PRIVACY POLICY
Last updated: June 2026
In accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and amended Law No. 78-17 of 6 January 1978 on data processing, data files, and civil liberties
1. Introduction and identity of the data controller
This Privacy Policy describes how FAVAUNE collects, uses, retains, and protects the personal data of users of the favaune.com website, hereinafter referred to as "the Site".
In accordance with Article 4(7) of the GDPR, the data controller is:
Company: FAVAUNE — SASU
with share capital of €1,000
Registered office: 6 rue
d'Armaillé, 75017 Paris
Main establishment: 2A
rue du Doubs, 67100 Strasbourg
SIREN: 992 218 107
R.C.S. Paris
Legal representative: Sébastien
Schwaab, Chairman
DPO / personal data
contact: info@favaune.com
Phone: +33 1 89 31
63 88
FAVAUNE is not required to appoint a mandatory Data Protection Officer (DPO) within the meaning of Art. 37 GDPR, in the absence of large-scale processing of sensitive data. The contact above is nevertheless the preferred point of contact for any question concerning your data.
2. Personal data collected
FAVAUNE collects the following categories of data depending on the user's interactions with the Site:
2.1 Data collected directly from you
When creating a
customer account: first name, last name, email address, password (stored
in encrypted form), phone number.
When placing an order:
first name, last name, billing address, delivery address, phone number,
order history and products purchased.
When making a payment: banking
data (card number, expiry date, CVV) is
collected and processed directly and exclusively by our payment
provider Stripe Inc. FAVAUNE does not store, see, or process any
banking data.
When making contact:
first name, last name, email address, message content.
When subscribing to the
newsletter: email address and, if voluntarily provided, first and last name.
2.2 Data collected automatically
While you browse the Site, the following data may be collected automatically:
–
IP address
–
Browser type and version
–
Operating system
–
Pages visited, time spent, browsing
path
–
Date and time of connection
–
Site performance and usage data
This data is collected using the Google Analytics and Plausible Analytics tools, as well as through the technical mechanisms of the Site.
2.3 Data we do not collect
FAVAUNE does not collect any "sensitive" data within the meaning of Article 9 of the GDPR: health data, ethnic or racial origin, political opinions, religious or philosophical beliefs, genetic or biometric data, or data relating to sex life or sexual orientation.
3. Purposes of processing and legal bases
In accordance with Article 6 of the GDPR, each processing activity is based on one of the following legal bases:
|
Purpose of processing |
Legal basis (Art. 6 GDPR) |
Detail |
|
Creation and management of the customer account |
6.1.b — Performance of the contract |
Necessary for the contractual relationship |
|
Order processing and tracking |
6.1.b — Performance of the contract |
Management of purchases, confirmations, invoices |
|
Delivery of products |
6.1.b — Performance of the contract |
Transmission to carriers |
|
Secure payment processing |
6.1.b — Performance of the contract |
Via Stripe Inc. (processor) |
|
After-sales service and complaints |
6.1.b / 6.1.f — Contract / Legitimate interest |
Management of returns, refunds, disputes |
|
Sending newsletters and marketing emails |
6.1.a — Consent |
Only with explicit opt-in |
|
Traffic analysis and Site improvement |
6.1.a — Consent (cookies) |
Google Analytics, Plausible Analytics |
|
Accounting and tax obligations |
6.1.c — Legal obligation |
Invoice retention 10 years |
|
Fraud prevention and security |
6.1.f — Legitimate interest |
Security of transactions and of the Site |
|
Defence of legal rights |
6.1.f — Legitimate interest |
In the event of a dispute |
4. Data retention periods
FAVAUNE applies the principle of data minimisation and only retains personal data for the period strictly necessary for the purposes for which it was collected.
|
Data category |
Active retention period |
Legal basis / reference |
|
Customer account data |
Duration of the business relationship + 3 years of inactivity |
CNIL recommendation |
|
Order and billing data |
10 years from the end of the financial year |
Art. L.123-22 of the Commercial Code |
|
Payment data (Stripe) |
Managed by Stripe under its own policy |
Stripe / PCI-DSS agreement |
|
Marketing data (newsletter) |
3 years from the last contact or until consent is withdrawn |
CNIL recommendation |
|
Browsing data / analytics cookies |
13 months maximum |
CNIL Deliberation 2020-091 |
|
Contact / after-sales service data |
5 years from the closure of the file |
Art. 2224 of the Civil Code (limitation period) |
|
Fraud prevention data |
5 years from the closure of the file |
Art. 2224 of the Civil Code |
Once these periods have expired, the data is either permanently deleted or irreversibly anonymised.
5. Recipients and processors
FAVAUNE may need to transfer your personal data to the following categories of recipients, in strict compliance with the GDPR and on the basis of processing agreements compliant with Article 28 of the GDPR:
|
Processor / Recipient |
Role |
Location |
|
IONOS SARL |
Hosting of the Site and the entire infrastructure (including Odoo servers) |
France (Sarreguemines) |
|
Stripe Inc. |
Secure online payment processing |
United States (EU Standard Contractual Clauses) |
|
Google LLC — Google Analytics |
Audience measurement and traffic analysis |
United States (EU Standard Contractual Clauses) |
|
Carriers / delivery providers |
Delivery of orders |
France / EU |
|
Accountants / lawyers |
Legal obligations and defence of rights |
France |
|
Competent authorities |
Legal obligations, judicial proceedings |
France / EU |
No personal data is sold, rented, or transferred to third parties for commercial purposes.
6. Data transfers outside the European Union
Two of our processors are established outside the European Union and are subject to specific safeguards:
6.1 Stripe Inc. (United States)
Stripe processes your payment data in the United States. This transfer is governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with Article 46 of the GDPR. Stripe is also certified PCI-DSS Level 1, guaranteeing the highest level of security for payment data. Stripe privacy policy: https://stripe.com/en/privacy
6.2 Google LLC — Google Analytics (United States)
Google Analytics may transfer data to the United States. This transfer is governed by the Standard Contractual Clauses and the EU-US Data Privacy Framework which Google has adhered to since July 2023. FAVAUNE has enabled IP address anonymisation (IP masking) and does not authorise Google to use data for personalised advertising purposes. Google privacy policy: https://policies.google.com/privacy
7. Your rights over your personal data
In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights:
7.1 Right of access (Art. 15 GDPR)
You can obtain confirmation that data concerning you is being processed and, where applicable, receive a copy along with information on the conditions of processing.
7.2 Right to rectification (Art. 16 GDPR)
You can request the correction of any inaccurate or incomplete data concerning you.
7.3 Right to erasure — "right to be forgotten" (Art. 17 GDPR)
You can request the deletion of your data in the cases provided for by the GDPR, in particular when the data is no longer necessary for the purposes for which it was collected, or when you withdraw your consent. This right does not apply where processing is necessary to comply with a legal obligation.
7.4 Right to restriction of processing (Art. 18 GDPR)
You can request the restriction of the processing of your data in certain cases (disputing accuracy, unlawful processing, etc.).
7.5 Right to data portability (Art. 20 GDPR)
You can receive the data you have provided to us in a structured, commonly used, and machine-readable format, and transmit it to another data controller.
7.6 Right to object (Art. 21 GDPR)
You can object at any time to the processing of your data based on FAVAUNE's legitimate interest or for commercial prospecting purposes. In the event of an objection to prospecting, your data will no longer be used for this purpose.
7.7 Right to withdraw consent (Art. 7 GDPR)
Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal. For newsletters, you can unsubscribe at any time via the unsubscribe link included in each email.
7.8 Right not to be subject to automated decision-making (Art. 22 GDPR)
FAVAUNE does not carry out any processing based exclusively on automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you.
7.9 How to exercise your rights
To exercise any of these rights, send your request:
–
By email: info@favaune.com
–
By post: FAVAUNE — 6 rue d'Armaillé, 75017 Paris
Please attach a copy of a valid ID document to your request. FAVAUNE undertakes to respond within one month of receipt of your request (Art. 12 GDPR). This period may be extended by a further two months in the case of a complex or high volume of requests, with prior notice.
If you believe your rights are not being respected, you have the right to lodge a complaint with the competent supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL) — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr.
8. Data security
FAVAUNE implements appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of your personal data, in accordance with Article 32 of the GDPR. These measures include in particular:
–
Encryption of communications via HTTPS
(TLS)
–
Encryption of stored passwords (hashing)
–
Data access restricted to authorised
personnel only
–
Secure hosting by IONOS SARL (France)
–
Payment processing by Stripe, PCI-DSS
Level 1 certified
–
Regular data backups
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, FAVAUNE undertakes to inform you as soon as possible, in accordance with Article 34 of the GDPR.
9. Protection of minors
The favaune.com Site is intended for an adult audience. FAVAUNE does not knowingly collect personal data relating to children under 15 without the prior, verifiable consent of their parents or legal guardians, in accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act. Should FAVAUNE learn that it has inadvertently collected data from a child under 15, it will delete it as soon as possible.
10. Changes to this policy
FAVAUNE reserves the right to modify this Privacy Policy at any time, in particular to comply with legislative and regulatory developments, CNIL decisions, or changes to its processing practices. Any substantial change will be brought to your attention by email or by a notice visible on the Site before it takes effect. The "Last updated" date at the top of the document will be systematically updated.
