Privacy policy

Article 1.  PARTIES TO THIS ACT

Between the undersigned:

1°) The company NODALETO SAS, a simplified joint stock company with a capital of €20,000, registered in the Paris Trade and Companies Registry under number 842 472 664, and whose registered office is located at 9 rue de la Trémoille 75008 Paris, FRANCE and whose VAT number is FR69842472664.

Hereinafter referred to as the "Data Controller", 

On the one hand,

And

2°) Any individual 

Navigating on the website of the Data Controller.

Hereinafter referred to as the "Data Subject", 

On the other hand,

It was outlined and agreed as follows:

 

Article 2.  SUBJECT 

This Privacy Policy applies, without restriction or reservation, between the Data Subject and the Data Controller.

Its purpose is to provide information on the Data Controller’s processing of the Data Subject’s Personal Data in relation to the use of the websites www.nodaleto.shop and www.nodaleto.com (hereinafter referred to as the "Site") by the Data Subject. Said processing is done in compliance with the legislation in force, particularly the European Regulation n°2016/679 and Law n°78-17 (hereinafter referred to as the "Legislation").

Access to and use of the Website are subject to compliance with the General Terms and Conditions of Sale, the Legal Notice and the following Privacy Policy.

Article 3.  DEFINITIONS

- Supervisory authority means the Commission Nationale de l'Informatique et des Libertés (CNIL), an independent French public authority on the regulation of data protection;


- Consent means any free, specific, enlightened and unambiguous expression of will by which the Data Subject accepts, by a declaration or by a clear positive act, that Data concerning him/her may be processed by the Data Controller. 


- Cookie means a file that allows the Data Subject to trace his or her path on the Site. 


- Recipient means any individual or legal person, public authority, service or other body that receives communication of the Data, whether or not it is a Third Party. However, public authorities that are likely to receive communication of the Data, including in the context of a fact-finding mission, are not considered as Recipients within the meaning of this definition. 


- Data means any information relating to the Data Subject.


- File means any structured set of Data accessible according to determined criteria, whether this set is centralised, decentralised or distributed in a functional or geographical manner. 


- Legislation means any law and regulation relating to Data Protection, and in particular European Regulation n°2016/679 and Law n°78-17. 


- Browsing means consulting, finding out about, ordering and/or purchasing Products on the Site by the Data Subject.


- Data Subject means any individual who browses the Site, as soon as he or she can be identified, directly or indirectly, including by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific elements specific to his or her physical, physiological, genetic, psychological, economic, cultural or social identity. 


- Products means the products offered for sale on the Site by the Data Controller to the Data Subject.


- Pseudonymisation refers to the processing of Data in such a way that it can no longer be attributed to the Data Subject without having recourse to additional information. 


- Data Controller means the company NODALETO SAS, a simplified joint stock company with a capital of €20,000, registered in the Paris Trade and Companies Register under the number 842 472 664, whose registered office is located at 57 rue Pierre Charon 75008 Paris, FRANCE and whose VAT number is FR69842472664, and which alone determines the purposes and means of the Processing.


- Site refers to the infrastructure developed by the Data Controller according to the computer formats that can be used on the Internet, including data of various kinds, in particular texts, sounds, still or animated images, videos and databases, intended to be consulted by the Data Subject to find out about, reserve, order and/or purchase Products (www.nodaleto.com and www.nodaleto.shop).


- Processor means any individual or legal person, public authority, service or other body other than the Data Controller who processes the Data on behalf of the Data Controller. 


- Third Party means any natural or legal person, public authority, service or other body other than the Data Controller, the Processor and the persons who, under the direct authority of the Data Controller or the Processor, are authorised to process the Data, and in particular tour operators, travel agencies and reservation systems. 


- Processing means any operation or set of operations, whether or not carried out using automated processes and applied to the Data or sets of Data, such as collection, recording, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, matching or interconnection, limitation, erasure or destruction. 


AGREEMENT

Article 4.  PRINCIPLES RELATING TO THE PROCESSING

In accordance with the Legislation, the Data Controller undertakes to comply with the following principles for each Processing: 

- Lawfulness;
- Fairness;
- Transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity;
- Confidentiality;
- Accountability.

Article 5.  PROCESSED DATA

In the context of Browsing, the Data Controller is required to collect and process a certain number of Data, in particular:

  • Personal information (surname, first name, height, gender, postal address, email address, telephone number, date of birth, age, date of registration and unsubscription to the client account and to the newsletter of the Data Controller, messages exchanged with the Data Controller);
  • Banking information (means of payment, credit card number);
  • Information about your order (product ordered, delivery address, delivery tracking number, order price, purchase and delivery history);
  • Technical information (browsing behaviour on the Site, IP address, products added to the basket, collection of Consent).

Article 6.  CONTEXT OF THE PROCESSING

The Data may be collected and processed by the Data Controller on various occasions, and in particular:

  • Purchase of Products on the Site;
  • Contact with the Data Controller;
  • Subscribing to the newsletter;
  • Creation of a client account;
  • Publication of notices relating to Products;
  • Browsing on the Site.

Article 7.  DETAILS OF THE PROCESSING

| Purpose of the Processing | Categories of Data | Legal basis of the Processing | Data retention |
|---|---|---|---|
| Management of product Orders and deliveries | First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, sizes, products purchased, payment method, order and delivery history, customer ID, credit card number, IP address | Contract | Duration of the contractual relationship (delivery of the Products), EXCEPT immediately for the visual cryptogram |
| Accounting and tax obligations | First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, sizes, products purchased, payment method | Legal requirement | 10 years from the purchase of the Product |
| Management of pre-litigation and litigation | First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, sizes, products purchased, payment method, order and delivery history, customer ID, credit card number, IP address | Legitimate interest of the Data Controller in establishing proof of a right or contract | 5 years from the purchase of the Product |
| Creation and management of client accounts | First name, last name, email address, postal address, telephone number, sizes, customer account creation date, payment method, delivery address, order placed, delivery tracking number, sizes, baskets, products purchased, order and delivery history, customer ID, consent collection | Consent | 3 years from the last connection of the Data Subject to his/her client account |
| Retention of the credit card number to facilitate future purchases | First name, last name, customer ID, credit card number, collection of consent | Consent | Until the expiration of the credit card |
| Commercial prospecting by electronic means and newsletter | First name, last name, email address, consent form | Consent | 3 years from the last contact by the Data Subject |
| Commercial prospecting by mail or human intervention | First name, last name, email address, postal address | Legitimate interest of the Data Controller to promote its Products | 3 years from the last contact by the Data Subject |
| Commercial prospecting for similar goods and services | First name, last name, email address, phone number, purchase history | Legitimate interest of the Data Controller to promote its Products | 3 years from the last contact by the Data Subject |
| Securing and improving the Site | IP address, Browsing data | Legitimate interest of the Data Controller to improve the Site and to manage the Site, to secure and administer the Site, to prevent fraud and malicious acts | 13 months |
| Complaints and client service management | First name, last name, email address, postal address, phone number, purchase history, exchanges, customer ID, IP address | Legitimate interest of the Data Controller to improve its Products and client service | 3 years from the last contact by the Data Subject |
| Opposition list management | Email address | Legitimate interest of the Data Controller to control its prospecting campaigns | 3 years from the exercise of the right |
| Site statistics and personalized advertising | IP address, Browsing data, collection of Consent | Consent | 6 months |

The Data Controller reserves the right to anonymise the Data being processed before deleting it. 

Anonymised Data may then be processed for statistical purposes. 

Article 8.  RECIPIENTS OF THE DATA

As a matter of principle, the Data Controller is the sole Recipient of the Data. 

However, the Data Controller may transfer the Data to Recipients, in particular in the context of the management of purchases of Products by the Data Subject, and/or to any public authority that may request it, in particular in the context of a fact-finding mission.

The Data Controller shall undertake to require from its Processors sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the Processing meets the legal and regulatory requirements and guarantees the protection of the rights of the Data Subject, in particular in the event of transfer of the Data outside the European Union. 

Furthermore, the Data Controller may communicate to any Recipient or Third Party the Data subject to Processing when a legal obligation to do so exists or when the Data Controller considers in good faith that it is necessary in order to:

  • Respond to any claim against him/her;
  • Comply with the requirements of the judicial order and/or the administrative order and/or the Supervisory Authority;
  • Enforce any contract to which the Data Subject is a party;
  • Safeguard the vital interests of any individual;
  • Perform a mission of public interest.

In the event that the Data Controller is bought by a Third Party, the Data Controller retains the right to share the Data with the purchasing Third Party, provided the Third Party has agreed to comply with this Privacy Policy.

Article 9.  RIGHTS OF THE DATA SUBJECT

The Data Subject has a certain number of rights regarding the Data, which he or she may assert, except in the case of applicable legislative or regulatory exceptions, by making a request to the Data Controller at the following address: 

NODALETO

9 rue de la Trémoille 75008 Paris, FRANCE

bonjour@nodaleto.com

Where there is reasonable uncertainty as to the identity of the Data Subject making a request to exercise his/her rights on the Data, the Data Controller may request to attach a copy of an official identity document in support of the request. 

Requests will be dealt with as soon as possible and at the latest within the time limits established by the Legislation.

Article 9.1. Right of access

The Data Subject has the right to obtain from the Data Controller confirmation as to whether or not Data are being processed and, if so, access to such Data, as well as the following information: 

  • The processing’s purposes;
  • The categories of Data;
  • The Recipients or categories of Recipients to whom the Data has been or will be communicated, in particular Recipients who are established in third countries or international organisations;
  • Where possible, the duration of the Data's storage or, where this is not possible, the criteria used to determine this duration;
  • The existence of the right to ask the Data Controller for the rectification or deletion of the Data, or a limitation of the processing of the Data, or the right to object to such processing;
  • The right to lodge a complaint with a Supervisory Authority;
  • Where the Data is not collected from the Data Subject, any available information as to its source;
  • The existence of automated decision making, including profiling, and, at least in such cases, relevant information on the underlying logic, as well as the importance and intended consequences of such processing for the Data Subject.

The Data Controller provides a copy of the Data being Processed and reserves the right to require payment of a reasonable fee based on administrative costs for any additional copy requested by the Data Subject.

Article 9.2. Right to erasure and rectification

The Data Subject has the right to obtain from the Data Controller the rectification and/or deletion of inaccurate or obsolete Data as soon as possible, unless a contrary situation prevents the exercise of this right, including but not limited to:

  • The exercise of the right to freedom of expression and information;
  • The respect of a legal obligation;
  • The public interest in the field of public health, archives, scientific, historical or statistical research;
  • The establishment, exercise, or defence of rights in legal proceedings.

Article 9.3. Right to object

The Data Subject has the right to object at any time, for reasons specific to his or her situation, to Data Processing based on the performance of a task carried out in the public interest or the necessity of the legitimate interest of the Data Controller. 

The Data Controller shall undertake to stop any further Processing of the Data, unless he demonstrates that there are legitimate and compelling reasons which prevail over the interests and rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal rights. 

Furthermore, the Data Subject has the right to object at any time to the Data Processing carried out for prospecting purposes by the Data Controller, insofar as the Data Subject is connected with such prospecting. 

Finally, when Data is processed for scientific or historical research or statistical purposes, the Data Subject has the right to object, for reasons specific to his or her situation, to the Processing of Data, unless the Processing is necessary for the performance of a task carried out for the public interest.

Article 9.4. Right to restriction of processing

The Data Subject has the right to obtain from the Data Controller the restriction of the Data Processing when:

  • The accuracy of the Personal Data is contested by the Data Subject, for a period of time allowing the Data Controller to verify the accuracy of the Data;
  • The Processing is unlawful and the Data Subject opposes its deletion and instead demands the limitation of its use;
  • The Data Controller no longer needs the Data for the purposes of the Processing, but the Data is still necessary for the Data Subject to establish, exercise or defend legal claims;
  • The process of verifying whether the legitimate grounds pursued by the Data Controller prevail over those of the Data Subject is still ongoing after the Data Subject opposed the Processing in compliance with Article 9.3.

The Data Subject who has obtained the limitation of the Data Processing shall be informed by the Data Controller before the restriction of the Processing is lifted. 

Article 9.5. Right to Data Portability 

The Data Subject has the right to receive the Data provided by him/her to the Data Controller, in a structured, commonly used and machine-readable format, and has the right to transmit such Data to another Data Controller without the Data Controller's interference, where:

  • The Processing is based on the Consent of the Data Subject or on the performance of a contract to which the Data Subject is a party;
  • The Processing is carried out by means of automated processes.

The Data Subject, when exercising his/her right to Data portability, has the right to obtain that the Data be transmitted directly from the Data Controller to another Data Controller, where technically possible.

Article 9.6. Right to lodge a complaint to the Supervisory Authority

The Data Subject has the right to lodge a complaint to the Supervisory Authority if he or she considers that the Data Processing by the Data Controller is unlawful. 

Article 9.7. Right to define guidelines on the fate of the Data

The Data Subject has the right to define directives regarding the fate of the Data in the event of his or her death and to leave them with the Data Controller, who shall take all possible measures to enforce them.

Article 10.  DATA SECURITY

The Data Controller shall take the appropriate technical and organisational measures to protect the Data against its destruction, loss, alteration, misuse and unauthorised access, modification or disclosure, whether these actions are voluntary or accidental. 

The purpose of these technical and organisational measures is to ensure the confidentiality, integrity, availability and resilience of the Site and the information systems where the Files are stored. 

In order to secure the Data Subject’s Browsing, the Site is SSL (Secure Sockets Layer) encrypted.

Article 11.  MODIFICATION OF PRIVACY POLICY

The Data Controller retains the right to modify this Privacy Policy from time to time, including the list of Recipients set out in Article 8.  

In the event of a substantial modification of this Privacy Policy, the Data Subject will be personally informed of the new Privacy Policy. 

The Data Subject is invited to regularly check this Privacy Policy to take note of any changes to it. 

The Data Subject may send questions about this Privacy Policy to the Data Controller at the following address: bonjour@nodaleto.com

Article 12.  NULLITY OF THE PRIVACY POLICY

If any provision of this Privacy Policy is found to be invalid under any applicable law or a final court decision, then that provision shall be deemed to be void but shall not invalidate the Privacy Policy itself or affect the validity of any of its other provisions.

Article 13.  COOKIE MANAGEMENT

When Browsing on the Site, the Data Subject is led to consent to the installation of Cookies on his/her computer terminal. 

Generally, Cookies record information relating to the Browsing of computers on the Site (the pages consulted, the date and time of consultation, etc.), information that may be read during subsequent visits of the Data Subject to the Site and transferred to the Data Controller. The installation of these Cookies requires the Consent of the Data Subject.

Some Cookies are essential for the proper functioning of the Site and do not require the Consent of the Data Subject before their installation, in which case they are known as Functional Cookies. 

In accordance with Article 7 of this Privacy Policy, Cookies are automatically deleted within thirteen (13) months of their installation as long as the Data Subject does not renew his or her Consent before the expiry of this period.  

The Data Subject may refuse to give his/her Consent to the installation of non-functional Cookies, revoke his/her Consent and/or set the Cookies at any time by using the Cookie Manager of the Data Controller below or by configuring his/her browser as follows: 

For Mozilla Firefox:

  • Select the "Tools" menu, then "Options".
  • Click on the "Privacy" icon.
  • Locate the "Cookies" menu and select the options that suit you.

For Microsoft Internet Explorer 6.0:

  • Choose the "Tools" menu, then "Internet Options".
  • Click on the "Confidentiality" (or "Privacy") tab.
  • Select the desired level using the cursor.

For Microsoft Internet Explorer 5:

  • Choose the "Tools" menu, then "Internet Options".
  • Click on the "Confidentiality" tab.
  • Customise the level using the cursor.

For Netscape 6.X and 7.X:

  • Choose the menu "Edit">"Preferences".
  • Privacy and Security
  • Cookies

For Opera 6.0 and beyond:

  • Choose the "File">"Preferences" menu
  • Privacy Policy