Hereby, Santafoo, a single-shareholder simplified joint stock company with a capital of 100,000 €, having its head office at 1517, Chemin Vignats in Jurançon (64110), registered at the commercial registry and associations of Pau under number 899 940 209 (hereinafter referred to as “Santafoo“) undertakes to protect the personal data and to respect the privacy of users of the Application and of the Services (as these terms are defined below) (hereinafter referred to as the “Client (s)“.
This policy (as well as our general conditions of sales) applies to your use of:
- the Santafoo mobile application software (hereinafter referred to as the “Application“) once you have downloaded the Application to your mobile phone or any other portable device (hereinafter referred to as the “Device“).
- all the services accessible through the Application or the website of the Santafoo company (hereinafter referred to as the “Services”).
This policy defines the basis upon which personal data collected by Santafoo from its Clients, or provided by them (hereinafter referred to as “Data”), will be processed by Santafoo. The Application is not intended for children use thus Santafoo does not knowingly collect data relating to children. Clients are encouraged to read the following carefully to understand Santafoo’s practices regarding their personal data and how it will be processed.
2. INFORMATION ABOUT SANTAFOO AND ITS CONTACT DETAILS
Email address: email@example.com
Head office: 1517, Chemin Vignats in Jurançon (64110),
3. CLIENT PERSONAL DATA COLLECTED BY SANTAFOO
The type of Client personal data collected by Santafoo, the collection methods, as well as the purpose of this collection are described below:
3.1 How does Santafoo collect information from its Clients?
Santafoo collects the personal data of its Clients in several ways:
- when the Client subscribes to the Services;
- when an order is placed by the Client through Santafoo;
- when an order is delivered to the Client by Santafoo;
- when the Client interacts with Santafoo’s Services, in particular in the context of monitoring orders and any complaints;
- when the Client contacts Santafoo by e-mail, mobile number or via the contact form; or via cookies, in particularly when the Client browses the Santafoo website..
3.2 What are the collected personal data?
● When accessing the Santafoo website, the Application or using other Services, Santafoo or its internet hosting provider on its behalf, collect data on the basis of each access to the server (server log files). Server log files can include the following information:
- the types and versions of browsers used;
- the operating system used by the access system;
- the date and time of an access;
- the Service pages visited;
- Referrer URL (the previously visited page)
- Internet protocol (IP address);
- unique device identifiers and other diagnostic data;
- information concerning the location of the Client.
● When the Client accesses the Service on or through a website, Device or Application, Santafoo may automatically collect certain information, including, but not limited to,
- the type of mobile device used by the Client;
- the unique identifier of the Client’s mobile device;
- the IP address of the Client’s mobile device;
- the Client’s mobile operating system;
- the type of mobile internet browser;
- unique device identifiers and other diagnostic data.c.
Processing of location data: In the context of the use of the Application, location data as collected by the device or as otherwise entered by the user may be processed if the Client has activated this option on their device. The use of location data is only used to provide the Services provided on the Application.
When the Client creates a Client or user account via the Services or if they engage with Santafoo in associated contractual or pre-contractual actions and communications, Santafoo collects the following data from Clients:
- Identity data (e.g. name, addresses);
- Contact data (e.g. e-mail, mobile numbers);
- Delivery and billing address;
- Payment data (e.g. credit card, PayPal, invoices, payment history, etc;)
- Data usage (e.g. websites visited, interest in content)
- The information and data exchanged with the Services, particularly in the event of a complaint
- Communication metadata (e.g. device information, IP address).).
3.3. For what purposes and on what basis does Santafoo process the personal data of its Clients?
Santafoo processes the personal data of its Clients in compliance with the amended law n ° 78-17 of January 6, 1978 relating to computers, files and freedoms and in compliance with the European Regulation n ° 2016/679 of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter collectively referred to as the “Data Protection Laws”).
The Data will only be collected and processed by Santafoo if an appropriate and relevant legal basis allows it.
Santafoo may process the personal data of its Clients for the following purposes:
- To provide its Clients with contractual services and Client service, correctly deliver and optimize the content of its Services and ensure the long-term viability and technical security of its systems. This processing is based on the legitimate interest of Santafoo in accordance with Article 6 paragraph 1 f of the GDPR. The Client is invited to consult the glossary of legal bases at the end of this policy for more information.
- Santafoo uses the information concerning the location of its Clients to provide features to Clients who use its Services. The legal basis for this processing is the consent of the Clients in accordance with Article 6 paragraph 1 a of the GDPR.
- To enable Clients to select, purchase or order the selected products, goods and related services, as well as the payment modality, the delivery, performance or other services. The legal basis for this is the execution of a contract and the prior requests (Article 6 paragraph 1 b GDPR).
- To respond to Client requests and to communicate with them. The legal basis for this is the execution of a contract and the prior requests (Article 6 paragraph 1 b GDPR).
- For the processing of payment transactions, Santafoo uses bank services and payment service providers. Required data is identified as such during the ordering or comparable purchasing process and includes data required for delivery, or other form of product provision and billing, as well as contact information. Santafoo processes the payment data of its Clients for the purpose of making payment for services on the basis of the execution of the contract (article 6 paragraph 1 b of the GDPR). Certain transaction data may also be retained due to legal obligations legally incumbent on Santafoo (article 6 paragraph 1 c GDPR).
- For the purposes of managing the commercial relationship between Santafoo and its Clients, on the basis of Santafoo’s legitimate interest (article 6 paragraph 1 f of the GDPR).
- To improve and optimize the Services of Santafoo, on the basis of the legitimate interest of Santafoo (article 6 paragraph 1 f of the GDPR).
- For commercial prospecting purposes (marketing) by personalizing the content that Santafoo or its partners offer to Clients on the basis of Santafoo’s legitimate interest in developing its activity;
- For statistical purposes, on the basis of Santafoo’s legitimate interest in improving its business and its services (article 6 paragraph 1 f of the GDPR);
- For the purposes of combating fraud, on the basis of the legitimate interest of Santafoo (article 6 paragraph 1 f of the GDPR)
3.4 Single signature authentication
“Single sign-on” or ” authentication or single sign-on ” are procedures that allow users to log into Santafoo’s online services using a user account with a single sign-on service provider (for example, a social network). The prerequisite for single signature authentication is that users are registered with the respective single signature service provider and enter the required access data in the online form provided for this purpose, or that they are already logged in to the single sign-on service provider and confirm the single sign-on via the button.
Authentication takes place directly with the relevant single sign-on provider. In the framework of this authentication, Santafoo receives a user ID with the information that the user is logged in with the respective single sign-on provider under that user ID and an ID that cannot be used for other purposes (the “user handle”). The receipt of other data depends only on the single sign-on procedure used, the data selected for authentication and the data that users have released under privacy measures or other settings of the user account with the single sign-on provider. Depending on the single sign-on provider and user choice, there may be different data, usually this data includes the email address and the username. The password entered by the single sign-on provider as part of the single sign-on process is not visible and is not archived by Santafoo.
Users are kindly requested to note that their data stored at Santafoo may be automatically logged into their user account with the single sign-on provider, but this is not always possible. If, for example, users’ email addresses change, users must manually change them in their user account at Santafoo.
Santafoo reserves the right to use single sign-on, provided that it has been conveyed with users as part of the pre-execution or execution of the contract, as part of the processing of consent and the otherwise use on the basis of Santafoo’s legitimate interests and the interests of users in an efficient and secure authentication system.
If users decide to no longer use their user account link with the single sign-on provider for the single sign-on process, they should remove this link in their user account with the single sign-on provider.
Cookies are text files that are stored on a computer system through an Internet browser. Cookies are mainly used to store information about a user during or after their visit to an online service. The information stored may include, for example, the language settings of a website, the connection status or a shopping cart. The term “cookies” also includes other technologies that perform the same functions as cookies (for example, if user information is stored using pseudonymous online identifiers, also known as “user IDs”).
a) The following types and functions of cookies are distinguished:
- Temporary cookies (also: session cookies): temporary cookies are deleted at the latest after a user has left an online service and has closed their browser.
- Permanent cookies: permanent cookies remain stored even after closing the browser. For example, the login status can be saved or the preferred content can be displayed directly when the user visits a website again. User interests that are used for the measure of reach or marketing purposes may also be stored in such a cookie.
- First-Party cookies: first-party cookies are set by Santafoo.
- Third-Party cookies: Third-party cookies are mainly used by advertisers to process user information.
- Necessary cookies (also: essential): Cookies may be necessary for the operation of a website (for example, to save logins or other user inputs or for security reasons).
c) Storage duration
Unless Santafoo provides its Clients with explicit information on the storage period of permanent cookies, the storage period may be up to two (2) years.
d) General information regarding the withdrawal of consent and opposition to the use of tracers (Opt-Out)
e) Processing of data relating to cookies on the basis of consent
To find out more about how cookies work and how to object to them, the Client can go to the following link: https://www.santafoo.fr/en/cookie-policy/
5. HOW LONG IS CLIENT DATA ARCHIVED?
Client Data will be kept for a period that will not exceed that necessary for the fulfillment of the purposes set out herein.
Personal data collected in order to process Clients’ contact requests will only be kept for a period of one (1) year following the Client’s request.
In the event of a contractual relationship being established between the Client and Santafoo for the purpose of providing its Services, the Data will be collected throughout the duration of the contractual relationship plus a period of five (5) years in intermediate archiving.
As soon as the Data will no longer be useful for the accomplishment of these purposes, it will be deleted or kept anonymously.
Santafoo is likely to keep the Data beyond the aforementioned periods (i) to ensure compliance with legal, accounting and tax retention obligations, (ii) for the preservation of evidence during the applicable limitation periods, (iii) for Santafoo to exercise its rights in the event of a litigation or legal action during the entire period of the procedure or the investigation.
6. WITH WHOM IS THE DATA SHARED?
Santafoo will share the Data with its authorized internal staff and certain authorized third parties who store the Data on their servers. The types of third parties with which Santafoo shares Data include:
- external service providers or other subcontractors (for example, for the processing and hosting of Data, for maintenance, for the processing and execution of orders, payment providers, feedback providers and inquiries, Client service and call centers;
- other external bodies, provided that the person in concern has given their consent or has authorized the transfer for reasons of legitimate interest, for example for information on creditworthiness, for the electronic transfer of information, and for quality assurance purposes;
- public bodies if the appropriate legal provisions exist (for example, judicial, tax and customs authorities).
The information provided by Clients to payment service providers in the context of payment processing will not be transmitted to Santafoo by the later. Santafoo will only receive the information that a payment transaction was successful.
Santafoo may transfer personal data to other companies in its group of companies or grant them access to such Data. Insofar as this disclosure is for administrative purposes, the disclosure of the Data is based on the legitimate commercial and economic interests of Santafoo or also, if it is necessary to fulfill the contractual obligations of Santafoo, if the consent of the person in concern has been obtained or if a legal obligation requires it.
Santafoo only shares Client Data with its staff and with staff from other companies in the group to which it belongs if this is necessary for the purposes described above.
Santafoo can also share the Data of its Clients if it were to create a business, buy, sell or merge with another company. In this case, the Data could be shared with the target company, the new Santafoo business partners or the owners or their advisers.
7. INTERNATIONAL DATA TRANSFERS
In some cases, personal data collected from Clients may be processed outside the European Economic Area (EEA). These countries may not have the same level of data protection as France. However, Santafoo is obligated to ensure that Personal Data processed by Santafoo and its partners outside of the EEA is protected in the same way as if it were processed in the EEA. Therefore, if the Data is processed outside the EEA, certain safeguards are implemented. Santafoo provides similar protection by ensuring that at least one of the following safeguards is implemented:
- Personal Data will be transferred to countries whose level of data protection is considered appropriate by France;
- Santafoo uses standard contractual clauses approved by the European Commission, where applicable, supplemented by additional measures to ensure the level of data protection.
Clients can obtain more information on the abovementioned safeguards by writing to firstname.lastname@example.org
- Santafoo uses developed technologies and policies to ensure that the personal data held is adequately protected.
- Santafoo protects the Data by taking measures against unauthorized access and illegal processing, accidental loss, destruction and damage.
- Unfortunately, data transmission over the internet is not completely secure. Although Santafoo takes measures to protect the Personal Data of its Clients, Santafoo cannot guarantee the security of information transmitted by its Clients, hence any transmission is considered being at their own risk. Once Santafoo receives information from its Clients, Santafoo applies strict procedures and security measures to prevent unauthorized access.
9. CLIENT RIGHTS
In accordance with data protection legislation, Clients have a number of rights with regard to Data held by Santafoo. Clients wishing to exercise one of these rights can contact Santafoo by sending an email to the following email address: email@example.com
- The right of access. The Client has the right to access their Data (if they are processed by Santafoo). This will allow the Client, for example, to verify that Santafoo is using the Data in accordance with data protection legislation.
- The right to modification. The Client has the right to have their Data modified if they are inaccurate or incomplete. The Client has the right to ask Santafoo to correct any error in the Data held.
- The right to deletion. This “right to be forgotten” allows the Client to request the deletion or elimination of certain Data stored about them by Santafoo. This right is not absolute and is only applicable in certain circumstances.
- The right to restrict processing (data blocking). The Client has the right to “block” or “restrict” the further use of their Data. If the processing is restricted, Santafoo can still store the Data of its Clients, but they will no longer be processed.
- The right to data portability. The Client has the right to obtain their personal data in an accessible and transferable format in order to be able to reuse them for their own purposes with different service providers. However, this is not an absolute right and there are exceptions.
- The right to file a complaint. The Client has the right to file a complaint regarding the way through which Santafoo processes Data with a competent data protection authority.
- The right to withdraw consent. The Client has the right to withdraw any consent they have given to Santafoo (if the consent acts as a legal basis for Santafoo to process certain data) at any time with effect for the future. The legality of the processing carried out on the basis of the consent before the withdrawal is not affected.
- The right to object to processing. The Client has the right to object to the processing of Personal Data concerning them for processing based on the legitimate interest of Santafoo (Article 6 paragraph f of the GDPR). This also applies, among other things, to any direct marketing, analysis and monitoring based on these provisions.
- Automated decision in individual cases. The Client has the right not to be the subject of a decision based solely on automated processing, including profiling, which has a legal effect on them or which could significantly affect them in a similar way. This does not apply if the decision:
- is necessary for the conclusion or implementation of a contract between Santafoo and the Client;
- is authorized by the legislation of the European Union or of the Member States and contains adequate measures to safeguard the rights and freedoms of the Client and their legitimate interests;
- is based on the explicit consent of the Client.
Santafoo does not use the automatic decision making or profiling described above.
- The right to define guidelines as to the fate of the Data after the death of the Client. The Client has the right to define guidelines for the retention, erasure and communication of Data after their death.
If the Client is not satisfied with Santafoo’s response to a complaint or if the Client believes that the processing of the Data does not comply with data protection legislation, the Client can lodge a complaint with the French Data Protection Authority (CNIL), being the French authority responsible for regulating data protection issues.
12. GLOSSARY OF LEGAL BASIS
“GDPR“ means Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as applied in French law.
“Consent” (article 6, paragraph 1, point a) of the GDPR) means the processing of Personal Data when the Client has indicated their agreement by a declaration or a clear acceptance of the processing for a specific purpose. The consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what the Client wants. The Client can withdraw their consent at any time by contacting Santafoo.
The “legitimate interest” (article 6, paragraph 1, point f) of the GDPR) refers to the interest of Santafoo in carrying out and managing its activity to enable it to offer itself the best service / product and the best and most secure experience. Santafoo makes sure to consider and balance any potential impact on its Clients (both positive and negative) and their rights before processing their personal data for its legitimate interests. Santafoo does not use the personal data of its Clients for activities whose impact on them outweighs the interests of Santafoo (unless Santafoo has obtained the consent of its Clients or if the law requires or authorizes Santafoo to do so). Clients can obtain further information on how Santafoo assesses its legitimate interests against any potential impact on its Clients in connection with specific activities by contacting Santafoo.
“Contract implementation” (article 6, paragraph 1, point b) of the GDPR) means the processing of Data when it is necessary for the execution of a contract to which the Client is a party or to take measures at the request of the Client before entering into such a contract.
“Comply with a legal obligation” (article 6, paragraph 1, point c) of the GDPR) means processing the Client’s personal data when this is necessary to comply with a legal obligation to which Santafoo is subject to.
Last updated on November 2021