Data Protection
Privacy Policy
Last updated : 21 April 2026
At Hayoss, protecting your privacy is a top priority. This policy explains what data we collect, why, how we protect it, and your rights. It is written in accordance with the GDPR (EU Regulation 2016/679) and applicable data protection law.
1. Data Controller
Controller : Hayoss — {{COMPANY_NAME}}
Legal form : {{LEGAL_FORM}}
Address : {{ADDRESS}}
Company reg. no. : {{SIRET}}
Privacy contact : contact@hayoss.com
2. Data Collected
We collect the following categories of data:
Identification data
- First and last name
- Email address
- Phone number (optional)
Delivery data
- Postal delivery and billing address
- Country and postcode
Transaction data
- Order history
- Amounts and currencies
- Payment status (no card data stored — Stripe tokenisation)
Navigation data
- IP address (anonymised)
- Pages visited, session duration
- Cookies with your consent (see §8)
3. Purposes of Processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Order processing and delivery | Contract performance (art. 6.1.b) |
| Customer account management | Contract performance (art. 6.1.b) |
| Transactional emails (confirmation, dispatch) | Contract performance (art. 6.1.b) |
| Invoice retention | Legal obligation (art. 6.1.c) |
| Newsletter and marketing communications | Consent (art. 6.1.a) |
| Anonymous audience analytics | Legitimate interest (art. 6.1.f) |
| Targeted advertising (Meta CAPI) | Consent (art. 6.1.a) |
4. Retention Period
| Data type | Retention period |
|---|---|
| Active customer account | 3 years after last activity |
| Order data and invoices | 10 years (legal obligation) |
| Prospect data (newsletter) | 3 years after last contact or unsubscription |
| Navigation logs (anonymous) | 13 months |
| Non-essential cookies | 13 months maximum |
5. Data Recipients
Your data is shared only with the sub-processors necessary for the service. We never sell your data to third parties.
Card payment processing
Non-EU transfer : Adequacy / SCCs
Israel payment processing
Non-EU transfer : Adequacy decision (Israel)
Product supplier and dispatch
Non-EU transfer : Standard Contractual Clauses (SCCs)
Frontend website hosting
Non-EU transfer : Standard Contractual Clauses (SCCs)
API backend hosting
Non-EU transfer : Standard Contractual Clauses (SCCs)
PostgreSQL cloud database
Non-EU transfer : EU territory
Email marketing (newsletter, retargeting)
Non-EU transfer : Standard Contractual Clauses (SCCs)
Transactional emails
Non-EU transfer : Standard Contractual Clauses (SCCs)
6. International Data Transfers
Some of our sub-processors (Stripe, Vercel, Railway, Klaviyo, Resend) are based in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46 of the GDPR. Our product supplier AliExpress is based in China; transfers are also covered by SCCs. China does not benefit from an EU adequacy decision.
7. Your GDPR Rights
Under the GDPR, you have the following rights:
Right of access
Obtain confirmation of processing and a copy of your data.
Right to rectification
Have inaccurate or incomplete data corrected.
Right to erasure ("right to be forgotten")
Request deletion of your data (subject to legal retention obligations).
Right to restriction
Temporarily restrict the processing of your data.
Right to data portability
Receive your data in a structured, machine-readable format.
Right to object
Object to processing for direct marketing or legitimate interest purposes.
Withdrawal of consent
Withdraw your consent for marketing at any time.
To exercise your rights:
Send your request to contact@hayoss.com. We will respond within one month.
8. Cookies
Essential cookies
Required for the site to function (session, cart, authentication). No consent required.
Analytics cookies
Used to measure audience and improve the experience. Subject to consent.
Marketing cookies
Used to display personalised ads (Meta CAPI, etc.). Subject to prior consent.
9. Data Security
- Encrypted communications in transit (TLS/SSL)
- Payment data managed exclusively by Stripe (PCI-DSS tokenisation)
- Data access restricted to authorised personnel
- Passwords hashed (never stored in clear text)
- Regular encrypted backups
10. Data Protection Officer (DPO)
Hayoss is not legally required to appoint a DPO based on the size and nature of its activities. For any questions about data protection, contact us directly at contact@hayoss.com.
11. Right to Lodge a Complaint
If you believe the processing of your personal data does not comply with applicable regulations, you have the right to lodge a complaint with the competent supervisory authority:
French Data Protection Authority (CNIL)
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
www.cnil.fr — Tel : 01 53 73 22 22
12. Policy Changes
This privacy policy may be updated to reflect legal, regulatory, or operational changes. We will notify you of significant changes by email or via a visible banner on the site.