This privacy policy describes the conditions under which Grand Line Web collects, uses and protects your personal data, in application of Regulation (EU) 2016/679 of 27 April 2016 (hereinafter « GDPR ») and French law n° 78-17 of 6 January 1978 as amended on data processing, files and freedoms. It is supplemented by the cookie policy which specifically details the operation of trackers placed on your terminal.
Article 1. Data controller
The controller of your personal data within the meaning of article 4 of the GDPR is :
- Rafael Da Mota Cerqueira, acting under the trade name Grand Line Web
- Sole trader, French micro-enterprise regime
- SIREN : 919 784 769 — SIRET : 919 784 769 00029
- APE code : 7022Z
- Address : 9 Place de l'Église, 43100 Vieille-Brioude, France
- Email : contact@grandlineweb.com
No Data Protection Officer (DPO) has been appointed, as such an appointment is not required under the criteria of article 37 of the GDPR for the Provider's activity. Any request relating to personal data is handled directly by Rafael Da Mota Cerqueira at the email address above.
Article 2. Scope and commitment
This policy applies to all personal data processing operations carried out by Grand Line Web in connection with :
- consultation and browsing of the grandlineweb.com site ;
- use of the contact form ;
- creation and management of a customer account ;
- placing and following up of orders, quotes and invoices ;
- performance of subscribed Services (creation plans, monthly care plans, one-off services, Local SEO options) ;
- use of the project messaging and the support ticket system.
Grand Line Web undertakes to process your data only for the purposes explicitly stated in this policy, to retain it for strictly necessary periods, never to sell or rent it to third parties for commercial purposes, and to implement appropriate technical and organizational measures to ensure its security.
Article 3. Data collected
Personal data collected varies according to the context of your interaction with the site and the Services.
3.1 During simple browsing of the site
The only data processed without your intervention are those strictly necessary for the technical operation and security of the site :
- technical cookies (laravel_session, XSRF-TOKEN, locale) ;
- connection IP address, kept in the connection logs of the hosting server for security and technical diagnostic purposes ;
- user agent (browser type and version, operating system).
No audience measurement cookie or advertising cookie is placed without your prior explicit consent.
3.2 When using the contact form
Information you voluntarily provide :
- name (or first name) ;
- email address ;
- project type (selected plan from : Esquisse, Composition, Signature, Hosting, Essentielle Maintenance, Confort Maintenance, Signature Maintenance, Hour pack, Audit, Other) ;
- free message content.
Also recorded, exclusively for security purposes (combating spam and automated submissions) and qualification of the request, are the following technical metadata :
- connection IP address ;
- user agent ;
- referring page (referrer) ;
- browsing language at submission time (fr, en or pt).
3.3 When creating a customer account
- name or company name ;
- email address (also used as login identifier) ;
- password stored irreversibly as a cryptographic hash (bcrypt algorithm) — the plaintext password is never kept ;
- preferred interface language ;
- date and time of account creation, last login.
3.4 When placing an Order or establishing a Quote
- Customer identity : name, first name or company name, legal form ;
- postal address and billing address ;
- SIREN, SIRET and intra-EU VAT number where applicable ;
- email and telephone contact details where applicable ;
- Order details : chosen service, ex-tax amount, applicable VAT rate, total amount including tax, payment terms, status, key dates (issue, due, payment, delivery) ;
- Stripe transaction identifier (stripe_payment_intent_id) when payment is made by bank card — only this technical identifier is kept, excluding any complete bank data (see article 6).
3.5 During performance of the Services
As part of the execution of your project, Grand Line Web may collect and process, exclusively for the purposes of the Service :
- the content you transmit (texts, visuals, identifiers, documents) ;
- exchanges with the Provider via the project messaging (message bodies, attachments, dates) ;
- support tickets (subject, content, priority, status, attachments, exchanges) ;
- satisfaction ratings possibly transmitted at the closing of a ticket.
3.6 Data Grand Line Web does not collect
Grand Line Web does not collect bank card numbers, security codes, health data, so-called sensitive data within the meaning of article 9 of the GDPR (origin, political opinions, religious beliefs, trade union membership, biometric data, sexual orientation), or data relating to minors.
Article 4. Processing purposes and legal bases
In accordance with article 6 of the GDPR, each processing operation rests on an identified legal basis. The table below summarizes, by purpose, the applicable legal foundation.
| Purpose | Legal basis (GDPR) | Reference |
|---|---|---|
| Display and technical operation of the site | Provider's legitimate interest in providing a functional and secure site | Article 6.1.f |
| Reply to contact requests via the form | Consent of the data subject and pre-contractual measures at their request | Articles 6.1.a and 6.1.b |
| Combating spam and automated submissions (honeypot, IP, user agent) | Provider's legitimate interest in protecting the site from abuse | Article 6.1.f |
| Customer account creation and management | Performance of the contract | Article 6.1.b |
| Placing, following up and performing Orders | Performance of the contract | Article 6.1.b |
| Issuing, managing and storing quotes and invoices | Performance of the contract and compliance with legal accounting obligations | Articles 6.1.b and 6.1.c |
| Bookkeeping | Compliance with legal obligations | Article 6.1.c |
| Debt recovery | Provider's legitimate interest | Article 6.1.f |
| Project messaging and support tickets | Performance of the contract | Article 6.1.b |
| Anonymized audience measurement (Google Analytics 4) | Explicit consent of the data subject | Article 6.1.a and article 82 of the French Data Protection Act |
| Retention of server connection logs | Compliance with legal obligations (LCEN law, art. 6 II) | Article 6.1.c |
Article 5. Mandatory or optional nature of the data
Data marked with an asterisk or indicated as required in the forms (name, email address, project type, message for the contact form ; identity, address, amount for Orders) are necessary to provide the requested service. Failing their communication, the Provider will be unable to respond to the request, conclude the contract or perform it.
Other data (telephone, company name when not required, etc.) are optional and their absence does not prevent the provision of the service.
Article 6. Recipients and processors
Your personal data are accessible, strictly within the limits of necessity, to the following recipients :
6.1 Internal Grand Line Web staff
Rafael Da Mota Cerqueira, as the sole publisher of the site and Provider, is the only one accessing the data in the exercise of his activity.
6.2 Technical processors
Grand Line Web uses processors within the meaning of article 28 of the GDPR, who only act on the Provider's instruction and within data processing agreements compliant with the GDPR :
| Processor | Purpose | Data concerned | Location |
|---|---|---|---|
| SAS o2switch (Chemin des Pardiaux, 63000 Clermont-Ferrand, France) | Hosting of the site, databases, backups, email routing via the SMTP server | All stored and exchanged data | France (European Union) |
| Stripe Payments Europe Ltd (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) | Secure processing of bank card payments | Transaction identifier (stripe_payment_intent_id), amount, currency, status. Complete bank data (card number, security code) are entered directly on Stripe's secure pages and never transit through Grand Line Web's servers. | Ireland (European Union), with Stripe servers located in the European Union and the United States |
| Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — Google Analytics 4 service | Pseudonymized site audience measurement, browsing journey analysis. Activated only with your explicit consent. | Pseudonymous visit identifier, pages viewed, duration, traffic source, device type, estimated country/region | United States, under the Data Privacy Framework (see article 7) |
6.3 Authorized third parties
Your data may also be communicated :
- to administrative and judicial authorities upon reasoned request and under the conditions provided by law ;
- to a possible representative of the Provider (chartered accountant, lawyer, consumer mediator) within the strict limits of their mission, subject to a confidentiality obligation.
No data is transmitted for commercial, advertising or prospecting purposes to third parties.
Article 7. Transfers outside the European Union
All data collected via the contact form, Orders, Quotes, customer accounts, project messaging and the ticket system are stored and processed exclusively within the European Union, on the servers of host o2switch in France.
Two regulated exceptions may give rise to a transfer outside the European Union :
- Stripe : may transfer certain transaction data to its servers in the United States. Stripe Payments Europe Ltd is certified under the Data Privacy Framework (DPF), an adequacy decision adopted by the European Commission on 10 July 2023 (decision (EU) 2023/1795), guaranteeing a level of protection essentially equivalent to that of the GDPR.
- Google Analytics 4 (only if you consent) : Google LLC is also certified under the Data Privacy Framework. The data collected is pseudonymized before transfer and the IP address is truncated (IP anonymization activated by default on GA4).
No transfer is made to a country that does not benefit from an adequacy decision or appropriate safeguards within the meaning of articles 45 and 46 of the GDPR.
Article 8. Retention periods
In accordance with the principle of storage limitation provided for in article 5.1.e of the GDPR, your data are kept only for the time strictly necessary for the purpose pursued. The applied periods are as follows :
| Data category | Retention period | Basis |
|---|---|---|
| Messages received via the contact form (and associated technical metadata) | 3 years from the last contact | CNIL recommendations for commercial prospecting and follow-up of requests |
| Customer account (identification data, preferences) | Account duration, then 3 years from the last login or activity, after notification | Reasonable reactivation period |
| Order, Quote and Service performance data | Duration of the contractual relationship, then 5 years from the end of the contract | Article 2224 of the French Civil Code — common law civil prescription |
| Invoices issued and received, journal book, accounting documents | 10 years from the close of the financial year | Article L123-22 of the French Commercial Code |
| Stripe transaction identifiers | Retention period of the attached invoice | Consistency with the accounting obligation |
| Support tickets and associated messages | 3 years from the closing of the ticket | Reasonable period for handling complaints or disputes |
| Project messaging conversations | Project duration, then 3 years from its closing | Consistency with project duration |
| Server connection logs (IP logs) | 1 year from their generation | Article L34-1 of the French Postal and Electronic Communications Code (CPCE) |
| Strictly necessary cookies (laravel_session, XSRF-TOKEN) | Duration of the browsing session | CNIL recommendations |
| Language preference cookie (locale) | 12 months maximum | CNIL recommendations |
| Consent storage cookie (gl_consent) | 6 months | CNIL recommendations — period less than or equal to 6 months recommended |
| Google Analytics 4 analytical cookies (_ga, _ga_[ID], _gid) | 13 months maximum | CNIL recommendations |
At the end of the indicated periods, data are either deleted or irreversibly anonymized (notably for internal statistical purposes). Data subject to a legal retention obligation are removed from any active processing and placed in intermediate archiving until the legal period expires.
Article 9. Data security
Grand Line Web implements the appropriate technical and organizational measures to ensure a level of security suited to the risk, in accordance with article 32 of the GDPR :
- encryption of communications via the HTTPS (TLS) protocol across the entire site ;
- form protection against Cross-Site Request Forgery attacks (CSRF token) ;
- protection against automated submissions (honeypot and limitation of the number of submissions per IP, set at 3 submissions per 10-minute window) ;
- irreversible cryptographic hashing of passwords (bcrypt algorithm) ;
- traceability of sensitive actions in the database ;
- daily database backups by host o2switch ;
- bank payment processing fully delegated to Stripe, certified PCI-DSS Level 1 ;
- access to administration interfaces restricted to the Provider only, by reinforced authentication ;
- regular updates of technical components (operating system, package manager, framework, dependencies).
No system being infallible, Grand Line Web undertakes, in the event of a data breach presenting a risk to your rights and freedoms, to notify the CNIL within 72 hours in accordance with article 33 of the GDPR, and to inform you as soon as possible in accordance with article 34 when the breach presents a high risk.
Article 10. Your rights
In accordance with articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights over your personal data :
- Right of access (article 15 GDPR) : obtain confirmation that data concerning you is being processed and obtain a copy.
- Right of rectification (article 16 GDPR) : have inaccurate data corrected or incomplete data completed.
- Right to erasure (article 17 GDPR), known as « right to be forgotten » : obtain the deletion of your data in cases provided for by law, particularly when the data is no longer necessary for the purposes for which it was collected, when you withdraw your consent, or when you object to processing.
- Right to restriction of processing (article 18 GDPR) : obtain the temporary suspension of processing, particularly in the event of a dispute over the accuracy of the data.
- Right to portability (article 20 GDPR) : receive the data you have provided, in a structured, commonly used and machine-readable format, and transmit it to another controller.
- Right to object (article 21 GDPR) : object, at any time, for reasons relating to your particular situation, to processing based on the Provider's legitimate interest.
- Right to withdraw your consent at any time (article 7.3 GDPR), for processing based on consent (audience measurement in particular), without this withdrawal affecting the lawfulness of previous processing.
- Right to define directives concerning the fate of your data after your death, in application of article 85 of French law n° 78-17 of 6 January 1978 as amended. These directives may be general (filed with a certified trusted third party) or specific (transmitted directly to the Provider).
Exercise procedure
To exercise these rights, you may write to contact@grandlineweb.com specifying the subject of your request and justifying your identity by any means, or by post to the Provider's head office (9 Place de l'Église, 43100 Vieille-Brioude, France).
The Provider responds to your request within one month from its receipt, which period may be extended by two months due to the complexity or number of requests, in accordance with article 12.3 of the GDPR. You will then be informed of this extension and its reasons.
The exercise of your rights is free, except for manifestly unfounded or excessive requests (notably due to their repetitive nature), in which case the Provider may charge a reasonable fee taking into account administrative costs or refuse to act on the request, in accordance with article 12.5 of the GDPR.
Right to lodge a complaint
If you consider, after having contacted us, that your rights are not respected, you have the right to lodge a complaint with the French Data Protection Authority (CNIL) :
- 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
- Phone : 01 53 73 22 22
- Site : www.cnil.fr
Article 11. Cookies and trackers
The grandlineweb.com site uses a limited number of cookies. Full details (categories, purposes, durations, issuers) are in the cookie policy. Summary :
- Strictly necessary cookies for the operation of the site (laravel_session, XSRF-TOKEN, locale) : placed without prior collection of your consent, in accordance with article 82 paragraph 2 of the French Data Protection Act.
- Audience measurement cookies (Google Analytics 4 — _ga, _ga_[ID], _gid) : placed exclusively after your explicit consent, collected via the consent banner present at the first loading of the site and modifiable at any time via the « Manage cookies » link in the footer.
The site does not use any advertising cookies, social network cookies, profiling or third-party tracking cookies.
Article 12. Automated decisions and profiling
Grand Line Web does not implement any decision based solely on automated processing producing legal effects or significantly affecting the persons concerned, within the meaning of article 22 of the GDPR. No commercial profiling is carried out on the basis of your data.
Article 13. Modification of the policy
This policy may be modified at any time to reflect applicable technical, functional or regulatory developments. The version in force is the one accessible on the site at the date of your consultation, the date of the last update being indicated at the top of the page.
In the event of substantial modification affecting your rights or your data, you will be informed by any appropriate means, particularly by email for holders of a customer account.
Article 14. Contact and useful details
For any question, request for information, exercise of rights or complaint relating to your personal data :
- By email : contact@grandlineweb.com
- By post : Rafael Da Mota Cerqueira — Grand Line Web, 9 Place de l'Église, 43100 Vieille-Brioude, France
For any complaint to the supervisory authority :
- French Data Protection Authority (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr