Privacy Policy

The data controller responsible for the processing of your personal data is:

• Company Name: [TODO: company name]
• Registered Address: [TODO: company address]
• Registration Number (RCS): [TODO: RCS number]
• Share Capital: [TODO: share capital]
• Email: [email protected]

As the data controller, BlablaDeal determines the purposes and means of the processing of personal data collected through the Platform, in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable French data protection legislation, including the Loi Informatique et Libertés (Law No. 78-17 of 6 January 1978, as amended).

BlablaDeal has designated a Data Protection Officer to oversee compliance with data protection obligations. You may contact the DPO for any inquiries or requests relating to the processing of your personal data or the exercise of your data subject rights:

• DPO Name: [TODO: DPO name]
• Email: [email protected]

The DPO is available to assist you with questions regarding how your data is collected, stored, used, or shared, and to facilitate the exercise of your rights under the GDPR.

We collect and process the following categories of personal data:

Account Data

• Full name, email address, and password (hashed) provided during registration
• City or region of residence (optional, for display purposes)

Profile Data

• Profile photo (if uploaded), display name, and any additional information you choose to add to your profile

Usage Data

• IP address, browser type and version, device type, operating system
• Pages visited, time spent on pages, referral source, click patterns
• Date and time of access, session identifiers

Payment Data

• Payment transactions are processed by Stripe. BlablaDeal does not store your credit card numbers, CVV, or other sensitive payment credentials. We receive from Stripe: transaction identifiers, payment status, billing amounts, and a truncated card reference (last four digits) for your records.

Communication Data

• Messages exchanged between Users through the Platform's messaging features
• Correspondence with our support team (emails, support tickets)

Cookie and Tracking Data

• Cookies and similar technologies as described in our Cookie Policy

In accordance with Article 6 of the GDPR, we process your personal data on one or more of the following legal bases:

• Contractual Necessity (Art. 6(1)(b)): Processing is necessary for the performance of our contract with you — namely, to provide the Platform services, manage your account, process payments, and facilitate subscription-sharing Groups.
• Consent (Art. 6(1)(a)): Where we rely on your consent, such as for sending marketing communications or setting non-essential cookies, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Legitimate Interest (Art. 6(1)(f)): Processing is necessary for our legitimate interests, including improving the Platform, ensuring security, preventing fraud, and conducting analytics. We carry out a balancing test to ensure our interests do not override your fundamental rights and freedoms.
• Legal Obligation (Art. 6(1)(c)): Processing is necessary to comply with a legal obligation to which BlablaDeal is subject, such as tax reporting, anti-money laundering requirements, and responding to lawful requests from public authorities.

We process your personal data for the following purposes:

• Providing the Service: Creating and managing your account, enabling you to create or join sharing Groups, displaying relevant Group listings, and facilitating communication between Group members.
• Processing Payments: Collecting payments from Joiners, disbursing funds to Owners, charging Commission fees, managing billing cycles, and processing refund requests via Stripe.
• Communication: Sending you transactional emails (payment confirmations, Group updates, account notifications), and, where you have opted in, marketing communications about new features or promotions.
• Platform Improvement: Analysing usage patterns to improve the user experience, develop new features, optimise performance, and personalise content.
• Fraud Prevention & Security: Detecting and preventing fraudulent activity, enforcing our Terms of Service, monitoring for suspicious behaviour, and protecting the security and integrity of the Platform.
• Legal Compliance: Fulfilling our legal and regulatory obligations, including tax reporting, maintaining transaction records, and responding to lawful requests from competent authorities.

When you participate in a sharing Group, certain limited information may be visible to other Group members:

• First name (or display name)
• City (if provided in your profile)

The following personal data is never shared with other Users:

• Email address
• Phone number
• Payment details
• Full address
• IP address or device information

Owners and Joiners in the same Group may communicate through the Platform's messaging system, but your contact details remain private unless you choose to share them voluntarily.

We may share your personal data with the following categories of third-party recipients, solely for the purposes described in this Privacy Policy:

• Stripe (Stripe, Inc.) — Payment processing. Stripe processes your payment data in accordance with its own privacy policy. For more information, see Stripe's Privacy Policy.
• Hosting Provider — [TODO: hosting provider] — Our hosting infrastructure provider, which stores and processes data on our behalf under a Data Processing Agreement (DPA).
• Analytics Provider — We use analytics services to collect anonymised and aggregated data about Platform usage. This data does not identify individual users.
• Legal and Regulatory Authorities — We may disclose personal data to law enforcement, regulators, or courts where required by applicable law or to protect our legal rights.

All third-party recipients are contractually bound to process personal data only in accordance with our instructions, and to implement appropriate technical and organisational security measures.

Your personal data is primarily stored and processed within the European Union / European Economic Area (EU/EEA).

Where personal data is transferred to recipients located outside the EU/EEA (for example, Stripe's operations in the United States), we ensure that appropriate safeguards are in place, including:

• EU Adequacy Decisions: Transfers to countries that the European Commission has recognised as providing an adequate level of data protection (e.g., under the EU-US Data Privacy Framework).
• Standard Contractual Clauses (SCCs): Where an adequacy decision does not exist, we rely on Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by additional safeguards where necessary following a transfer impact assessment.

You may request a copy of the relevant safeguards by contacting us at [email protected].

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

• Account Data: Retained for the duration of your account plus three (3) years after account closure, in accordance with the French statute of limitations for contractual claims.
• Transaction Data: Retained for ten (10) years from the date of the transaction, as required by French commercial and tax law (Code de commerce, Art. L.123-22).
• Usage Logs: Retained for thirteen (13) months from the date of collection, in accordance with recommendations from the French data protection authority (CNIL).
• Communication Data: Retained for the duration of your account plus one (1) year after account closure, unless a longer retention period is required for the resolution of disputes.
• Cookie Data: Retained in accordance with the durations specified in our Cookie Policy.

After the applicable retention period expires, personal data is securely deleted or anonymised.

Under the GDPR, you have the following rights in relation to your personal data:

• Right of Access (Art. 15): You have the right to obtain confirmation of whether your personal data is being processed and, if so, to access that data along with information about the processing.
• Right to Rectification (Art. 16): You have the right to request the correction of inaccurate personal data and to have incomplete data completed.
• Right to Erasure (Art. 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where the data has been unlawfully processed.
• Right to Restriction of Processing (Art. 18): You have the right to request the restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right Regarding Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within thirty (30) days, extendable by sixty (60) days for complex requests. Identity verification may be required.

If you believe that your personal data has been processed in violation of the GDPR or applicable data protection law, you have the right to lodge a complaint with a supervisory authority.

The lead supervisory authority for BlablaDeal is:

• [TODO: CNIL or relevant DPA]
• Website: https://www.cnil.fr

You also have the right to lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement.

We encourage you to contact us first at [email protected] so that we may attempt to resolve your concern before you escalate to a supervisory authority.

BlablaDeal does not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, as described in Article 22 of the GDPR.

We may use basic automated processes for fraud detection and platform security (e.g., flagging unusual login patterns), but these processes do not result in decisions that have legal or similarly significant effects on you without human review.

BlablaDeal implements appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in Transit: All data transmitted between your browser and the Platform is encrypted using TLS (Transport Layer Security) 1.2 or higher.
• Encryption at Rest: Personal data stored in our databases is encrypted at rest using industry-standard encryption algorithms.
• Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis. All access is logged and auditable.
• Password Security: User passwords are hashed using strong, salted hashing algorithms. Plaintext passwords are never stored.
• Regular Security Audits: We conduct periodic security assessments and vulnerability testing to identify and address potential risks.
• Incident Response: We maintain an incident response plan to detect, investigate, and report personal data breaches in accordance with Article 33 of the GDPR (notification to the supervisory authority within 72 hours) and Article 34 (notification to affected data subjects where required).

While we strive to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

The Platform is not directed at, and is not intended for use by, persons under the age of eighteen (18). We do not knowingly collect personal data from children under 18.

If we become aware that we have inadvertently collected personal data from a person under 18, we will take prompt steps to delete such data from our systems. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected] so that we can take appropriate action.

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations.

• Material Changes: For material changes that affect how we process your personal data, we will notify you at least thirty (30) days in advance by email and/or by a prominent notice on the Platform. Where required by law, we will seek your consent before implementing material changes.
• Non-Material Changes: For minor or clarifying changes, we may update the Privacy Policy without prior notice.
• Effective Date: The updated Privacy Policy will display the new effective date at the top of the document.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Your continued use of the Platform after any changes take effect constitutes your acknowledgement of the updated Privacy Policy.