Version: 20/08/2025

1) Controller Information

Data Controller: Napstoria (trade name) — Sole Proprietor (micro‑enterprise), 2 avenue du Stade de Coubertin, 92100 Boulogne‑Billancourt, France — contact@napstoria.com

Data Protection Contact: contact@napstoria.com

Main purposes: order and delivery management, invoicing, customer relationship/service, customer account, fraud prevention, marketing/newsletters (with consent), audience analytics, review management, mediation/disputes, and legal obligations (accounting, tax).

2) Legal Bases

• Performance of contract: order, payment, delivery, customer account, after‑sales service.
• Legal obligation: invoicing/accounting, archiving of contracts ≥ €120.
• Legitimate interest: fraud prevention, website improvement, exempted statistics (strictly necessary audience measurement).
• Consent: electronic marketing (newsletters), non‑essential cookies (ads, analytics), testimonials identifying clients, etc. Withdrawal possible at any time.

3) Data Processed (Categories)

Identity (name, surname), contact details (address, e‑mail, phone), delivery/billing addresses, order content, order/invoice number, customer support exchanges, marketing preferences, payment data (tokens/identifiers provided by the payment provider; no complete card number kept), technical browsing data and cookies/trackers.

4) Recipients

Authorized personnel of the seller and subcontractors/service providers: hosting provider, payment processor ([Stripe/PayPal…]), carriers ([La Poste/UPS/DHL…]), emailing tools, review platforms, accountant, consumer mediator, and legally authorized authorities. Access is limited to what is strictly necessary.

5) Transfers Outside the EU

Some providers may be located outside the EU (e.g., USA). In such cases, appropriate safeguards are implemented (Standard Contractual Clauses, complementary measures) or use of providers ensuring adequate protection. Details available upon request.

6) Data Retention Periods

• Customer account & orders: duration of the relationship, then 5 years in intermediate storage (statutory limitation). Invoices/records: 10 years.
• Electronic contracts ≥ €120: 10 years (accessible upon request).
• Marketing: 3 years from last contact (or until consent withdrawal).
• After‑sales service/claims/mediation: processing time + 5 years.
• Cookies: see §8 for duration by purpose.

7) Your Rights

Access, rectification, erasure, restriction, portability, objection (notably to marketing), consent withdrawal at any time, and post‑mortem directives. Exercise: contact@napstoria.com or mail: 2 avenue du Stade de Coubertin, 92100 Boulogne‑Billancourt, France.
You may lodge a complaint with the CNIL (www.cnil.fr) if you believe your rights are not respected.

8) Cookies & Trackers

We use trackers for site operation, audience measurement, and, where applicable, advertising. No non‑essential cookies are placed without your consent.

• Consent banner: first visit → options “Accept All / Refuse All / Customize”, refusal as easy as acceptance. Your preferences are stored and can be modified at any time via the “Manage my cookies” link in the footer.
• Audience measurement: if configured as strictly necessary (no cross‑referencing, truncated IPs, no data sharing), consent may not be required; otherwise, it is.
• Advertising/retargeting: strictly opt‑in.
• Indicative durations: consent preferences (6–12 months), analytics (13 months max for cookies, 25 months for raw data), advertising per partner (see detailed Cookies Policy if applicable).

9) Security

Organizational and technical measures: secured accounts, TLS encryption, restricted access, logging, backups. In case of a serious incident, notification will be made to authorities and, if necessary, to affected individuals.

10) Minors

The site is not intended for minors under 15 years old. No intentional collection of minor data without consent from the holder of parental authority.

11) Updates

This policy may be updated to reflect legal or technical developments. Last update on the date indicated above.