Privacy Policy

3.1 Types of data collected

As part of using our site, we may collect the following data:

Via the contact form:

• Last name* : to identify you
• First name* : to identify you
• Email* : to respond to you
• Phone number (optional) : to contact you if needed regarding your request
• Country (optional) : to direct you to the right contact person
• Request subject* : to categorize and process your request
• Message* : the content of your request
• Newsletter consent (optional) : your agreement to receive our updates
• CAPTCHA verification (Cloudflare Turnstile)* : automatic validation to protect against bots and spam

* Required fields.

Information on data processing: Clear information (short layer) is displayed under the form with a link to this privacy policy, in accordance with GDPR transparency requirements.

Important: Data collected via the contact form is processed ONLY to respond to your specific request. It is not used for any other purpose without your explicit consent.

Bot protection (Cloudflare Turnstile): To secure our forms against spam and abuse, we use Cloudflare's Turnstile service. This system automatically verifies that you are a human user without requiring any action on your part. Cloudflare may collect certain technical data (IP address, browser fingerprint) solely for this security verification.

Other data collected:

• Connection data: IP address, connection logs, browser type, operating system
• Navigation data: pages viewed, products added to wishlist, date and time of consultation
• Preference data: favorite products (wishlist stored locally in your browser via localStorage)
• Geolocation data (optional):
  • GPS coordinates of your position (only if you authorize geolocation)
  • Approximate location to improve partner search near you
• Analytics and behavioral data:
  • Google Analytics: page views, session duration, bounce rate, device type, browser, approximate location
  • PostHog: user behavior, site interactions, user journey, custom events

3.2 Collection methods

Data is collected during:

• Use of the contact form: only data you voluntarily enter
• Newsletter subscription: if you check the dedicated box in the contact form or via a dedicated form
• Creation and management of a wishlist: products you add to your favorites (stored only in your browser via localStorage)
• Use of partner mapping: viewing the partner map and possibly authorizing geolocation
• Site navigation: technical data collected automatically via cookies and analytics services (with your consent)

Your personal data is collected for the following purposes:

• Contact request management: Form data (name, first name, email, phone, country, subject, message) is processed based on our legitimate interest to respond to user requests (art. 6(1)(f) GDPR). This data is used EXCLUSIVELY to process and respond to your specific request, with limited retention period. No commercial or marketing use is made of this data without your explicit consent.
• Newsletter and email prospecting: We send informational emails and offers to people who have given their explicit consent (art. 6(1)(a) GDPR). You can withdraw your consent at any time via the unsubscribe link in each message. We measure our campaign performance (e.g., open and click rates) to improve their relevance; you can opt out at any time by unsubscribing. Important: When the subscriber is under 15 years old, consent must be given or authorized by the legal representative; we may implement reasonable verification means.
• Wishlist management: save your favorite products locally in your browser (localStorage) to facilitate your navigation. This data is not transmitted to our servers.
• Mapping and partner search:
  • Display partner map via OpenStreetMap and Leaflet
  • Improve your search experience by suggesting the closest partners (only if you enable geolocation)
  • Display map data via Stadiamaps.com

  Important: Geolocation is entirely optional. You can use the map without sharing your location.

• Site analysis and improvement:
  • Google Analytics: Measure audience, traffic and site performance
  • PostHog: User behavior analysis, A/B testing, user experience improvement

  Common purposes: understand site usage, identify popular pages, optimize experience, detect technical issues

• Security and spam protection: Use of Cloudflare Turnstile to verify that form submissions come from human users and not automated bots
• Compliance with legal obligations: data retention in accordance with legal requirements

Processing of your personal data is based on:

• Your explicit consent:
  • For newsletter sending (if you checked the dedicated box)
  • For activating geolocation on the partner map (explicit request via your browser)
  • For using analytics services (Google Analytics, PostHog) and analytical cookies
  • For using certain non-essential cookies
• Legitimate interest: to respond to requests via the contact form (short retention period) and for improving our services and site security (anonymized data only)
• Compliance with legal obligations: for retention of certain data

• GLADIUS FRANCE authorized internal services
• Our technical subcontractors:
  • AWS Lightsail (hosting - Paris Region, eu-west-3)
  • GLADIUS FRANCE (site maintenance)
  • Google Analytics (traffic analysis)
  • PostHog (behavioral analysis)
  • Cloudflare (Turnstile service for anti-spam protection)
  • OpenStreetMap (open source map data)
  • Stadiamaps.com (satellite data and map tiles)
• Public authorities, only upon legal request

We do not sell, rent or share your personal data with third parties for commercial purposes.

General principle: When data is transferred to the United States, these transfers are governed by the EU-U.S. Data Privacy Framework (DPF) adequacy decision when the recipient is DPF certified, and, where applicable, by the European Commission's Standard Contractual Clauses, supplemented by appropriate technical and organizational measures (encryption, minimization, access restrictions).

When data is transferred outside the EU/EEA to other destinations, these transfers are governed by the European Commission's Standard Contractual Clauses and by complementary measures (encryption in transit/at rest, data limitation, access control).

List by provider:

• AWS Lightsail: Hosting in AWS Paris region (eu-west-3), which keeps data within the European Union. No transfer to the United States for primary hosting.
• Google Analytics: Possible transfers to the United States; DPF if certified, otherwise SCC + measures (anonymized IP, limited retention, no advertising features).
• Cloudflare Turnstile: Cloudflare is DPF certified; transfers governed by DPF and/or SCC.
• PostHog: Possible transfers to the United States; SCC + measures; if EU instance/region, specify that no transfer takes place.
• Stadiamaps: Possible transfers to the United States; SCC + measures; if EU instance/region, specify that no transfer takes place.

All these transfers are carried out in compliance with GDPR and with appropriate guarantees to protect your data.

Your personal data is retained for the following periods:

• Contact data (form): 1 year from request processing (short period compliant with legitimate interest)
• Newsletter and prospecting data: until consent withdrawal or 3 years after last contact for prospects, and during commercial relationship then 3 years after last contact for customers. When subscriber is under 15 years old, consent must be given or authorized by legal representative; we may implement reasonable verification means.
• Wishlist data: stored locally in your browser (localStorage) until manual deletion or cache clearing. No retention on our servers.
• Analytics data (Google Analytics, PostHog): maximum 26 months
• Geolocation data: not retained, used only during session to improve search
• Cookies : voir notre Politique de Cookies
• Connection logs: 1 year in accordance with legislation

We implement appropriate technical and organizational measures to protect your personal data against destruction, loss, alteration, unauthorized disclosure or unauthorized access, including:

• SSL/TLS encryption for data transmissions
• Regular security updates
• Regular backup procedures

In accordance with GDPR, you have the following rights:

• Right of access: obtain confirmation that your data is processed and receive a copy
• Right of rectification: correct your inaccurate or incomplete personal data
• Right to erasure: request deletion of your data in certain cases
• Right to restriction: request restriction of processing of your data
• Right to portability: receive your data in structured and readable format
• Right to object: object to processing of your data
• Right to withdraw consent: at any time, for processing based on consent
• Right to define post-mortem directives: concerning the fate of your data after your death

10.1 Procedure for exercising your rights

Contact address: You can exercise your rights by contacting our Data Protection Officer (DPO) at: [email protected]

Response time: We undertake to respond to your request within a maximum period of 1 month from its receipt. This period may be extended by 2 additional months if the complexity of the request justifies it. In this case, we will inform you within the month following receipt of your request.

Required information: To process your request, please specify:

• The subject of your request (right of access, rectification, erasure, etc.)
• The data concerned (if applicable)
• A copy of an identity document to verify your identity
• Any element allowing us to identify you in our systems (email address used, etc.)

Simplified exercise of certain rights:

• Cookie consent withdrawal: Use the 'Manage cookies' link available in the site footer
• Newsletter unsubscription: Click the unsubscribe link in each email or contact us
• Modify your preferences: Contact us via the site's contact form

Free of charge: Exercising your rights is free. However, reasonable fees may be charged for manifestly unfounded or excessive requests, particularly in case of repetitive nature.

You also have the right to lodge a complaint with the CNIL:

Commission Nationale de l'Informatique et des Libertés (CNIL)

For more information on cookie usage, please see our Cookie Policy.

Our site offers an optional geolocation feature on the partner mapping page.

12.1 Operation

Geolocation works as follows:

• Consent request: Your browser explicitly asks for permission to access your location
• Usage: If you accept, we use your position to show you the closest partners
• Technologies: The map uses OpenStreetMap (free data), Leaflet (mapping library) and Stadiamaps.com (satellite tiles)
• Storage: Your GPS coordinates are not retained after your session

12.2 Your rights regarding geolocation

You have full control over this feature:

• Refuse: You can refuse geolocation and use the map normally
• Revoke: You can disable geolocation at any time in your browser settings
• Alternative: You can manually search for partners by city or region

12.3 Security

Geolocation is handled with the highest level of security:

• Coordinates are used only client-side (your browser)
• No transmission of your exact coordinates to our servers
• Used only to calculate distances and improve your experience

We reserve the right to modify this privacy policy at any time. Modifications will take effect upon publication on the site. We encourage you to regularly consult this page.

Last update date: December 4, 2025 (Version 1.1)

For any questions concerning this privacy policy or the processing of your personal data, you can contact us:

Development and technical maintenance:

The partners portal (accessible to professional partners only) involves specific personal data processing, described below:

16.1 Data processed

The partners portal processes the following data categories:

Identity & professional information:

• Personal data: last name, first name, professional email address
• Company information: company name, function/position, customer number

Identifiers (created by us):

• Access: username (login), hashed and salted password
• Management: account creation, modification, suspension dates
• Roles: access level, specific permissions, partner profile

Technical logs:

• Connections: precise timestamp, IP address, browser user-agent
• Authentication: login attempt results (success/failure), error codes
• Sensitive actions: document downloads, price consultations, data modifications

Anti-bot data:

• Cloudflare Turnstile: verification tokens, technical fingerprints for automatic detection

16.2 Purposes and legal bases

• Partner account management (art. 6(1)(b) GDPR - Contract execution / pre-contractual measures): account creation by us, sending credentials, managing roles and permissions, updating account information
• Security & traceability (art. 6(1)(f) GDPR - Legitimate interest): logging successful/failed connections, detecting abuse and fraud, anti-bot protection via Cloudflare Turnstile, monitoring unauthorized access
• Support & assistance (art. 6(1)(f) GDPR - Legitimate interest): tracking technical support requests, incident resolution, service improvement
• Commercial prospecting: no commercial prospecting is carried out via this portal

16.3 Specific retention periods

• Partner account: throughout the contractual relationship, then up to 3 years in archiving (pre-litigation purposes)
• Security logs (success/failure): maximum 6 to 12 months from recording (period proportionate to security objective)
• Support tickets/requests: 3 years after request closure
• Active sessions: session duration only (browser closure or manual disconnection)
• Anti-bot data (Turnstile): session duration or according to Cloudflare retention policy

16.4 Specific recipients and subcontractors

• Internal technical team: portal administration, technical support
• Host: AWS Lightsail (Paris region, eu-west-3)
• Anti-bot protection: Cloudflare Turnstile (access security)
• Internal tools: monitoring and backup systems

16.5 International transfers

Partners portal data transfers follow the same logic as the public site:

• AWS Lightsail: EU hosting (Paris), no transfer outside EU
• Cloudflare Turnstile: DPF certified, transfers governed by DPF and/or SCC
• Other US providers (if applicable): DPF if certified, otherwise SCC + complementary measures

16.6 Specific rights

Partners have the same rights as public site users, with the following procedures:

• Right of access to logs: ability to view connection history via the portal
• Right of rectification: account information modification via portal or request to DPO
• Right to erasure: partner account deletion (subject to contractual obligations)
• Contact: same contacts as for public site ([email protected])

This privacy policy is archived with each modification. Previous versions can be provided upon written request. Each version is identified by a number and effective date to ensure traceability of changes in personal data protection matters.