Privacy Policy

Politique de confidentialité · last updated 18 May 2026

This Privacy Policy describes how Z-SCHOOL SARL processes your personal data in compliance with EU Regulation 2016/679 (GDPR) and the French Data Protection Act (Loi Informatique et Libertés as amended).

1. Data controller

Z-SCHOOL SARL
2 Avenue de la Découverte, 21000 Dijon, France
SIREN · 803 348 564 · RCS Dijon
For data requests: privacy@zzschooll.com

2. Data Protection Officer (DPO)

As a SARL of fewer than 250 employees not processing large-scale special-category data, we are not required to designate a DPO under Article 37 GDPR. The privacy-contact role is held by the company managers, reachable via privacy@zzschooll.com.

3. Data we collect

  • Order data — name, billing/shipping address, email, phone, items, order amount
  • Payment data — card details are processed by Stripe and never stored on our servers. We retain only a tokenised reference and the last 4 digits
  • Account data (optional) — email, hashed password, saved addresses, order history
  • Analytics — pseudonymised page views, referral source, device type — only if you accept analytics cookies
  • Newsletter — email address — only if you opt in
  • Customer-care correspondence — content of your emails to us

4. Legal basis for processing (GDPR Article 6)

  • Order processing and delivery — performance of contract (Art. 6(1)(b))
  • Newsletter and analytics — consent (Art. 6(1)(a)), withdrawable any time
  • Accounting records — legal obligation (Art. 6(1)(c)), 10 years per French Commercial Code (Art. L123-22)
  • Customer-care correspondence — legitimate interest (Art. 6(1)(f)) in handling your request
  • Fraud prevention — legitimate interest (Art. 6(1)(f)) via Stripe Radar

5. Recipients (sub-processors)

  • Stripe Payments Europe Ltd. (Ireland) — payment processing
  • Hostinger International Ltd. (Cyprus / EU) — site hosting and transactional email
  • Carrier partners — varying by destination — fulfilment and tracking
  • Google Ireland Ltd. — Google Analytics 4, only if analytics cookies accepted
  • French tax authorities — VAT One-Stop-Shop reporting

Data may transit through servers outside the EU/EEA via these providers. Such transfers are protected by Standard Contractual Clauses (Art. 46 GDPR) or, where applicable, adequacy decisions.

6. Retention periods

Order & invoice data · 10 years (French Code de Commerce L123-22)
Customer account · 3 years from last activity, then deletion or anonymisation
Marketing consent · 3 years from last interaction, or until withdrawn
Customer-care emails · 3 years
Analytics (pseudonymised) · 14 months (CNIL recommendation)
Cookie consent log · 13 months

7. Your rights

Under GDPR you have the right to:

  • Access your data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (“right to be forgotten”, Art. 17) — subject to legal retention obligations
  • Restrict processing (Art. 18)
  • Data portability in a structured machine-readable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time without affecting the lawfulness of past processing
  • Define directives on the fate of your data after death (French specific, Loi pour une République numérique 2016)

To exercise any right, email privacy@zzschooll.com with a copy of your ID. We reply within 1 month (extendable by 2 months for complex requests, Art. 12 GDPR).

8. Right to lodge a complaint

If you believe our processing violates GDPR, you may lodge a complaint with the French supervisory authority:

CNIL — Commission Nationale de l’Informatique et des Libertés
3 Place de Fontenoy — TSA 80715
75334 PARIS CEDEX 07, France
Tel · +33 1 53 73 22 22
Online complaint · www.cnil.fr/fr/plaintes

9. Children

Our products are sold to adults. We do not knowingly collect personal data from children under 15 (digital age of consent in France, GDPR Art. 8 + French DPA Art. 45). If you believe a child has provided us data, email privacy@zzschooll.com and we will delete it.

10. Security

We use TLS encryption (HTTPS), tokenised payments (Stripe PCI Level 1), hashed account passwords (bcrypt), and Wordfence intrusion detection. Backups are stored in the EU. In case of a personal-data breach affecting your rights, we notify the CNIL within 72 hours (Art. 33 GDPR) and you when the breach poses a high risk (Art. 34).

11. Cookies

See Cookie Policy for full details and the consent banner.

12. Changes to this policy

Material changes are notified by banner on the homepage and, where appropriate, by email to registered users. The “last updated” date at the top of this page is always current.

Z-SCHOOL SARL, RCS Dijon 803 348 564, head office at 2 Avenue de la Découverte, 21000 Dijon, France. Email · privacy@zzschooll.com.