Privacy Policy and Personal Data Protection - GDPR
1. Introduction
This Privacy Policy outlines how EDITIONS CARTES D’ART, a company registered in the Paris Trade and Companies Register under number 304 454 341, with its head office located at 6 rue Asseline, 75014 Paris, collects, uses, and protects the personal data of professional visitors and clients (hereinafter referred to as "the User") of the website www.cartesdart.fr (hereinafter referred to as "the Website") in compliance with the General Data Protection Regulation (GDPR).
EDITIONS CARTES D'ART is committed to protecting the privacy of professional users and individual visitors of its website. We handle your data in strict compliance with the GDPR and applicable French laws.
This Privacy Policy details our practices for the collection, processing, and protection of personal data in the context of our commercial activities.
2. Data Controller
The data controller is:
EDITIONS CARTES D'ART
Head Office: 6 rue Asseline, 75014 Paris, France
Contact: rgpd@cartesdart.fr
3. Data Collected
We collect only the data necessary for managing our commercial activities or responding to requests submitted via our contact form. This includes:
3.1. Data Collected Directly from You:
For professionals (clients or prospects):
- When submitting a contact request (via the contact form):
  - Full name
  - Job title
  - Company name
  - Full business address
  - Phone number and email address
  - Preferred language
  - Official registration number and EU VAT number
- When placing orders:
  - Purchased products and order history
  - Full delivery address
  - Specific pricing conditions or commercial discounts
  - Delivery methods and conditions
- Bank details (IBAN and BIC): These are collected solely from professional clients to facilitate SEPA or LCR bank transfers for invoicing and payment.
- Payment information: For online transactions, we collect credit card details (card number, expiration date, CVV).
For individuals (via the contact form):
- Full name
- Email address
- Phone number (if provided)
- Content of your message or request
These data are used exclusively to process and respond to your requests. They are not retained beyond the handling of your inquiry unless they result in a commercial relationship or a legal obligation requires their retention.
3.2. Data Collected Automatically via Our Website:
- Technical information (IP address, browser type, operating system).
- Cookies necessary for user session management or statistical analysis.
4. Purposes of Data Processing
Your data are collected and processed for the following purposes:
4.1. For professionals:
- Creation and management of your client account.
- Order processing, invoicing, and delivery.
- Handling disputes and debt recovery.
- Payment management:
  - Collection and processing of bank details (IBAN and BIC) to execute SEPA and LCR payments under commercial agreements.
  - Transaction processing: Secure payment handling for your orders.
4.2. For individuals (via the contact form):
Responding to inquiries or requests submitted via the contact form.
4.3. Compliance with legal obligations:
Retaining invoicing and order data in accordance with accounting and tax obligations.
4.4. Communication and marketing (with prior consent):
a. Sending newsletters, promotions, or product updates.
b. Managing your preferences for commercial communications.
4.5. Analysis and improvement:
Enhancing the user experience through anonymized statistics.
5. Data Recipients
Your personal data are accessible only:
- To our internal teams for account and order management (professionals) and for responding to inquiries (professionals and individuals).
- To our service providers and subcontractors involved in necessary services (delivery, Odoo hosting, Odoo ERP, accounting firms). These third parties are bound by confidentiality obligations and GDPR compliance.
Your data is never sold to third parties or used for unintended purposes.
Your bank details are accessible only:
- To our internal teams managing financial and accounting operations, strictly for their professional duties.
- To our banking service provider for SEPA and LCR payment execution.
Your bank details are never shared for other purposes.
Your payment information is transmitted to our payment service provider:
- Stripe, certified PCI-DSS compliant, ensuring the security of transactions.
Stripe acts as an independent data controller for certain data, determining the purposes and means of processing.
6. Data Hosting and Security
Your data are hosted on servers managed by Odoo S.A. via its platform Odoo.sh. These servers may be located outside the European Economic Area (EEA). Odoo S.A. is committed to implementing necessary measures to ensure data protection and confidentiality in compliance with applicable regulations.
Your data benefit from enhanced security measures, including:
- Regular backups.
- Strict access controls.
- Encryption of sensitive data (e.g., passwords).
We take strict measures to ensure the security of your banking details, including:
- Secure storage within our Odoo ERP and/or GDPR-compliant tools.
- Strictly limited access to authorized personnel.
- Secure protocols for data transfer to our banking service provider.
In case of cash payment by credit card, payment information is processed and stored by Stripe, which implements security measures in accordance with international standards to protect your data:
- PCI-DSS compliance: Stripe is certified under the PCI-DSS standard, ensuring the security of payment data.
- Secure transmission: Payment details are transmitted directly to Stripe via secure connections and are not stored on our servers.
7. Data Retention
We retain your personal data only as long as necessary for the purposes described above:
- Billing data: 10 years (legal obligation).
- Professional account data: Up to 3 years after the end of our commercial relationship.
- Contact form data (individuals): 6 months after processing the request unless it results in a commercial relationship or a legal obligation.
- Marketing data (professionals): 3 years after your last interaction unless you object.
- Bank details (IBAN and BIC):
  - During the commercial relationship.
  - Up to 5 years after the relationship ends, in accordance with accounting and tax obligations, unless you request earlier deletion and no legal obligation requires their retention.
- Payment data is retained by Stripe in accordance with its privacy policy and applicable legal obligations.
8. Your Rights
Under the GDPR, you have the following rights concerning your data:
- Access: Request access to your personal data.
- Rectification: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your data unless a legal obligation requires retention.
- Objection: Object to data processing for direct marketing purposes.
- Portability: Request to receive your data in a readable format.
- Request the deletion or modification of your bank details, except in the event of a legal obligation to retain them.
You have the following rights regarding your payment data:
- Access and rectification: You can request access or correction of your data by contacting Stripe or our customer service.
- Deletion: You can request the deletion of your data, subject to legal retention obligations.
To exercise these rights, contact us at rgpd@cartesdart.fr. Proof of identity may be required to ensure data security.
9. International Data Transfers
Stripe may transfer your data outside the EEA. In such cases, appropriate safeguards are implemented to protect your information.
10. Cookies
Our website uses cookies to:
- Facilitate navigation and remember your preferences.
- Generate anonymized audience statistics.
For more information or to manage your preferences, please consult our Cookie Policy.
11. Policy Updates
We may update this policy to reflect changes in legislation or our practices. Substantial updates will be communicated via our website.
12. Contact
For any questions regarding this policy or your personal data, you may contact:
EDITIONS CARTES D'ART
Email: rgpd@cartesdart.fr
Phone: +33 (0)1 42 22 63 03