Privacy Policy – Boutique and Cosmetic Treatment Centre
Last updated: 07/05/2026
Article 1 – Identity of the Data Controller
| Field | Details |
|---|---|
| Company name | GALÉNIC COSMETICS LABORATORY |
| Legal form | SAS |
| Registered office | 3 rue du Colonel Moll, 75017 Paris |
| SIRET | 889 310 108 |
| RCS | Paris |
| Data Protection Officer (DPO) | dpo@galenic.com |
Article 2 – Purpose of This Policy
This privacy policy is intended to inform customers of the boutique and cosmetic treatment centre of GALÉNIC COSMETICS LABORATORY about the manner in which their personal data is collected, processed, stored and protected, in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and French Law No. 78-17 of 6 January 1978 as amended ("Informatique et Libertés").
It applies to all personal data processing carried out in connection with the following activities:
- Reception and identification of customers in-store.
- Provision of cosmetic and wellness treatments.
- Customer relationship management and loyalty programmes.
- Commercial communications (with consent).
- Compliance with cosmetovigilance obligations (declaration and assessment of adverse effects linked to cosmetic products).
Article 3 – Data Collected and Purposes
3.1 Customer profile form (CIC Form)
| Data Collected | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Name, first name, title, email, postal address, phone number | Customer relationship management, identification, invoicing | Performance of contract (Art. 6.1.b) | Duration of commercial relationship + 5 years (civil limitation, Art. 2224 C. civ.); accounting data: 10 years (Art. L.123-22 C. com.) |
| Purchase history (products, dates, amounts) | Customer relationship follow-up, after-sales management, proof of transactions | Performance of contract (Art. 6.1.b) | Duration of commercial relationship + 5 years |
| Date of birth | Personalised offers (birthday), age verification where applicable | Legitimate interest (Art. 6.1.f) | Duration of commercial relationship + 3 years |
| Country | Sending correspondence, event invitations | Legitimate interest (Art. 6.1.f) | Duration of commercial relationship + 3 years |
| Skin type, skin concerns, skincare routine | Personalisation of advice and in-store experience | Consent (Art. 6.1.a) | Until withdrawal of consent or 3 years of inactivity |
| Email / phone (prospecting) | Marketing communications, exclusive event invitations | Consent (Art. 6.1.a) | Until withdrawal of consent or 3 years of inactivity |
| Purchase history (marketing purpose) | Marketing targeting and personalised product recommendations, including via segmentation | Consent (Art. 6.1.a) | Duration of commercial relationship + 3 years |
| (If selected) Facial photograph and automated skin analysis | The VISIA machine (Canfield Imaging Systems) captures a photograph of your face and generates an automated analysis of your cutaneous characteristics | Consent (Art. 6.1.a) | Until withdrawal of consent or 3 years of inactivity |
3.2 Cosmetic treatment questionnaire (Spa Form)
| Data Collected | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Name, first name, email, phone number | Customer identification, appointment management | Performance of contract (Art. 6.1.b) | Duration of relationship + 5 years |
| Treatment goal, preferences (pressure, ambiance) | Personalisation of the treatment experience | Performance of contract (Art. 6.1.b) | Duration of relationship + 5 years |
| Allergies, skin reactions, pathologies, pregnancy, treatments, surgical interventions, presence of metal implants in the body | Safe adaptation of the treatment, prevention of contraindications | Explicit consent for health data (Art. 9.2.a) | Duration of treatments + 10 years (personal injury limitation, Art. 2226 C. civ.; product liability, Art. 1245-15 C. civ.) |
| Health and identification data of the customer in the event of a reported adverse effect | Cosmetovigilance declaration with the ANSES and imputability assessment by service provider VIGIPHARM | Legal obligation (Art. 6.1.c GDPR; Art. L.5131-9 and R.5131-15 of the French Public Health Code) | 10 years from the date of the report (product liability limitation) |
| (If selected) Facial photograph and automated skin analysis | The VISIA machine (Canfield Imaging Systems) captures a photograph of your face and generates an automated analysis of your cutaneous characteristics | Consent (Art. 6.1.a) | Until withdrawal of consent or 3 years of inactivity |
Upon expiry of these retention periods, data is deleted or irreversibly anonymised.
Article 4 – Health Data – Enhanced Protection
Certain data collected via the treatment questionnaire constitutes "health data" within the meaning of Article 9 of the GDPR (allergies, pathologies, pregnancy, medical treatments, surgical interventions, presence of metal implants in the body). These data benefit from enhanced protection:
- They are collected only with your explicit consent, recorded via a dedicated tick-box on the treatment form.
- They are used exclusively to adapt the treatment to your physiological profile and to prevent any risks associated with contraindications.
- They are accessible only to authorised centre staff (practitioners performing the treatment, institute manager).
- They are never communicated to third parties for commercial purposes.
- They are stored securely (paper forms under lock and key at the boutique).
- In the event of an adverse effect (redness, irritations, skin reactions, etc.) occurring following the use of our products or a treatment, GALÉNIC COSMETICS LABORATORY is subject to a legal cosmetovigilance obligation (Articles L.5131-9 and R.5131-15 of the French Public Health Code). In this context, your health and identification data may be transmitted to our cosmetovigilance service provider, VIGIPHARM, for the purpose of assessing the imputability of the product concerned, and where applicable to the Agence Nationale de Sécurité du Médicament (ANSES). This processing is based on a legal obligation (Art. 6.1.c GDPR) and does not require your prior consent.
You may withdraw your consent at any time by contacting our DPO. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal. However, in the absence of consent to the processing of your health data, we may not be able to perform the treatment under optimal safety conditions. If a cosmetovigilance report is in progress, the data necessary for its processing will be retained on the basis of the legal obligation, irrespective of the withdrawal of consent.
Article 5 – Recipients of Data
Your personal data is accessible to the following categories of recipients:
Standard data:
- Authorised centre staff: practitioners, institute manager, reception staff (for identification data only).
- Shopify International Limited (Ireland), acting as a data processor under Article 28 GDPR for the hosting and management of identification data and purchase history. Shopify is bound by a GDPR-compliant Data Processing Addendum (https://www.shopify.com/legal/dpa). Shopify has no access to health data.
Health and biometric data (VISIA machine only, if selected):
- Authorised centre staff: practitioners and institute manager.
- Vigipharm, cosmetovigilance service provider, recipient of health and identification data exclusively in the event of a reported adverse effect, within the legal cosmetovigilance framework. Vigipharm acts as a data processor under Article 28 GDPR and is subject to confidentiality obligations.
- Competent authorities (ANSES for cosmetovigilance, judicial authorities upon requisition).
- Canfield, with access to data solely within the scope of VISIA machine maintenance.
No personal data is sold, rented or transferred to third parties for commercial purposes.
Article 6 – Transfers of Data Outside the European Union
In the course of its activities, GALÉNIC COSMETICS LABORATORY uses technical service providers that may involve transfers of personal data outside the European Union. No health data is subject to such transfers; health data is retained exclusively on paper records held at the boutique.
Shopify International Limited (Ireland) — Identification data and purchase history collected via the CIC form are hosted by Shopify International Limited, based in Ireland. In the course of providing its services, Shopify may transfer these data to Canada (Shopify Inc.), a country benefiting from an adequacy decision of the European Commission (Decision 2002/2/EC, renewed on 15 January 2024). Transfers to Shopify's sub-processors located in the United States and Singapore may also occur, governed by Standard Contractual Clauses (SCCs) approved by the European Commission. Details of Shopify's sub-processors are available at: https://help.shopify.com/en/manual/privacy-and-security/privacy/subprocessors.
Article 7 – Data Security
GALÉNIC COSMETICS LABORATORY implements appropriate technical and organisational measures to ensure the security and confidentiality of your personal data, in particular:
- Restricted access to data via individual password and authentication.
- Storage of paper forms in a locked room with limited access.
- Staff awareness training and education on data protection.
- Professional confidentiality obligation binding all personnel.
- Hosting of digital data with Shopify, a SOC 2 Type II and PCI DSS Level 1 certified provider, with encryption of data in transit and at rest, strict access controls and redundant backups.
Article 8 – Your Rights
In accordance with the GDPR and the Loi Informatique et Libertés, you have the following rights:
| Right | Description |
|---|---|
| Right of access (Art. 15) | Obtain confirmation that data about you is being processed and receive a copy. |
| Right to rectification (Art. 16) | Have inaccurate or incomplete data corrected. |
| Right to erasure (Art. 17) | Request the deletion of your data, subject to legal retention obligations. |
| Right to restriction (Art. 18) | Request a temporary freeze on the processing of your data. |
| Right to portability (Art. 20) | Retrieve your data in a structured, machine-readable format. |
| Right to object (Art. 21) | Object to processing for legitimate reasons, or at any time for direct marketing purposes. |
| Withdrawal of consent | Withdraw your consent at any time, without affecting the lawfulness of prior processing. |
| Post-mortem directives | Define instructions regarding the fate of your data after your death (Art. 85 Loi Informatique et Libertés). |
How to exercise your rights
You may exercise all of the above rights by contacting our Data Protection Officer:
- By email: dpo@galenic.com
- By post: GALÉNIC COSMETICS LABORATORY – DPO – 3 rue du Colonel Moll, 75017 Paris
A response will be provided within one month of receipt of your request. This period may be extended by two months in cases of complexity or a high volume of requests.
Proof of identity may be requested if there is reasonable doubt as to your identity.
Article 9 – Complaint with the CNIL
If, after contacting us, you consider that your data protection rights are not being respected, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):
- Online: www.cnil.fr
- By post: CNIL – 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07
Article 10 – Automated Decision-Making and Profiling
GALÉNIC COSMETICS LABORATORY does not carry out any fully automated decision-making or profiling within the meaning of Article 22 GDPR in the context of the processing described in this policy.
GALÉNIC COSMETICS LABORATORY may use segmentation techniques based on preferences and purchase history to personalise its commercial communications. This processing does not produce legal effects or similarly significant effects on individuals. You may object to this profiling at any time by contacting the DPO at: dpo@galenic.com
Article 11 – Confidentiality
All GALÉNIC COSMETICS LABORATORY personnel are subject to a professional confidentiality obligation. Data collected via treatment questionnaires is handled in strict confidence.
Important: our centre offers non-medical cosmetic and wellness treatments. All staff are bound by a contractual confidentiality obligation.
Article 12 – Changes to This Policy
This privacy policy may be updated at any time to reflect legislative, regulatory or operational changes. In the event of a material change, you will be informed by appropriate means. The date of the last update appears at the top of this document.
