KB, a simplified joint-stock company with a share capital of €3000, whose registered office is located at 6 rue des Bateliers, 92110 CLICHY, is registered with the Nanterre Trade and Companies Register under number 534 047 063, (hereinafter referred to as « LES BAINS DE MARRAKECH »).
PREAMBLE
The purpose of this document is to describe how Les Bains de Marrakech processes the personal data (hereinafter, the « Data » or « Personal Data ») of its clients (hereinafter the « Client ») in the context of the execution of a Service reservation contract with the establishment where the service is performed (hereinafter the « Establishment ») via the website https://lesbainsdemarrakech.com/ or a product order placed via the dedicated space https://shop.lesbainsdemarrakech.com (hereinafter, the « Contract »).
LES BAINS DE MARRAKECH'S COMMITMENT
In the course of its activities, Les Bains de Marrakech commits to complying with the current regulations applicable to the processing of personal data, and, in particular, amended Law No. 78-17 of January 6, 1978, relating to data processing, files, and freedoms, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter « GDPR »).
Les Bains de Marrakech commits to taking all necessary measures to comply with the obligations arising from the GDPR, including:
- to process the Data solely for the specified purpose(s) and, in particular, not to use, directly or indirectly, in any manner or capacity whatsoever, all or part of the information for its own benefit and/or on behalf of third parties, or to permit such use;
- to communicate to the Client the name and contact details of its data protection officer, if one has been appointed in accordance with Article 37 of the GDPR;
- to maintain a written record of all categories of processing activities carried out on behalf of the Client;
- to guarantee the confidentiality and security of the processed Data through the implementation of (i) SSL encryption, (ii) restricted data access, (iii) secure hosting, and (iv) PCI-DSS compliant services for payment providers.
Les Bains de Marrakech commits to ensuring that individuals authorized to process the collected Personal Data (i) undertake to respect the confidentiality of the Data or are subject to a legal obligation of confidentiality; (ii) receive the necessary training in personal Data protection.
Les Bains de Marrakech is prohibited from:
- copying or storing, regardless of form or purpose, all or part of the information or data contained on the media or documents entrusted to it or collected by it during the execution of the contract, outside the conditions specified herein;
- to compromise the integrity, availability, traceability, and confidentiality of this data.
PERSONAL DATA COLLECTED
LES BAINS DE MARRAKECH may collect the following data:
Order-related data
- Client contact details (title, last name, first name, billing address, delivery address, email address, phone number)
- Shopping cart contents
- Purchase history
- Delivery tracking information
- Desired reservation dates and times
- Selected service
- Preferences or special requests
No reservation or order can be processed without this data.
Payment data
Payments are processed via specialized and secure providers, including:
- Stripe
- Ecwid
- PayPal
- Mollie Payments
LES BAINS DE MARRAKECH never stores complete credit card numbers. Payment data is processed directly by the respective provider in accordance with its own privacy policies.
Gift cards
Gift cards are managed via Gift Up! which acts as a sub-processor and processes the data necessary for the issuance and management of gift cards.
Marketing data
- Email address (newsletter)
- Interaction history (opens, clicks)
- Stated preferences
These data are collected solely on the basis of consent.
Technical and browsing data
During browsing:
- IP address
- Device type
- Browser
- Pages viewed
- Visit duration
These data are collected via cookies, particularly through Google (Google Analytics).
PURPOSES OF DATA COLLECTION
| Purpose / Activity | Legal basis | Retention period |
|---|---|---|
| Manage treatment bookings with the Establishment, specifically: reservation, transmission of requests, and sending confirmation emails | Processing necessary for the performance of a contract to which the Client is a party | 3 years from the date of booking |
| Improve complaint management | Processing necessary to improve services | 2 years from the date of closure of the Client's file in the context of a complaint or claim |
| Comply with all applicable legislation (e.g., retention of accounting documents) and manage data protection requests | Processing necessary for compliance with a legal obligation | For the duration specified in the applicable local legislation |
| Statistical analysis | Processing necessary for Client information (advertising, marketing) | Consent |
| Newsletter | Processing necessary for Client information (advertising, marketing) | Consent |
LIMITED THIRD-PARTY ACCESS
Data may be transferred to internal or external recipients who may be located in countries offering different levels of protection:
- The Establishment;
- Service providers (e-commerce, payment, gift cards, logistics and shipping, management and analytical tools, emailing);
- IT or banking service providers of Les Bains de Marrakech (third-party IT subcontractor and/or host and/or bank);
- Local authorities, if required by law or as part of an investigation and in accordance with local regulations.
Les Bains de Marrakech ensures that Data benefits from the same level of protection.
INTERNATIONAL PROTECTION
Les Bains de Marrakech implements appropriate measures to secure the transfer of Personal Data to an external recipient located in a country offering a different level of protection.
Les Bains de Marrakech undertakes not to transfer Personal Data to a country that is not based on an adequacy decision within the meaning of Article 45 of the GDPR, or that does not benefit from appropriate safeguards within the meaning of Article 46 of the GDPR, or that does not fall within the scope of the derogations for specific situations provided for in Article 49 of the GDPR.
TECHNICAL PROTECTION
Les Bains de Marrakech takes appropriate technical and organizational measures, in accordance with applicable legal provisions (in particular Article 32 of the GDPR), to protect Personal Data against destruction, loss or alteration, misuse, and unauthorized access, modification, or disclosure, whether these actions are unlawful or accidental.
COOKIES AND OTHER TRACKERS
Les Bains de Marrakech may use cookies and other trackers on its Site.
A 'cookie' is a small piece of information that a website assigns to a device while a website is being viewed. Cookies are very useful and can be used for various purposes. These purposes include efficient navigation between pages, automatic activation of certain features, remembering your preferences, and speeding up and facilitating interaction between the Client and the services offered. Cookies are also used to ensure that advertisements are relevant, as well as to compile statistical data on service usage.
The site uses the following types of cookies:
- 'Session cookies' which are only stored temporarily during a browsing session to allow normal system use and are deleted from the device when the browser is closed;
- 'Persistent cookies' which are read only by the Site, stored on the device for a fixed period, and are not deleted when the browser is closed. These cookies are used for repeated visits, for example, to allow preferences to be stored for the next login;
- 'Third-party cookies' which are set by other online services that deliver content on the viewed page, for example, by third-party analytics companies that monitor and analyze web access.
Cookies do not contain any personally identifying information about the Client, but personal information stored by Les Bains de Marrakech may be linked to information stored and obtained from cookies. These cookies can be deleted by following the device's instructions; however, if disabled, some site functionalities may not work correctly, and the online experience could be limited.
Les Bains de Marrakech also uses a tool called 'Google Analytics' to collect information about Site usage. Google Analytics collects information such as how often users access the site, which pages they visit when they do so, etc. The information obtained from Google Analytics is used solely to improve the site and services. Google Analytics collects the IP address assigned to the Client on the date of their visit to the sites. Les Bains de Marrakech does not combine information collected via Google Analytics with personally identifiable information. Google's ability to use and share information collected by Google Analytics regarding visits to this site is limited by the Google Analytics Terms of Service and the Google Privacy Policy.
INFORMATION ON ADVERTISEMENTS
It is possible to opt out of many third-party advertising networks, including those operated by members of the Network Advertising Initiative (« NAI ») and the Digital Advertising Alliance (« DAA »). For more information on this practice by NAI and DAA members, as well as choices regarding the use of this information by these companies, including how to opt out of third-party advertising networks operated by NAI and DAA members, please visit their respective websites: http://optout.networkadvertising.org/#!/ and http://optout.aboutads.info/#!/.
CLIENT RIGHTS
The Client has the right to access, rectify, query, object to, port, and erase their personal data. The Client may exercise these rights by writing to Les Bains de Marrakech via email: contact@lesbainsdemarrakech.com or by mail to the registered office of Les Bains de Marrakech as indicated at the beginning of this document. The Client is informed that exercising certain of these rights may prevent Les Bains de Marrakech from fully or partially fulfilling its mission. The Client is also informed that they have the right to lodge a complaint with the CNIL.
Les Bains de Marrakech will notify the Client, by email, of any personal data breach as soon as it becomes aware of it, and within a maximum of twenty-four (24) business hours after becoming aware. This notification will be accompanied by all useful documentation to enable the Client, if applicable, to notify this breach to the competent supervisory authority.
MODIFICATION OF LES BAINS DE MARRAKECH'S COMMITMENTS
The applicable version is the one published on the website on the date of consultation.