Privacy Policy — CRP.001

Data Controller: CRP.001

Contact: hi@va001.online

Website: va001.online

We collect only the data strictly necessary to process your orders and operate our business. This includes:

Data you provide directly:

• Full name
• Delivery and billing address
• Email address
• Phone number (if provided)
• Payment information (processed securely by Stripe — we never store your card details)

Data collected automatically:

• IP address
• Browser type and version
• Pages visited and time spent on the site
• Referring URLs
• Device type

Data from cookies:

• Session and preference cookies necessary for the site to function
• Analytics cookies (if applicable) — see Section 7

We process your data only when we have a valid legal basis to do so:

We do not use your data for automated decision-making or profiling.

Your personal data is used exclusively to:

• Process, fulfill, and ship your orders
• Communicate with you about your order status
• Handle any after-sales inquiries or issues
• Comply with our legal and fiscal obligations
• Improve the functionality and experience of our website

We will never sell, rent, or trade your personal data to any third party for commercial purposes.

We share your data only with trusted third-party service providers who are strictly necessary to operate our business:

• Stripe — payment processing (their privacy policy applies to payment data)
• Shipping carriers — your name and delivery address are shared with the carrier handling your order
• Sanity.io — our content management system (product and order data storage)
• Vercel — our website hosting provider

All third-party providers are bound by data processing agreements and are required to handle your data in accordance with GDPR.

We may also disclose your data if required to do so by law, court order, or regulatory authority.

We retain your personal data only for as long as necessary:

• Order data: retained for 10 years in accordance with French accounting and tax law
• Customer correspondence: retained for 3 years from the date of last contact
• Marketing data (if consented): retained until you withdraw consent
• Website analytics data: retained for a maximum of 13 months

After these periods, your data is securely deleted or anonymized.

Our website uses cookies to ensure proper functionality and improve your browsing experience.

Essential cookies: necessary for the site to function (cart, session). These cannot be disabled.

Analytics cookies: used to understand how visitors interact with the site (e.g. pages visited, time on site). These are only activated with your consent.

You can manage or disable non-essential cookies via your browser settings at any time. Disabling cookies may affect some features of the website.

We take the security of your personal data seriously. We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure.

Payment data is processed exclusively through Stripe’s secure, PCI DSS-compliant infrastructure. CRP.001 never stores or has access to your full card details.

However, no method of transmission over the internet is 100% secure. While we do our best to protect your data, we cannot guarantee absolute security.

As a data subject under the GDPR, you have the following rights:

• Right of access — you can request a copy of the personal data we hold about you
• Right to rectification — you can ask us to correct inaccurate or incomplete data
• Right to erasure (“right to be forgotten”) — you can ask us to delete your data, subject to legal retention obligations
• Right to restriction of processing — you can ask us to limit how we use your data
• Right to data portability — you can request your data in a structured, machine-readable format
• Right to object — you can object to processing based on legitimate interest
• Right to withdraw consent — where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, contact us at: hi@va001.online

We will respond to your request within 30 days. If you believe your rights have been violated, you have the right to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés) at www.cnil.fr.

Some of our third-party providers (Stripe, Vercel, Sanity) may process data outside the European Economic Area (EEA). Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, to protect your data in accordance with GDPR requirements.

Our website is not directed at children under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The most current version will always be posted on this page with the effective date. Your continued use of the website after any update constitutes acceptance of the revised policy.

For any questions, requests, or concerns regarding your personal data or this Privacy Policy, please contact us at:

You also have the right to contact the French data protection authority: