PRIVACY POLICY

SCENTYS is a simplified single shareholder company with share capital of 470,806.60 euros, registered with the Paris Trade and Companies Register under number 478 525 009 and headquartered at 35 Boulevard des Capucines – 75002 Paris (hereinafter “We/Us”).

In the conduct of our business, we are particularly vigilant about keeping confidential the personal data we process and protecting your privacy in general.

We act in compliance with EU regulation 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the “General Data Protection Regulation”, or GDPR (hereinafter GDPR) and French Law 78-17 of January 6, 1978 on information technology, files and freedoms, as modified.

The present document (hereinafter “Privacy Policy”) describes the measures we implement to protect the personal data we process and, more specifically, informs you of the ways we collect and process your personal data through the management of files on our customers, prospects, and users of the www.scentys.com website (hereinafter the “Website”) and our social media, notably Facebook, Instagram, Twitter, LinkedIn and YouTube (hereinafter “Social Media”).

Our Privacy Policy is not contractual in nature and does not create any obligations beyond what is stipulated in the aforementioned regulations on the protection of personal data. 

We may update our Privacy Policy. You will be notified beforehand of any updates and, if your consent is necessary, we will seek to obtain it.

The terms “data controller”, “subcontractor”, “personal data”, “processing”, “personal data breach”, “member states” shall have the same meaning as in the GDPR and terms derived from them shall be interpreted in an identical manner.

      

Who is responsible for processing your personal data?

We control the processing of your personal data in the course of conducting our business.

If you have questions about the processing of your personal data, you can contact us:

  • By email, at info@scentys.com
  • By mail, at the following postal address: SCENTYS, 35 Boulevard des Capucines – 75002 Paris
  • By telephone, at (33)(1).53.45.99.40

      

When do we collect your personal data?

We may have collected your personal data when:

  • You created an account on our Website;
  • You purchased one of our products (online, by phone, at one of our points of sale (retailers), at a trade show, or through any other means);
  • You contacted us or asked us to contact you through any means of communication (telephone, postal mail, email, contact form on our Website, Social Media, etc.);
  • You exchanged with us;
  • You visited our Website;
  • You left a review of our Products using our provider “Avis Vérifiés”;
  • You signed up to receive our newsletters, news updates and offers;
  • You participated in games and contests we organized;
  • You participated in our polls and satisfaction surveys;
  • You applied to work for us;
  • You looked at or followed us on and/or used our Social Media;
  • You agreed to have your data included in our files or directories, and for it to be transmitted to us;
  • You agreed with our service providers or partners to have your data transmitted to us.

Personal data may be transmitted to us directly by you or by another individual in the company or organization you work for or on whose behalf you act.

Personal data may also be collected through cookies and other internet tracking technologies on our Website, such as your IP addresses, length of connection, language, location data, preferences, browsing history, etc. We invite you to review our cookies tool for more details.

      

What personal data do we collect?

We collect the following personal data:

  • For the creation of a customer account: capacity (professional/individual), business sector, company name, SIRET number, title, last name, first name, job title, date of birth, email address, and, where applicable, for the creation of a customer account on our Website, password.

The collection of this personal data is required. If this required information is not provided, we cannot create a customer account for you. These requirements to provide personal data are contractual in nature.

  • For the management and processing of your contact requests: capacity (professional /individual), business sector, company name, SIRET number, title, last name, first name, job title, email address and phone number.

The collection of this personal data is required. If this required information is not provided, we cannot respond to your request. These requirements to provide personal data are contractual in nature.

  • For the management and processing of orders, business relationship management (business operations and promotions), claims: capacity (professional/individual), title, last name, first name, email address, postal address (shipping address, billing address), date of birth and, where appropriate, data on purchases and contracts (transaction number, order details, product(s) purchases(s), reference(s) of product(s) purchased, subscription(s), quantities, purchase amounts, frequency, purchase history, product returns, correspondence between you and our services), payment details (method of payment, discounts applied, receipts, balances and outstanding debts).

The collection of this personal data (with the exception of title and date of birth) is required. If this required information is not provided, we cannot execute purchase contracts, manage the business relationship, or follow up on and respond to your claims. These requirements to provide personal data are contractual in nature.

  • For the management and processing of your job applications: last name, first name, email or postal address or telephone number, degrees earned, professional experience, information pertaining to the job for which you are applying.

 

The collection of this personal data is required. If this required information is not provided, we cannot respond to your application. These requirements to provide personal data are contractual in nature.

  • To receive our newsletters, news updates, offers, you must provide your email address. If you fail to provide this information, we will not be able to send you newsletters, news updates or offers. These requirements to provide personal data are contractual in nature.
  • To exercise your rights, as outlined below, you may be required to provide data or documents that confirm your identity or additional information about the nature of your requests. Failure to provide this information may prevent us from responding to your requests. These requirements to provide personal data are contractual in nature.

The collection of other personal data may also be required. You will be informed directly at the time of collection of all personal data the collection of which is required, of the contractual or regulatory nature of the obligation to provide it, and of the consequences of failing to provide said personal data. On the contact form on our Website, all fields for personal data that is required are marked with an asterisk.

You may provide personal data when using our Social Media and the free text fields in the contact form on our Website. You are hereby notified that you should provide only adequate and relevant information. You should not write comments that are excessive or insulting, or provide data that is considered sensitive with regard to article 9 of the GDPR (racial or ethnic origin, political opinions, philosophical or religious beliefs, union membership, data about health condition or sexual life, offenses committed, convictions, detention orders).

We do not process your personal data related to bankcards. Transactions are entirely processed via “SYSTEMPAY” and “STRIPE” payment modules.

      

What is the purpose and legal basis for processing your personal data?

Your personal data is collected for the purposes and on the legal bases outlined in the table below:


Purposes


Legal bases


Management and processing of your contact requests

Identification and management of customer accounts

Management and processing of orders, deliveries, and product returns

Management of our communication with you

Management of the business relationship

Management of accounting

Management of job applications


Execution of a contract to which you are a party or of pre-contractual measures taken at your request or in our legitimate interest (conduct of our business), as the case may be


Management of subscriptions to newsletters, news updates and offers

Management of games and contests, polls and satisfaction surveys

Sending of messages with information about our business (e.g. greetings and wishes, event invitations)

Management of events we organize (sign-ups)


Our legitimate interest (promotion of our business)


Management of claims, outstanding debts, pre-litigation and litigation


Our legitimate interest (defense of our rights and interests) or fulfilment of our legal obligations as the case may be


Management of the exercise of your rights outlined below


Fulfillment of our legal obligations


Proper functioning of and steady improvements to our Website

Audience measurement on our Website


Consent (collected through the cookie information banner on our Website)

      

To whom is your personal data sent?

The personal data we collect is intended, depending on the case, for the authorized staff in our customer relations, accounting, marketing, sales, legal and human resources departments.

We may also provide your personal data:

  • To our subcontractors and their subcontractors when strictly necessary to allow them to perform services for us (transportation providers, IT services providers, customer feedback collection providers, technical services providers, payment services providers, ID verification services providers, fraud prevention and fraud-fighting services providers, analytic solutions providers, collection and credit agencies, accounting firms and public accountants, law firms, auditing firms, marketing companies, third parties that could place cookies on devices when you consent to it). Our subcontractors are bound by privacy and security obligations, and other obligations set forth in the GDPR;
  • To financial, legal, administrative or government agencies, public bodies and regulatory authorities to which we may be required to provide certain data, notably in the event of a procedure, a dispute, an audit and/or summons, upon request and within the limits of what the regulation allows;
  • To our potential successors and assigns;
  • To our commercial partners, subject to your consent.

 

      

Where is your personal data stored?

Your personal data is stored on secure servers located in France.

However, we may transmit all or some of your personal data to certain subcontractors and partners operating outside the European Union for the purposes outlined above.

We assure you that such transfers of personal data outside the European Union are done in accordance with the Privacy Policy. When the State to which the personal data is sent is not a member of the European Union and has not been officially recognized by the European Commission as offering adequate safeguards, we will provide the appropriate guarantees regarding the protection of your persona data, in accordance with article 46 of the GDPR, notably through standard contractual clauses approved by the European Commission. We also ensure that you will always have enforceable rights and effective remedies.

Transfers that may occur and precautions that will be taken are described below.

Entity

Country to which data is sent

 

Protection

(Standard contractual clauses, binding corporate rules or BCR, adequacy decision from the European Commission)

Partners based outside the European Economic Area (if necessary and subject to your consent)

Destination country varies case-by-case

The safeguard measure depends on the country in question and is verified if such a transfer is considered for a specific case.

 

      

How long do we keep your personal data?

Your personal data is kept only as long as is strictly required by the purposes outlined above.

 

Personal data retained

 

Total length of storage

 

Data related to the contracts you enter into with us

 

The length of time during which we can be held liable (taking into account potential interruptions or suspension of civil or criminal statutes of limitation)

 

 

 

Data related to management of outstanding debts

 

 

5 years from the resolution of the outstanding debt

 

Data related to your customer account

 

3 years from the last activity on the account

 

Data related to your job application

 

2 years from the last time you contacted us, if you are not hired

 

During the period during which we could be held liable if you are hired

 

 

Data that allows us to fulfill our accounting obligations

 

10 years from the end of the fiscal year in question

 

Data related to guidelines on the handling of your data after your death

 

As long as the data covered by the guidelines are kept

 

Data related to the exercise of a right of access, rectification or erasure

 

5 years from the date of the end of the procedure associated with your request

 

Data related to the exercise of a right to object

 

6 years from the date of the end of the procedure associated with your request

 

Data related to the exercise of a right to restriction of processing

 

5 years from the end of the restriction of processing

 

Data used for direct marketing (newsletters, news updates and offers, messages with information about our business, sign-ups for events we organize, games-contests, polls or satisfaction surveys)

 

Other data used outside the situations listed above: data used to respond to various contact requests

 

3 years from when the data is collected or the last contact initiated by you

 

When the periods listed above expire, your personal data will be either erased or anonymized.

As an exception, in the event of pre-litigation or litigation, all or some of your personal data may be kept for longer if it is relevant to said pre-litigation or litigation.

      

What are your rights and how can you exercise them?

Per the provisions of article 15 of the GDPR, and subject to exceptions, you have the following rights:

  • Right to obtain confirmation whether or not your personal data is being processed and, if that is the case, to access the personal data and certain information about processing (right of access);
  • Right to object, for reasons related to your specific circumstances, to your personal data being processed by us (right to object);
  • Right to rectify your data when it is inaccurate (right of rectification);
  • Right to have your data erased in certain cases (right of erasure or “to be forgotten”);
  • Right to receive the personal data you provided to us in a structured, commonly-used and machine-readable format, and/or to ask us to transfer that data to another data controller, when the basis for processing is consent or a contract and processing is done with automated processing (right to data portability);
  • Right to restrict processing in certain cases (right to restriction of processing);
  • Right to establish guidelines for the preservation, deletion and transmission of your personal data after your death. These guidelines may be general or specific. We can only keep on file specific guidelines related to your personal data that we process. General guidelines may be sent to and stored by a trusted digital third party certified by the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés, hereinafter “CNIL). You also have the right to designate a third party to which your personal data can be sent after your death. In this case, you are obligated to inform that third party of your request and that data allowing them to be clearly identified will be transmitted to us and to share the present Privacy Policy with them;
  • Right to withdraw at any time your consent to having your personal data processed when processing is based on said consent, without affecting the lawfulness of processing done prior to withdrawal (right to withdraw your consent);
  • Right to object to having your personal data used for direct marketing (right to object to your data being used for direct marketing);
  • Right not to be subject to solely automated decisions, which have a legal or similarly significant effect on them (right to not be subject to automated individual decision-making);
  • Right to lodge a complaint with a supervisory authority, which, in France, is the CNIL, and to take legal action against us in the competent court if you estimate that your data protection rights have been breached. You may claim full compensation for the damages suffered.

The existence of these rights notably depends on the legal basis of the processing that is the subject of the request. These rights are not without limitations and, in certain cases, we may reject your request (for instance, on legitimate and compelling grounds with regard to the right to object). Under certain circumstances, we may respond that your request cannot be met with a positive response from us and we will explain why we cannot comply.

If we have a reasonable doubt about your identity, we may request some additional information or documents to verify your identity (for instance, in certain cases, a black and white copy of the front of your French identity card).

In accordance with the conditions set forth in the regulation, you may exercise your rights by writing to us at the addresses given above. If you have a customer account on our Website, you can also access, modify, correct, or delete your personal data directly by going to the “My Account” page and then the tab “Your personal data”.

We will do our best to respond to your requests within a reasonable timeframe, and in all cases will respond by the deadline set by the regulations in force.

      

What steps do we take to protect your personal data?

Respecting your right to data protection, security and privacy is our priority.

All payments made online are handled in accordance with the payment card industry data security standard (PCI DSS). It is an international security standard that ensures the privacy and integrity of data and thus the security of transactions.

 

The organizational and technical security measures we implement are adapted to the degree of sensitivity of your personal data, to protect it from malicious attacks, accidental loss, accidental or illegal destruction, alteration or disclosure to unauthorized third parties.