Privacy policy for personal data

Last update: 09/05/2024

The following text has been translated by a machine from its original French version to English for your convenience without any warranty of correctness. Please understand that, Institut Calysta being a French company, ONLY the FRENCH version has legal value. Do not hesitate to contact us in case of questions with regards to our privacy policy.

Institut Calysta (hereinafter the "Company") offers wellness care services (hereinafter the "Services") to its clients (hereinafter the "Clients").

The Company uses a multifunctional "Flexybeauty" SaaS software solution designed for wellness professionals, enabling them to benefit from cash register software, build a database of its Customers (hereinafter referred to as the "Customer Data"), track their appointment history, manage its inventories, access statistics on its Customers and use a direct marketing service.

The Company is responsible for the processing of Customer Data.

The Company, concerned about the Client's personal data, undertakes to ensure the conformity of the processing operations carried out in its capacity as controller, in accordance with the provisions of Regulation 2016/679 of the European Parliament and of the Council dated 27 April 2016 (the "GDPR").

To do this, the Company uses a solution that complies with the DGMP and has implemented a strict confidentiality policy to ensure an optimal level of protection for the data collected from the Client.

This privacy policy is intended for Customers using the Services offered by the Company.

Article 1. Personal data collected

The Client is informed that when purchasing or booking a wellness treatment service from the Company, the following personal data concerning him/her are collected (i) by telephone or electronic means of communication (e. g. SMS, E-Mail, Facebook, WhatsApp) when making an appointment, (ii) via the Company's website (hereinafter the "Site") when sending a message via the contact form or (iii) to the beauty institute when paying for the service or making an appointment:

  • Name, first name ;
  • Sex;
  • Email address ;
  • Telephone number;
  • Date of birth;
  • Mailing address ;
  • Gift voucher;
  • Loyalty card.

The Client is also informed that the history of his services, appointments and payments is kept by the Company.

The Client consents to the processing of the personal data listed above.

The Client is informed that the Company does not collect any sensitive data within the meaning of the laws and regulations in force.

The Client undertakes to provide only accurate, complete and regularly updated data on his identity and information. The Company shall under no circumstances be held liable in the event of communication of obsolete, illegal or contrary to public policy data.


The Company informs the Customer that it places cookies or similar tracking technologies on the Customer's terminal when the Customer consults the Site and collects the following data:

  • IP address (Internet Protocol);
  • Browser version of the terminal used;
  • Site visit/navigation data ;
  • Cookies of operation.
  • The purposes of processing data collected via cookies and tracking devices as well as the management of cookies will be detailed in Article 6.

    Article 2. Purpose of the processing operation carried out

    The Company collects, processes and stores the data transmitted by the Client in the context of access to the Services.

    In addition, subject to its express acceptance, the Customer may receive direct marketing requests, namely promotional offers, from the Company's commercial partner, Flexybeauty.

    In the event that the Client's personal data are collected by telephone or at the institute, an email confirming consent will be sent to the Client.

    Thus, the Company collects and processes the Client's personal data only for the strict performance and optimal use of the Services it offers.

    The Client is informed that the processing carried out by the Company is also intended to produce statistics on the use of the Services.

    The Company informs Customers that no personal data will be collected without its express prior consent.

    The Company informs the Client that the data are only kept for the duration of the contractual relationship expressly necessary for the purpose of the processing.

    Article 3. Obligations of the company

    In its capacity as controller, and in accordance with the laws and regulations in force, the Company undertakes to:

    • Collect data from the Company's Customers only for the purposes described in Article 2;
    • Keep a register of processing operations;
    • Implement all technical and organisational measures to ensure the security of the processing operations carried out;
    • Restrict access to Customer data to persons duly authorized for this purpose only;
    • Sensitize and train staff in data processing;
    • Guarantee all rights of access, portability, deletion, rectification and opposition of Customers regarding their data collected when using the Services;
    • Notify the CNIL of any security breach posing a high risk to the rights and freedoms of Customers within 72 hours of the discovery of the breach;
    • To destroy Customer data in the absence of contact with the Company for a period of three (3) years.

    Article 4. Access to collected data

    The Customer has at any time, before, during or after processing, a right of access, copying, rectification, opposition, portability, limitation and deletion of data concerning him.

    He can directly configure his data via his personal account or exercise his rights by sending an e-mail to the following address: This email address is being protected from spambots. You need JavaScript enabled to view it., or by post to the following address: Institut Calysta, 7 rue de l'Industrie, FR-68730 Blotzheim, subject to proof of his identity.

    The Customer is duly informed that the deletion of his personal account results in the deletion of access to the Services and data related to the use of the Services. The Customer is informed that the Customer Data are kept for a period of sixty (60) days from the termination, except for any data for which a longer storage would be required by law or regulation.

    In addition, the Client may at any time question the Company if he considers that his rights are not being respected. In the absence of a satisfactory response, the Client may file a complaint with the CNIL. For further information, the Company invites the Client to consult its rights on the CNIL website available at the following link:

    Article 5. Hosting of customers' personal data

    The Company informs the Client that the data collected for the performance of the Services may be transferred to the United States from GOOGLE's hosting service, which is a member of the Privacy Shield system, to which the Client is hereby expressly informed. The Company informs the Client that the service provider in charge of hosting its data guarantees all the security measures it can legitimately expect. The Client is informed that, at its discretion, the Company may change its hosting provider to one located elsewhere in the European Union.

    Article 6. Cookie management

    A cookie is a text file placed, subject to the Client's choices, on his computer when visiting a web page. Its purpose is to collect information relating to the Customer's navigation and to send him services adapted to his device (computer, mobile or tablet).

    The Customer is therefore informed that the use of the Services involves the storage of "Cookies" files, cookies, other tracers or similar technologies on the Customer's terminal.

    The Client is informed that the Company deposits cookies and tracers on its terminal in order to allow (i) the Client to identify himself, (ii) the Company to administer the Client's personal space, (iii) to improve the content of the Site, or if necessary (iv) for the purpose of measuring the Site's audience by calculating statistics on the pages consulted by the Client and determining the most used Services.

    The Customer is informed that cookies and tracers will be placed on his terminal for a period of thirteen (13) months.

    The Customer may at any time configure his browser to receive notification when a cookie is sent or to refuse cookies.

    However, some of the features of the Services may not work without cookies. In addition, if most browsers are set by default and accept the installation of all cookies, the Customer has the possibility, if he so wishes, to choose to accept the deposit of all cookies, other than functional cookies, or to reject them systematically or to choose those he accepts according to their issuers, and this by making the following settings.

    The Company informs the Client that he may at any time withdraw his consent by changing these settings.

    Article 7. Integration of Trusted Shops Trustbadge / other widgets

    Trusted Shops widgets are integrated into this website in order to display Trusted Shops services (e.g. the Trusted Mark, collected reviews) as well as to offer Trusted Shops services for buyers after an order. This serves to safeguard our legitimate interests in the optimal marketing of our offer by enabling secure purchasing, which prevail when balancing the respective interests of the parties in accordance with Article 6, § 1, f) GDPR. The Trustbadge and the services advertised therein are offered by Trusted Shops AG, Subbelrather Straße 15C, 50823 Cologne, Germany (hereinafter referred to as "Trusted Shops"), with whom we are jointly responsible for data protection in accordance with Art. 26 GDPR. In the context of this data protection declaration, we would like to inform you of the main points of the agreement in accordance with Art. 26, § 2 RGPD.

    In the context of the joint responsibility between us and Trusted Shops, please contact Trusted Shops AG for questions regarding data protection and to exercise your rights using the contact details given in the Trusted Shops data protection declaration. Regardless of this, you can always contact the person responsible of your choice. If necessary, your request will be forwarded to the other responsible party for response.

    7.1. Data processing related to the integration of the Trustbadge/other widgets

    The Trustbadge is provided by a US Content Delivery Network (CDN) provider. An adequate level of data protection is ensured by standard data protection clauses and other contractual measures.

    When the Trustbadge appears, the web server automatically records a server log file that also contains your IP address, the date and time of the display, the amount of data transferred and the requesting provider (log file data), and documents the display. The IP address is anonymized immediately after collection, so that the stored data cannot be traced back to you. The anonymized data is used for statistical and error analysis purposes.

    7.2. Data processing at the end of the order

    After the order has been completed, the Trustbadge accesses the order information stored in your terminal equipment (order amount, order number, product purchased if applicable) as well as your e-mail address. This is necessary in order to be able to offer you the Trusted Shops Services and, if applicable, to automatically secure your order. For this purpose, your e-mail address is transmitted to Trusted Shops in an encrypted one-way format. The legal basis for this is Art. 6, § 1, f) GDPR.

    This serves to check whether you are already registered for the Trusted Shops Services and is therefore necessary to satisfy our overriding legitimate interests and those of Trusted Shops in the provision of the concrete order-related Buyer Protection and customer review services in accordance with Art. 6, § 1, f) GDPR. If this is the case, further processing takes place in accordance with the contractual agreement between you and Trusted Shops. If you have not yet registered for the Services, you will then have the opportunity to do so for the first time. Further processing after registration is also governed by the contractual agreement with Trusted Shops. If you do not register, all data transmitted will be automatically deleted by Trusted Shops and it will no longer be possible to establish a relationship with you.

    Trusted Shops uses service providers in the areas of hosting, monitoring and logging. The legal basis for this is Art. 6, § 1, f) GDPR in order to ensure a smooth operation. In this context, processing may take place in third countries (USA and Israel). An adequate level of data protection is guaranteed in the case of the United States by standard data protection clauses and other contractual measures, and in the case of Israel by an adequacy decision. For more information, please click here..

    Article 8. Third party services

    8.1. This website uses the Youtube integration feature to display and play videos from the provider "Youtube" which is owned by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google").

    The extended data protection mode is used here. According to the provider's statement, this mode does not save the user's information until the video(s) are played. If the integrated YouTube videos are played, "YouTube" cookies are used by the provider to collect information about the user's behavior. According to the information provided by "YouTube", these cookies are used, among other things, to collect video statistics, to improve usability and to prevent abuse. If you are logged into Google, your information will be associated with your account when you click on a video. If you do not want Youtube to be able to associate this information with your profile, we invite you to log out before activating the video. Google saves your data (even for users who are not logged in) as usage profiles and evaluates them. This evaluation is carried out in compliance with the provisions of Article 6 paragraph 1 point f) GDPR on the basis of Google's legitimate interests in the insertion of personalized advertisements, market research and/or a demand-oriented design of its website. However, you can object to the creation of these user profiles by contacting Youtube.

    In addition to playing the embedded videos, a visit to this website results in a connection to Google's "DoubleClick" network, which may trigger other data processing operations over which we have no control.

    Google LLC, located in the United States, participates in the EU-U.S. Privacy Shield, which is designed to ensure the protection of personal data that is transferred from a member state of the European Union to the United States.

    You can find further information on "YouTube" data protection in the provider's data protection declaration at

    8.2.    We use Google Ads to enable the display of advertisements for our services in a targeted manner and in particular on other websites, in particular to people who are interested in our services, including our site. web, or who use our services, including our website, for which we transfer corresponding information, also of a personal nature, to Google (retargeting). Cookies are also used. Google uses different domain names for Google Ads, including, and We also use Google Tag Manager to integrate and manage Google Ads and other Google and third-party services on our website. Google processes the transferred information and other data relating to Google Ads pseudonymously. That is to say, from Google's point of view, pseudonymous profiles and not the profiles of actually identified individual persons are processed, unless the corresponding person has authorized Google to carry out the processing without pseudonymization.
    < br> You can object to interest-based advertising by Google by using the Google's corresponding setting options.

    Google Ads is a service of the American company Google LLC. The Irish
    Google Ireland Limited is responsible for users in the European Economic Area (EEA) and Switzerland. Google is subject to the EU-American and Swiss-American Privacy Shield (Privacy Shield) by which Google undertakes to guarantee sufficient data protection. In particular, Google has published the following information on the nature, scope and purposes of data processing in connection with Google Ads: data protection and personalized ads, declaration on the Privacy Shield and Terms of Service, Privacy Shield Listing (Privacy Shield).

    8.3.    We use Google Analytics to analyze the use of our offer, while anonymizing the collected IP addresses before the analysis. Google Analytics also uses cookies.

    Google Analytics is a service of the American company Google LLC. The Irish Google Ireland Limited is responsible for users in the European Economic Area (EEA) and Switzerland. We need this service to provide our offer, including our website, efficiently and user-friendly, as well as permanently, securely and reliably, in particular by analyzing usage and measuring performance and reach at troubleshooting and improvement purposes. We can also determine whether our internet advertising is successful and result in corresponding visits to our website (conversion tracking). Cookies are also used. You can oppose the statistical report of Google Analytics with an "opt-out" cookie or with the “Browser Add-on to disable Google Analytics”.

    Google is subject to the Privacy Shield (Privacy Shield) EU-American and Swiss-American by which Google undertakes to guarantee sufficient data protection. In particular, Google has published the following information on the nature, scope and purposes of data processing in connection with Google Analytics: Google Analytics Terms , Data Protection Statement and Terms 'use, Privacy Shield listing.

    8.4    We use Google Fonts to embed selected fonts in our website. Google Fonts is a service of the American company Google LLC. The Irish Google Ireland Limited is responsible for users in the European Economic Area (EEA) and Switzerland. Google is subject to the EU-American and Swiss-American Privacy Shield (Privacy Shield) by which Google undertakes to guarantee sufficient data protection. Google has in particular published the following information on the nature, scope and purposes of data processing in connection with Google Fonts: data protection at Google Fonts, data protection declaration and terms of use 'use, Privacy Shield listing.

    8.5.    We use Google Maps to integrate maps into our website. Google Maps is a service of the American company Google LLC. The Irish company Google Ireland Limited is responsible for users in the European Economic Area (EEA) and Switzerland. Google is subject to the EU-American and Swiss-American Privacy Shield (Privacy Shield) by which Google undertakes to guarantee sufficient data protection. In particular, Google has published the following information on the nature, scope and purposes of data processing in connection with Google Maps: data protection for Google products, including Google Maps, data protection statement and terms of use, listing of the Privacy Shield.

Institut Calysta