Privacy Policy

Last updated: April 27, 2026

This Privacy Policy explains how Solune Atelier ("Solune", "we", "us") collects, uses, and protects your personal data when you visit our website or place an order with us. We are the data controller under the EU General Data Protection Regulation (GDPR), the UK GDPR and the Data Protection Act 2018, and the business responsible for personal information under the California Consumer Privacy Act as amended by the CPRA ("CCPA").

1. Controller and contact

Solune Atelier. Full legal entity details (registered company name, registration number, address, and VAT number) will be published here once finalized. For privacy enquiries, please reach out via our contact page. We have not appointed a Data Protection Officer as we are not required to do so under GDPR Article 37.

2. Data we collect

  • Identity & contact: name, email, phone number, billing and shipping address.
  • Order data: items purchased, order value, payment status, refunds.
  • Payment data: handled directly by Stripe; we only receive a token and the last 4 digits of your card.
  • Account data: if you create an account, your login credentials and preferences.
  • Technical data: IP address, browser, device type, pages visited, and approximate location derived from your IP.
  • Marketing data: newsletter subscription status, opens, clicks.
  • Communications: emails and messages you send to customer care.

3. How we use your data

  • To process orders, payments, shipping, and returns.
  • To provide customer support and respond to enquiries.
  • To send transactional emails (order confirmations, shipping updates, refunds).
  • To send marketing emails, only if you have opted in. You can unsubscribe at any time via the link in every email.
  • To prevent fraud and secure the Service.
  • To comply with legal, tax, and accounting obligations.
  • To improve the Service through aggregated, anonymized analytics.

4. Legal bases (GDPR / UK GDPR)

  • Contract (Art. 6(1)(b)): processing necessary to fulfil your order.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, and consumer protection requirements.
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, network and information security, basic aggregated analytics, and product improvement. You can object at any time.
  • Consent (Art. 6(1)(a)): marketing communications and non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Sharing your data — our processors

We share data only with trusted processors who help us run the Service:

  • Stripe Payments Europe, Ltd. (Ireland) — payment processing, fraud prevention.
  • Colissimo / La Poste, DHL Express, FedEx — delivery.
  • Klaviyo, Inc. (USA) — transactional and marketing email.
  • Plausible Analytics (EU) — privacy-friendly aggregated analytics, no personal identifiers.
  • Cloudflare, Inc. (USA) — CDN, DDoS protection, infrastructure.
  • Lovable Cloud / Supabase (EU) — hosting and database.

Each processor is bound by a data processing agreement and may only use your data on our instructions. We do not sell your personal data and we do not share it for cross-context behavioral advertising in the sense of CCPA.

6. International transfers

Some of our processors are located outside the EEA / UK (notably the United States). When data is transferred internationally, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), together with supplementary technical and organizational measures. A copy of the relevant transfer mechanism is available on request.

7. Automated decision-making

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing, including profiling. Stripe Radar may flag transactions for fraud review, but a human reviews any decision to refuse an order.

8. How long we keep your data

  • Order and invoice data: 10 years (legal accounting requirement in France).
  • Account data: until you delete your account, then 30 days.
  • Marketing data: until you unsubscribe, then 6 months.
  • Support tickets: 3 years from last contact.
  • Analytics: aggregated and retained no longer than 14 months.

9. Your rights (EU / UK)

You have the right to access, rectify, erase, restrict, or object to the processing of your personal data, the right to data portability, and the right to withdraw consent at any time. To exercise these rights, please reach out via our contact page. We will respond within one month.

You may lodge a complaint with your local supervisory authority. In France this is the CNIL; in the UK, the ICO.

10. Your rights (California — CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, to access it, to delete it, to correct it, to limit our use of sensitive personal information, and to opt out of any "sale" or "sharing" for cross-context behavioral advertising. We will not discriminate against you for exercising these rights.

In the past 12 months we have collected the following CCPA categories of personal information: identifiers (A), customer records (B), commercial information (D), internet activity (F), geolocation (G), and inferences (K). We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal as a valid opt-out request.

To exercise your rights or designate an authorized agent, please reach out via our contact page. We will verify your request using the email and order information on file.

11. Cookies and tracking

We use cookies and similar technologies as described in our Cookie Policy. Non-essential cookies are loaded only with your consent, which you can change at any time from the "Cookie preferences" link in the footer.

12. Security

We use TLS encryption in transit, encrypted databases at rest, role-based access controls, and regular security reviews. No system is perfectly secure, but we work hard to protect your data. In the event of a personal data breach affecting your rights, we will notify you and the competent supervisory authority within 72 hours where required by law.

13. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

14. Changes

We may update this Privacy Policy from time to time. The updated version will be posted here with a new "Last updated" date. Material changes will be communicated by email where you have given us your address.

Questions? Contact us.