Version 1.0 — Last updated 2026-04-07
I. Data Controller
The data controller for your personal data is GFA Bernard Solane et Fils, registered at Château Crabitan Bellevue, 33410 Sainte-Croix-du-Mont – FRANCE (SIRET: 398 341 701 00017).
Contact: dpo@crabitanbellevue.fr — Phone: +33 (0)5 56 62 01 53
II. Data Collected and Purposes
1. Orders and payments
When placing an order, we collect your first and last name, delivery and billing address, email address and phone number. This data is necessary for the performance of the contract (GDPR Article 6(1)(b)). Card payments are processed by a PCI-DSS certified provider; we never store your full payment card details.
2. Account creation
If you create a customer account, we store your email address and password (hashed). This data allows us to manage your personal space and order history (legal basis: performance of contract).
3. Contact form
When you use our contact form, we collect your name, email address and message content solely to handle your enquiry (legal basis: legitimate interest).
4. Newsletter
If you subscribe to our newsletter, we retain your email address based on your consent (GDPR Article 6(1)(a)). You may unsubscribe at any time from your "My Account" space or via the unsubscribe link in every email. The newsletter uses a double opt-in mechanism: your subscription is only confirmed after email validation.
5. Email tracking
Our emails (newsletters and cart-abandonment reminders) include a tracking pixel (1×1 invisible image) and tracking links that allow us to measure open and click rates. This data is processed on the basis of our legitimate interest (GDPR Article 6(1)(f)) in improving the relevance of our communications. No tracking data is shared with third parties. You may object to this processing by unsubscribing from the newsletter or by contacting our DPO at dpo@crabitanbellevue.fr.
6. Abandoned cart reminders
If you added products to your cart without completing your order, we may send you a reminder email within 72 hours of abandonment. This processing is based on our legitimate interest (GDPR Article 6(1)(f)) in maintaining a commercial relationship with identified customers. Only customers with a verified account are concerned. You may object to this processing at any time by contacting our DPO at dpo@crabitanbellevue.fr or by deleting your account.
7. Analytics cookies
With your consent, we use Google Analytics 4 to measure website traffic (pages visited, visit duration, device type). Your IP address is anonymised before any storage. No analytics script is loaded without your prior consent (GDPR Article 6(1)(a)). You may withdraw your consent at any time via the "Manage cookies" link at the bottom of every page.
8. Technical cookies
We use cookies strictly necessary for the operation of the website: session cookie (authentication), language preference cookie and age verification cookie. These cookies do not require consent as they are essential to the requested service.
9. Full list of cookies set
In accordance with GDPR Article 13 and CNIL deliberation n°2020-091 of 17 September 2020, here is the complete list of cookies we set:
| Cookie name | Purpose | Retention period | Consent required |
|---|---|---|---|
| auth_token | Authentication — contains the session JWT of the logged-in user (HttpOnly, Secure) | 2 hours (JWT duration) | No — strictly necessary |
| device_token | Remembers trusted device for MFA validation (HttpOnly, Secure) | 90 days | No — strictly necessary for account security |
| lang | Stores language preference (FR/EN) | Session (cleared when browser is closed) | No — functional preference |
| age_verified | Records the age declaration (legal alcohol age gate) | 24h (13 months if "Remember me" is checked) | No — legal obligation (Art. L3342-1 French Public Health Code) |
| cookie_consent | Stores analytics cookie consent choice | 13 months (CNIL 2020 recommendation) | No — necessary to respect your choice |
| _ga | Google Analytics 4 — anonymised session identifier for audience measurement | 2 years | Yes — only set after explicit consent |
| _ga_* | Google Analytics 4 — session persistence for page-view tracking | 2 years | Yes — only set after explicit consent |
III. Data Minimisation
Protecting your personal data is our priority. We apply the data minimisation principle set out in GDPR Article 5(1)(c): we only collect data strictly necessary for the purpose for which it is requested. No superfluous data is retained. Your data is never sold, transferred or shared with third parties for commercial purposes.
IV. Retention Periods
- Order and billing data: 10 years from the order date (legal accounting obligation — French Commercial Code Art. L123-22).
- Customer account data: duration of the commercial relationship, then 3 years in intermediate archiving after inactivity.
- Contact data: 3 years from the last contact.
- Newsletter: until unsubscription.
- Newsletter tracking data: 13 months from the date of opening or click (legitimate interest, CNIL recommendation).
- Connection logs and server logs: 1 year (CNIL recommendation — Art. L34-1 CPCE).
- Consent cookie: 13 months maximum (CNIL 2020 recommendation).
- Google Analytics data: 26 months (default GA4 setting).
V. Processors and Data Recipients
Your data is processed solely by authorised members of GFA Bernard Solane et Fils. It may also be processed by the following providers acting as processors in accordance with GDPR Article 28:
| Processor | Role | Location | GDPR safeguards |
|---|---|---|---|
| IONOS SE | Web server hosting, database, transactional email delivery | Germany (EU) | DPA included in IONOS Terms of Service |
| Crédit Agricole | Card payment processing (PCI-DSS certified) | France (EU) | Commercial contract + PSP DPA |
| Google LLC | OAuth authentication (Google sign-in) — Audience measurement (GA4, with consent) | United States | Standard Contractual Clauses (SCCs) + Google Cloud DPA — EU-US Data Privacy Framework |
| DeepL SE | Interface translation (editorial content only, no personal data) | Germany (EU) | DeepL Terms of Service — no personal data transmitted |
| GitHub Inc. (Microsoft) | Source code hosting and continuous integration (CI/CD) | United States | Microsoft SCCs + GitHub Customer Agreement DPA |
These providers are contractually bound to respect the confidentiality of your data and to use it only for the agreed purposes.
VI. International Data Transfers
Some of our processors (Google LLC, GitHub Inc.) are established in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, in compliance with the EU-US Data Privacy Framework. You may request information on the safeguards in place by contacting: dpo@crabitanbellevue.fr.
VII. Your Rights
Under the General Data Protection Regulation (GDPR — EU Regulation 2016/679), you have the following rights:
- Right of access (Art. 15) — obtain a copy of your data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17) — request deletion of your data.
- Right to data portability (Art. 20) — receive your data in a structured format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7) — at any time for consent-based processing (e.g. analytics cookies, newsletter).
To exercise these rights, contact: GFA Bernard Solane et Fils, Château Crabitan Bellevue, 33410 Sainte-Croix-du-Mont, France or by email at dpo@crabitanbellevue.fr. We respond within one month (GDPR Art. 12).
If you believe your rights are not being respected, you may lodge a complaint with the CNIL (French Data Protection Authority) — www.cnil.fr — or with the supervisory authority of your country of residence.
VIII. Data Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss or accidental destruction: HTTPS/TLS connection, bcrypt password hashing, multi-factor authentication (MFA), PCI-DSS certified payment processing, hosting on a dedicated IONOS server in Germany, AES-256-GCM encryption of sensitive database columns (GDPR Art. 32). Our infrastructure is designed with a view to migrating to quantum-resistant algorithms (NIST PQC) as standards become available. In the event of a personal data breach, we undertake to notify the CNIL within 72 hours of becoming aware of the incident, in accordance with GDPR Art. 33.
IX. Changes to This Policy
We reserve the right to update this privacy policy to reflect legal changes or updates to our practices. In the event of a material change, we will inform users with an account. The current version is always accessible from this page and from the website footer.
For any question relating to the protection of your data, please also consult our Legal notice.