Privacy policy
Privacy Policy effective from March, 2021
OVERVIEW
Your privacy is very important to SU PARIS
SU PARIS is a French joint stock company registered with the Trade and Companies Register of Paris under No. 535 164 933 and having its head-office located at 320 rue Saint Honoré, 75001 Paris, France (referred to in this policy as “we” or “us”).
We take the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you to manage our relationship with you and deliver products and services to you. We will comply with our legal obligations under the Data Protection Act 2018 (the ‘DPA 2018’) and the EU General Data Protection Regulation (‘GDPR’) in respect of your data privacy and security. This policy outlines how we will use, process and store your data and your data rights.
SU PARIS is committed to the privacy and security of your data. Our goal is to help you organize, find, and use your data to potentially provide you with financing facilities while respecting your privacy and honoring the commitments we've made in our Six Laws of Data Protection.
We abide by:
Six data protection principles:
- Lawful, fair and transparent data processing
- Data collection and processing only for specified, explicit and legitimate purposes
- Adequate collection of data which is relevant and limited to what is legally necessary for the purposes for which it is processed;
- Keeping accurate and up to date data, deleting inaccurate or outdated data
- Limiting the retention of data for active use for the purposes for which permission has been given
- Secure processing of data (including the handling by any 3rd party partners who help SU PARIS to deliver products and services to you or collect them from you)
1. INTRODUCTION
1.1. In order to service its clients, SU PARIS (hereinafter “SU PARIS”, “we” or “us”) needs to collect personal data from our clients and/or potential clients and employees. In light of the above, SU PARIS wants to ensure a high level of data protection as privacy is a cornerstone in gaining and maintaining the trust of our clients, employees and suppliers and thus, ensuring SU PARIS's business in the future. The protection of personal data requires that appropriate technical and organizational measures are taken to demonstrate a high level of data protection. SU PARIS has adopted a number of internal and external data protection policies, which must be adhered to by employees of SU PARIS. Additionally, SU PARIS will monitor, audit and document internal compliance with the data protection policies and applicable statutory data protection requirements, including the General Data Protection Regulation (“GDPR”). SU PARIS will also take the necessary steps in order to enhance data protection compliance within the organization. These steps include the assignment of responsibilities, raising awareness and training of staff involved in processing operations. Please note that this Privacy Policy will be reviewed from time to time to take into account any new obligations and that any personal data we hold will be governed by our most recent policy.
This Privacy Policy, along with guidelines for processing of personal data, constitutes the overall framework for processing of personal data within SU PARIS.
1.2. “Personal data” is any information which may be related to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, phone number, age, gender, an employee, a job applicant, clients, suppliers and other business partners. This also includes special categories of personal data (sensitive personal data) and confidential information such as health information, account number, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3. Although information regarding companies/businesses is not, as such, personal data, please note that information relating to contacts within such companies/businesses, e.g. name, title, work email, work phone number, etc. is considered personal data.
1.4. SU PARIS collects and uses personal data for a variety of legitimate business purposes, including establishment and management of customer and supplier relationships, recruitment and management of all aspects of terms and conditions of employment, communication, fulfillment of legal obligations or requirements, performance of contracts, providing services to clients, etc.
1.5. Personal data shall always be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
1.6. SU PARIS may collect data from you both directly (online, on the telephone, by email related to requests, account set up or ordering) and indirectly (Cookies – please see our Cookies Policy). Depending on what you provide us with, such information may include:
- Your identity (including your first name, last name, gender, image, nationality);
- Your contact details (including your postal address(es), email address(es), phone number(s));
- Your personal status (including your title);
- Your purchases (including purchase history, order details);
- Your preferences (including your size);
- Certain payment information (including billing information, payment type or method, charge or credit card number);
- Other information you may provide by filling forms or by contacting us (including your feedback, or other communications with us which may include health data relating to possible adverse reactions to our cosmetic products).
The details you share with us allow us to bring you our latest services and offers.
1.7. SU PARIS shall be responsible for and be able to demonstrate compliance with the above as part of SU PARIS's accountability.
1.8. We recognize your data belongs to you. We use your data for specific purposes when you choose to give it to us. The ways in which we use your personal data and information are:
- Provision of goods
- To improve our website for your easier use
- To manage your account – if you choose to create one
- To verify your identity and prevent fraudulent activity
- To contact you, if you give permission, about offers, competitions and new services
2. LEGAL BASIS FOR PROCESSING PERSONAL DATA
Processing of personal data requires a legal basis. The predominant legal bases for processing personal data within SU PARIS are:
- Consent from the data subject for one or more specific purposes;
- The performance of a contract to which the data subject is party;
- A legal obligation or requirement;
- Legitimate interests pursued by SU PARIS.
3. PROCESSING AND TRANSFER OF PERSONAL DATA
3.1. SU PARIS as Data Controller
3.1.1. SU PARIS will be considered a data controller to the extent that we decide by which means the data subject’s personal data shall be processed e.g. when a data subject signs an agreement with SU PARIS.
3.2. Use of data processors
3.2.1. An external data processor is a company, which processes personal data on behalf of SU PARIS and in accordance with SU PARIS's instructions, e.g. in relation to HR systems, third party IT providers, etc. When SU PARIS outsources the processing of personal data to data processors, SU PARIS ensures that said company as a minimum applies the same degree of data protection as SU PARIS. If this cannot be guaranteed, SU PARIS will choose another data processor.
3.3. Data processing agreements
3.3.1. Prior to transfer of personal data to the data processor, SU PARIS shall enter into a written data processing agreement with the data processor. The data processing agreement ensures that SU PARIS controls the processing of personal data, which takes place outside SU PARIS for which SU PARIS is responsible.
3.3.2. If the data processor/sub-data processor is located outside the EU/EEA, the conditions of clause 3.4.4 below will apply.
3.4 Disclosure of personal data
3.4.1. Before disclosing personal data to others, it is the responsibility of SU PARIS to consider whether the recipient is employed by us or not. Furthermore, we may only share personal data within SU PARIS if we have a legitimate business purpose in the disclosure.
3.4.2. It is SU PARIS's responsibility to ensure that the recipient has a legitimate purpose for receiving the personal data and to ensure that sharing of personal data is restricted and kept to a minimum. This may include third parties carrying out identity checks to verify your identity on our behalf.
3.4.3. SU PARIS must show caution before sharing personal data with persons, data subjects or entities outside of SU PARIS. Personal data shall only be disclosed to third parties acting as individual data controllers if a legitimate purpose for such transfer exists. If the recipient is acting as a data processor, please refer to clause 3.2 above.
3.4.4. If the third-party recipient is located outside the EU/EEA in a country not ensuring an adequate level of data protection, the transfer can only be completed if a transfer agreement has been entered into between SU PARIS and the third party. The transfer agreement shall be based on the EU Standard Contractual Clauses.
4. RIGHTS OF THE DATA SUBJECTS
4.1. Duty of information
4.1.1. When SU PARIS collects and registers personal data on data subjects SU PARIS is obligated to inform such persons about:
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the categories of personal data concerned;
- the legitimate interests pursued by SU PARIS, if the processing is based on a balancing of interests;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that SU PARIS intends to transfer personal data to a third country and the legal basis for such transfer;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from SU PARIS access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- where the processing is based on the data subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with SU PARIS via the correct procedure or with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
4.2 Right to access
4.2.1. Any person whose personal data SU PARIS is processing, including, but not limited to, SU PARIS employees, job applicants, external suppliers, clients, potential clients, business partners, etc. has the right to request access to the personal data which SU PARIS processes or stores about him/her.
4.2.2. If SU PARIS processes or stores personal data about the data subject, the data subject shall have the right to access the personal data and the reasons for the data to be processed in relation to the criteria set out in 4.1.1.
4.3. The data subject shall have the right to obtain from SU PARIS without undue delay the rectification of inaccurate personal data concerning him or her.
4.4. The data subject shall have the right to obtain from SU PARIS the erasure of personal data concerning him or her and SU PARIS shall have the obligation to erase personal data without undue delay, unless required by law to retain any information for a prescribed period of time, for example, by financial regulators or tax authorities.
4.5. The data subject shall have the right to obtain from SU PARIS restriction of processing, if applicable.
4.6. The data subject shall have the right to receive the personal data registered in a structured and commonly used and machine-readable format, if applicable.
4.7. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on a balancing of interests, including profiling.
4.8. Any requests received from a data subject to exercise the rights in this clause will be answered as soon as reasonably possible, and no later than 30 days from receipt. Requests shall be forwarded without delay to SU PARIS's Service Center. The Service Center will be supported by SU PARIS's Data Protection Officer to process the request to meet the reply deadline.
5. RECORDS OF PROCESSING ACTIVITIES
5.1. SU PARIS shall, as data controller, maintain records of processing activities under SU PARIS's responsibility. The records shall contain the following information:
- the name and contact details of the Data Controller;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country, including the identification of that third country and, if relevant, the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the applied technical and organizational security measures.
5.1.1. SU PARIS shall make the records available to relevant data protection authorities upon request.
6. DELETION OF PERSONAL DATA
6.1 Personal data shall be deleted when SU PARIS no longer has a legitimate purpose for the continuous processing or storage of the personal data, or when it is no longer required to store the personal data in accordance with applicable legal requirements.
6.2 Detailed retention periods with respect to various categories of personal data are specified in SU PARIS's Data Retention and Information Sharing policy.
7. NATIONAL REQUIREMENTS
7.1. SU PARIS shall comply with both the GDPR and national data protection legislation.
7.2. If applicable national legislation requires a higher level of protection for personal data than such policies/guidelines, such stricter requirements are to be complied with. If SU PARIS's policies/guidelines are stricter than the local legislation, our policies/guidelines must be complied with.
8. CONTACT AND COMPLAINTS
8.1. If you have any questions regarding the content of this policy, please contact SU PARIS's Data Protection Officer at info@suparis.com.
8.2. If you would like to file a complaint about SU PARIS's processing of personal data, please contact the Information Commissioner’s Office.
INFORMATION ABOUT COOKIES
What is a cookie?
A cookie is a small text file stored on your computer, tablet or mobile phone that makes it possible to save and track data about your use of the website. suparis.com uses cookies to identify you or store your product selection in your basket, for example. Cookies are managed by your Internet browser. By continuing to use the suparis.com website, you consent to our cookie settings and agree that you understand the terms of our cookies policy. You can edit your preferences at any time by going to the "Managing your cookie preferences" section.
There are two types of cookies on our website:
- Cookies strictly necessary for the website to function
These cookies allow you to use the main features of the suparis.com website, such as storing your product selection in your basket. These cookies make browsing easier and are required to make online purchases.
- Third-party cookies
These are, in particular, statistical analysis cookies that collect information about navigation on our website, thereby enabling us to improve your user experience and tailor the services to your preferences. There are also advertising cookies that aim to personalise and/or improve the content and browsing experience by providing you with interest-based services on other websites. All of the information collected is anonymous. You can edit your preferences at any time by going to the "Managing your cookie preferences" section.
We use the following cookies on our website: https://www.shopify.com/legal/cookies
You can easily disable and/or delete cookies from your computer, tablet or mobile phone by managing your browser settings. We recommend that you do not disable cookies strictly necessary for the website to function (cookie described as "essential" in the "What cookies do we use?" table) because this would prevent you from ordering online and enjoying the services of the suparis.com website.
In order to manage cookies to best suit your needs, please bear in mind the purpose of cookies when setting your browser. Please find instructions about managing and disabling cookies, depending on your browser: https://www.aboutcookies.org/