Skip to Content

PRIVACY POLICY

Last updated: June 2026

In accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and amended Law No. 78-17 of 6 January 1978 on data processing, data files, and civil liberties

1. Introduction and identity of the data controller

This Privacy Policy describes how FAVAUNE collects, uses, retains, and protects the personal data of users of the favaune.com website, hereinafter referred to as "the Site".

In accordance with Article 4(7) of the GDPR, the data controller is:

Company: FAVAUNE — SASU with share capital of €1,000
Registered office: 6 rue d'Armaillé, 75017 Paris
Main establishment: 2A rue du Doubs, 67100 Strasbourg
SIREN: 992 218 107 R.C.S. Paris
Legal representative: Sébastien Schwaab, Chairman
DPO / personal data contact: info@favaune.com
Phone: +33 1 89 31 63 88

FAVAUNE is not required to appoint a mandatory Data Protection Officer (DPO) within the meaning of Art. 37 GDPR, in the absence of large-scale processing of sensitive data. The contact above is nevertheless the preferred point of contact for any question concerning your data.

2. Personal data collected

FAVAUNE collects the following categories of data depending on the user's interactions with the Site:

2.1 Data collected directly from you

When creating a customer account: first name, last name, email address, password (stored in encrypted form), phone number.
When placing an order: first name, last name, billing address, delivery address, phone number, order history and products purchased.
When making a payment: banking data (card number, expiry date, CVV) is collected and processed directly and exclusively by our payment provider Stripe Inc. FAVAUNE does not store, see, or process any banking data.
When making contact: first name, last name, email address, message content.
When subscribing to the newsletter: email address and, if voluntarily provided, first and last name.

2.2 Data collected automatically

While you browse the Site, the following data may be collected automatically:

–       IP address
–       Browser type and version
–       Operating system
–       Pages visited, time spent, browsing path
–       Date and time of connection
–       Site performance and usage data

This data is collected using the Google Analytics and Plausible Analytics tools, as well as through the technical mechanisms of the Site.

2.3 Data we do not collect

FAVAUNE does not collect any "sensitive" data within the meaning of Article 9 of the GDPR: health data, ethnic or racial origin, political opinions, religious or philosophical beliefs, genetic or biometric data, or data relating to sex life or sexual orientation.

3. Purposes of processing and legal bases

In accordance with Article 6 of the GDPR, each processing activity is based on one of the following legal bases:

Purpose of processing

Legal basis (Art. 6 GDPR)

Detail

Creation and management of the customer account

6.1.b — Performance of the contract

Necessary for the contractual relationship

Order processing and tracking

6.1.b — Performance of the contract

Management of purchases, confirmations, invoices

Delivery of products

6.1.b — Performance of the contract

Transmission to carriers

Secure payment processing

6.1.b — Performance of the contract

Via Stripe Inc. (processor)

After-sales service and complaints

6.1.b / 6.1.f — Contract / Legitimate interest

Management of returns, refunds, disputes

Sending newsletters and marketing emails

6.1.a — Consent

Only with explicit opt-in

Traffic analysis and Site improvement

6.1.a — Consent (cookies)

Google Analytics, Plausible Analytics

Accounting and tax obligations

6.1.c — Legal obligation

Invoice retention 10 years

Fraud prevention and security

6.1.f — Legitimate interest

Security of transactions and of the Site

Defence of legal rights

6.1.f — Legitimate interest

In the event of a dispute

 

4. Data retention periods

FAVAUNE applies the principle of data minimisation and only retains personal data for the period strictly necessary for the purposes for which it was collected.

Data category

Active retention period

Legal basis / reference

Customer account data

Duration of the business relationship + 3 years of inactivity

CNIL recommendation

Order and billing data

10 years from the end of the financial year

Art. L.123-22 of the Commercial Code

Payment data (Stripe)

Managed by Stripe under its own policy

Stripe / PCI-DSS agreement

Marketing data (newsletter)

3 years from the last contact or until consent is withdrawn

CNIL recommendation

Browsing data / analytics cookies

13 months maximum

CNIL Deliberation 2020-091

Contact / after-sales service data

5 years from the closure of the file

Art. 2224 of the Civil Code (limitation period)

Fraud prevention data

5 years from the closure of the file

Art. 2224 of the Civil Code

Once these periods have expired, the data is either permanently deleted or irreversibly anonymised.

5. Recipients and processors

FAVAUNE may need to transfer your personal data to the following categories of recipients, in strict compliance with the GDPR and on the basis of processing agreements compliant with Article 28 of the GDPR:

Processor / Recipient

Role

Location

IONOS SARL

Hosting of the Site and the entire infrastructure (including Odoo servers)

France (Sarreguemines)

Stripe Inc.

Secure online payment processing

United States (EU Standard Contractual Clauses)

Google LLC — Google Analytics

Audience measurement and traffic analysis

United States (EU Standard Contractual Clauses)

Carriers / delivery providers

Delivery of orders

France / EU

Accountants / lawyers

Legal obligations and defence of rights

France

Competent authorities

Legal obligations, judicial proceedings

France / EU

No personal data is sold, rented, or transferred to third parties for commercial purposes.

6. Data transfers outside the European Union

Two of our processors are established outside the European Union and are subject to specific safeguards:

6.1 Stripe Inc. (United States)

Stripe processes your payment data in the United States. This transfer is governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with Article 46 of the GDPR. Stripe is also certified PCI-DSS Level 1, guaranteeing the highest level of security for payment data. Stripe privacy policy: https://stripe.com/en/privacy

6.2 Google LLC — Google Analytics (United States)

Google Analytics may transfer data to the United States. This transfer is governed by the Standard Contractual Clauses and the EU-US Data Privacy Framework which Google has adhered to since July 2023. FAVAUNE has enabled IP address anonymisation (IP masking) and does not authorise Google to use data for personalised advertising purposes. Google privacy policy: https://policies.google.com/privacy

7. Your rights over your personal data

In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights:

7.1 Right of access (Art. 15 GDPR)

You can obtain confirmation that data concerning you is being processed and, where applicable, receive a copy along with information on the conditions of processing.

7.2 Right to rectification (Art. 16 GDPR)

You can request the correction of any inaccurate or incomplete data concerning you.

7.3 Right to erasure — "right to be forgotten" (Art. 17 GDPR)

You can request the deletion of your data in the cases provided for by the GDPR, in particular when the data is no longer necessary for the purposes for which it was collected, or when you withdraw your consent. This right does not apply where processing is necessary to comply with a legal obligation.

7.4 Right to restriction of processing (Art. 18 GDPR)

You can request the restriction of the processing of your data in certain cases (disputing accuracy, unlawful processing, etc.).

7.5 Right to data portability (Art. 20 GDPR)

You can receive the data you have provided to us in a structured, commonly used, and machine-readable format, and transmit it to another data controller.

7.6 Right to object (Art. 21 GDPR)

You can object at any time to the processing of your data based on FAVAUNE's legitimate interest or for commercial prospecting purposes. In the event of an objection to prospecting, your data will no longer be used for this purpose.

7.7 Right to withdraw consent (Art. 7 GDPR)

Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal. For newsletters, you can unsubscribe at any time via the unsubscribe link included in each email.

7.8 Right not to be subject to automated decision-making (Art. 22 GDPR)

FAVAUNE does not carry out any processing based exclusively on automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you.

7.9 How to exercise your rights

To exercise any of these rights, send your request:

–       By email: info@favaune.com
–       By post: FAVAUNE — 6 rue d'Armaillé, 75017 Paris

Please attach a copy of a valid ID document to your request. FAVAUNE undertakes to respond within one month of receipt of your request (Art. 12 GDPR). This period may be extended by a further two months in the case of a complex or high volume of requests, with prior notice.

If you believe your rights are not being respected, you have the right to lodge a complaint with the competent supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL) — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr.

8. Data security

FAVAUNE implements appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of your personal data, in accordance with Article 32 of the GDPR. These measures include in particular:

–       Encryption of communications via HTTPS (TLS)
–       Encryption of stored passwords (hashing)
–       Data access restricted to authorised personnel only
–       Secure hosting by IONOS SARL (France)
–       Payment processing by Stripe, PCI-DSS Level 1 certified
–       Regular data backups

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, FAVAUNE undertakes to inform you as soon as possible, in accordance with Article 34 of the GDPR.

9. Protection of minors

The favaune.com Site is intended for an adult audience. FAVAUNE does not knowingly collect personal data relating to children under 15 without the prior, verifiable consent of their parents or legal guardians, in accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act. Should FAVAUNE learn that it has inadvertently collected data from a child under 15, it will delete it as soon as possible.

10. Changes to this policy

FAVAUNE reserves the right to modify this Privacy Policy at any time, in particular to comply with legislative and regulatory developments, CNIL decisions, or changes to its processing practices. Any substantial change will be brought to your attention by email or by a notice visible on the Site before it takes effect. The "Last updated" date at the top of the document will be systematically updated.