CALEBASSE is a société par actions simplifiée (simplified joint stock company) with a share capital of 10,000 euros, headquartered at 15 rue de la Vistule 75013, Paris, France, and registered with the Registre du Commerce et des Sociétés de Paris under number 41522831100015.
In accordance with its values, CALEBASSE attaches great importance to protecting the personal data of its customers and Internet users.
Thus, CALEBASSE undertakes to comply with the legislation in force in France and Europe (Regulation 2016/679 of April 27, 2016), to ensure the protection, confidentiality and security of personal data, as well as to ensure respect for privacy.
This Personal Data Protection Policy (hereinafter "the Policy") describes the manner in which CALEBASSE collects and processes the Personal Data of all persons concerned by the Processes it implements.
The Policy also specifies the legal grounds on which it relies to process Personal Data, the persons with whom such data is shared, and how it is stored.
In any case, whatever the processing carried out, CALEBASSE undertakes to respect the following principles:
- The Data processed is used solely for explicit, legitimate and specific purposes related to the various services offered by CALEBASSE. It is processed lawfully and fairly;
- Only Data required for these purposes is collected;
- Each Person concerned by the processing is informed, in a clear and transparent manner, of the purpose for which his or her Data is used, the optional or compulsory nature of his or her answers in the forms, and of his or her rights in terms of data protection.
Article 1 - Definitions
"Personal data": Refers to any information relating to an identified or identifiable natural person, either directly (e.g. by surname or first name) or indirectly (e.g. by reference to an identifier, location data, previous creations or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity);
"Health data": Refers to any information relating to a person's physical or mental state of health, in particular the data mentioned in therapists' prescriptions transmitted to CALEBASSE by the Persons concerned;
"Processing": Refers to any operation or set of operations applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction;
"Data subject": Refers to any identified or identifiable natural person whose personal data is processed by CALEBASSE in accordance with this Policy;
"Data Controller": Refers to any natural or legal person, who alone or jointly with others, determines the purposes and means of the processing of Personal Data. This is the company CALEBASSE;
"Sub-processor": Refers to any natural or legal person who processes Personal Data on behalf of the Data Controller;
"Site": Refers to the website accessible at the following URL address and published by CALEBASSE: https://calebasse.com/;
"Cookie": Refers to tracers that allow access to information stored in the terminal equipment of a visitor to the Site;
"Recipient": Refers to any natural or legal person who receives communication of personal data, whether a third party or not;
"Third party": Refers to any authorized natural or legal person, public authority, service or organization other than the data subject, the data controller, the data processor and persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.
"Breach of personal data": Refers to any breach which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
Article 2 - Sources and categories of data likely to be processed
2.1. When a Data Subject browses and uses the Site's functionalities or creates a personal account on the Site, the following information may be collected:
- Identification data and contact details (e-mail address) via the collection forms on the Site;
- Connection and audience measurement data when browsing the Site, using cookies and tracers;
- Data relating to the Person's terminal when connecting to the Site. This data may include the device applications used by the Person concerned to browse and use the Site, the browser version (or type), the plug-ins used or the operating system.
2.2. When a Data Subject contacts CALEBASSE to order a product offered for sale on the Site, the following Personal Data may be collected:
- Identification data (surname, first name, marital status, etc.);
- Contact details (e-mail address, postal address, telephone number, etc.);
- Banking and financial data (bank details, billing address);
- Order tracking data (order number, products ordered, promotional code, order history, complaints, etc.).
2.3. When a Data Subject contacts CALEBASSE to request a quote or information:
- Identification data (surname, first name, marital status, etc.);
- Contact details (e-mail address, postal address, telephone number, etc.);
- Health data if the person concerned spontaneously transmits to CALEBASSE information on his/her state of health or various prescriptions from therapists in order to place an order or obtain a quote.
It is understood that CALEBASSE never requests the transmission of Health Data to respond to the various requests of the Persons concerned.
Article 3 - Legal basis for processing
In compliance with the regulations in force and its values, CALEBASSE collects and processes Personal Data only under the following conditions:
- When the Data Subject gives his/her free, specific and informed consent to the processing of his/her Data;
- When this is necessary for the performance of a contract or in the context of commercial relations;
- When it is necessary to comply with legal or regulatory obligations, for example with regard to payroll management, the fight against fraud and corruption;
- When the legitimate interests of CALEBASSE justify the processing of the Personal Data of the Person concerned.
Article 4 - Purposes of processing
Personal Data collected from the Person concerned and processed by CALEBASSE are collected for specific, explicit and legitimate purposes and are likely to vary depending on the context of the collection, namely for the following purposes:
- Provision and improvement of content on the Site;
- Creation of a personal account on the Site;
- Compiling statistics, in particular relating to Site traffic;
- Development and management of communication and canvassing operations, whatever the means used;
- Management of requests for information or quotations sent via the Site or by e-mail;
- Follow-up and management of orders placed with CALEBASSE and follow-up of the contractual relationship.
Depending on the circumstances, CALEBASSE may also use the Personal Data of the Persons concerned for purposes imposed by the regulations in force.
In any case, the Data is collected directly from the Persons concerned by the Data processing.
When an order is placed, certain data are mandatory, in particular to enable contractual execution and delivery of the various products.
If this data is not provided, it is understood that CALEBASSE will not be able to execute the contract or respond to the request of the Person concerned.
Article 5 - Data retention period
CALEBASSE keeps personal Data only for the time strictly necessary to achieve the purposes of the processing.
The Data of the Person concerned may be kept for a longer period only with the express authorization of the latter.
The length of time Personal Data is kept varies according to the purposes for which it is collected and processed:
|Purposes||Collected data||Legal basis||Retention period|
|Management of prospects via forms and/or e-mail.||Identification and contact data||Consent||Up to 3 years from the last contact with the data subject/prospect.|
|Pre-contractual measures||Up to 3 years from the last contact with the prospect.||Contract management and relationship management||Up to 3 years from the last contact with the prospect.|
|Contract management and relationship with CALEBASSE||Identification, contact and bank details, as well as any health data.||Contract||Duration linked to that of the contract (if a contract is concluded), and during the applicable prescription periods.|
|Retention of accounting data||Banking data||Duration of ten (10) years from the close of the financial year.|
Article 6 - Recipients of data
Only those persons who need to know Personal Data in the course of their duties have access to it. This includes:
- CALEBASSE's partners and subcontractors, in particular IT, accounting and financial partners;
- Authorized CALEBASSE employees;
- Administrative and judicial authorities to meet legal and regulatory obligations.
Article 7 - Transfer of data outside the European Union
In principle, CALEBASSE does not transfer data outside the European Union.
If a transfer of Personal Data outside the European Union ever takes place, the Person concerned will be informed and the transfer will be carried out subject to appropriate guarantees in terms of data confidentiality and security, in compliance with the applicable regulations, and will not concern the Health Data of the Persons Concerned.
Article 8 - Rights of the person concerned
In accordance with the regulations in force, the Data Subject has the right to object to and limit the processing of Personal Data concerning him or her, as well as the rights of access to, rectification, portability and erasure of his or her Personal Data, and the right to give instructions concerning the fate of his or her Data after his or her death.
Where processing is based on consent, the Data Subject may withdraw his or her consent at any time.
In any event, the Data Subject may exercise his/her rights by sending a request to the following e-mail address: firstname.lastname@example.org or by post to the following address: CALEBASSE - 15 rue de la Vistule 75013 Paris.
CALEBASSE undertakes to reply to any request as soon as possible, and in any event within one (1) month of receipt of the complete request.
In accordance with regulations, the response time may be extended by two (2) months in view of the complexity and number of requests for the exercise of rights made to CALEBASSE.
In order to dispel any doubt concerning the identity of the person exercising his/her right, he/she may be asked to include a copy of his/her identity card with his/her request.
It is understood that CALEBASSE will proceed with this request for a copy of an identity document only in cases where there is reasonable doubt as to the identity of the person concerned and there are no other possibilities for verification.
Right to information
CALEBASSE undertakes to inform the Person concerned of the collection and use of Personal Data concerning him or her and thus undertakes to produce concise, transparent and accessible information on the terms and conditions of the collection and processing of Personal Data.
Right of access
The Data Subject has a right of access enabling him or her to obtain information on the existence of a Processing operation and its procedures. He or she also has the right to obtain a copy of the Personal Data, by making a request to CALEBASSE following the contact procedures defined above.
Right of rectification
The Person concerned may also request CALEBASSE to rectify his/her Personal Data, in particular if it is no longer up to date. This rectification may also be carried out via the personal account of the person concerned accessible via the Site.
Right to object
The Data Subject has the right to object at any time, for reasons relating to his or her particular situation, to the processing of Personal Data concerning him or her. The right to object is limited in particular by CALEBASSE's legitimate interest in processing personal data.
In any case, the Data Subject has the right not to be subject to a decision based exclusively on automated processing, including profiling, producing legal effects concerning him or her or significantly affecting him or her in a similar way.
Right to erasure of Data (or "right to be forgotten")
Subject to the regulations in force, and in particular to the exceptions (for example, with regard to the retention necessary to comply with a legal obligation), the Data Subject may request the erasure of Personal Data relating to him or her, when:
- The Personal Data is no longer required for the purposes for which it was collected or otherwise processed;
- He/she withdraws the consent on which the processing is based and no other legal basis for the processing exists;
- He/she considers that the processing of his/her Personal Data constitutes unlawful processing;
- The Personal Data must be erased by virtue of a legal obligation provided for by Union law or the law of the Member State to which the Data Controller is subject, i.e. France.
In any case, CALEBASSE will be the sole judge of the merits of the requests.
CALEBASSE may, if necessary, oppose the request on the grounds of a legitimate interest or compelling reasons when the applicable legislation so provides.
Right to limitation of processing
The Data Subject may obtain from CALEBASSE the limitation of the Processing when one of the following applies:
- Where the accuracy of the Personal Data is contested, and for a period of time allowing CALEBASSE to verify the accuracy of the Personal Data;
- When the Data Subject objects to the erasure of his or her Data and demands, instead, the limitation of the Processing;
- When the Data is no longer necessary for the purposes for which it was collected, but the Data Subject needs it for the establishment, exercise or defense of legal claims;
- Where the Data Subject objects to processing that would be based on CALEBASSE's legitimate interest during the verification as to whether the legitimate grounds pursued by CALEBASSE prevail over those of the Data Subject.
Right to Data Portability
The Data Subject may, in certain situations, obtain the Personal Data previously provided to CALEBASSE in a structured, commonly used and machine-readable format.
He or she may also transmit this Data to another data controller or request that the Personal Data concerning him or her be directly transmitted by CALEBASSE to another data controller, if this is technically possible.
Right to withdraw consent
The Person concerned may, using the means implemented by CALEBASSE, withdraw his/her consent at any time when the Data are processed on the basis thereof.
Withdrawal of consent by the Data Subject is valid only for the future, and does not call into question the lawfulness of the processing carried out prior to such withdrawal.
Right to lodge a complaint with a supervisory authority
If the Data Subject considers that his or her rights have not been respected, he or she may lodge a complaint with a supervisory authority, such as the Commission Nationale Informatique et Libertés (CNIL) in France.
Right to decide what to do with your Data after your death
The Data Subject also has the right to have his or her Data handled by the Data Controller.
The Data Subject also has the right to organize the fate of his/her Data post-mortem by adopting general or specific directives.
To find out more about his or her rights, the Person concerned is invited by CALEBASSE to consult the CNIL website, accessible at the following URL address: www.cnil.fr/fr/comprendre-vos-droits
Article 9 - Third-party websites
If the Person concerned uses the links present on the Site in order to consult third party sites, CALEBASSE recommends that he/she acquaint him/herself with the data protection policies of the sites consulted, as well as their policies relating to cookies and tracers.
CALEBASSE cannot be held responsible for the collection or processing of personal data by third-party websites.
Article 10 - Security
CALEBASSE implements all the technical and organizational measures necessary, with regard to the nature, scope and context of the collection and processing of Data, to ensure the security of the Personal Data of the Person concerned and in particular to avoid any risk of loss, destruction, disclosure, intrusion or unauthorized access to the Personal Data concerning him/her.
To this end, CALEBASSE has selected its subcontractors, and in particular its ISO 27001-certified hosting provider, to ensure the complete security of the Data relating to the Persons concerned.
When using a service provider or sub-contractor, CALEBASSE will only communicate Personal Data to them after requiring them to respect these security principles.
Article 11 - Modification of the policy
Updated on 29/06/2023