Preamble

As part of its activities, PAYOT, as the data controller, collects and processes your Personal Data in compliance with the amended French Data Protection Act (“Informatique et Libertés”) and the General Data Protection Regulation (GDPR) to meet your needs and requests.

This document aims to explain PAYOT’s principles and commitments regarding the protection of Personal Data.

This Policy applies to all PAYOT services, regardless of their nature.

This Policy specifically applies to all websites and applications managed by PAYOT:

https://www.payot.com

Its main purpose is to inform you about:

Your rights as a data subject in relation to our data processing.

What is the scope of this policy?

The Policy concerns any third-party natural person connected with PAYOT (this may include customers, website users, suppliers, service providers, other partners, etc.).

This document focuses on describing the processing methods applied solely to personal data.

Who is the Data Controller of your personal data?

The data controller of personal data is the company LABORATOIRES DR.N.G. PAYOT.

How does PAYOT implement the protection of Personal Data?

PAYOT complies with the following obligations:

To integrate data protection upstream in projects: “Privacy by Design.”
PAYOT commits to considering the protection of your Personal Data and your privacy from the design phase of the services offered to you, thus minimizing the risks of non-compliance with the principles of the GDPR and the amended French Data Protection Act.
Accordingly, appropriate and proportionate technical and organizational measures are taken in light of the purpose pursued by PAYOT in the intended processing.

The application of this principle therefore enables the implementation of preventive measures to limit risks related to Personal Data.

To ensure, by default, the highest level of protection of personal data: “Privacy by Default.”
PAYOT implements appropriate technical and organizational measures to guarantee that, by default, optimal security of processing is organized and applied.

Which processing activities are covered by this policy?

The Register of Processing Activities at PAYOT covers various categories of data subjects according to different activities. In customer relations, it includes managing customer statistics, handling public and private responses, managing website reviews and comments, overseeing social media content, maintaining relationships with loyal customers, providing customer loyalty services, managing online chat, and processing and shipping orders.

In digital marketing, it covers managing influencer accounts, handling contest winners on social networks, managing applications submitted via the website, managing reviews and comments related to PAYOT campaigns, overseeing photos on social networks, and managing PAYOT after-sales service complaints.

For e-commerce, the processing involves managing e-commerce statistics, handling blocked orders, managing customer accounts registered on the PAYOT website, processing payments for e-commerce orders, sending automated emails to customers and prospects, and shipping e-commerce orders.

Operational marketing activities include communication and in-store animation, management of contests, and searching for contacts or prospects, especially at trade shows.

Finally, in the management of commercial partners, the processing includes managing commercial distribution as well as order processing, services, and subscriptions related to suppliers, distributors, and partners.

What personal data does PAYOT collect according to its purposes?

Payot commits to collecting only the data strictly necessary to carry out the processing and not to divert this data from the purpose for which it was initially collected.

Payot collects and processes the data strictly necessary for its operational activities. The categories of data processed notably include:

For customer service activities: identification data (first and last name), contact data (phone number, email address), location data (postal address), economic and financial data (bank details), transaction data (date, amount, etc.), and communication data (exchanges).

For e-commerce activities: identification data (first and last name), contact and location data (email addresses, postal address), transaction data (shopping cart, amount and dates of transactions, etc.), and communication data (via email, phone, etc.).

For digital marketing activities: identification data (first and last name), contact data (phone number, email address), location data (postal address), bank details, connection data (user data, IT traceability data), professional life data (e.g., collection of CVs and information related to candidates’ careers on the PAYOT site), and data related to images and videos.

For operational marketing activities: identification data (first and last name), transaction data (shopping cart, date, and amount of transaction), and contact data (email address, phone number).

For activities related to managing commercial partners and commercial distribution: identification data (first and last name), transaction data (shopping cart, date, and amount of transaction), and contact data (email address, phone number).

What is the legal basis for the legitimacy of our processing activities?

PAYOT relies on the following legal bases to process personal data: legal obligation, contractual performance, consent, and legitimate interest.

Who may your personal data be shared with?

The collected data is intended for PAYOT and is hosted only by the services responsible for its processing. Your data may be transmitted or shared, depending on the processing involved, with certain of our partners, particularly in the areas of e-commerce, communication, customer relations, and training. These include:

For e-commerce: Axome, TVH / SAP, Klaviyo, Loyaly, Stripe, PayPal, Colissimo.

For communication/influence: Affilae.

For customer relations: Gorgias, Dialog.

We also inform you that we work, occasionally or over the medium term, with other partners or subcontractors, mainly in connection with our activities in IT development, security and data protection, infrastructure and software integration.

Additionally, some data from our partners or clients may be shared (only if they have given their consent) on PAYOT’s social media platforms (TikTok, Instagram, etc.).

Can your personal data be transferred outside the European Union?

PAYOT carries out all processing of your personal data within the territory of the European Union (EU).

How long is your personal data retained?

The retention period of your personal data depends on the processing carried out. PAYOT commits not to keep your personal data beyond the time necessary to provide the service, and thus your use of the service, plus the retention period required by applicable legal statutes of limitation. A summary table of all retention periods is currently being prepared by PAYOT. It will be published and accessible from this paragraph once finalized.

How is your personal data protected?

PAYOT is committed to taking all measures to ensure the security and confidentiality of your personal data, specifically to prevent it from being damaged, deleted, or accessed by unauthorized third parties.

Only authorized personnel can access the data. Any subcontractor staff accessing data servers are always accompanied and supervised by a PAYOT employee and/or the IT department.

We continuously improve our security procedures as technology evolves to maintain the highest level of protection. Our staff and subcontractors who have access to personal data are contractually bound by confidentiality obligations.

Organizational measures include limiting access to personal data to only authorized individuals who have a legitimate interest in knowing the data.

Furthermore, in the event of a security incident affecting your personal data (destruction, loss, alteration, or disclosure), PAYOT ensures compliance with the obligation to notify data breaches, particularly to the CNIL (French Data Protection Authority).

What are your rights regarding your personal data?

You have the right at any time to exercise your rights with PAYOT as provided by applicable personal data regulations, subject to meeting the necessary conditions and depending on the legal basis of the processing concerned. You can request access to your personal data processed by PAYOT when it is based on your consent, a legal obligation, the performance of a contract, or PAYOT’s legitimate interest. You also have the possibility to request the correction or updating of this data.

You may object to the processing of your personal data when it is based on your consent, contractual performance, or PAYOT’s legitimate interest, except when the processing is carried out under a legal obligation imposed on PAYOT, in which case this objection is not possible. You can request the deletion of your data under the same conditions, subject to legal retention periods, but not if the processing is justified by a legal obligation.

It is also possible to request the restriction, meaning the temporary suspension of processing, if you have a request for correction, deletion, or objection in progress, or if you believe the processing is unlawful but PAYOT refuses to delete your data. Finally, you have the right to data portability, which means PAYOT can provide you with your personal data, but only if the processing is based on your consent or the performance of a contract. This right does not apply when the processing is carried out under a legal obligation.

How can you exercise your rights regarding your personal data?

When collecting your personal data, you are informed of the postal and/or email address to which you can send your request to exercise your rights. A template for this request is attached as an annex to this policy.

Any request that is not made in a way that leaves no doubt about the identity of the requester must be accompanied by a copy of an identity document. PAYOT commits to responding to your requests to exercise your rights as quickly as possible and at the latest within one month of receiving your request, provided that exercising these rights does not interfere with the execution of the contract or compliance with legal and regulatory obligations. If necessary, this period may be extended by two months in case of complexity and/or a large number of requests.

To ensure the protection, security, and confidentiality of your personal data, PAYOT has appointed a Data Protection Officer (DPO). You can contact our Data Protection Officer as follows:

Identification of the DPO: the company Dposystem

By email: dpo.payot@dposystem.fr

Furthermore, you retain the right to file a complaint with the CNIL by submitting your requests on the website: www.cnil.fr/fr/plaintes/internet