PRIVACY POLICY AND PERSONAL DATA PROTECTION

Last updated: 13 June 2025

MALFROY&MILLION (hereinafter referred to as “MALFROY”) is committed to protecting your personal data to enable you to browse our websites www.malfroy.com and shop.malfroy.com (hereinafter the “Sites”) with confidence.

We protect your privacy by ensuring the protection, confidentiality, integrity, availability, and security of the personal data you entrust to us across all our communication channels.

This policy (hereinafter the “Policy”) is intended to inform you of the processing of your personal data (hereinafter the “Data”) in connection with your use of our Sites, in accordance with Articles 12, 13 and 21 of the European General Data Protection Regulation (GDPR) and the French Data Protection Act as amended.

Personal data means any information relating to an identified or identifiable natural person, as defined in Article 4 of the GDPR.

 

1. DATA CONTROLLER

The controller of your Data, within the meaning of the GDPR, is:

MALFROY & MILLION
SARL with sole shareholder – Share capital: €1,232,000
Registered with the RCS of LYON under number 957 526 379
Registered office: 153, route de Vourles BP-33, 69564 Saint-Genis Laval Cedex, France
Email: malfroy@malfroy.com
Phone: +33 (0)4 72 39 33 66

 

2. DATA PROTECTION OFFICER

Contact details of our Data Protection Officer:

Name: Marie-Aude Van Duynslaeger
Phone: +33 (0)4 72 39 33 66
Email: malfroy@malfroy.com

 

3. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

We collect and process your Data in order to provide our Sites and offer you the best possible service.

a. Visiting Our Sites

When using the Sites, we may collect certain data such as the URL of the links through which you accessed the Sites, your internet service provider, your IP address, etc. These may be collected by us or our subcontractors (e.g., Shopify, Google, Meta, etc.).

We process your Data to provide technical access to our Sites on the following legal basis:

• Legitimate interest: to ensure we provide technically functional, user-friendly, and secure Sites, and to protect against cybersecurity threats.

b. Contact via Phone or Contact Form

When contacting us by phone, you may be asked to provide your name and contact details (phone number, email address, etc.).

When contacting us through our contact form, you will be asked to provide your name, surname (only on www.malfroy.com), phone number (only on www.malfroy.com), email address, subject, and message. Country and company are optional fields (only on www.malfroy.com).

Data is recorded to process your request and/or respond to any queries.
Data is retained for the time strictly necessary to manage your request, and in any case no longer than three (3) years from your last unanswered request, unless you request deletion or object in the meantime.

We do not share your Data with any third parties without your express consent, except those listed in Article 5.

Legal basis:

• Legitimate interest: to respond to and manage your requests.

c. Purchase via shop.malfroy.com

When placing an order on shop.malfroy.com, you will need to provide required information such as: name, surname, postal address, phone number, email address, and payment details.

This data is stored on secure servers.

Data is retained for the duration strictly necessary to manage our commercial relationship, and no longer than five (5) years from your last purchase, unless you request deletion or object.

We do not share your Data with any third parties without your express consent, except those listed in Article 5.

Legal basis:

• Performance of a contract: to fulfill your order.

d. Newsletter Subscription

You may subscribe to our newsletter by providing your email address in the relevant section.

You will then receive regular newsletters with updates on our products. You can unsubscribe at any time.

Data is retained only for as long as necessary to send you the newsletter and, in any case, until you unsubscribe.

We do not share your Data with any third parties without your express consent, except those listed in Article 5.

Legal basis:

• Consent: which may be withdrawn at any time by emailing malfroy@malfroy.com, calling +33 (0)4 72 39 33 66, or clicking the unsubscribe link in the newsletter.
  
  
  

4. DATA DELETION

Your Data is deleted as soon as the purpose for which it was collected no longer applies or upon your request.
It is also deleted after the retention periods mentioned above unless its continued storage is required for contractual, legal, or administrative purposes or if you have expressly consented to extended retention.

5. CATEGORIES OF DATA RECIPIENTS

Initially, only our administrative and management staff process your Data. They are bound by confidentiality obligations and regularly trained in data protection and security.

However, we may share your Data with service providers supporting our Sites, to the extent permitted or required by law. These third parties may act as:

• Processors, acting strictly under our instructions and in compliance with data protection laws; or
• Independent Controllers, handling Data with appropriate safeguards when required.

Categories of recipients include:

• Delivery providers: Certain details may be shared with logistics providers to process and deliver your order placed on shop.malfroy.com.

 

6. COOKIES

Please refer to our Cookie Policy for further details.

 

7. DATA TRANSFERS

Collected Data will not be transferred outside the European Union under any circumstances.

8. SECURITY

We have implemented appropriate security and confidentiality measures to protect the personal Data you provide from unauthorized access and use.

To this end, technical and organizational measures are in place to prevent the loss, misuse, alteration, or destruction of your personal data. These measures are tailored to the level of sensitivity of the data processed and the level of risk posed by the processing or its implementation.

However, please be aware that despite all security measures taken, no data transmission over the internet is 100% secure, and all information communicated online may potentially be intercepted and used by individuals other than the intended recipient.

 

9. RIGHTS OF DATA SUBJECTS 

You have the following rights:

• Right of Access: You are entitled, at any time, to request confirmation as to whether or not personal Data concerning you is being processed; if so, you are also entitled to access said Data and certain other details (including the purposes of the processing, categories of Data, categories of recipients, expected retention period, source of the Data, use of automated decision-making, and, in the case of Data transfer to a non-member state, the appropriate safeguards), as well as to obtain a copy of your Data.
• Right to Rectification: You are entitled to request the correction of any inaccurate or incorrect Data.
• Right to Erasure ("Right to be Forgotten"): Under certain conditions, you are entitled to request the erasure of your Data as soon as possible. The right to erasure does not apply in particular where Data processing is required (i) for the exercise of the right to freedom of expression and information, (ii) to comply with a legal obligation to which we are subject (such as legal retention obligations), or (iii) for the establishment, exercise, or defense of legal claims.
• Right to Restriction of Processing: Under certain conditions, you are entitled to request restriction of the processing of your Data.
• Right to Data Portability: You have the right to receive your personal Data that you have provided to us in a structured, commonly used, and machine-readable format.
• Right to Object: Under certain conditions, and based on your particular situation, you may object to the processing of your Data. In such cases, we will cease processing unless the processing must continue for legal reasons or for the establishment, exercise, or defense of legal claims.
• Right to Withdraw Consent: You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the legality of the processing based on the consent prior to its withdrawal.

You can exercise these rights by contacting us at: malfroy@malfroy.com. Your request will be processed within thirty (30) days.

If you exercise one or more of your rights, we are required to inform, where applicable, all recipients to whom your personal Data has been disclosed—subject to your express prior consent—unless this proves impossible or requires disproportionate effort. You are entitled to request information about such recipients.

 

10. COMPLAINTS TO THE SUPERVISORY AUTHORITY

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés).

The CNIL will inform you of the progress and outcome of your complaint, including the possibility of judicial recourse pursuant to Article 78 of the GDPR.

However, we encourage you to contact us first at malfroy@malfroy.com or +33 (0)4 72 39 33 66. We will respond within thirty (30) days.

 

11. AMENDMENTS AND UPDATES TO THIS POLICY

By using the Site, you agree to the collection, use, and disclosure of your Data as described in this Policy.

This Policy reflects MALFROY’s current practices and may be amended or updated at any time.