessible through the “Need help” service for other cases.

The complaint can also be submitted by postal mail by writing to: CNIL – Complaints Department – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.

The complaint must be accompanied by any document attesting to the facts described in the complaint (for example, a copy of the letter, which has remained unanswered, that you sent to the Company in order to exercise your right of access more than a month ago).

The Client will find all useful information on the CNIL website at the following link: https://www.cnil.fr/fr/cnil-direct/question/adresser-une-reclamation-plainte-la-cnil-quelles-conditions-et-comment.

 

ARTICLE 10 – Disclosure of personal data

The Company may disclose the personal data collected if required to do so by law.

The Company may also disclose the personal data collected to its external service providers (see Article 7 – Recipients of personal data and Article 11 – Services provided by external service providers).

 

ARTICLE 11 – Services provided by external service providers

The external service providers used by the Company have their own privacy policies. Clients are advised to read them carefully.

In general, external service providers will only collect, use, and disclose the Client’s personal data to the extent necessary to perform the services they provide to the Company.

When the Client leaves the Company’s site and is redirected to a third-party website or application, the processing of their data is no longer governed by this Privacy Policy.

The Company assumes no responsibility for the processing of Clients’ data by external service providers.

Some providers may be located or have facilities located in a jurisdiction other than that of the Company or the Client, possibly outside the European Union. The information collected may then be governed by the laws of the jurisdiction in which this provider is located or in which its facilities are located.

The Client’s personal data may therefore be transferred to countries outside the European Union whose legislation on the protection of personal data is not governed by the GDPR.

 

ARTICLE 12 – Payment data

If the Client makes their purchase through a direct payment gateway, in this case, APR Digital will store the Client’s credit card information. This information is encrypted in accordance with the data security standard established by the payment card industry (PCI-DSS standard). Information about their purchase transaction is kept for as long as necessary to complete their order. Once the order is completed, information about the purchase transaction is kept in accordance with applicable security standards and for a period of two (2) years to allow payment processing and claims management.

 

All direct payment gateways comply with the PCI-DSS standard, managed by the PCI Security Standards Council, which is the joint effort of companies such as Visa, MasterCard, American Express, and Discover.

The requirements of the PCI-DSS standard ensure the secure processing of credit card data by the website www.collective-y.com and its service providers.

 

ARTICLE 13 – Security of personal data

The Company takes all reasonable precautions required by the GDPR to protect the collected personal data.

Furthermore, the Company only collects personal data necessary for its activity and justified by the service provided to the Client.

If the Client provides their credit card information to the Company, it will be encrypted using the SSL security protocol and stored with AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, the Company follows all PCI-DSS standard requirements and implements additional industry-recognized standards.

 

ARTICLE 14 – Age of consent

By browsing the Company’s website, the Client declares to be of legal age in their state of residence.

The consent of minors to the processing of their personal data is only lawful if they are at least 16 years old, in accordance with Article 8 of the GDPR. If the minor is under 16 years old, the consent of the person holding parental responsibility is required. The data controller must make every effort to verify, to the extent possible, in such cases, that consent is given or authorized by the holder of parental responsibility for the child, taking into account available technological means.

However, the GDPR allows European Union member states to provide for a lower age for the consent of minors, provided that this lower age is not below 13 years.

In France, the “Informatique et Libertés” law provides that minors aged 15 or over can consent themselves to the processing of their personal data.

If the minor is under 15 years old, the “Informatique et Libertés” law requires the joint consent of the child and the person holding parental responsibility for the child.

 

ARTICLE 15 – Changes to this Privacy Policy

The Company reserves the right to modify this Privacy Policy at any time. The changes will become effective upon their publication on the website www.collective-y.com. Therefore, it is recommended that the Client regularly consult it.

If the Company is acquired by or merged with another company, Client information may be transferred to the new owners so that the Company can continue to sell its Creations to the Client.