1. Preamble
This privacy policy describes the way in which Escal'Adventure (Florian Vizier, sole proprietorship) collects, uses and protects the personal data of visitors to the escal-adventure.fr website and of its clients.
It is drawn up in accordance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — and with the French "Data Protection Act" (Informatique et Libertés) no. 78-17 of 6 January 1978, as amended.
We undertake to collect only the data strictly necessary to process your request and to run the service properly.
2. Data controller
The controller of the personal data is:
Florian Vizier — Escal'Adventure
Sole proprietorship, 32 rue Principale, Lieu-dit Liaucous, 12720 Mostuéjouls, France
SIRET: 88529257300023
E-mail: contact@escal-adventure.fr
Telephone: +33 6 43 58 31 27
Given the size of the business (sole proprietorship), no data protection officer (DPO) has been appointed. Any question relating to your data may be sent directly to Florian using the contact details above.
3. Data collected
The following data may be collected, only when you provide it voluntarily:
Via the contact form
- Identity: surname, first name;
- Contact details: e-mail, telephone number;
- Information about the outing: desired activity, dates, number of participants;
- Free-text message: the written content of your request.
- Information about the participants: first name, age, level, as well as height and weight — essential for sizing the safety equipment (harness, helmet, lanyard);
- Gift voucher (if you request one): the beneficiary's name, the giver's name, the amount, and the message to appear on the voucher. The beneficiary is informed of this processing when the voucher is handed over (article 14 GDPR);
- Image rights: your agreement — or its absence — to the use of photos and videos (optional tick box).
When booking and during the outing
- Information relevant to safety: participants' ages, any medical contraindications you wish to disclose, and an emergency contact;
- Payment information: where applicable, the amount and means of payment (bank card details are never stored on the site).
Browsing the site
No analytics or marketing cookie is placed without your explicit consent (see section 10). Analytics is carried out by means of a solution self-hosted by Deiro Digital, on its own servers: until you have consented, it operates without any cookie and transmits no data to any third party.
What we do not collect
- No bank data stored on the site;
- No precise location data;
- No sensitive data (origin, opinions, etc.). Medical contraindications are disclosed only if you choose to report them, for your own safety (see section 5).
4. Purposes of the processing
Your data is used exclusively for the following purposes:
- Answering your contact or booking request and providing you with a quote where applicable;
- Organising the outing (sizing the group, choosing the site, adapting to the level, taking contraindications into account);
- Contacting you urgently in the event of an unforeseen situation (weather, cancellation, change of programme);
- Issuing the invoice and keeping the accounts, in accordance with legal obligations;
- Contacting you again later if you ask us to (newsletter, outing suggestions), subject to your prior explicit consent.
No data is used for unsolicited commercial prospecting, nor sold or rented to third parties.
5. Legal basis for the processing
Depending on the purpose, the processing of your data relies on one of the legal bases provided for by the GDPR:
- Performance of a contract or pre-contractual measures
- For processing your booking request and confirming and organising the outing — including participants' height and weight, necessary for sizing the safety equipment (article 6.1.b GDPR).
- Consent
- For analytics and marketing cookies, the use of photos and videos (image rights, optional box) and any marketing communications (article 6.1.a GDPR).
- Explicit consent (health data)
- For the medical contraindications you choose to disclose before the outing: their disclosure is optional and relies on your explicit consent (article 9.2.a GDPR).
- Legal obligation
- For retaining invoices and accounting records (article 6.1.c GDPR, tax and accounting obligations).
- Legitimate interest
- To ensure the security of the site and to prevent fraud or abuse (article 6.1.f GDPR).
6. Recipients of the data
Your data is accessible only to:
- Florian Vizier, as the data controller;
- Deiro Digital, technical data processor: design and maintenance of the site, and hosting of the analytics solution on its own servers;
- Hostinger, the site's hosting provider;
- Formspree, the service processing the contact form;
- Google (Google Ads), only if you have accepted the marketing cookies;
- the payment provider, where applicable;
- the authorised public authorities in the event of a legal obligation (URSSAF, tax services, courts).
Transfers outside the European Union
Two data processors are established in the United States. These transfers are governed by the safeguards of Chapter V of the GDPR:
- Formspree (privacy policy), which processes the messages sent from the contact form and hosts them in the United States: the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs);
- Google LLC (Google Ads), only if you have accepted the marketing cookies: transfer governed by the adequacy decision on the EU-US Data Privacy Framework.
No other transfer outside the European Union is carried out. In particular, the analytics data remains hosted in Europe and is transmitted to no third party.
7. Retention period
The retention periods applied are as follows:
| Type of data | Period |
|---|---|
| Contact request with no follow-up | 3 years from the last exchange |
| Booking data (client) | 3 years after the last outing |
| Invoices and accounting records | 10 years (legal obligation, article L.123-22 of the French Commercial Code) |
| Medical data shared for the outing | Deleted at the end of the outing |
| Analytics data | 25 months maximum (CNIL recommendation) |
| Cookie preferences | 13 months maximum (CNIL recommendation) |
8. Your rights
In accordance with the GDPR, you have the following rights over your personal data:
- Right of access: to obtain confirmation that data concerning you is being processed, and to receive a copy of it;
- Right to rectification: to have inaccurate or incomplete data corrected;
- Right to erasure ("right to be forgotten"): to obtain the deletion of your data in the cases provided for by law;
- Right to restriction: to request the temporary suspension of processing;
- Right to object: to object to processing on legitimate grounds, or at any time to commercial prospecting;
- Right to portability: to retrieve your data in a structured, machine-readable format;
- Right to withdraw your consent at any time, where the processing relies on it;
- Right to give directives concerning the fate of your data after your death.
To exercise any of these rights, simply send an e-mail to contact@escal-adventure.fr, stating your request and, where necessary, enclosing a copy of an identity document (so we can check that the request genuinely comes from you).
A reply will be provided to you within a maximum of 1 month from receipt of the complete request.
9. Data security
We implement appropriate technical and organisational measures to protect your data against loss, alteration, unauthorised disclosure or unauthorised access:
- encryption of communications via the HTTPS (TLS) protocol;
- hosting with a GDPR-compliant provider (Hostinger);
- access to the data limited to Florian Vizier only;
- regular backups of critical data;
- strong passwords for access to professional accounts.
In the event of a personal data breach likely to give rise to a high risk to your rights and freedoms, you will be informed as soon as possible, in accordance with article 34 of the GDPR.
11. Data concerning minors
The site is not intended for minors under 15 years of age, and we do not knowingly collect personal data from them. Bookings concerning minors taking part in an outing are made by a responsible adult (a parent or legal guardian), who provides the necessary information.
If you believe that we have collected data concerning a minor without parental authorisation, contact us immediately at contact@escal-adventure.fr so that it can be deleted.
12. Changes to the policy
This privacy policy may be amended at any time to take account of legal, regulatory, case-law or technical developments. The date of the last update appears at the top of the page.
Any material change will be notified to you by e-mail if you are a client, or displayed on the site via a dedicated banner.
13. Contact & complaints to the CNIL
For any question concerning this policy or your personal data, write to contact@escal-adventure.fr.
If, after contacting us, you believe that your rights are not being respected, you may lodge a complaint with the French Data Protection Authority (CNIL — Commission Nationale de l'Informatique et des Libertés):
CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Telephone: +33 1 53 73 22 22
Website: www.cnil.fr