Private policy

The data controller collects and processes the following personal data according to the methods and principles described below:

• Its domain (automatically detected by the controller's server), including the dynamic IP address ;
• his/her e-mail address if the user has previously revealed it, for example by sending messages or questions on the website, by communicating with the data controller by e-mail, by participating in discussion forums, by accessing the restricted part of the website with

identification, etc. ;

• All the information concerning the pages that the user has consulted on the website;
• any information that the user has given voluntarily, for example in the context of information surveys and/or registrations on the website, or by accessing the restricted part of the website through identification.

The data controller may also collect non-personal data. These data are qualified as non-personal data because they do not allow to identify directly or indirectly a particular person. This data may therefore be used for any purpose, for example to improve the website, the products and services offered or the advertising of the controller.

In the event that non-personal data are combined with personal data in such a way that identification of the data subjects is possible, such data shall be treated as personal data until such time as it is impossible to link them to a specific person.

The data controller collects personal data in the following ways:

• Contact forms
• Newsletter registration
• Creating a customer account 

Personal data are collected and processed only for the purposes mentioned below:

• ensure the management and control of the execution of the services offered;
• sending and follow-up of orders and invoices;
• sending promotional information on the products and services of the controller;
• sending promotional material;
• answering questions from the user;
• to carry out statistics;
• to improve the quality of the website and of the products and/or services offered by the data controller;
• to transmit information on new products and/or services of the data controller;
• for the purpose of commercial prospecting;
• to allow a better identification of the user's interests.

We also collect and process personal data for the following purposes:

• Transfer of data to a business partner

The data controller may carry out processing operations that are not yet provided for in this Policy. In this case, the user will be contacted prior to the re-use of his/her personal data, in order to inform him/her of the changes and to give him/her the possibility, if necessary, to refuse such re-use.

Some of the processing operations carried out by the data controller are based on the legal basis of its legitimate interests. These legitimate interests are proportionate to the respect of the user's rights and freedoms. If the user wishes to be informed of the details of the purposes based on the legal basis of legitimate interests, it is recommended that he/she contact the data controller (see point on "contact data").

In general, the data controller keeps personal data only for as long as is reasonably necessary for the purposes for which it is to be used and in accordance with legal and regulatory requirements.

A customer's personal data is kept for a maximum of 10 years after the end of the contractual relationship between the customer and the controller.

At the end of the retention period, the data controller shall make every effort to ensure that the personal data has been made unavailable and inaccessible.

For all the rights listed below, the data controller reserves the right to verify the identity of the user for the application of the rights listed below.

This request for additional information will be made within one month of the user submitting the request.

The user may obtain free of charge the written communication or a copy of the personal data concerning him/her that has been collected.

The data controller may charge a reasonable fee based on administrative costs for any additional copies requested by the user.
Where the user makes such a request electronically, the information shall be provided in a commonly used electronic form, unless the user requests otherwise.

Unless otherwise provided for in the General Data Protection Regulation, the user will be provided with a copy of his or her data no later than one month after receipt of the request.

The user may obtain, free of charge, as soon as possible and at the latest within one month, the rectification of personal data that are inaccurate, incomplete or irrelevant, as well as the

completion of such data if they are found to be incomplete.

Unless otherwise provided for in the General Data Protection Regulation, the request for application of the right to rectification shall be processed within one month of its submission.

The user may at any time, for reasons relating to his particular situation, object free of charge to the processing of his personal data, when:

• the processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller;
• The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail (in particular where the data subject is a child).

The data controller may refuse to implement the user's right to object when it establishes the existence of compelling and legitimate reasons justifying the processing, which override the interests or rights and freedoms of the user, or for the establishment, exercise or defense of a legal claim. In the event of a dispute, the user may lodge a complaint in accordance with the section on "complaints and claims" of this Policy.

The user may also, at any time, object, without justification and free of charge, to the processing of personal data concerning him/her when his/her data is collected for commercial prospecting purposes (including profiling).

Where personal data are processed for scientific or historical research or statistical purposes in accordance with the General Data Protection Regulation, the user has the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task in the public interest.

With the exception of the General Data Protection Regulation, the data controller is obliged to respond to the user's request as soon as possible and at the latest within one month and to state the reasons for its response if it intends not to comply with such a request.

The user may obtain the limitation of the processing of his/her personal data in the cases listed below:

• when the user disputes the accuracy of the data and only for as long as it takes the data controller to check it;
• when the processing is unlawful and the user prefers the limitation of processing to erasure;
• when, although no longer necessary for the purposes of the processing, the user needs it

for the establishment, exercise or defense of his legal rights;

• for the time necessary to examine the merits of a request for opposition made by the user, in other words for the time necessary for the controller to verify the balance of interests between the legitimate interests of the controller and those of the user.

The data controller will inform the user when the processing restriction is lifted.

The user may obtain the deletion of personal data concerning him, when one of the following reasons applies:

• the data are no longer necessary for the purposes of the processing;
• the user has withdrawn his consent to the processing of his data and there is no other legal basis for the processing;
• the user objects to the processing and there is no compelling legitimate reason for the processing and/or the user exercises his/her specific right to object to direct marketing (including profiling);
• the personal data has been processed unlawfully;
• personal data must be erased in order to comply with a legal obligation (under Union or Member State law) to which the controller is subject;
• the personal data were collected in the context of offering information society services to children.

However, the deletion of data is not applicable in the following cases:

• when the processing is necessary for the exercise of the right to freedom of expression and information;
• where the processing is necessary for compliance with a legal obligation requiring the processing laid down by Union law or by the law of the Member State to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller ;
• when the processing is necessary for reasons of public interest in the field of public health;
• when the processing is necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes and insofar as the right to erasure is likely to render impossible or seriously compromise the achievement of the purposes of the processing in question;
• when the processing is necessary for the establishment, exercise or defense of legal claims.

With the exception of the General Data Protection Regulation, the data controller is obliged to respond to the user's request as soon as possible and at the latest within one month and to state the reasons for its response if it intends not to comply with such a request.

The user may, at any time, request to receive free of charge his/her personal data in a structured, commonly used and machine-readable format, in particular with a view to transmitting them to another controller, when:

• the data processing is carried out by means of automated processes; and when
• the processing is based on the user's consent or on a contract concluded between the user and the data controller.

Under the same conditions and in the same way, the user has the right to obtain from the data controller that the personal data concerning him/her be transmitted directly to another data controller, provided that this is technically possible.

The right to data portability does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The recipients of the data collected and processed are, in addition to the data controller itself, its employees or other subcontractors, its carefully selected commercial partners, located in France or in the European Union, and who collaborate with the data controller in the context of marketing products or providing services.

In the event that the data is disclosed to third parties for direct marketing or commercial prospecting purposes, the user will be informed in advance so that he/she can choose to accept the transfer of his/her data to third parties.

As long as this transfer is based on the user's consent, the user can withdraw his or her consent for this specific purpose at any time.

The data controller complies with the legal and regulatory provisions in force and will ensure in all cases that its partners, employees, subcontractors or other third parties having access to this personal data comply with this Policy.

The data controller discloses the user's personal data in the event that a law, legal proceedings or an order from a public authority makes such disclosure necessary.

No transfer of personal data outside the European Union is made by the data controller.

The data controller implements appropriate technical and organizational measures to ensure a level of security of the processing and of the data collected with regard to the risks presented by the processing and the nature of the data to be protected that is appropriate to the risk. He shall take into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks to the rights and freedoms of users.

The controller always uses encryption technologies that are recognized as industry standards within the IT sector when transferring or receiving data on the website.

The data controller has put in place appropriate security measures to protect and prevent the loss, misuse or alteration of the information received on the website.

In the event that personal data under the control of the data controller is compromised, the data controller will act promptly to identify the cause of the breach and take appropriate remedial action.

The data controller shall inform the user of this incident if required by law.

If the user wishes to react to any of the practices described in this Policy, it is advisable to contact the data controller directly.
The user may also lodge a complaint with his or her national supervisory authority, whose contact details can be found on the official website of the European Commission: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

In addition, the user has the possibility to file a complaint before the competent national courts:

• On the website of the CNIL:
  • in certain specific cases, through the online complaint teleservice;
  • in other cases not covered by the teleservice, by the "Need help" service.
• By mail by writing to : CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - FRANCE

For any question and/or complaint, related to this Policy, the user can contact the data controller: By email: infos@varenne.fr.
By mail: 42, rue Barbet de Jouy 75007 Paris .

The data controller reserves the right to change the provisions of this Policy at any time. The changes will be published directly on the website of the controller.

This Policy shall be governed by the national law of the place where the data controller has its principal place of business.

Any dispute relating to the interpretation or execution of this Policy shall be submitted to the jurisdiction of that national law.
This version of the Policy is dated 06/17/2022.