Skip to content
Home » Privacy Policy

Crizalia — Privacy Policy

How we handle your personal data

Crizalia Le Blan, Lille (France)  ·  Version 2.0  ·  In effect from 27 April 2026

Your privacy matters. This Privacy Policy (“Policy“) explains, in plain language, what personal data Crizalia Le Blan (“Crizalia“, “we”, “us”) processes when you visit www.crizalia.com (the “Site“) or book a Service, why we process it, on what legal basis, how long we keep it, and the rights you have. It applies to all visitors of the Site and all clients of our Services.

We process your data in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR” / “RGPD”) and the French Loi Informatique et Libertés (Loi n° 78-17 of 6 January 1978, as amended). This Policy supersedes any previous version published on the Site.

Article 1 — Who is the controller of your data

Crizalia Le Blan — auto-entrepreneur (micro-entreprise)

Headquarters: 182 rue de Lompret, 59130 Lambersart, France

SIREN: 853 018 612  ·  SIRET: 853 018 612 00012

Email: info@crizalia.com

For all data-protection matters — questions, requests to exercise your rights, complaints — please write to info@crizalia.com or by post to the headquarters address. We respond within thirty (30) days, extendable by two months for complex or numerous requests (Article 12(3) GDPR).

Article 2 — What data we collect

We collect only the data we genuinely need to provide our Services, run the Site, and meet our legal obligations. The categories are:

  • Identification data. Name, postal address, email, phone, date of birth (where required for age verification).
  • Booking and billing data. Service booked, dates, price paid, payment method, invoice details.
  • Health data — only when relevant. When you book a Service for which a Health Declaration is required, we collect the answers you provide on that form. See Article 4 for how we protect this category.
  • Site-usage data. IP address, browser and device type, server logs, page-access timestamps. Collected automatically when you visit the Site.
  • Voluntary communications. Information you choose to share when you contact us by email, contact form, newsletter signup, or social-media direct message.

What we do not do. We do not process biometric, genetic, racial, religious, philosophical, political, sex-life, or sexual-orientation data. We do not buy data from third parties. We do not sell your data — ever.

Article 3 — Why we process your data

Each purpose is mapped to a legal basis under Article 6 GDPR (and Article 9 GDPR where the data is sensitive), and to a specific retention period.

3.1  Booking management and contract performance

Data: identification, booking. Legal basis: Article 6(1)(b) GDPR — performance of the contract you have entered into with us. Retention: 5 years from the end of the contractual relationship (Article 2224 of the French Civil Code, ordinary commercial limitation).

3.2  Invoicing and accounting

Data: identification, billing. Legal basis: Article 6(1)(c) GDPR — compliance with a legal obligation. Retention: 10 years (Article L123-22 of the French Code de commerce).

3.3  Pre-contractual contact

Data: identification, voluntary communications. Legal basis: Article 6(1)(b) GDPR — pre-contractual measures taken at your request. Retention: 3 years from your last contact, unless you become a client (in which case section 3.1 applies).

3.4  Participation-fitness assessment via Health Declaration

Data: health data declared by you. Legal basis: Article 9(2)(a) GDPR — your explicit consent to the processing of this data for the specified purpose. Retention: a maximum of 3 months after the end of the Service, then secure destruction. See Article 4 for the full safeguards.

3.5  Site security and fraud prevention

Data: site-usage data, server logs. Legal basis: Article 6(1)(f) GDPR — our legitimate interest in keeping the Site safe and operational, balanced against your interests. Retention: 12 months.

3.6  Newsletter (optional)

Data: email and first name. Legal basis: Article 6(1)(a) GDPR — your consent. Retention: until you unsubscribe (one-click unsubscribe link in every newsletter).

3.7  Defending or asserting legal claims

Data: any of the above as relevant. Legal basis: Article 6(1)(f) GDPR — legitimate interest. Retention: until the relevant claim is time-barred under French law.

Article 4 — Health data: how we protect it

Your health data, declared via the Health Declaration form, falls within the special categories of data (catégories particulières de données) protected by Article 9 GDPR. We process it under Article 9(2)(a) GDPR — your explicit consent — and only for one specific purpose: assessing your fitness to participate safely in the Service you have booked.

Your consent is freely given. You can refuse to provide a Health Declaration, but in that case we will not be able to confirm your booking for Services where it is required. Your consent can be withdrawn at any time by writing to info@crizalia.com; withdrawal does not affect the lawfulness of processing already carried out (Article 7(3) GDPR).

Strict access. Health Declaration data is read by Crizalia Le Blan only, and (where the participation involves a medical clearance, see T&Cs Article 7.3) by the qualified healthcare professional you choose. We do not share it with anyone else.

Short retention. Three (3) months after the end of the relevant Service, the Health Declaration is permanently deleted from our systems. The retention is short by design: the data is no longer needed and we do not keep it “just in case”.

Security. Health Declarations are stored encrypted at rest, on infrastructure hosted in the European Union. Paper copies, if any, are kept under lock and shredded at the retention deadline.

Article 5 — Who we share data with

We disclose your personal data only to the recipients listed below, only for the purposes set out above, and only to the extent strictly necessary. All processors act under our written instructions and provide adequate guarantees pursuant to Article 28 GDPR.

  • Hosting provider: OVH SAS, 2 rue Kellermann, 59100 Roubaix, France. Servers located in the European Union.
  • Booking & website infrastructure: WordPress (open source) running on OVH; booking plugin Amelia (TMS-Plugins).
  • Payment service providers: Stripe Payments Europe, Ltd. (for card payments) and PayPal (Europe) S.à r.l. et Cie, S.C.A. (for PayPal). Bank transfers are processed by your and our respective banks. Your bank and our bank each process the transaction as independent data controllers under their own privacy policies; Crizalia stores only the transaction reference, the date, the amount, and the name of the account holder as it appears on the transfer, for accounting and reconciliation. We do not collect or store card numbers, IBAN beyond what appears on incoming transfer notifications, or any other payment-instrument data.
  • Email service: Email correspondence is processed by our email provider; we will name the provider on request to info@crizalia.com.
  • Newsletter platform: If you opt in to the newsletter, your email is processed by our newsletter provider, named in the newsletter and on request.
  • Public authorities: Where required by law (e.g. tax authorities, courts, CNIL), and only to the extent of the legal obligation.

No data sale, no advertising profiling. We do not sell, rent, or trade your data. We do not run advertising profiles on you.

Article 6 — International transfers

Our hosting and primary processing take place inside the European Union. Where a processor unavoidably transfers data outside the EU/EEA (for example, certain back-end functions of major payment providers), the transfer is governed by the European Commission Standard Contractual Clauses (Decision (EU) 2021/914) or another mechanism listed in Articles 45–49 GDPR. You may obtain a copy of the relevant safeguards by writing to info@crizalia.com.

Article 7 — Security

We implement appropriate technical and organisational measures (Article 32 GDPR) to protect your data against unauthorised access, loss, alteration, or disclosure: encryption in transit (TLS) and at rest where applicable, strict access control, regular backups, and incident-response procedures. In the unlikely event of a personal-data breach likely to result in a risk to your rights and freedoms, we notify the CNIL within 72 hours (Article 33 GDPR) and you directly when required (Article 34 GDPR).

Article 8 — Your rights

Under Articles 15 to 22 GDPR, you have the following rights, free of charge:

  • Right of access (droit d’accès, Article 15) — obtain confirmation that we process your data and a copy.
  • Right to rectification (droit de rectification, Article 16) — correct inaccurate or incomplete data.
  • Right to erasure (droit à l’effacement, Article 17) — have your data deleted, subject to legal exceptions.
  • Right to restriction (droit à la limitation, Article 18) — restrict processing in defined cases.
  • Right to data portability (droit à la portabilité, Article 20) — receive your data in a structured, machine-readable format.
  • Right to object (droit d’opposition, Article 21) — object to processing based on legitimate interest.
  • Right to withdraw consent (droit de retirer le consentement, Article 7(3)) — at any time, without affecting the lawfulness of past processing.
  • Right to set post-mortem directives (droit aux directives post-mortem, Article 85 of Loi n° 78-17) — define how your data is handled after death.

To exercise any of these rights, write to info@crizalia.com. We do not require a copy of your ID by default; we may ask for additional verification only if there is reasonable doubt about your identity (CNIL guidance). We respond within thirty (30) days, extendable by two months for complex or numerous requests.

Right to lodge a complaint with the CNIL (droit d’introduire une réclamation, Article 77 GDPR). If you believe that our processing infringes your rights, you may lodge a complaint with the French data-protection authority: Commission Nationale de l’Informatique et des Libertés (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr.

Article 9 — Cookies and similar technologies

Our use of cookies and similar technologies is described in the Cookie Policy published on the Site. The Cookie Policy explains which cookies are strictly necessary (set without consent), which require your consent, how to grant or refuse consent, and how to withdraw consent at any time.

Article 10 — Children

Our Services are reserved for persons aged 18 and over. We do not knowingly collect personal data from children. If you believe we have collected such data, please contact info@crizalia.com and we will delete it without delay.

Article 11 — Updates to this Policy

We may update this Policy to reflect legal, technical, or organisational changes. The version applicable to a given booking is the one in force at the time of confirmation. Material changes are communicated to active clients before any new processing.

Article 12 — Contact

Questions about this Policy or about how your data is processed? Write to info@crizalia.com or by post to: Crizalia Le Blan, 182 rue de Lompret, 59130 Lambersart, France.

error: Our content is restricted to protect ancestral culture and traditions