Privacy Policy
Last updated: 2026-05-07
Preamble
This policy describes how {{COMPANY_NAME}}, publisher of the DigiSolut platform, processes the personal data of its users, in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act of 6 January 1978 (as amended).
1. Data controller
- Controller: {{COMPANY_NAME}} ({{COMPANY_LEGAL_FORM}})
- Registered office: {{COMPANY_ADDRESS}}
- SIRET: {{COMPANY_SIRET}} — RCS: {{COMPANY_RCS}}
- General contact: {{COMPANY_EMAIL}}
2. Data Protection Officer (DPO)
DPO contact: {{DPO_EMAIL}}. Although designation of a DPO is not mandatory under Article 37 GDPR for this activity, {{COMPANY_NAME}} has nonetheless appointed a privacy contact reachable at this address for any question relating to the processing of personal data.
3. Data collected
- Identification: email address, first name, last name, preferred language;
- Authentication: password stored in hashed form (bcrypt), signed session token;
- Connection data: IP address, browser user-agent, login timestamps, cookie consent choices;
- Billing data: business name, billing address, VAT number, Stripe customer identifier; payment card data (PAN, CVC, expiry) is never stored on our servers and is processed exclusively by Stripe Payments Europe Ltd;
- Business data: published content (menus, photos), reservations, contact requests, site settings;
- Aggregated statistics: anonymised usage indicators for product improvement.
4. Purposes
- user account management and service delivery;
- billing, payment processing and accounting obligations;
- customer support and incident resolution;
- security (fraud detection, audit logging, abuse prevention);
- product improvement through anonymised statistics;
- marketing communications, only after explicit opt-in consent.
5. Legal bases (Article 6 GDPR)
- Performance of contract (art. 6.1.b): account creation and management, service delivery, billing;
- Legal obligation (art. 6.1.c): retention of invoices, audit logging, response to judicial requisitions;
- Legitimate interest (art. 6.1.f): platform security, fraud prevention, aggregated statistics;
- Consent (art. 6.1.a): marketing communications, non-essential cookies.
6. Recipients
Data is accessible, strictly on a need-to-know basis:
- to authorised teams of {{COMPANY_NAME}} (support, engineering, accounting);
- to technical processors bound by contract (Article 28 GDPR): Stripe (payment), {{HOST_NAME}} (hosting), transactional email providers and, where applicable, WhatsApp / SMS / push notification providers;
- to administrative or judicial authorities upon legal requisition.
7. Transfers outside the European Union
Some processors may process data from countries outside the European Economic Area, in particular Stripe (United States). These transfers are governed by the mechanisms set out in Articles 44 et seq. GDPR:
- adherence to the EU-U.S. Data Privacy Framework (DPF) (adequacy decision of 10 July 2023) where the recipient is certified;
- otherwise, Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021, supplemented as needed by additional measures (encryption in transit and at rest).
8. Retention periods
- Active account: for the duration of the contractual relationship, then 3 years from last activity;
- Invoices and accounting records: 10 years from the close of the financial year (art. L.123-22 of the French Commercial Code);
- Connection logs: 6 months maximum (CNIL recommendation);
- Cookies: 13 months maximum from the date they are first set;
- Prospect data (marketing): 3 years from last contact or until consent is withdrawn.
9. Cookies and trackers
The platform uses the following cookies:
- Essential cookies (exempt from consent):
  - __Host-digisolu_session — signed authenticated session;
  - __Host-digisolu_csrf — Cross-Site Request Forgery (CSRF) protection;
  - i18n_redirected — preferred-language memory;
  - resto-cookie-consent — consent-choice memory.
- Analytics and marketing cookies: set only after explicit consent via the consent banner, and revocable at any time via the "Manage my cookies" link in the footer.
10. Data subjects' rights
In accordance with Articles 15 to 22 GDPR, you have the following rights over your data:
- Access (art. 15) — obtain a copy of the data concerning you;
- Rectification (art. 16) — correct inaccurate or incomplete data;
- Erasure (art. 17) — request deletion of your data under the conditions provided by law;
- Restriction (art. 18) — request the temporary suspension of a processing activity;
- Portability (art. 20) — receive your data in a structured, machine-readable format;
- Objection (art. 21) — object to processing based on legitimate interest or to direct marketing;
- Post-mortem directives — set out the fate of your data after your death (art. 85 of the French Data Protection Act).
You may exercise these rights:
- directly from your administrator area, under Profile > Privacy (export, account deletion);
- by email to {{COMPANY_EMAIL}} or to the DPO at {{DPO_EMAIL}}, providing proof of identity.
A response will be provided within one (1) month, extendable by two (2) months in case of complexity.
11. Complaint to the CNIL
If you consider, after contacting us, that your rights are not being respected, you may lodge a complaint with the French Data Protection Authority (CNIL):
- online: https://www.cnil.fr/fr/plaintes;
- by post: 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.
12. Security
{{COMPANY_NAME}} implements appropriate technical and organisational measures within the meaning of Article 32 GDPR: end-to-end TLS encryption, bcrypt password hashing, immutable audit logging, role-based access control (RBAC), encrypted backups, and periodic security reviews.
13. Changes to the policy
This policy may be updated to reflect legal or technical changes. Any substantial modification is notified to users by email and signalled by a banner in the platform at least thirty (30) days before it takes effect.