Privacy policy
This English translation is provided for convenience. The original French version is legally binding in case of dispute.
Last updated: 18 May 2026
This policy describes how Maison Bugnazet (SAS http5000) collects, uses and protects your personal data when you use www.bugnazet.fr, in compliance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.
1. Data controller
Maison Bugnazet (SAS http5000)
Chez Le Petit Musée du Vin, 3 rue Passet, 69007 Lyon, France
SIRET 431 903 376 00033
For any question about your data: info@bugnazet.fr
2. Data collected
| Data | Source | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| First/last name | Account / order | Identification, delivery, billing | Contract performance (art. 6.1.b GDPR) | 5 years after last order |
| Postal address | Account / order | Delivery, billing | Contract performance | 5 years |
| Email address | Account / order / newsletter | Order confirmation, support, marketing if consented | Contract + consent | 3 years after last interaction |
| Phone number | Order | Delivery tracking, carrier contact | Contract performance | 5 years |
| Order history | Order | Accounting, support, anonymous statistics | Legal obligation (Commercial Code) | 10 years (invoices) |
| Payment data | Stripe (never stored by us) | Payment processing | Contract performance | Per Stripe (PCI-DSS) |
| Age confirmation | Order validation | Compliance with L. 3342-1 of the Public Health Code | Legal obligation | Session + log |
| IP address, server logs | Browsing | Security, fraud prevention | Legitimate interest | 12 months maximum |
No sensitive data (health, political opinions, etc.) is collected.
3. Sub-processors
| Sub-processor | Service | Hosting location |
|---|---|---|
| Stripe | Payment processing | Ireland / USA (PCI-DSS certified, standard contractual clauses) |
| Hetzner Online GmbH | Server hosting | Germany (EU) |
| Resend | Transactional emails (confirmation, shipping) | USA (standard contractual clauses) |
| Boxtal (planned) | Shipping labels, delivery tracking | France |
| Plausible Analytics (self-hosted) | Anonymous visit statistics | Germany (our Hetzner server) |
All sub-processors are bound by contract and offer sufficient guarantees regarding GDPR compliance.
4. No unsecured transfers outside the EU
When data is processed outside the European Union (Stripe, Resend), this is done under the protection of standard contractual clauses of the European Commission or adequacy decisions, in accordance with articles 44 ff. of the GDPR.
5. Your rights
In accordance with articles 15 to 22 of the GDPR, you have the following rights regarding your data:
- Right of access (art. 15) — obtain a copy of data concerning you
- Right of rectification (art. 16) — correct inaccurate data
- Right to erasure (art. 17) — "right to be forgotten", subject to legal retention obligations
- Right to restriction of processing (art. 18)
- Right to portability (art. 20) — retrieve your data in a reusable format
- Right to object (art. 21) — including to marketing
- Right to withdraw consent at any time for the newsletter
To exercise these rights: info@bugnazet.fr. We respond within one month.
6. Complaint to the CNIL
If you believe, after contacting us, that your rights are not respected, you may file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
www.cnil.fr
7. Cookies
See our cookie policy.
8. Security
We implement appropriate technical and organisational measures to protect your data: TLS encryption across the entire site, encrypted daily backups, back-office access with strong authentication, and access logging.
9. Updates
This policy may be updated. The date of last modification appears at the top of the document. In case of substantial change, customers will be informed by email.
