Personal Data Privacy Policy – COLORS-THAT-LAST

Personal Data Privacy Policy

Latest version:  June, 14 2021


ARTICLE 1. DATA CONTROLLER

Your personal data (hereafter “Data”) is collected and processed by GLOBAL BIOENERGIES, registered in the Trade and Companies Register of Evry under the number 508 596 012, and whose registered office is located 5 rue Henri Desbruères – 91000 Evry-Courcouronnes, France (hereafter “LAST”).

As data controller, LAST endeavors to best protect your privacy and ensure your Data security in accordance with current regulations, particularly regulation n°2016/679 of the European Parliament on the protection of natural persons with regard to the processing of personal data and the free movement of such data as of April, 27 2016.

Hereafter you will find LAST’s policy in terms of Data protection.


ARTICLE 2. DATA COLLECTION

Your Data is collected from the online shopping website colors-that-last.com (hereafter “Website”), through its customer service and the social media pages managed by LAST.

LAST namely collects your Data during the following operations:

- website browsing using cookies placed on your device;

- website transactions;

- creating a personal account on the Website;

- subscribing to the LAST newsletter;

- interactions with LAST customer service;

- browsing and subscribing on social media pages managed by LAST;

- participating in a game or contest.


ARTICLE 3. DATA INFORMATION COLLECTED

The Data collected mainly include your last name, name, gender, birth date, postal and electronic address, phone number, personal account username and password as well as your social media usernames. Certain Data is mandatory, other is optional.

LAST may also be brought to process your Data relating to:

- your browsing of the Website and social media pages managed by LAST, namely meaning your IP address, viewed pages, visits frequency;

- payment and any bank transaction;

- your purchase, research and saved articles history;

- your beauty profile;

- your comments and other contributions published on the Website or social media pages managed by LAST;

- your social media accounts, if they are linked to the personal account created on the Website.


ARTICLE 4. PURPOSE OF THE COLLECTED DATA

The Data collected can be used for the following purposes:

- processing and shipping the Orders you place on the Website, as well as the ensuing customer service;

- customer relationship management and customizing LAST communications;

- improving and customizing LAST special offers;

- sending the LAST newsletter and other information relating to LAST products and services;

- establishing business development operations and developing marketing tools;

- establishing statistics and analyses as well as performance indicators (audience, visits) and evaluating how the components of the Website are used (browsed sections and contents, journey…) as well as social media pages managed by LAST to improve their relevance and ergonomic design so as to improve your experience on the Website and social media as well as LAST’s customer service quality;

- performing technical operations relating to the above-listed purposes;

- the respect of LAST’s legal and regulatory obligations.


ARTICLE 5. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

In compliance with current regulations, your Data is processed based on specific legal grounds, namely:

- your explicit consent given to LAST to, on one hand, send you its newsletter and/or keep you updated on its latest news via social media and, on the other hand, share some of your Data to certain service providers or subcontractors;

- the respect of a legal obligation requiring LAST to process your Data, such as, for instance, order n°2011-219 from February, 25 2011 relating to keeping and sharing Data to identify any person who has contributed to creating a content published online;

- the presence of a legitimate interest for LAST to process your Data to best manage its relationship with the general public and promote its products.


ARTICLE 6. DATA RETENTION PERIOD

The retention period of your Data is determined according to its purposes and LAST’s legal obligations.

The Data collected upon your LAST newsletter subscription, your subscription to social media pages managed by LAST or your creation of a personal account on the Website are kept for the entirety of said subscription or existence of the said personal account. After unsubscribing or deleting your personal account, your Data may be kept and processed for a period of three years. At the end of this time frame, your Data will either be deleted or made anonymous.

The Data collected when placing a purchase order on the website is kept and processed for a period of three (3) years. At the end of this time frame, your Data will either be deleted or made anonymous.

The Data collected when browsing the Website or on social media pages managed by LAST is kept and processed for a period of thirteen months. At the end of this time frame, your Data will either be deleted or made anonymous. However, after the above mentioned periods, including as long as need be from the time of your termination request, your Data may be processed for intermediary archiving in order to comply with LAST’s legal and regulatory obligations.


ARTICLE 7. DATA RECIPIENTS

All your Data is strictly confidential, meaning that LAST shall not share it with any third party that may use it for personal purposes, without your explicit consent. However, your Data may be shared, securely and for the above mentioned purposes, with LAST service providers and subcontractors to process and ship orders or execute technical, marketing or advertising services. LAST is committed to taking all the necessary precautions to share Data in compliance with current regulations. For this matter, LAST specifies that some of its service providers may resort to subcontractors located outside the European Union, namely in the United States, and commits to implementing all necessary guarantees to ensure Data sharing is done in compliance with current regulations. Consequently, you explicitly grant LAST and its service providers the right to share your Data outside the European Union. As a result, your Data may be shared to respond to a court or administrative order.


ARTICLE 8. YOUR RIGHTS

In compliance with current regulations, you have the right to:

- withdraw your consent;

- demand access to, amendment of or deletion of part or all of your Data;

- limit one of its processing;

- contest one of its processing;

- data portability.


You can perform your rights by written request and with proof of identity, all sent via e-mail to dpo@colors-that-last.com. We will reply within a month upon reception of your request. If needed, LAST may extend this period to two months and will send you written notification.

Should LAST not provide a satisfactory answer to your requests, you can file a complaint to the French National Commission on Informatics and Liberty (CNIL), located 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07. Phone: 01.53.73.22.22.

1. You have the right to withdraw your consent, at any given moment, when it has been requested. However, this withdrawal will not affect the legal consent-based Data processing done prior to this withdrawal.

2. You have the right to get confirmation from LAST that your Data is or is not processed and, when it is, to have access to your Data as well as the following information:

     - the purpose of its processing;

     - the categories of Data being processed;

     - the recipients or categories of recipients your Data is or will be shared with;

     - when possible, the estimated retention period of your Data or, when it is not   possible, the criteria used to determine this period;

     - the existing right to ask LAST to change or delete all or part of your Data or restrict the processing of your Data or the right to contest this processing;

     - the right to file a complaint to a supervisory authority;

when your Data has not been collected from the Data Subject, any available information as to its source

whether automated decision-making is implemented, including profiling, and in any such case, useful information about its underlying logic, as well as the importance and expected consequences of this processing for you.

When your Data is shared with a third country or international organization, you have the right to remain informed about applicable guarantees relating to this Data sharing. LAST delivers a copy of your processed Data, which can require payment of a reasonable fee based on administrative costs for any additional copy requested. When submitting your request electronically, the information will be delivered via common electronic means, unless requested otherwise.

3. You have the right, in a timely manner, to get LAST to change incorrect Data. You can also get incomplete Data to be completed, including by providing a complimentary statement.

4. You have the right to get LAST to delete your Data, as quickly as possible, when one of the following reasons apply:

     - your Data is no longer necessary for the purposes for which it was collected or otherwise processed;

    - you withdraw consent on which the processing is based on and there is no other existing legal ground to the processing;

     - you object to the processing under the conditions in item 6 and there is no legitimate compelling reason for the processing;

     - your Data has been illegally processed;

     - your Data must be deleted to comply with a legal obligation

     - your Data has been collected from a child.

However, this right to deletion does not apply when processing is necessary:

     - to perform the right to freedom of expression and information;

     - to comply with a legal obligation requiring such processing to fulfill a task in the public interest or relating the exercise of public authority the data controller is vested with;

     - for public interests specifically relating to public health purposes;

     - for filing purposes of public interest, for scientific research or historic or statistical purposes;

     - for the establishment, exercise or protection of rights before courts;

5. You have the right to get LAST to restrict Data processing when one of the following elements apply:

     - until LAST can check the exactitude of your Data following a dispute issued from your end;

     - the processing being illegal, you object to the deletion of your Data and, instead, demand the limitation of its use;

     - LAST no longer needs your Data for processing purposes but it is still required for you to establish, exercise or protect your rights before courts;

     - during the time required to check if the legitimate purposes sought by LAST prevail over yours following a dispute issued from your end under the conditions stated in item 6.

Once processing has been restricted, your Data may only be treated, with the exception of retention, (i) with your consent or (ii) for the establishment, exercise or protection of rights before courts or (iii) to protect another natural or legal person’s rights or (iv) for important reasons of public interest for the European Union or a Member State.

6. You have the right to object, at any given moment, for personal reasons, to the processing of your Data based on public interest of legitimate interests sought by LAST.

LAST shall therefore no longer process your Data, unless LAST demonstrates the existence of legitimate and compelling reasons for processing that prevail over your interests and rights and freedoms or the establishment, exercise or protection of rights before the courts.

Furthermore, at any given moment you have the right to object to the processing of your Data for commercial purposes.

7. You have the right to receive your Data from LAST, in a structured format, commonly used and machine-readable, to share them with another data collector when:

- the processing is based on your consent or a contract, and

-  the processing is executed through automated processes.

- In this matter, you have the right to get your Data directly transferred by LAST to another data collector when it is technically possible.


ARTICLE 9. SECURITY MEASURES

Considering the nature of the Data and the risks associated to its processing, LAST takes all technical, physical and organizational measures required to safeguard the security and confidentiality of said Data and prevent it from being distorted, damaged or made accessible to unauthorized third parties.

LAST selects subcontractors and service providers who offer guarantees in terms of quality, security, reliability and resources to ensure the implementation of technical and organizational measures, including those relating to the safety of Data processing.


ARTICLE 10. SOCIAL MEDIA

LAST is present on social media (Facebook, Twitter, YouTube, Instagram…) and reminds you that access to social media requires your approval of their legal conditions including provisions regarding regulations on their Data processing done independently of social media pages managed by LAST.

For more information on the protection of your Data when browsing social media, LAST encourages you to read their privacy policies.