Privacy policy for personal data

Last update: 23/03/2019

The following text has been translated by a machine from its original French version to English for your convenience without any warranty of correctness. Please understand that, Institut Calysta being a French company, ONLY the FRENCH version has legal value. Do not hesitate to contact us in case of questions with regards to our privacy policy.

Institut Calysta (hereinafter the "Company") offers wellness care services (hereinafter the "Services") to its clients (hereinafter the "Clients").

The Company uses a multifunctional "Flexybeauty" SaaS software solution designed for wellness professionals, enabling them to benefit from cash register software, build a database of its Customers (hereinafter referred to as the "Customer Data"), track their appointment history, manage its inventories, access statistics on its Customers and use a direct marketing service.

The Company is responsible for the processing of Customer Data.

The Company, concerned about the Client's personal data, undertakes to ensure the conformity of the processing operations carried out in its capacity as controller, in accordance with the provisions of Regulation 2016/679 of the European Parliament and of the Council dated 27 April 2016 (the "GDPR").

To do this, the Company uses a solution that complies with the DGMP and has implemented a strict confidentiality policy to ensure an optimal level of protection for the data collected from the Client.

This privacy policy is intended for Customers using the Services offered by the Company.

Article 1. Personal data collected

The Client is informed that when purchasing or booking a wellness treatment service from the Company, the following personal data concerning him/her are collected (i) by telephone or electronic means of communication (e. g. SMS, E-Mail, Facebook, WhatsApp) when making an appointment, (ii) via the Company's website (hereinafter the "Site") when sending a message via the contact form or (iii) to the beauty institute when paying for the service or making an appointment:

Name, first name ;
Sex;
Email address ;
Telephone number;
Date of birth;
Mailing address ;
Gift voucher;
Loyalty card.

The Client is also informed that the history of his services, appointments and payments is kept by the Company.

The Client consents to the processing of the personal data listed above.

The Client is informed that the Company does not collect any sensitive data within the meaning of the laws and regulations in force.

The Client undertakes to provide only accurate, complete and regularly updated data on his identity and information. The Company shall under no circumstances be held liable in the event of communication of obsolete, illegal or contrary to public policy data.

The Company informs the Customer that it places cookies or similar tracking technologies on the Customer's terminal when the Customer consults the Site and collects the following data:

IP address (Internet Protocol);
Browser version of the terminal used;
Site visit/navigation data ;
Cookies of operation.

The purposes of processing data collected via cookies and tracking devices as well as the management of cookies will be detailed in Article 6.

Article 2. Purpose of the processing operation carried out

The Company collects, processes and stores the data transmitted by the Client in the context of access to the Services.

In addition, subject to its express acceptance, the Customer may receive direct marketing requests, namely promotional offers, from the Company's commercial partner, Flexybeauty.

In the event that the Client's personal data are collected by telephone or at the institute, an email confirming consent will be sent to the Client.

Thus, the Company collects and processes the Client's personal data only for the strict performance and optimal use of the Services it offers.

The Client is informed that the processing carried out by the Company is also intended to produce statistics on the use of the Services.

The Company informs Customers that no personal data will be collected without its express prior consent.

The Company informs the Client that the data are only kept for the duration of the contractual relationship expressly necessary for the purpose of the processing.

Article 3. Obligations of the company

In its capacity as controller, and in accordance with the laws and regulations in force, the Company undertakes to:

Collect data from the Company's Customers only for the purposes described in Article 2;
Keep a register of processing operations;
Implement all technical and organisational measures to ensure the security of the processing operations carried out;
Restrict access to Customer data to persons duly authorized for this purpose only;
Sensitize and train staff in data processing;
Guarantee all rights of access, portability, deletion, rectification and opposition of Customers regarding their data collected when using the Services;
Notify the CNIL of any security breach posing a high risk to the rights and freedoms of Customers within 72 hours of the discovery of the breach;

Article 4. Access to collected data

The Customer has at any time, before, during or after processing, a right of access, copying, rectification, opposition, portability, limitation and deletion of data concerning him.

He can directly configure his data via his personal account or exercise his rights by sending an e-mail to the following address: contact@institutcalysta.com, or by post to the following address: Institut Calysta, 4 rue de l'Artisanat, FR-68730 Blotzheim, subject to proof of his identity.

The Customer is duly informed that the deletion of his personal account results in the deletion of access to the Services and data related to the use of the Services. The Customer is informed that the Customer Data are kept for a period of sixty (60) days from the termination, except for any data for which a longer storage would be required by law or regulation.

In addition, the Client may at any time question the Company if he considers that his rights are not being respected. In the absence of a satisfactory response, the Client may file a complaint with the CNIL. For further information, the Company invites the Client to consult its rights on the CNIL website available at the following link: www.cnil.fr

Article 5. Hosting of customers' personal data

The Company informs the Client that the data collected for the performance of the Services may be transferred to the United States from GOOGLE's hosting service, which is a member of the Privacy Shield system, to which the Client is hereby expressly informed. The Company informs the Client that the service provider in charge of hosting its data guarantees all the security measures it can legitimately expect. The Client is informed that, at its discretion, the Company may change its hosting provider to one located elsewhere in the European Union.

Article 6. Cookie management

A cookie is a text file placed, subject to the Client's choices, on his computer when visiting a web page. Its purpose is to collect information relating to the Customer's navigation and to send him services adapted to his device (computer, mobile or tablet).

The Customer is therefore informed that the use of the Services involves the storage of "Cookies" files, cookies, other tracers or similar technologies on the Customer's terminal.

The Client is informed that the Company deposits cookies and tracers on its terminal in order to allow (i) the Client to identify himself, (ii) the Company to administer the Client's personal space, (iii) to improve the content of the Site, or if necessary (iv) for the purpose of measuring the Site's audience by calculating statistics on the pages consulted by the Client and determining the most used Services.

The Customer is informed that cookies and tracers will be placed on his terminal for a period of thirteen (13) months.

The Customer may at any time configure his browser to receive notification when a cookie is sent or to refuse cookies.

However, some of the features of the Services may not work without cookies. In addition, if most browsers are set by default and accept the installation of all cookies, the Customer has the possibility, if he so wishes, to choose to accept the deposit of all cookies, other than functional cookies, or to reject them systematically or to choose those he accepts according to their issuers, and this by making the following settings.

The Company informs the Client that he may at any time withdraw his consent by changing these settings.

Article 7. Use of videos

This website uses the Youtube integration function to display and play videos from the provider "Youtube" which belongs to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

The extended data protection mode is used here. According to the supplier's declarations, the latter does not initiate any backup of the user's information until the video or videos are played back. If playback of integrated YouTube videos is started, "YouTube" cookies are used by the provider to collect information about the user's behaviour. According to information provided by "Youtube", these cookies are used, among other things, to collect video statistics, improve usability and prevent abusive practices. If you are connected to Google, your information will be associated with your account as soon as you click on a video. If you do not want Youtube to associate this information with your profile, we invite you to log out before activating the video playback. Google saves your data (even for users who are not logged in) as usage profiles and evaluates them. This assessment shall be made in accordance with the provisions of Article 6(1)(f) of the DGPS on the basis of Google's legitimate interests in the insertion of personalised advertising, market research and/or a demand-driven website design. However, you can oppose the creation of these user profiles by contacting Youtube.

Regardless of the playback of the integrated videos, a simple visit to this website results in a connection to Google's "DoubleClick" network that may trigger further data processing operations over which we have no influence.

Google LLC, based in the United States, participates in the EU - United States Data Protection Shield, which aims to ensure the protection of personal data transferred from a Member State of the European Union to the United States.

Further information on "YouTube" data protection can be found in the supplier's data protection declaration at https://policies.google.com/privacy?hl=fr