Skip to content
CMay Collections — AccueilCMay Collections — Accueil
Legal · GDPR

Privacy Policy

What data we collect, why, for how long, and what your rights are.

Last updated: 28 mai 2026 — compliant with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act of 6 January 1978, as amended.

1. Data controller

The controller of the personal data collected on https://www.cmay-collections.com is:

  • CMAY COLLECTIONS
  • SIREN: 101 176 410 — Head office SIRET: 101 176 410 00013
  • Data Protection Officer (DPO): dpo@cmay-collections.com

2. Data collected and purposes

We collect and process the following data:

2.1 Customer account management

  • Data: email, password (hashed), first name, last name, sign-up date
  • Purpose: enable authentication and order tracking
  • Legal basis: performance of the contract (GDPR art. 6.1.b)
  • Retention : 3 ans après la dernière connexion (puis suppression / anonymisation)

2.2 Order processing

  • Data: products ordered, delivery address, billing address, amount, payment method (excluding banking data)
  • Purpose: preparation, delivery, invoicing, after-sales service
  • Legal basis: performance of the contract
  • Retention : 10 ans à compter de la livraison (obligation comptable, art. L123-22 Code de commerce)

2.3 Newsletter

  • Data: email, sign-up source, date
  • Purpose: sending commercial and editorial information
  • Legal basis: consent (GDPR art. 6.1.a)
  • Retention : Jusqu'à désabonnement (lien de désinscription dans chaque envoi)

2.4 Loyalty & referral programme

  • Data: email, order history, CMay Coins balance, referred friends
  • Purpose: calculating points, awarding rewards
  • Legal basis: performance of the contract (programme membership)
  • Retention : 3 ans après la dernière transaction

2.5 Customer service / support

  • Data: email, content of exchanges, relevant order number
  • Purpose: handling requests
  • Legal basis: legitimate interest / performance of the contract
  • Retention : 3 ans après le dernier échange

2.6 Cookies & audience measurement

  • Data: cookie identifiers, pages visited, browsing journey
  • Purpose: improving the site, measuring audience, personalising the experience
  • Legal basis: consent (except for strictly necessary cookies)
  • Retention : 13 mois maximum (recommandation CNIL)

Cookie details and management are on the Cookies page.

2.7 Payment data

Banking data (card number, CVV) is never stored by CMay Collections. It is sent directly to our payment service provider (Shopify Payments / Stripe (selon le moyen choisi)), Certifié PCI-DSS niveau 1).

3. Data recipients

Your data is only accessible to those who need to know it for the stated purposes:

  • our teams (logistics, customer service, marketing);
  • our technical subprocessors (hosting provider, database, e-commerce platform, emailing provider, payment provider);
  • our carriers (Colissimo, Mondial Relay, Chronopost) — only the data strictly necessary for delivery;
  • administrative or judicial authorities, upon legal request.

We never sell or rent your data to third parties for commercial purposes.

4. Subprocessors & transfers outside the EU

The main subprocessors are:

  • Vercel Inc. (web hosting) — transfers outside the EU governed by the European Commission's Standard Contractual Clauses. Privacy Policy
  • Supabase Inc. (database) — stored in Union européenne (Frankfurt, Allemagne). Privacy Policy
  • Shopify International Ltd. (e-commerce and payment platform) — Privacy Policy

5. Security

CMay Collections implements appropriate technical and organisational measures to protect your data against loss, alteration, disclosure and unauthorised access: TLS encryption across the entire Site, password hashing (bcrypt algorithm or equivalent), access control, logging, and regular backups.

6. Your rights

In accordance with the GDPR (art. 15 to 22) and the French Data Protection Act, you have the following rights regarding your data:

  • Right of access: obtain a copy of your data
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure (the “right to be forgotten”)
  • Right to restriction of processing
  • Right to portability: retrieve your data in a structured format
  • Right to object, in particular to marketing
  • Right to withdraw your consent at any time (without retroactive effect)
  • Right to set post-mortem instructions on what happens to your data after your death

To exercise these rights, send a request to dpo@cmay-collections.com, stating the subject of your request and attaching a copy of an identity document (only where necessary to verify your identity — the copy is deleted immediately after verification).

We respond within 30 days at most (extendable by 2 months in complex cases).

7. Complaint to the CNIL

If you believe your rights are not being respected, you may lodge a complaint with the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL):

8. Changes to the policy

This policy may change. Any substantial change is subject to prior notice (banner, email). The applicable version is the one in effect at the time of the relevant processing.