Privacy Policy

The controller of personal data collected via the Site is:

Fantasmagorie Agency (commercial brand: CreativGen)
SAS (simplified joint stock company) with a share capital of €1,000.00
Registered office: 35 rue du Moulinet, 75013 Paris, France
SIREN: 990 917 049
Email: hello@creativgen.com
Phone: +33 1 53 62 05 91

In connection with the use of the Site and its services, the Data Controller collects the following categories of personal data:

• Identification data: surname, first name, email address, phone number.
• Account data: login identifier (email), account preferences, loyalty level and points.
• Booking data: reserved studio, time slot, chosen package, options and add-ons, amount paid.
• Payment data: transactions are processed by our payment provider Stripe. The Data Controller does not store any banking data (card number, CVV). Only the transaction identifier and payment status are retained.
• Browsing data: IP address, browser type, operating system, pages viewed, visit duration, actions performed on the Site.
• Security data: data collected by our abuse and spam protection tools.
• Communication data: content of messages sent via the contact form or quote requests.

Personal data is collected and processed for the following purposes:

• User account management: creation, secure authentication, profile and access rights management.
• Booking processing: time slot management, booking confirmation, service monitoring.
• Payment processing: collection via Stripe, invoice issuance, accounting follow-up.
• Loyalty program: allocation and management of points, levels and associated discounts.
• Communication: sending transactional emails (confirmations, reminders) via SendGrid, responding to contact and quote requests.
• Site improvement: browsing behavior analysis, user experience optimization, bug fixing.
• Security: fraud prevention, abuse detection, protection against automated attacks and unauthorized access.
• Legal obligations: retention of billing data in accordance with accounting and tax obligations.

Each processing of personal data relies on one of the following legal bases, in accordance with Article 6 of the GDPR:

• Performance of a contract (Article 6.1.b): booking processing, account management, loyalty program, transactional emails.
• Legitimate interest (Article 6.1.f): Site security, user experience improvement, fraud prevention.
• Consent (Article 6.1.a): non-essential cookies (analytics), commercial communications where applicable.
• Legal obligation (Article 6.1.c): retention of billing and accounting data.

Personal data may be shared with the following categories of recipients, strictly within the scope of the purposes described above:

• Stripe (Stripe Inc., United States): credit card payment processing. Stripe adheres to the EU-US Data Privacy Framework.
• SendGrid (Twilio Inc., United States): sending transactional emails and notifications. Twilio adheres to the EU-US Data Privacy Framework.
• Vercel (Vercel Inc., United States): Site hosting and file storage. Vercel adheres to the EU-US Data Privacy Framework.
• MongoDB (MongoDB Inc., United States): database hosting. MongoDB adheres to the EU-US Data Privacy Framework.
• Google (Google LLC, United States): abuse protection services. Google adheres to the EU-US Data Privacy Framework.
• Hotjar (Hotjar Ltd, Malta / EU): browsing behavior analysis and user experience optimization. Hotjar processes data within the European Union.
• Axeptio (Agilitation SAS, France): cookie consent management. Data is processed in France.

Some of our processors are established outside the European Union. These transfers are governed by the following safeguards:

• The EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023), to which our US-based processors adhere.
• Standard Contractual Clauses (SCCs) adopted by the European Commission, where the Data Privacy Framework does not apply.

Personal data is retained for the period strictly necessary for the purposes for which it was collected:

• User account data: retained for the duration of the account's existence, then deleted within thirty (30) days of the account deletion request.
• Booking and service data: retained for three (3) years from the last service provided.
• Billing and payment data: retained for ten (10) years in accordance with accounting and tax obligations (Article L.123-22 of the French Commercial Code).
• Browsing and analytics data: retained for a maximum of thirteen (13) months in accordance with CNIL recommendations.
• Contact and quote request data: retained for three (3) years from the last exchange.
• Security logs: retained for twelve (12) months.

In accordance with the GDPR and the Loi Informatique et Libertés, you have the following rights regarding your personal data:

• Right of access (Article 15 GDPR): obtain confirmation that your data is being processed and receive a copy.
• Right to rectification (Article 16 GDPR): request the correction of inaccurate or incomplete data.
• Right to erasure (Article 17 GDPR): request the deletion of your data, subject to legal retention obligations.
• Right to restriction of processing (Article 18 GDPR): request a temporary freeze on the processing of your data.
• Right to data portability (Article 20 GDPR): receive your data in a structured, commonly used and machine-readable format.
• Right to object (Article 21 GDPR): object to the processing of your data based on legitimate interest.
• Right to withdraw your consent at any time, when processing is based on consent, without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to define directives regarding the fate of your data after your death (Article 85 of the Loi Informatique et Libertés).

The Data Controller implements appropriate technical and organizational measures to ensure the security and confidentiality of personal data, including:

• Encryption of exchanges via HTTPS protocol across the entire Site.
• Secure authentication by one-time code with automatic expiration.
• Restricted access to administration interfaces based on user profile.
• Reinforced HTTP security headers.
• Protection against automated attacks on sensitive entry points.
• Anti-abuse verification on sensitive actions (login, file uploads).
• Hosting on secure and certified infrastructure.

The Site uses cookies and similar technologies. For complete information about the cookies used, their purposes and how to manage your preferences, please refer to our Cookie Policy.

The Site is not intended for persons under sixteen (16) years of age. The Data Controller does not knowingly collect personal data from minors under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@creativgen.com so that we can proceed with its deletion.

The Data Controller reserves the right to modify this Privacy Policy at any time. The version in force is that published on the Site, identified by its update date. In the event of a substantial modification, users will be informed by any appropriate means (notification on the Site, email). Continued use of the Site after modification constitutes acceptance of the new version.