Privacy Policy

Last updated: 06/13/2026

In accordance with the General Data Protection Regulation (GDPR – EU 2016/679), GALVACYL is committed to ensuring the protection, confidentiality, and security of its users' personal data.

1. Data Controller

Company name: GALVACYL SAS
Address: Impasse de la Sparterie Jardin Industriel, 38280 Janneyrias, France
SIRET: 10147940000018
Email: contact@galvacyl.com
Phone: +33 6 49 34 72 64
Legal representatives: Océane NICOD, David LEHMANN, General Managers

This information precisely matches the company's Kbis.

2. Personal data collected

We only collect data necessary for the following purposes:

Contact form: Name, email, phone (optional), message.
E-commerce orders: Name, email, shipping address, phone, payment information (processed by Stripe).
Admin authentication: Email, password (hashed via Supabase Auth).
Cookies: Cookie consent stored locally.

No banking data is stored by GALVACYL. Payments are securely processed by Stripe.

3. Legal basis for processing

In accordance with Article 6 of the GDPR:

Contact form: Art. 6.1.b GDPR — Pre-contractual measures or contract performance.
E-commerce orders: Art. 6.1.b GDPR — Performance of the sales contract.
Analytical/marketing cookies: Art. 6.1.a GDPR — Consent.
Admin authentication: Art. 6.1.f GDPR — Legitimate interest.

4. Data retention period

In accordance with Article 5.1.e of the GDPR (storage limitation):

Order data: 10 years — Commercial Code art. L123-22.
Contact form: 3 years — CNIL recommendation (commercial prospecting).
Administrator accounts: 2 years of inactivity — Best practice.
Server logs: 6 months — Law for Confidence in the Digital Economy (LCEN).
Cookies: 13 months maximum — CNIL Deliberation 2020-091.

5. Recipients of your data

Your personal data is only transmitted to the following service providers, in strict compliance with the GDPR:

Supabase European Union

Application backend: authentication, PostgreSQL database, file storage, server functions.

Data transferred: Authentication data (email, technical identifiers), application data stored in the database, files uploaded by users.

✅ DPA signed. Standard Contractual Clauses (SCC). Data encryption. GDPR compliance declared by Supabase. Administrative access possible by a company established outside the EU, legally framed.

Hostinger European Union — Lithuania

Website hosting, servers, technical logs, security, CDN.

Data transferred: Navigation data (server logs), technical data (IP, HTTP requests), content hosted on the website.

✅ DPA signed. Company established in the European Union (Lithuania). Native GDPR compliance. Technical and organizational security measures. Technical data may temporarily transit outside the EU via the CDN.

Stripe Global infrastructure (data may be processed outside the EU, particularly in the United States)

Online payment processing and financial transaction management.

Data transferred: Payment details (via tokens, cards not stored by the site), identification data related to transactions, billing data.

✅ DPA signed. Standard Contractual Clauses (SCCs). High level of security (PCI-DSS). Stripe acts as a data processor or data controller depending on the context. Certifications: PCI-DSS Level 1, ISO 27001, SOC 2 Type II.

Renvoyer EU – Ireland (eu-west-1), company established outside the EU (United States) with potential supervised access

Sending transactional emails (order confirmation, notifications, system emails).

Data transferred: Email address, email content, sending metadata (logs, timestamps).

✅ DPA signed. Standard Contractual Clauses (SCC). Data encryption. Use limited to transactional emails.

6. Data transfers outside the European Union

Any data transfers outside the European Union are governed by appropriate safeguards, in accordance with Article 46 of the GDPR:

Data Privacy Framework (DPF): EU-US adequacy decision adopted in July 2023. Applicable to: Stripe, Resend.
Standard Contractual Clauses (SCC): Standard contractual clauses approved by the European Commission. Applicable to: Stripe, Resend.

⚠️ Important note: In accordance with EDPB Recommendations 01/2020 (post-Schrems II), we conduct a Transfer Impact Assessment for each transfer to the United States.

7. Your rights regarding your personal data

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

Right of access (Art. 15): Obtain a copy of your personal data and information regarding its processing.
Right to rectification (Art. 16): Correct inaccurate data or complete incomplete data.
Right to erasure (Art. 17): Request the deletion of your data (except for legal obligations). Accounting data is stored for 10 years in anonymized form.
Right to restriction of processing (Art. 18): Request the temporary suspension of processing in certain situations.
Right to data portability (Art. 20): Receive your data in a structured, commonly used, and machine-readable format.
Right to object (Art. 21): Object to the processing of your data for reasons related to your particular situation.

8. How to exercise your rights?

To exercise one of your rights, please follow the procedure below:

1. Send your request to contact@galvacyl.com
2. Specify: name, email, subject of the request
3. Attach a proof of identity if necessary (access, rectification, erasure)
4. You will receive a response within a maximum of 1 month

📧 contact@galvacyl.com – Response within 1 month maximum (Art. 12.3 GDPR, extendable to 2 months in case of complexity). An ID may be requested for access, rectification, or erasure requests.

9. Deletion and Anonymisation

In the event of a request for erasure of your data (right to be forgotten):

— Data not subject to a legal obligation is permanently deleted.
— Data subject to legal obligations (invoicing, accounting) is anonymized and kept solely to comply with the law.
— You will receive confirmation of the deletion/anonymization within 1 month.

10. Data Security

We implement all appropriate technical and organizational measures:

— Encryption in transit: HTTPS/TLS 1.3
— Encryption at rest: AES-256 (Supabase)
— Passwords: bcrypt hashing via Supabase Auth
— Secure authentication: JWT with server-side validation
— Anonymized logs: Emails, phone numbers, and names are anonymized in server logs
— Principle of least privilege: Access limited to authorized administrators only

11. Cookie management

This site uses cookies and similar technologies. You can manage your preferences via the consent banner.

Essential cookies: necessary for the shopping cart and session to function — no consent required.
Analytical cookies: placed only with your consent.
Duration: 13 months maximum (CNIL deliberation 2020-091).

12. Right to lodge a complaint with the CNIL

If you believe that your rights are not being respected, you have the right to lodge a complaint with the French supervisory authority:

CNIL (National Commission for Information Technology and Civil Liberties)
3 Place de Fontenoy, 75007 Paris, France
Telephone: +33 1 53 73 22 22
www.cnil.fr — File a complaint: online form available on the website.

13. Changes to this Policy

We reserve the right to modify this privacy policy at any time. Any changes will be posted on this page with a new updated date.

Version: 1.0.0 — This policy complies with Regulation (EU) 2016/679 (GDPR).