Privacy & Discretion Charter – Galénic Cosmetics Laboratory
Last updated: 09/04/2026
Article 1 – Identity of the Data Controller
| Company name | GALÉNIC COSMETICS LABORATORY |
| Legal form | SAS (Simplified Joint-Stock Company) |
| Share capital | €7,958,323 |
| Registered office | 3 rue du Colonel Moll, 75017 Paris |
| SIRET | 889 310 108 |
| RCS | Paris |
| Legal representative | Sarah Michel STEVENS |
| Data Protection Officer (DPO) | dpo@galenic.com |
Article 2 – Purpose of This Policy
This privacy policy is intended to inform customers of the boutique and cosmetic treatment space of GALÉNIC COSMETICS LABORATORY about how their personal data is collected, processed, stored and protected, in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and French Law No. 78-17 of 6 January 1978, as amended, known as the "Informatique et Libertés" (Data Protection) Act.
It applies to all personal data processing carried out in connection with the following activities:
- Welcoming and identifying customers in-store
- Providing cosmetic and wellness treatments
- Customer relationship management and loyalty programmes
- Commercial communications (with consent)
Article 3 – Data Collected and Purposes
3.1 In-Store Customer File (CIC Form)
| Data Collected | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Last name, first name, title, email, phone | Customer relationship management, identification, invoicing | Performance of contract (Art. 6.1.b) | Duration of commercial relationship + 3 years |
| Date of birth | Personalised offers (birthday), age verification where applicable | Consent (Art. 6.1.a) | Duration of commercial relationship + 3 years |
| Postal address, country | Sending correspondence, invitations to events | Consent (Art. 6.1.a) | Duration of commercial relationship + 3 years |
| Skin type, skin concerns, skincare routine | Personalisation of advice and in-store experience | Consent (Art. 6.1.a) | Duration of commercial relationship + 3 years |
| Email / phone (prospecting) | Marketing communications, invitations to exclusive events | Consent (Art. 6.1.a) | Until withdrawal of consent or 3 years of inactivity |
3.2 Cosmetic Treatment Questionnaire (Spa Form)
| Data Collected | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Last name, first name, email, phone | Customer identification, appointment management | Performance of contract (Art. 6.1.b) | Duration of relationship + 5 years |
| Allergies, skin reactions, medical conditions, pregnancy, treatments, surgical procedures | Adapting the treatment safely, preventing contraindications | Explicit consent for health data (Art. 9.2.a) | Duration of treatments + 10 years (product liability, Art. 1245-15 Civil Code) |
| Treatment goal, preferences (pressure, ambiance) | Personalisation of the treatment experience | Performance of contract (Art. 6.1.b) | Duration of relationship + 5 years |
Article 4 – Health Data – Enhanced Protection
Certain data collected via the treatment questionnaire falls within the category of "health data" as defined under Article 9 of the GDPR (allergies, medical conditions, pregnancy, medical treatments, surgical procedures). This data benefits from enhanced protection:
- It is only collected with your explicit consent, obtained via a dedicated tick-box on the treatment form.
- It is used exclusively to adapt the treatment to your physiological profile and prevent any risk related to a contraindication.
- It is accessible only to authorised staff at the centre (practitioners performing the treatment, institute manager).
- It is never shared with third parties for commercial purposes.
- It is stored securely (paper forms kept under lock and key at the boutique).
You may withdraw your consent at any time by contacting our DPO. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent given prior to its withdrawal. However, in the absence of consent to the processing of your health data, we will not be able to perform the treatment under optimal safety conditions.
Article 5 – Data Recipients
Your personal data is accessible to the following categories of recipients:
- Authorised centre staff: practitioners, institute manager, reception staff (for identification data only).
- Where applicable, our customer relationship management (CRM) provider: Shopify.
- Competent authorities, upon judicial or legal requisition only.
No personal data is sold, rented or transferred to third parties for commercial purposes.
Article 6 – Transfers of Data Outside the European Union
No transfer to a third country is carried out.
Article 7 – Retention Periods
The following retention periods apply:
| Data Category | Active Retention | Archiving |
|---|---|---|
| Customer identification data | Duration of the commercial relationship | 3 years after last contact (CNIL recommendation) |
| Health data (treatment questionnaire) | Duration of treatments | 10 years (product liability limitation period, Art. 1245-15 Civil Code) |
| Commercial prospecting data | Until withdrawal of consent | 3 years after last contact (CNIL recommendation) |
| Invoices and accounting documents | Current financial year | 10 years (accounting obligation, Art. L.123-22 Commercial Code) |
Upon expiry of these periods, data is deleted or irreversibly anonymised.
Article 8 – Data Security
GALÉNIC COSMETICS LABORATORY implements appropriate technical and organisational measures to ensure the security and confidentiality of your personal data, including:
- Restricted access to data via password and individual authentication.
- Storage of paper forms in a locked room with limited access.
- Awareness training and education of staff on data protection.
- Professional confidentiality obligation binding all staff.
Article 9 – Your Rights
In accordance with the GDPR and the Data Protection Act, you have the following rights:
| Right | Description |
|---|---|
| Right of access (Art. 15) | Obtain confirmation that data concerning you is being processed and receive a copy. |
| Right to rectification (Art. 16) | Have inaccurate or incomplete data corrected. |
| Right to erasure (Art. 17) | Request deletion of your data, subject to legal retention obligations. |
| Right to restriction (Art. 18) | Request temporary suspension of the processing of your data. |
| Right to data portability (Art. 20) | Retrieve your data in a structured, machine-readable format. |
| Right to object (Art. 21) | Object to the processing of your data on legitimate grounds, or at any time for commercial prospecting. |
| Withdrawal of consent | Withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal. |
| Post-mortem directives | Define instructions regarding the fate of your data after your death (Art. 85, Data Protection Act). |
How to exercise your rights
You may exercise all of these rights by contacting our Data Protection Officer:
- By email: dpo@galenic.com
- By post: GALÉNIC COSMETICS LABORATORY – DPO – 3 rue du Colonel Moll, 75017 Paris
A response will be provided within one month of receipt of your request. This period may be extended by two months in cases of complexity or a high volume of requests. Proof of identity may be requested if there is reasonable doubt as to your identity.
Article 10 – Complaint to the CNIL
If, after contacting us, you consider that your data protection rights are not being respected, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):
- Online: www.cnil.fr
- By post: CNIL – 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07
Article 11 – Automated Decision-Making and Profiling
GALÉNIC COSMETICS LABORATORY does not carry out any fully automated decision-making or profiling within the meaning of Article 22 of the GDPR in connection with the processing described in this policy.
Article 12 – Confidentiality
All staff of GALÉNIC COSMETICS LABORATORY are bound by a professional confidentiality obligation. Data collected via treatment questionnaires is handled in strict confidence.
Important: our centre offers non-medical cosmetic and wellness treatments. Staff are bound by a contractual confidentiality obligation but are not subject to medical professional secrecy within the meaning of Article L.1110-4 of the French Public Health Code.
Article 13 – Policy Updates
This privacy policy may be updated at any time to reflect legislative, regulatory or operational changes. In the event of a material change, we will notify you by any appropriate means (in-store notice, email where available). The date of the last update appears at the top of this document.
