Privacy policy
MT MANAGEMENT SAS, operator of the Luxarmonie website (https://luxarmonie.com/), is committed to protecting the privacy of its clients and visitors. This Privacy Policy describes how we collect, use, retain and protect your personal data, in accordance with Regulation (EU) 2016/679 of 27 April 2016 on data protection (GDPR) and French Law no. 78-17 of 6 January 1978, as amended, known as the Data Protection Act (Loi Informatique et Libertés).
This policy applies to any individual visiting or making a purchase on the website https://luxarmonie.com/, regardless of their geographical location.
Article 1 — Data Controller
The controller responsible for the processing of your personal data is:
| Entity | MT MANAGEMENT SAS |
| Legal form | Simplified joint-stock company with a sole shareholder |
| Share capital | 1 000,00 € |
| SIREN / RCS | 988 489 985 — RCS Paris |
| Intra-Community VAT | FR32988489985 |
| Registered office | 200 rue de la Croix Nivert, 75015 Paris, France |
| GDPR contact email | contact@luxarmonie.com |
| WhatsApp (messages) | +33 7 56 83 85 41 |
For any question relating to your personal data or to the exercise of your rights, please contact us exclusively at the email address above or by post.
MT MANAGEMENT has not formally appointed a Data Protection Officer (DPO), as such designation is not mandatory in view of its activity and the nature of the data processed (Article 37 GDPR).
Article 2 — Data collected
2.1 Data you provide to us directly
– Identification data: surname, first name, email address
– Contact details: telephone number (if voluntarily provided)
– Delivery data: full postal address (street, town/city, postcode, country)
– Customer account data: login credentials (email + encrypted password, never stored in clear text)
– Communications: messages sent via our contact form, by email or via WhatsApp
– Product personalisation data: options selected at the time of order (colour, size, engraving, etc.)
2.2 Data collected automatically as you browse
– Technical data: IP address, browser type and version, operating system, screen resolution
– Browsing data: pages visited, time spent viewing, referring URL, journey through the site
– Behavioural data: products viewed, basket additions, basket abandonments, interactions with elements of the site
– Approximate location data: country and city inferred from the IP address (not GPS)
– Cookie and tracker data: see Article 7
2.3 Transactional data
– Order history: references, amounts inclusive of tax, dates, statuses, products ordered
– Payment data: payment method used (card type, last digits if displayed by the provider) — full payment card data is never stored by MT MANAGEMENT and is processed exclusively by our PCI-DSS certified payment service providers
– Delivery data: delivery address, carrier used, tracking number
2.4 Data we do not collect
MT MANAGEMENT does not collect sensitive data within the meaning of Article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation). Our website is intended for an adult clientele (aged 18 and over); we do not knowingly collect data relating to minors.
Article 3 — Purposes and legal bases of processing
3.1 Performance of the contract — Article 6.1.b GDPR
– Processing, preparation and follow-up of your orders
– Organisation and tracking of delivery (transmission of the necessary data to carriers)
– Management of after-sales service, returns and refunds
– Invoicing, accounting and tax archiving
– Management of your customer account and your purchase history
3.2 Legal obligation — Article 6.1.c GDPR
– Retention of invoicing data for 10 years (Article L123-22 of the French Commercial Code)
– Response to legally founded judicial, administrative or tax requisitions
– Compliance with VAT reporting obligations (IOSS, OSS) on international sales
3.3 Legitimate interest — Article 6.1.f GDPR
– Prevention and detection of order and payment fraud
– Technical security of the website and information systems
– Improvement of our products, services and shopping experience (anonymised statistical analysis)
– Management of disputes and defence of our rights in court
You may object to such processing based on legitimate interest at any time (see Article 8 — your rights).
3.4 Consent — Article 6.1.a GDPR
– Sending of marketing emails, newsletters and promotional communications (via Klaviyo)
– Sending of promotional SMS messages (via Kanal)
– Placement and reading of non-essential analytical and advertising cookies (Meta, Pinterest, Google Ads)
Consent is obtained on an explicit, free and informed basis. It may be withdrawn at any time, without affecting the lawfulness of any processing carried out prior to such withdrawal.
Article 4 — Retention periods
| Customer data — invoices, orders | 10 years from the date of the transaction (statutory accounting obligation — art. L123-22 of the French Commercial Code) |
| Active customer account data | Lifetime of the account + 3 years following the last activity |
| Inactive customer account data | 3 years from the last login or interaction, after which data is deleted or anonymised |
| Email marketing data (Klaviyo) | 3 years from the last contact or until consent is withdrawn |
| SMS marketing data (Kanal) | 3 years from the last contact or until unsubscription (STOP SMS) |
| Browsing data and server logs | 13 months maximum |
| Analytical and advertising cookies | 13 months maximum (in accordance with CNIL recommendations) |
| Payment card data | Not retained by MT MANAGEMENT — processed and stored exclusively by PCI-DSS certified providers |
| Fraud prevention data | 5 years from the closure of the file |
Beyond these periods, data is either permanently deleted or irreversibly anonymised for statistical purposes.
Article 5 — Recipients and Processors
Your personal data may be transmitted to the following processors and partners, strictly within the limits necessary for the performance of their services. Each of them has contractually committed to GDPR compliance through appropriate contractual clauses.
| Processor | Purpose | Country | Transfer Safeguard |
| Shopify Inc. | Store hosting, order and payment management | Canada / USA | European Commission SCCs |
| Klaviyo Inc. | Email marketing, automations, segmentation | USA | European Commission SCCs |
| Kanal | SMS marketing and notifications | EU | GDPR Data Processing Agreement |
| Meta Platforms | Facebook / Instagram advertising pixel (server-side) | USA | European Commission SCCs |
| Pinterest Inc. | Pinterest advertising pixel (server-side via Stape & GTM) | USA | European Commission SCCs |
| Google LLC | Google Ads — conversion tracking and remarketing | USA | European Commission SCCs |
| Stape / GTM | Server-side tag management, containerisation | EU / USA | European Commission SCCs |
| Logistics carriers | Order delivery (PostNL, DHL, DPD, etc.) | Variable | Contractual clauses |
| Payment service providers | Secure payment processing (Shopify Pay, Klarna, PayPal, etc.) | Variable | PCI-DSS + SCCs |
MT MANAGEMENT never sells your personal data to third parties. No data transfer for advertising or commercial purposes is carried out outside of the partners listed above.
5.1 Transfers outside the European Union
Several of the processors listed above are established in the United States. These transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Article 46 of the GDPR, ensuring an adequate level of protection for your data.
Within the framework of server-side tracking (Meta, Pinterest via Stape & GTM), data is processed server-side prior to transmission to the advertising platforms, thereby limiting the raw data transmitted and strengthening the protection of your privacy compared to a conventional browser pixel.
Article 6 — Advertising and Server-Side Tracking
Luxarmonie uses a server-side tracking system for its Meta (Facebook/Instagram), Pinterest and Google Ads advertising campaigns. This system operates as follows:
– Conversion events (purchase, add to basket, page view) are first captured by our servers via Google Tag Manager Server-Side hosted on Stape
– Only the data strictly necessary for measuring advertising performance is then transmitted to the platforms (Meta Conversions API, Pinterest API for Conversions, Google Ads API)
– This system reduces the volume of raw data sent to the platforms compared to traditional browser pixels
– Server-side tracking is only activated if you have given your consent to advertising cookies via our consent banner
The data used for advertising tracking may include: hashed email address (SHA-256), partially anonymised IP address, purchase events and order values.
Article 7 — Cookies and trackers
7.1 What is a cookie?
A cookie is a small text file placed on your device (computer, tablet, smartphone) when you visit the website. Some cookies are essential to the operation of the site, while others require your prior consent.
7.2 Strictly necessary cookies — no consent required
| _session_id | Shopify user session — duration: session |
| _shopify_visit | Visit counter — 30 minutes |
| _shopify_uniq | Unique visitor identification — expires at midnight |
| cart | Shopping basket contents — 2 weeks |
| _secure_session_id | Checkout session security |
| storefront_digest | Access to password-protected storefront |
| _shopify_y | Anonymous visitor identification — 1 year |
7.3 Analytics and advertising cookies — prior consent required
| Meta Pixel (fbq) | Facebook/Instagram conversion measurement and remarketing — via server-side Stape |
| Pinterest Pixel (pintrk) | Pinterest Ads conversion measurement — via server-side Stape & GTM |
| Google Ads (gtag) | Google Ads conversion tracking and remarketing |
| Klaviyo (_kla_id) | Browsing behaviour tracking for email personalisation — 2 years |
These cookies are placed only after your explicit consent has been collected via our cookie management banner, accessible at the foot of the website. You may amend your preferences at any time.
7.4 Managing your preferences
You may manage your cookie preferences at any time via:
– Our consent banner accessible at the foot of the website
– Your browser settings (deletion, blocking of third-party cookies)
– The opt-out tools provided by each platform (Meta: facebook.com/adpreferences, Google: myaccount.google.com/data-and-privacy, Pinterest: pinterest.com/settings/privacy)
Refusing advertising cookies does not affect your ability to browse the website or place an order.
Article 8 — Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights regarding your personal data:
| Right of access (Art. 15) | Obtain a copy of all data we hold concerning you |
| Right to rectification (Art. 16) | Correct inaccurate, incomplete or outdated data |
| Right to erasure (Art. 17) | Request the deletion of your data, subject to legal retention obligations |
| Right to restriction (Art. 18) | Temporarily restrict the processing of your data (e.g. during a dispute) |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format, in order to transmit it to another controller |
| Right to object (Art. 21) | Object to the processing of your data for direct marketing purposes or based on legitimate interest |
| Withdrawal of consent | Withdraw at any time your consent for processing based thereon (marketing emails, SMS, advertising cookies) |
| Right not to be subject to automated decision-making (Art. 22) | Not to be subject to a decision producing legal effects based solely on automated processing |
To exercise your rights, please contact us at: contact@luxarmonie.com, clearly stating your request and enclosing a copy of proof of identity if necessary. We undertake to respond within a maximum period of 30 calendar days from receipt of your request. This period may be extended by a further 2 months in the case of a complex or multiple request (you will be notified accordingly).
Article 9 — Right to Lodge a Complaint with the CNIL
If, after contacting us, you consider that your rights regarding your personal data are not being respected, you have the right to lodge a complaint with the competent supervisory authority:
| Authority | Commission Nationale de l'Informatique et des Libertés (CNIL) |
| Website | www.cnil.fr |
| Address | 3 Place de Fontenoy — TSA 80715 — 75334 Paris CEDEX 07 |
| Telephone | +33 1 53 73 22 22 |
| Online form | www.cnil.fr/fr/plaintes |
Residents of other EU Member States may also refer the matter to the supervisory authority of their country of residence.
Article 10 — Data Security
MT MANAGEMENT implements appropriate technical and organisational measures to protect your personal data against any loss, unauthorised access, disclosure, alteration or accidental or unlawful destruction. These measures include, in particular:
– SSL/TLS encryption (HTTPS) of all communications between your browser and our servers
– AES-256 encryption of payment data by our PCI-DSS certified providers
– SHA-256 hashing of identification data prior to transmission to advertising platforms (server-side tracking)
– Access to personal data restricted to authorised personnel, on the basis of the principle of least privilege
– Secure authentication and access management for internal tools
– Access monitoring and logging of actions performed on sensitive data
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, MT MANAGEMENT undertakes to inform you as soon as possible, in accordance with Article 34 of the GDPR.
Article 11 — Minors
The website https://luxarmonie.com/ is intended for an adult clientele aged 18 and over. MT MANAGEMENT does not knowingly collect personal data from minors. If you are a minor, you must not use this website or make any purchases on it without the agreement and supervision of a parent or legal guardian.
If MT MANAGEMENT becomes aware that it has collected data from a person under the age of 18 without valid parental consent, such data will be deleted as soon as possible.
Article 12 — Specific Rights According to Your Country of Residence
In addition to the GDPR rights detailed in Article 8, customers residing outside the European Union enjoy the following rights under their national legislation. These rights apply in addition to the GDPR rights, and MT MANAGEMENT undertakes to uphold them.
12.1 Customers residing in the United Kingdom — UK GDPR
Since 1 January 2021 (Brexit), the United Kingdom has its own data protection legislation: the UK GDPR, incorporated into the Data Protection Act 2018. Its provisions are virtually identical to the European GDPR.
Your rights are the same as in the EU (access, rectification, erasure, portability, objection, restriction). The competent supervisory authority for customers residing in the United Kingdom is:
| Authority | Information Commissioner's Office (ICO) |
| Website | www.ico.org.uk |
| Address | Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF |
| Telephone | +44 303 123 1113 |
| Complaint form | ico.org.uk/make-a-complaint |
Data transfers from the United Kingdom to MT MANAGEMENT (established in France, EU) benefit from an adequacy decision by the United Kingdom recognising the adequate level of protection of the EU.
12.2 Customers residing in California (USA) — CCPA/CPRA
California residents enjoy the rights conferred by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), which came into force on 1 January 2023.
Under these laws, you have the following rights:
– Right to know: to be informed of the categories of personal data collected, the purposes of collection, and the third parties with whom they are shared
– Right to deletion: to request the deletion of your personal data, subject to legal exceptions
– Right to correction: to rectify inaccurate personal data
– Right to opt out of data sharing: to object to the sharing of your data for targeted advertising purposes
– Right to non-discrimination: MT MANAGEMENT will not penalise you for exercising your CCPA rights
– Right to limit the use of sensitive data: applicable where relevant
Under California laws, the use of your data by our advertising partners (Meta, Pinterest, Google Ads) for advertising targeting may be considered a "sharing" of data within the meaning of the CCPA. You may object to this at any time by contacting us at contact@luxarmonie.com with the subject "CCPA Opt-Out", or via the opt-out tools provided by each platform (see Article 7.4).
To exercise your CCPA rights, please contact us at contact@luxarmonie.com — we will respond within 45 calendar days (extendable by a further 45 days if necessary).
MT MANAGEMENT does not sell your personal data for monetary consideration within the strict meaning of the CCPA.
12.3 Customers residing in Canada — PIPEDA / Law 25 (Quebec)
Canadian residents enjoy the rights conferred by the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, and for residents of Quebec, by Law 25 (an Act to modernise legislative provisions as regards the protection of personal information).
Your rights include in particular:
– Right to access your personal information and to obtain a copy thereof
– Right to rectification of inaccurate information
– Right to withdraw your consent to processing (with reasonable notice)
– Right to be informed in the event of a confidentiality incident affecting you
Consent to the processing of your data is obtained explicitly upon your registration or order. You may withdraw it at any time by contacting contact@luxarmonie.com.
For Quebec residents, MT MANAGEMENT undertakes to comply with the enhanced requirements of Law 25, in particular regarding transparency of purposes, retention periods and opt-out rights.
12.4 Language of the Privacy Policy
This Privacy Policy is available in several languages corresponding to Luxarmonie's active markets. In the event of any divergence of interpretation between the various language versions, the French version shall be authoritative and shall prevail over all other versions.
If you wish to receive this policy in a specific language available on the website, please contact us at contact@luxarmonie.com.
Article 13 — Email and SMS marketing
13.1 Email marketing — Klaviyo
If you have consented to receive our marketing communications by email, you may receive:
– Luxarmonie newsletters and news updates
– Promotional offers and discount codes
– Automated emails (abandoned basket, order tracking, post-purchase follow-ups)
– Personalised product recommendations based on your browsing and purchase history
You may unsubscribe at any time by clicking the unsubscribe link at the bottom of each email, or by contacting contact@luxarmonie.com. Unsubscription takes effect immediately for campaigns and within 10 working days for automations.
13.2 SMS marketing — Kanal
If you have consented to receive commercial SMS messages, you may receive promotional offers and Luxarmonie notifications by SMS. This consent is independent of any purchase and does not condition access to the website or to its offers.
To unsubscribe: reply STOP to any SMS received. Unsubscription is immediate and definitive. Your telephone number is never transmitted to third parties for commercial purposes other than the sending of the SMS messages to which you have consented.
Article 14 — Links to third-party websites
Our website may contain links to third-party websites (social networks, partners, press articles). MT MANAGEMENT is not responsible for the privacy practices of these websites. We recommend that you consult their respective privacy policies.
Article 15 — Amendments to this policy
MT MANAGEMENT reserves the right to amend this Privacy Policy at any time, in particular to keep it compliant with changes in regulations, our practices or our tools. The update date appears at the top of the document.
In the event of a substantial amendment affecting your rights or the manner in which we process your data, we will notify you by email if you are an active customer, or via a visible notification on the website. Continued use of the website following notification shall constitute acceptance of the amendments.
The version history of this policy is available on request at contact@luxarmonie.com.
Article 16 — Contact and exercise of rights
| GDPR email | contact@luxarmonie.com |
| WhatsApp (messages only) | +33 7 56 83 85 41 |
| Postal mail | MT MANAGEMENT SAS — 200 rue de la Croix Nivert — 75015 Paris, France |
| Response time | 30 calendar days maximum (art. 12 GDPR) |
| Supervisory authority | CNIL — www.cnil.fr |









