Privacy Policy
Last updated: January 2025
Introduction
Ma Box de Cross SARL (hereinafter 'MBC Store', 'we', 'our') is committed to protecting the privacy of users of its website mbcstore.fr (hereinafter 'the Site'). This privacy policy describes the personal data we collect, how we use it and what your rights are.
This policy complies with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and the French Data Protection Act of January 6, 1978 as amended.
Article 1 - Data Controller
Ma Box de Cross SARL
Share capital: 1000 euros
RCS Pontoise 884 241 878
VAT number: FR07884241878
Registered office: 11 rue de Navarre, 77700 Serris, France
Legal representative: Fabien Loyer
Email: contact@mbcstore.fr
Article 2 - Personal Data Collected
We collect the following data as part of our business:
2.1 Identification data
- First and last name
- Email address
- Phone number (optional)
- Shipping and billing postal address
2.2 Transaction data
- Order history
- Products purchased
- Transaction amounts
- Payment data (processed exclusively by Stripe, we do not store your banking information)
2.3 Technical data
- IP address
- Browser type and version
- Operating system
- Pages visited and visit duration
- Traffic source
2.4 Communication data
- Email correspondence
- Reviews and comments
- Communication preferences
Article 3 - Purposes and Legal Bases
In accordance with GDPR, we process your data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Order processing | Contract performance |
| Product delivery | Contract performance |
| Customer relationship management | Contract performance |
| Billing and accounting | Legal obligation |
| Fraud prevention | Legitimate interest |
| Website improvement | Legitimate interest |
| Newsletter and marketing communications | Consent |
| Analytics and marketing cookies | Consent |
Article 4 - Data Retention Period
We retain your personal data for the following periods:
- Active customer data: For the duration of the business relationship, then 3 years after the last contact
- Billing data: 10 years (legal accounting obligation)
- Payment data: Stored only by Stripe according to their policy
- Cookies: 13 months maximum (see our cookie policy)
- Connection logs: 12 months
At the end of these periods, your data is deleted or anonymized.
Article 5 - Data Recipients
Your data may be shared with the following categories of recipients:
5.1 Our service providers
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Secure payment | EU / USA |
| Printful | Printing and shipping | EU / USA |
| Vercel | Website hosting | USA |
| Google Analytics | Traffic analysis | USA |
| Mailjet | Email delivery | France / EU |
5.2 Other recipients
- Judicial or administrative authorities (in case of legal requisition)
- Legal advisors and accountants (bound by professional secrecy)
Article 6 - Transfers Outside the European Union
Some of our service providers are located outside the European Union (particularly in the United States). These transfers are governed by:
- Standard contractual clauses: approved by the European Commission (decision 2021/914)
- EU-US Data Privacy Framework: for certified American companies
You can obtain a copy of the safeguards in place by contacting us.
Article 7 - Data Security
We implement appropriate technical and organizational measures to protect your data:
- SSL/TLS encryption for all communications
- Secure hosting with Vercel (SOC 2 certified)
- Secure payments via Stripe (PCI-DSS certified)
- Restricted access to personal data
- Regular backups
In case of a data breach likely to result in a high risk to your rights and freedoms, we will inform you as soon as possible, as well as the CNIL within 72 hours.
Article 8 - Your Rights
In accordance with GDPR (articles 15 to 22), you have the following rights:
- Right of access (art. 15): Confirm that your data is being processed and receive a copy
- Right of rectification (art. 16): Correct your inaccurate or incomplete data
- Right to erasure (art. 17): Request deletion of your data ('right to be forgotten')
- Right to restriction (art. 18): Restrict processing of your data in certain cases
- Right to portability (art. 20): Receive your data in a structured, machine-readable format
- Right to object (art. 21): Object to certain processing, particularly direct marketing
- Right to withdraw consent: At any time, without affecting the legality of prior processing
- Post-mortem directives: Define directives regarding the retention and communication of your data after your death
Article 9 - How to Exercise Your Rights
To exercise your rights, you can contact us:
By email: contact@mbcstore.fr
By mail:
MBC Store - Ma Box de Cross
Personal data request
11 rue de Navarre
77700 Serris, France
We will respond to your request within one month. This period may be extended by two months in case of complex requests, in which case we will inform you.
We may ask you to verify your identity before processing your request.
Article 10 - Right to Lodge a Complaint
If you believe that the processing of your personal data constitutes a violation of GDPR, you have the right to lodge a complaint with the CNIL (French Data Protection Authority):
CNIL
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07
Website: www.cnil.fr
Article 11 - Cookies
Our site uses cookies. For more information about the cookies we use and how to manage them, please see our Cookie Policy.
Article 12 - Policy Modifications
We reserve the right to modify this privacy policy at any time. In case of substantial modification, we will inform you by email or via a notification on the site. The date of the last update is indicated at the top of this page.
Contact
For any questions regarding this privacy policy or your personal data:
MBC Store - Ma Box de Cross SARL
Email : contact@mbcstore.fr
Address : 11 rue de Navarre, 77700 Serris, France