Processing declared to the CNIL and recognized as compliant on 26/01/2018
Oyst is a brand of the company Oyst France, domiciled at 81 rue Réaumur, 75002 Paris, France.
Oyst processes personal data concerning you as controller in the context of the use of its website accessible via the following address: https://oyst.com and its services accessible on the areas managed by Oyst. It respects privacy and protects the personal data of users of the services it offers.
The purpose of this policy is in particular to inform users of the methods of collecting, processing and using their personal data and their rights regarding the protection of personal data.
Where do these data come from?
In particular, your data is collected directly when:
- You communicate them to us yourself via our website and our services:
1) By creating your Oyst space
2) By placing your orders through our services
3) By browsing our site and consulting the products presented on our pages
- You contact us; we also receive and store certain types of information automatically through cookies
Data is collected directly from you and when you use the Oyst website and services.
Merchant sites inform you of the possibility of transferring your data to their technical partners, including Oyst. For more information, please refer to their personal data policies. The data concerning you and possibly transferred to Oyst by merchants are only used in the context of the fight against bank fraud.
Which categories of data collected do we process?
In the context of the use of the website and services, several types of personal data may be collected. The data collected mainly correspond to the following categories:
- The information you provide us (name, first name, address, date of birth, e-mail address, telephone number, credit card information)
- The information we automatically collect (IP address, connection data, email addresses, products purchased, unique number (pixel) associated with the cookie, language used, user browser agent, telecom operator or ISP, history and navigation data…)
- Information from other sources and in particular from our partners (credit card identification token provided by our Payment Service Provider and used to link a credit card to a customer)
- Any data transferred by the merchant to Oyst (content of the order, delivery method used, time spent on the site, number of previous purchases made on the site, amount of previous transactions made on the site, status of previous transactions, bank issuing the card used for your previous purchases). All this data will only be used for the purpose of combating bank fraud.
Mandatory data are indicated in the collection forms by an asterisk. In their absence, the service related to this collection may not be provided.
For what purposes are the data collected?
Depending on the case, Oyst processes your data in whole or in part for the following main purposes:
- Offer you an additional sales service
- Provide you with appropriate content and offers
- Facilitate your customer journey
- Facilitate the purchase and processing of your financial information
- Avoid having to re-enter your bank details for each order
- Keep and update our files and your Oyst space
- Detect fraud or abuse
- Perform statistics and analyses
- Personalize and improve our services
For payment purposes, bank details are collected and stored by our PCI-DSS certified payment service provider. This certification attests to compliance with the objectives of confidentiality, cardholder data integrity and data and transaction security.
Oyst keeps only the partially masked bank details so that you can recognize your payment card when you make purchases. Please note that Oyst never comes into contact with your unencrypted bank details, as they are encrypted in your internet browser and are sent directly (always encrypted) to the servers of our Payment Provider that are authorised to receive them. Our Payment Provider then sends us back an internal identification number for your card (also called a “token”) as well as the first 6 digits and the last 4 digits of your card.
To whom are they transmitted?
The data processed are intended for the following persons, depending on the case:
- Oyst France SAS, controller
- Oyst France SAS and the subsidiaries or parent companies that Oyst France SAS controls or is controlled by, and that comply with this Personal Data Policy;
- Our technical partners (Payment Service Provider, subcontractor for sending SMS). All our technical partners store this data only within the European Union and comply in particular with the General Data Protection Regulation.
- Our partner merchant sites only obtain data that is vital to the delivery of the service/product you purchased from this merchant site. Our partner merchant sites become responsible for processing the information communicated by their customers via the Oyst Purchasing solution. The data transferred to our partner merchants may be used for commercial purposes by them, subject to the customer’s acceptance.
In addition, the data may be communicated to any authority legally entitled to know them, in particular in the event of a judicial requisition by the judicial, police or administrative authorities.
How long is the data kept?
In accordance with Article L561-12 of the French Monetary and Financial Code, all financial data of our customers are kept for a period of 5 years by our Payment Service Provider. At the end of these retention periods, the data are anonymised in order to be re-used for statistical purposes, the fight against fraud, the fight against money laundering, the fight against the financing of terrorism and the improvement of the purchasing system.
Non-financial data or data not collected directly from the User at the time of payment are kept for a period of 3 years.
What are your rights?
You have the right to access, query and rectify data concerning you.
You also have a right to object on legitimate grounds to the processing of your personal data and a right to object to the use of your data for canvassing purposes, in particular for commercial purposes.
You also have the right, as the case may be, to have your data rectified, completed, updated, locked or deleted. You can exercise your rights by connecting to your space via the URL https://1-click.oyst.com/ or by contacting firstname.lastname@example.org.
In order to ensure confidentiality and protection of personal data, Oyst must verify the identity of the user before responding to their request. Therefore, any request to exercise these rights must be accompanied by a copy of an identity document.
European Data Protection Regulation
Oyst is in compliance with the new European Data Protection Regulation. This compliance is concretely reflected in the following elements:
- appointment of a Data Protection Officer
- implementation of measures to control the use, availability and display of data internally (limiting this access to what is strictly necessary according to the needs of each employee)
- data security via a designated infrastructure designed to be secure
- implementation of measures to verify user consent and the electronic archiving of this consent for each of the data collected.
- development of an internal mapping of data processing
Cookies and other tracking devices
What security measures are implemented?
In order to guarantee the security of your data, Oyst takes all necessary precautions, whether physical, logical, administrative or organisational, with regard to the nature of the data it processes and the risks presented by the various processing operations, to preserve the security of the data and to prevent it from being distorted, damaged or accessed by unauthorised third parties.
These measures include in particular:
- The use of the SSL (Secure Sockets Layer) protocol, which encrypts information
- Requesting proof of identity before providing you with your personal information
- In the event of subcontracting part or all of the processing of personal data, Oyst contractually requires its subcontractors to guarantee the security and confidentiality of personal data by means of technical measures to protect such data and appropriate human resources.
Sites owned by third parties
Links on the Oyst website may take you to external sites.
In this respect, please note that the personal data protection policies of these sites may differ from this policy.
In this context, it is recommended in all cases to read the personal data protection policy of each of the sites concerned.
In any event, Oyst cannot be held liable in the event that the content of one of the sites contravenes the legal and regulatory provisions in force.
Updating of the data protection policy
Last modification: 09/03/2018