Privacy Policy
La Maison du Chocolat, head office address 65 avenue de Ségur in the 7th arrondissement of Paris, is a company specializing in the chocolate and patisserie sector.
La Maison du Chocolat respects your privacy and is committed to processing your personal data fairly and transparently, in accordance with applicable data protection regulations, and in particular the General Data Protection Regulation (GDPR).
Please read the following carefully to understand our policy and practices regarding your personal data and how we process it.
The company, La Maison du Chocolat, acts as Data Controller for the processing of personal data referred to in this document and is hereinafter referred to as "the Data Controller" or "we/us".
The Data Controller has appointed a person responsible for the data protection policy, whom you can contact:
Via the following email address: mesdonneespersonnelles@lamaisonduchocolat.com
Using the contact form: https://www.lamaisonduchocolat.com/fr_fr/contact
By post at the following address:
La Maison du Chocolat
FAO GDPR Officer
41 rue Paul Lescop, 92000 Nanterre, France
enclosing proof of your identity by all appropriate means. In addition, you must clearly indicate your surname(s) and forename(s), and the address to which you wish the reply to be sent.
The data protection officer can be contacted at the following email address: dpo@savencia.com
Purposes of processing | Categories of personal data processed |
Order management | Identification details for individuals: title, forename, surname, date of birth. Identification details for company contacts: title, forename, surname, company, country. Details relating to business relationship follow-up: invoices, billing address, delivery address, order information, details of products purchased, tracking number provided by the carrier. Contact details: email address, telephone number. |
Creating and managing user accounts | Identification details for individuals: title, forename, surname, date of birth. Identification details for company contacts: title, forename, surname, company, country. Contact details: email address, telephone number. |
Management of requests from the contact form | Identification details: title, forename, surname. Contact details: email address. Data relating to the business relationship: order number. |
Claims management | Identification details: forename, surname. Contact details: email address and/or telephone number. Data relating to the business relationship: order number. |
Sales prospecting / Sending marketing communications / Sending newsletters | Identification details: forename, surname, date of birth. Contact details: email address, telephone number, postal address. Other data: interests, favorite categories. |
Competitions | Identification details: forename, surname. Contact details: email address, cell phone number. Data relating to participation in the competition: answers transmitted for the competition, results obtained by the participant. |
Management of chat requests (on the Company Area page) | Identification details: surname. Contact details: email address. |
Management and follow-up of requests to exercise your personal data rights | Identification details: surname, forename. Contact details: email address. |
Management of job applications via job boards | Identification details: forename, surname. Contact details: email address. Data transmitted as part of an application: CV, cover letter. |
Management of quote requests made via the website | Identification details: title, forename, surname, company, department. Contact details: email address, telephone number. |
Customer feedback management | Identification details: title, forename, surname. Contact details: email address. Data relating to the business relationship: order number, purchase store, purchase date, purchase amount, products purchased. |
Retargeting our audiences | Identification data: forename, surname, zip code, country. Contact details: email address, telephone number. Browsing data. |
Audience analysis | Demographic data: age, gender, interests, geolocation data. Browsing data: pages visited, actions, clicks, conversions. Technical data: browser version, device, user IDs, operating system. |
Customer categorization and customer path-to-purchase follow-up | User experience data: purchasing habits. |
Loyalty program management | Identification details: title, forename, surname, date of birth. Contact details: email address, telephone number, postal address. |
You must fill in fields marked with an asterisk on our forms. If you do not, the associated service cannot be provided.
La Maison du Chocolat undertakes to process your personal data fairly and transparently.
Your personal data is collected fairly, without any processing taking place without your knowledge and without prior information.
We are committed to processing your personal data for specific purposes: each data processing operation carried out is for a legitimate, stated and explicit purpose.
We ensure that your data is kept up to date, and implement procedures to enable inaccurate data to be deleted or corrected.
The purposes, legal bases and retention periods implemented by the Data Controller are set out below.
We will retain your personal data in accordance with a fixed-period retention policy so that data is retained for the time proportionate to the purpose for which it was collected, except where laws and regulations require a different retention period.
Accordingly, we organize our policy as follows:
Purposes of processing | Legal bases | Retention periods |
1. Order management | Contractual obligation | For the duration of the contractual relationship in active database, then 5 years in interim storage. Billing information is kept for 10 years from the end of the financial year. |
2. Creating and managing user accounts | Legitimate interest | 4 years from your last contact. |
3. Management of requests from the contact form | Legitimate interest | Processing time in active database, then 3 years in interim storage. |
4. Claims management | Legitimate interest | Processing time in active database, then 3 years in interim storage. |
5. Sales prospecting / Sending marketing communications / Sending newsletters | Consent | Until you withdraw your consent or, failing that, 4 years after the last positive contact from you. |
6. Competitions | Contract performance (competition rules); Legitimate interest (fraud prevention) | For the duration of the competition, plus 6 months. |
7. Management of chat requests (Company Area) | Legitimate interest | Processing time in active database, then 3 years in interim storage. |
8. Managing rights requests | Legal obligation (Articles 15 et seq. of GDPR) | Right of access, correction, deletion and restriction of processing: 1 year then anonymization at the end of the period. Right to object: 6 years then anonymization at the end of the period. |
9. Application management | Execution of pre-contractual measures | The time it takes to process a request in the active database, then up to 2 years in interim storage. |
10. Management of quote requests made via the website | Execution of pre-contractual measures | For quotes not converted into orders, 5 years from quote date. For confirmed orders, 10 years from the end of the financial year. |
11. Customer feedback management | Legitimate interest | Data may be kept for a maximum of 24 months. It is then aggregated and anonymized. |
12. Retargeting our audiences | Consent | Until you withdraw your consent or, failing that, 4 years after the last positive contact from you. |
13. Audience analysis | Consent | Data is kept for 14 months. |
14. Customer categorization and customer path-to-purchase follow-up | Legitimate interest | 4 years after your last positive contact. |
15. Loyalty program | Consent | Until you withdraw your consent or, failing that, 4 years after the last positive contact from you. |
Data in interim storage may only be consulted on a case-by-case basis by persons specifically authorized to do so.
The personal data that we collect, as well as data that is collected subsequently, is intended to be used by us in our capacity as Data Controller.
We ensure that only authorized persons have access to this data. Our subcontractors/service providers may receive this data to perform the services we entrust to them.
When we use a service provider, we only disclose personal data to them after obtaining a commitment and guarantees from them regarding their ability to meet these security and confidentiality requirements.
In compliance with its legal and regulatory obligations, La Maison du Chocolat enters into contracts with its subcontractors which precisely define the terms and conditions of data processing by the latter, in accordance with regulations on personal data protection.
Your personal data may be reconciled, pooled or shared between all the parent, sister and subsidiary entities of the Data Controller.
It may be disclosed to these entities for the purposes set out in this data protection policy. These operations are carried out on the basis of instruments compliant with applicable regulations and capable of ensuring protection of and compliance with your rights.
As part of the services offered, we transfer your personal data to recipients located in the following countries:
- United States
- Japan
- Hong Kong
- Canada
- Tunisia
Each of these transfers is governed by legal instruments in accordance with the applicable legal framework.
We attach particular importance to the security of personal data.
La Maison du Chocolat has implemented technical and organizational measures adapted to the degree of sensitivity of personal data, with a view to ensuring its integrity and confidentiality and protecting it against any malicious intrusion, loss, alteration or disclosure to unauthorized third parties.
However, despite our best efforts, no security measure can protect against all risks of misappropriation or piracy, for which we cannot be held responsible as Data Controller.
In the event of a personal data breach, we undertake to notify CNIL (the French Data Protection Agency) thereof in accordance with current regulations on personal data protection. In the event of a data breach that poses a high risk to your rights and freedoms, we will inform you as soon as possible, in accordance with the conditions laid down in current regulations on personal data protection.
La Maison du Chocolat, as the Data Controller, is particularly careful about respecting your rights as regards the data processing it implements.
a. Your right to be informed
You acknowledge that this data protection policy informs you of the purposes, legal framework, interests, recipients or categories of recipients with whom your personal data is shared, and of the possibility of data transfer to a third country or to an international organization.
In addition to this information and in order to ensure the fair and transparent processing of your data, you acknowledge that you have received additional information concerning:
- The retention period for your personal data
- Your rights and how to exercise them
Should we decide to process data for purposes other than those indicated, you will be provided with all information relating to these new purposes.
b. Your right of access
By exercising this right, you can obtain confirmation of whether or not your personal data is being processed and, where it is, you have the right to request a copy of your data and information about:
- The purposes of its processing
- The categories of personal data concerned
- The recipients or categories of recipients and, where appropriate, if such disclosures are to be made, the international organizations to which the personal data has been or will be disclosed, in particular recipients in third countries
- Where possible, the intended retention period for personal data or, where not possible, the criteria used to determine this period
- The right to request from the Data Controller the correction or deletion of your personal data, the right to request the restriction of its processing, and the right to object to its processing
- The right to lodge a complaint with a supervisory authority
- Information relating to the source of the data when it is not collected directly from the data subjects
- Automated decision-making, including profiling, and in such cases, any relevant information about the underlying logic as well as the significance and expected consequences of such processing for the data subjects
c. Your right to correct your data
You may ask us to correct or complete your personal data if it is inaccurate, incomplete, ambiguous or out of date.
d. Your right to deletion
i. General case
You may ask us to delete your personal data in the cases provided for by law and regulations. Please note that the right to data deletion is not a general right, and can only be exercised if one of the reasons provided for in the applicable regulations is present.
ii. Special case of competitions
Requests received during a competition period will be assessed according to the competition rules.
e. Your right to restrict data processing
You may ask us to restrict the processing of your personal data in the cases provided for by law and regulations.
f. Your right to object
You have the right to object at any time, for reasons relating to your particular situation, to the processing of your personal data for which the legal basis is the legitimate interest pursued by the Data Controller.
g. Your right to portability
You have the right to the portability of your personal data. Please note that this is not a general right. In effect, not all data from all processing operations is portable, and this right only applies to automated processing, not to manual or paper-based processing. This right is limited to processing for which the legal basis is your consent or the performance of pre-contractual measures or of a contract.
h. Your right to withdraw your consent
When the data processing we carry out is based on your consent, you may withdraw it at any time. We will then stop processing your personal data without it affecting any previous operations to which you have consented.
i. Your right to define post-mortem instructions
You also have the option of specifying particular instructions regarding the retention, deletion and disclosure of your personal data after your death, according to the procedure set out below. These specific instructions only concern the processing carried out by us and will be restricted to this scope.
You also have the right, once this person has been designated by the executive authority, to specify general instructions for the same purposes.
All the rights listed above may be exercised:
Via the following email address: mesdonneespersonnelles@lamaisonduchocolat.com
Using the contact form: https://www.lamaisonduchocolat.com/fr_fr/contact
By post at the following address:
La Maison du Chocolat
FAO GDPR Officer
41 rue Paul Lescop, 92000 Nanterre, France
enclosing proof of your identity by all appropriate means. In addition, you must clearly indicate your surname(s) and forename(s), and the address to which you wish the reply to be sent.
In principle, all your rights can be exercised free of charge. However, to exercise the right of access, you may be asked to pay reasonable administrative fees for any copies of the data you request.
With regard to the right to be informed, the Data Controller is under no obligation to fulfill your request if you already have the information you are requesting.
The Data Controller will inform you if they are unable to comply with your requests within one month of receiving them. If necessary, this period may be extended by a further two months, in which case you will be informed of the extension and the reasons for it.
These rights are not absolute and are subject to different conditions under:
- Local applicable personal data protection or privacy law
- Laws and regulations applicable to you
The Data Controller wishes to inform you that any omission or modification of your data may have consequences with regard to the processing of certain requests for the performance of the contractual relationship, and that your request to exercise your rights will be kept for monitoring purposes for six years when exercising the right to object and for one year when exercising other rights.
The data protection officer can be contacted at the following email address: dpo@savencia.com.
If necessary, you are entitled to lodge a complaint with the French Data Protection Agency (3 place de Fontenoy, 75007 Paris, France or https://www.cnil.fr/fr/plaintes), or to take legal action.
This data protection policy may be amended, particularly in the event of changes to the services offered by La Maison du Chocolat. We therefore recommend that you consult this policy each time you visit the website.