Privacy Policy

1.    Preamble

1.1.   This Privacy Policy forms an integral part of the General Terms and Conditions, and the definitions used in these Terms and Conditions are reused in this Privacy Policy.

1.2.   This Privacy Policy is intended to inform Customers about how their Personal Data is collected from the Website, how it is processed by the Data Controller and finally Customers’ rights regarding such processing as set out hereafter.

2.    Definitions

2.1.   The following terms in this Privacy Policy, whether used in the singular or plural, will have the following definition:

 

Temporary storage:

means the transfer of Personal Data that still has an administrative value for the Data Controller (for example in the event of disputes or for legal reasons) into a physically or logically separate database, access to which is restricted under all circumstances. This storage is a temporary step before the relevant Personal Data is deleted or anonymised;

 

TC:

means the General Terms and Conditions;

Privacy Policy:

means this Privacy Policy and the protection of Customers’ Personal Data implemented by the Data Controller;

Customer:

means the individual, aged at least 15 years, browsing the Website and for whom the processing of their Personal Data by the Data Controller is governed by the Privacy Policy. Consequently, the Customer guarantees, in the event that they are aged under 15 years, that they have obtained consent from the holder of parental rights to process their Personal Data as defined in the Privacy Policy;

Account:

means the Customer’s personal account accessible on the Website using personal and confidential login details that the Customer cannot communicate to a third party and from which they can place an order;

Personal Data:

means the Customer’s personal data, in the sense of the Personal Data Regulations, collected and processed by the Data Controller as part of using the Website;

Special rights:

means the rights granted by the Personal Data Regulations to Customers in relation to the processing of their Personal Data and set out in Article 9 of the Privacy Policy;

Personal Data Regulations:

means Act no. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, pursuant to the European Regulation of 27 April 2016 published in the Official Journal of the European Union on 4 May 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR” for General Data Protection Regulation);

Data Controller:

means the company referred to in the legal information accessible here: Legal information;

Website:

means the Website on which this Privacy Policy is hosted;

Terminal(s):

means the hardware (computer, tablet, smartphone, telephone, etc.) used by the Customer to view or display the Website.

3.    The legal bases for processing

3.1.   In accordance with the Personal Data Regulations, the processing activities set out in this Privacy Policy are supported by a specific legal basis.

3.2.   The Customer has agreed to the processing of their Personal Data for one or more of the specific purposes.

3.2.1.  The Website required the express consent of the Customer in order to carry out specific processing activities that were explained when obtaining consent.

3.3.   The processing is necessary for the execution of a contract to which the Customer is party or in order to take pre-contractual steps at the Customer's request.

3.3.1.  In order to use the Website and its services, the Customer has at least accepted the TC. These documents formalise a contractual relationship between the Customer and the Data Controller, and in particular act as a legal basis for the collection and processing of the Customer’s Personal Data by the Data Controller.

3.3.2.  This Data is required for several processes related to the execution of the contractual relationship between the Customer and the Data Controller, the purposes of which are detailed in Paragraph 4 – The purposes of processing.

3.4.   Processing is necessary in order to comply with a legal obligation to which the Data Controller is subject.

3.4.1. The processing of Personal Data may also be necessary in order to comply with a legal obligation to which the Data Controller may be subject, for example, the storage of access logs to the Website in accordance with Decree no. 2011-219 of 25 February 2011 on the retention and communication of data allowing the identification of any person who has contributed to the creation of online content.

3.5.   Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, unless the Customer’s interests or fundamental freedoms and rights that require the protection of personal data prevail, particularly when the Customer is a child.

3.5.1.   The Data Controller may have a legitimate interest justifying the processing of the Customer’s Personal Data, such as processing Data expressly required for the purposes of fraud prevention.

3.5.2.   In this case, the Data Controller ensures that the processing at issue is indeed necessary for the purposes of its legitimate interest and assesses the consequences of this processing activity on the Customer, taking particular account of the nature of and how such Data is processed.

3.5.3.   The Data Controller is careful not to infringe the interest or fundamental rights and freedoms by allowing the Customer to object to all or part of the processing described in this Privacy Policy, at any time, as well as implementing their Special Rights under the conditions of Paragraph 10 – Exercising the Special Rights of Customers.

4.    The purposes of processing

The Customer’s Personal Data is necessary in order to provide access to the Website and for its use and improvement and to enable the Data Controller to:

  • Carry out operations relating to its commercial relationship with the Customer, i.e. relating to invoices, accounting, monitoring the “customer relationship” with a Customer, such as conducting satisfaction surveys, complaints management, use of the Website and more generally services, etc.;
  • Personalise its communication to Customers, particularly information emails, according to their stated preferences, their use of the services and/or the Website;
  • Be able to monitor the delivery of products and the placing of an order;
  • Conduct sales operations;
  • Produce sales statistics, analyses and marketing tools (especially classification, scores, etc.);
  • Allow access to the Customer’s Account and provide them with all the information appearing within it such as their orders, address book, saved products;
  • Optimise the Customer's navigation of the Website by storing their preferences and simplifying any subsequent purchases on the Website;
  • Manage requests to exercise the Special Rights under the conditions of Paragraph 10 – Exercising the Special Rights of Customers;
  • Manage the after-sales service;
  • Manage debts and disputes;
  • Prevent disputes with the Customer;
  • Combat fraud and money laundering; and
  • Comply with their legal obligations, particularly in terms of accounting and taxation.

5.    Storage of Personal Data

5.1.   The Website is hosted with the company whose contact details are available by clicking here: Contacts

5.2.  All reasonable precautions have been taken to store Customers’ Personal Data in a secure environment and prevent it from becoming corrupted, damaged or accessible to unauthorised third parties. The information sent by the Customer will never be sent to third parties for commercial purposes, or sold or exchanged.

6.    Collection of Personal Data on the Website

6.1.  When an Account is created and information is added to it over time, the Data Controller collects the following Personal Data that the Customer provides or spontaneously communicates when browsing. This data is stored for a period of three (3) years, in an active database, from the time of the Customer’s last connection to the Website:

  • Last name,
  • First name,
  • Email address,
  • Postal delivery address,
  • Invoice address, 
  • Telephone number,
  • Company name, where applicable,
  • Content saved in the Customer Account,
  • Where applicable, the reason(s) for exclusion (all the elements that can be used to demonstrate events that are less than one month old and which justify the exclusion),
  • The Customer’s connection data (date, time, IP address, pages viewed) as they browse the Website.

The Personal Data above is also stored in temporary storage for an additional period of two (2) years, in accordance with the general limitation period.

  • Invoices;
  • Information relating to an order;
  • The amount of the transactions made and the date and time of these transactions.

The Personal Data above is also stored in temporary storage for an additional period of seven (7) years, in accordance with the Data Controller’s taxation and accounting obligations.

6.2.  All Personal Data indicated as such in the Account creation form is required in order to benefit from the Data Controller’s services.

6.3.  Where applicable, when the Customer exercises their Special Rights, the Data Controller collects a copy of the Customer’s proof of identity indicated in Article 10.2 and stores it for one (1) year in the active database from the date of its receipt.

7.    Data recipients or categories of data recipients if applicable

| Categories of data recipients | Purpose of the planned transfer |
|---|---|
| Hosting services provider | Host the Website |
| Website developer and manager | Administration of the Website’s “back office” and management of the database containing Customers’ Personal Data |
| IT integrator and maintenance | Remote maintenance of the Data Controller’s information system, including the Website |
| Publisher of customer management software | Used to manage Customer relationships |
| Email routing provider | Allows newsletters to be sent |
| Telephone call flow manager | Allows monitoring of different telephone calls and call flows |
| Consultancy service for the Website and user experience | Receive digital communication advice |
| Electronic document management provider | Electronic invoice management |
| Publisher of IT tools for economic analysis | Provide sales forecasts |
| Payment services provider | Allows payments on the Website |
| Publisher of warehouse logistics management software | Allows the computer system to be connected with the warehouses |
| Parcel shipping service provider | Allows the products ordered by Customers to be sent |

7.1.  In the event of a transfer of Personal Data to a recipient based in a country that is not in the EEA and which is not subject to an adequacy decision of the European Commission, the Data Controller agrees to take all appropriate safeguards to ensure the legality of the transfer, by checking that the Customer has enforceable rights and legal procedures against the recipient and obtaining the prior and express consent of the Customer for the aforementioned transfer of Personal Data.

7.2.  The Data Controller will not obtain the prior and express consent of the Customer for the transfer of their Personal Data if:

-       the Data Controller ensures

  • that it concludes standard contractual clauses proposed by the European Commission with the recipient of the Personal Data; or
  • that the recipient of the Personal Data is subject to the privacy shield principles (for transfers to the United States); or
  • that it takes every appropriate measure to make the transfer of Personal Data legal outside the European Union, in accordance with the Personal Data Regulations.

-       or if the aforementioned transfer is necessary:

  • to comply with the obligations for the establishment, exercise or defence of legal claims;
  • for the execution of a contract between the Data Controller and the recipient made at the Customer’s request;
  • for the conclusion or execution of a contract agreed or to be agreed, in the interest of the person concerned, between the Data Controller and the recipient.

8.    Security of internet transactions

8.1.  In accordance with the TC, the Website uses the technology of the company CREDIT LYONNAIS SA to secure Customers’ bank transactions.

8.2.  Thus, when making a payment on the Website, the Customer’s bank details are encrypted and sent to CREDIT LYONNAIS SA.

8.3.  In order to exercise their rights, such as those identified in Paragraph 9 – Special Rights, relating to their credit or debit card details, the Customer is asked to contact CREDIT LYONNAIS SA directly.

9.    Special Rights

9.1.  In accordance with the Personal Data Regulations, the Customer may, at any time, benefit from the following Special Rights to:

-        access,

-        correct,

-        erase,

-        restrict processing,

-        portability,

-        object,

-        post-mortem instructions.

9.2.  Right of access

9.2.1.   The Customer can obtain confirmation from the Data Controller whether or not their Personal Data is processed and, when it is processed, access the aforementioned Personal Data and the following information:

a)    the purposes of the processing;

b)    the categories of Personal Data;

c)    the data recipients or categories of data recipients to which the Personal Data has been or will be sent;

d)    where possible, the planned retention period of the Personal Data or, where this is not possible, the criteria used to determine this period;

e)    the existence of the right to ask the Data Controller to correct or erase the Personal Data, or restrict the processing of their Personal Data or the right to object to such processing;

f)    the right to submit a complaint with the supervisory authority for personal data (in the United Kingdom, the Information Commissioner's Office; in France, the CNIL);

g)    where Personal Data is not collected from the Customer, all available information as to its source;

h)    the existence of an automated decision-making process, including profiling and, at least in such cases, useful information concerning the underlying logic and the importance and expected consequences of this processing for the Customer;

9.2.2. When Personal Data is transferred to a third party country or an international organisation, the Customer is entitled to be informed of the appropriate guarantees in relation to this transfer.

9.2.3. The Data Controller provides a copy of the Personal Data that is subject to processing.

9.2.4. The Data Controller may require the payment of reasonable fees based on the administrative costs for any additional copy requested by the Customer or in the event of a request to send Personal Data on paper and/or a physical medium.

9.2.5. When the Customer makes their request electronically, the information is provided in a commonly-used electronic format, unless requested otherwise.

9.2.6. The Customer’s right to obtain a copy of their Personal Data must not infringe the rights and freedoms of others.

9.3.  Right to correct

9.3.1.  The Customer can, without undue delay, have the Data Controller correct their Personal Data which is inaccurate. They can also have incomplete Personal Data completed, including by providing an additional declaration.

9.4.  Right to erase

9.4.1.  The Customer can, without undue delay, have the Data Controller erase their Personal Data when one of the following reasons applies:

a)    The Personal Data is no longer needed for the purposes for which it was collected or otherwise processed by the Data Controller;

b)    The Customer withdraws their consent for processing their Personal Data and there is no other legal basis for the processing activity;

c)    The Customer exercises their right to object under the conditions referred to hereafter and there is no compelling legal reason for the processing activity;

d)    The Personal Data has been subject to an illegal processing activity;

e)    The Personal Data must be erased to comply with a legal obligation;

f)    The Personal Data has been collected from a child.

9.5.  Right to restriction

9.5.1.  The Customer can, without undue delay, have the Data Controller restrict the processing of their Personal Data when one of the following reasons applies:

a)       The Data Controller checks the accuracy of the Personal Data following a dispute by the Customer as to the accuracy of the Personal Data;

b)       The processing is illegal and the Customer objects to the erasure of the Personal Data and demands instead a restriction on its use;

c)       The Data Controller no longer needs the Personal Data for processing purposes but it is still needed by the Customer for the establishment, exercise or defence of legal claims;

d)       The Customer objects to processing under the conditions referred to hereafter and the Data Controller considers whether the legitimate reasons prevail over the alleged reasons.

9.6.  Right to Data portability

9.6.1.  The Customer may receive the Personal Data relating to them from the Data Controller, in a structured, commonly used and machine readable format when:

a) The processing of Personal Data is based on consent or on a contract; and

b) Processing is carried out using automated procedures.

9.6.2.  When the Customer exercises their right to portability, they are entitled to have their Personal Data sent directly by the Data Controller to another data controller that they appoint when this is technically possible.

9.6.3.  The right to the portability of the Customer's Personal Data must not infringe the rights and freedoms of others.

9.7.  Right to object

9.7.1.  The Customer can, at any time, for reasons pertaining to their specific situation, object to the processing of their Personal Data based on the legitimate interest of the Data Controller. The Data Controller will then no longer process the Personal Data, unless it can be demonstrated that there are compelling and legitimate reasons for the processing that prevail over the interests and the rights and freedoms of the Customer, or may store it for the establishment, exercise or defence of legal claims.

9.8.  Post-mortem Instructions

9.8.1.  The Customer can give the Data Controller instructions relating to the storage, erasure and communication of their Personal Data after their death; such instructions may also be registered with a “certified digital trusted third party”. These instructions, a sort of “digital will”, can designate a person responsible for their execution; failing that, the Customer's heirs will be appointed.

9.8.2.  In the absence of any instructions, the Customer’s heirs can contact the Data Controller in order to:

-     access the processing of Personal Data allowing “the organisation and settlement of the deceased’s estate”;

-     receive communication of the “digital assets” or “data relating to family memories, transmissible to the heirs”;

-     have the Customer’s Account closed on the Website and object to any further processing of their Personal Data.

9.8.3.  In any case, the Customer can indicate to the Data Controller, at any time, that in the event of their death, they do not wish their Personal Data to be sent to a third party.

10.  Exercising the Special Rights of Customers

10.1.               These Special Rights can be exercised, at any time, by contacting the Data Controller:

-        By email at the following address:

contact@couventminimes.com

-        By letter at the following address:

Le Couvent

Service Consommateurs

79 rue de Miromesnil

75008 Paris

10.2.                For the purposes of asserting their Special Rights in accordance with the conditions referred to above, the Data Controller can ask the individual to prove their identity by providing their last name, first name, email address and sending a copy of a valid proof of identity with their request along with any other information or document that would allow their identity to be checked.

10.3.               A response will be sent to the Customer within one (1) month of the receipt date of the request.

10.4.  If necessary, given the complexity and/or number of requests, this period can be extended to two (2) months by the Data Controller, who will inform the Customer.

10.5.               In the event of a Customer request to delete their Personal Data and/or in the event of a Customer exercising their right to ask for the erasure of their Personal Data, the Data Controller can however store such data in the form of Temporary Storage for the period necessary to satisfy the Data Controller's legal obligations or for evidential purposes during the applicable limitation period.

10.6.                The Customer can also lodge a complaint with the relevant supervisory body (the ICO in the United Kingdom; in France, the CNIL).

11.  Password security

11.1.                The Data Controller takes all necessary precautions to ensure the secure storage of the Customer's password for accessing their Account.

11.2.                However, the security of this password also depends on its strength when created.

11.3.                So, the Customer is reminded that for their password to be valid, it must contain at least 8 characters with at least 3 of the 4 following character types: uppercase, lowercase, figures, special characters.

11.4.                Mnemonics can be used to create complex passwords, such as:

  • Only using the first letters of the words in a phrase, for example, the phrase “One password to remember!” corresponds to the password 1pw2r!
  • By using an uppercase letter if the word is a noun (e.g. Word)
  • By keeping the punctuation marks (e.g. !)
  • By expressing numbers using the digits from 0 to 9 (e.g. One -> 1, to -> 2)

12.  Cookies stored on the Customer's Terminal after browsing the Website

12.1.               The Website uses cookies.

12.2.               A cookie is a piece of information deposited on the Terminal that the Customer uses to access the Website.

12.3.               Cookies are related to the Customer’s navigation of the Website and are used to determine the pages that have been viewed and the date and time they were viewed.

12.4.               At no time do these cookies enable the Data Controller to identify the Customer personally.

12.5.               The storage period for these cookies on the Customer’s Terminal does not exceed thirteen (13) months.

12.6.               More specifically, Personal Data collected from cookies issued by the Data Controller or third parties are used:

-        to draw up statistics and traffic and usage volumes for the Website in order to improve the attractiveness and user-friendliness of the services;

-        to adapt the Website's presentation to the display preferences of the Customer's Terminal (language used, display resolution, operating system used, etc.);

-        to remember information relating to a form completed by the Customer on the Website (registration or access to their Account);

-        to implement security measures, for example when the Customer is asked to log on to a new Website after a certain period of time;

-        to monitor the business relationship with the Customer.

12.7.               Using cookies, the Data Controller collects and processes, for the purposes defined above, all or some of the following Data:

  • Information related to the Customer's Terminal:

-      The internet service provider (for example Virgin, BT, Gigaclear, etc., in the UK; Orange, SFR, Bouygues, Free, etc., in France);

-      The advertising ID related to the Terminal’s operating system;

-      The Terminal’s IP address;

-      The Terminal’s geolocation data;

  • Information about the Customer’s browsing and behaviour on the Website:

-      Statistics on the consultation of the Website’s different pages, the session duration;

-      Complete URL tracking to, via and from the Website;

  • Information about the Customer (last name and first name, age or age bracket, gender, declared and/or assumed socio-professional category, email address, etc.) relating to their activity on the internet and communicated by third parties (advertisers, advertising networks, etc.).

13.  Cookies

| Cookie name | Publisher | Function | Storage time on the Terminal |
|---|---|---|---|
| PHPSESSID | Magento | Needed to provide the Magento services | 1 hour |
| Form_key | Magento | Prevents fraudulent requests (CSRF) | Duration of the session or 1 hour |
| mage-banners-cache-storage | Magento | Back-office and CRM operations | Duration of the session |
| mage-translation-storage | Magento | Back-office and CRM operations | Duration of the session |
| mage-cache-sessid | Magento | Back-office and CRM operations | Duration of the session |
| mage-cache-storage | Magento | Back-office and CRM operations | Duration of the session |
| mage-cache-storage-section-invalidation | Magento | Back-office and CRM operations | Duration of the session |
| mage-messages | Magento | Back-office and CRM operations | Duration of the session |
| mage-translation-file-version | Magento | Back-office and CRM operations | Duration of the session |
| mage-translation-storage | Magento | Back-office and CRM operations | Duration of the session |
| private_content_version | Magento | Cache memory data management and private content version | 13 months |
| user_allowed_save_cookie | Magento | Consent for the use of cookies | 1 year |
| section_data_ids | Magento | Stores information from the Magento sections | Duration of the session |
| popupNewsletter | Le Couvent | Displays the pop-up to obtain consent to receive the newsletter | 1 day |

14.  Disable cookies

14.1.                The Customer is informed on their first visit that they can prevent the registration of cookies which are ancillary to the Website’s operation by configuring their web browser or by exercising their choices on this page (see below).

14.2.                 On the Website, the Customer browses information that is likely to be registered on, or read from, their Terminal, subject to their choices.

14.3.                The Customer can find more assistance on their browser's dedicated pages (the most common browsers are given below):

14.4.                The Customer can also configure their browser so that it sends a code indicating to websites that they do not want to be tracked (“Do Not Track” option):