Privacy Policy

How we process and protect your personal data

1. Data controller

The data controller is Galerie Roz In Winter, 61 Grande Rue, 77630 Barbizon (France). Contact: artistesrozinwinter@gmail.com — +33 6 10 71 13 25. Full legal information (legal form, registration) is provided in the Legal Notice.

This policy explains what data we collect through galerierozinwinter.com, why, how long we keep it and what your rights are.

2. Data we collect

Depending on how you use the site, we may collect:

  • Artist or buyer account: name, email, password (encrypted), and for artists their public profile (bio, photo, social links).
  • Orders: name, email, phone, shipping and billing address, details of the artworks ordered.
  • Payment: handled directly by Stripe — we never store your card details.
  • Newsletter: email, first name and preferred language.
  • Price enquiries / contact: name, email, phone, message.
  • Opening RSVP: name, email, number of guests.
  • Chatbot assistant: the content of the messages you type into it.
  • Technical data: IP address, browser type, pages viewed (via cookies, subject to consent).

3. Purposes and legal bases

We process your data for the following purposes:

  • Manage your account and fulfil your orders — basis: performance of a contract (Art. 6(1)(b) GDPR).
  • Issue invoices and meet accounting obligations — basis: legal obligation (Art. 6(1)(c)).
  • Send the newsletter — basis: your consent (Art. 6(1)(a)), revocable at any time.
  • Respond to your requests (contact, pricing, chatbot) — basis: your request / legitimate interest (Art. 6(1)(f)).
  • Measure audience and improve the site — basis: your consent (cookies).
  • Prevent fraud and secure the site — basis: legitimate interest (Art. 6(1)(f)).

4. Recipients and processors

Your data is never sold. It is accessible to the gallery and to technical processors acting on instructions, under GDPR-compliant agreements:

  • Supabase — database, authentication and file storage.
  • Vercel — website hosting and delivery.
  • Cloudflare — DNS and content delivery network.
  • Stripe (and Klarna / Alma for instalments) — payment processing.
  • Brevo and Resend — transactional emails and newsletter delivery.
  • Anthropic — engine of the chatbot assistant (processing of chatbot messages).

5. Transfers outside the European Union

Some processors (Vercel, Stripe, Resend, Anthropic, Cloudflare) are established in the United States or may process data there. These transfers are governed by appropriate safeguards: the European Commission’s Standard Contractual Clauses and/or Data Privacy Framework membership. A copy of these safeguards is available on request.

6. Retention periods

  • Account: for the lifetime of the account, deleted upon your request.
  • Orders and invoices: 10 years (accounting and tax obligation).
  • Newsletter: until you unsubscribe.
  • Price and contact requests: 3 years after the last exchange.
  • Consent cookies: 6 months; analytics cookies: 13 months maximum.
  • Technical logs: 12 months maximum.

7. Cookies and trackers

The site uses strictly necessary cookies (authentication, cart, security), exempt from consent, and — only with your agreement — analytics and marketing cookies. You choose via the consent banner and can change your preferences at any time.

8. Your rights

Under the GDPR, you have the rights of access, rectification, erasure, restriction, portability and objection, as well as the right to withdraw consent and to set instructions regarding your data after death.

If you have an account, you can download or delete your data directly from your account area. Otherwise, use our dedicated form. We respond within one month at most.

You may also lodge a complaint with the CNIL (www.cnil.fr).

9. Security

We implement appropriate technical and organisational measures: password and connection encryption (HTTPS), access control, regular backups and a Content Security Policy (CSP).

10. Contact and updates

For any question about your data: artistesrozinwinter@gmail.com. This policy may be updated; the date of last revision appears below.

Last updated: 25 May 2026