GDPR

BlablaDeal is fully committed to compliance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which is the cornerstone of data protection law in the European Union.

We process personal data in accordance with the following core principles:

• Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner. We clearly inform you about how and why your data is processed.
• Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes, and do not further process it in a manner incompatible with those purposes.
• Data Minimisation: We collect only the personal data that is necessary for the purposes for which it is processed.
• Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
• Storage Limitation: We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
• Integrity and Confidentiality: We implement appropriate technical and organisational measures to ensure the security of personal data.
• Accountability: We are responsible for, and are able to demonstrate compliance with, the GDPR.

For full details on our data processing practices, please refer to our Privacy Policy.

Under the GDPR, you have the following rights with respect to your personal data. These rights are summarised below, with references to the relevant GDPR articles and our full Privacy Policy for detailed information.

• Right of Access (Art. 15): You can request a copy of the personal data we hold about you, along with information about how it is processed.
• Right to Rectification (Art. 16): You can request the correction of inaccurate personal data or the completion of incomplete data.
• Right to Erasure / Right to Be Forgotten (Art. 17): You can request the deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.
• Right to Restriction of Processing (Art. 18): You can request that we limit the processing of your personal data in certain circumstances, such as while we verify the accuracy of your data following a challenge.
• Right to Data Portability (Art. 20): You can request to receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
• Right to Object (Art. 21): You can object to the processing of your personal data where the processing is based on legitimate interests or is for direct marketing purposes.

These rights are not absolute and may be subject to limitations and conditions under applicable law. For example, the right to erasure does not apply where data retention is required by a legal obligation.

To exercise any of your data subject rights, you may contact us using the following methods:

• Email: Send your request to [email protected] with the subject line "GDPR Data Subject Request".
• Account Settings: Certain rights, such as rectification and account deletion, can be exercised directly through your account settings on the Platform.

Processing Your Request

• We will acknowledge receipt of your request within five (5) business days.
• We will respond substantively to your request within thirty (30) days of receipt. If your request is particularly complex or if we receive a large number of requests, this period may be extended by an additional sixty (60) days. In such cases, we will inform you of the extension and the reasons for it within the initial thirty-day period.
• Our response will be provided free of charge. However, if your request is manifestly unfounded or excessive (in particular, if it is repetitive), we may charge a reasonable fee based on administrative costs or refuse to act on the request, in accordance with Article 12(5) of the GDPR.

Identity Verification

To protect your personal data, we may need to verify your identity before processing your request. We may ask you to provide additional information to confirm your identity, such as confirming details associated with your account.

Under Article 20 of the GDPR, you have the right to receive the personal data that you have provided to BlablaDeal in a structured, commonly used, and machine-readable format.

When you submit a data portability request, we will provide your data in JSON format, which is a widely used, open-standard file format. The export will include:

• Your account information (name, email, profile data)
• Your Group membership history (Groups created or joined)
• Your transaction history (payments made and received through the Platform)
• Your communication data (messages sent and received through the Platform)

Delivery: Your data export will be delivered to the email address associated with your account within thirty (30) days of your verified request. The data will be provided in a secure, downloadable format.

Transmission to Another Controller: Where technically feasible and upon your request, we will transmit your personal data directly to another data controller.

To request a data export, contact us at [email protected] or use the export feature in your account settings (where available).

You have the right to request the deletion of your personal data from BlablaDeal's systems, subject to certain legal exceptions.

How to Request Account Deletion

• Via Account Settings: Navigate to your account settings and use the "Delete Account" option. You will be asked to confirm your decision.
• Via Email: Send an account deletion request to [email protected].

What Happens When You Request Deletion

• Your account will be deactivated immediately upon confirmation.
• Your personal data will be permanently deleted from our active systems within thirty (30) days of your confirmed request.
• Any active Group participations (as Owner or Joiner) will be cancelled. If you are an Owner, Joiners in your Groups will be notified.

Data We Are Required to Retain

Certain data cannot be deleted immediately due to legal obligations:

• Transaction Records: Retained for ten (10) years as required by French commercial and tax law (Code de commerce, Art. L.123-22).
• Data Required for Legal Proceedings: If there is an ongoing legal dispute or investigation, relevant data may be retained until the matter is resolved.

Retained data is securely stored with restricted access and is used only for the specific legal purpose for which it is retained. Once the retention obligation expires, the data is permanently deleted.

BlablaDeal respects your communication preferences. We distinguish between two categories of communications:

Transactional Emails

These are emails that are necessary for the operation of the Platform and cannot be opted out of while you maintain an active account. They include:

• Payment confirmations and receipts
• Group join/leave notifications
• Account security alerts (e.g., password changes, suspicious login activity)
• Important service announcements (e.g., changes to Terms of Service)

Marketing Emails

These are promotional communications about new features, special offers, or platform updates. You can opt out of marketing emails at any time by:

• Clicking the "Unsubscribe" link at the bottom of any marketing email;
• Adjusting your communication preferences in your account settings;
• Contacting us at [email protected].

Your opt-out request will be processed within ten (10) business days. Opting out of marketing emails will not affect your receipt of transactional emails.

We will only send marketing emails where you have provided your prior opt-in consent, in accordance with the GDPR and the EU ePrivacy Directive.

If you have any questions, concerns, or requests regarding the processing of your personal data or the exercise of your GDPR rights, you may contact our Data Protection Officer (DPO):

• DPO Name: [TODO: DPO name]
• Email: [email protected]

Our DPO is responsible for overseeing BlablaDeal's data protection strategy and ensuring compliance with the GDPR. The DPO is available to:

• Answer questions about how your personal data is collected, used, and stored;
• Assist with the exercise of your data subject rights;
• Address complaints or concerns about our data processing practices;
• Liaise with supervisory authorities on data protection matters.

We are committed to responding to all DPO inquiries promptly and transparently.