Legal notice

Privacy policy

This policy describes the personal data DIX-ONZE collects when you use dixonzeparis.com, how we use it, with whom we share it, and the rights you have. It complies with the General Data Protection Regulation (GDPR) and the French Data Protection Act.

Last updated: 11 May 2026

1. Data controller

The controller of personal data collected on the dixonzeparis.com website is DIX-ONZE, a French SARL with share capital of €1,000, registered with the Bobigny Trade and Companies Register under number 877 977 629, with registered office at Centre Fashion Center, 70 avenue Victor Hugo, 93300 Aubervilliers, France.

For any question regarding the processing of your personal data, you can contact us at contact@dixonzeparis.com.

2. Data we collect

When you browse the site and place orders, we collect the following categories of data:

Identity data: title, first name, last name and, where applicable, date of birth
Contact data: email address, telephone number, postal delivery and billing address
Login and credentials data: password (encrypted), login history
Order data: products ordered, amounts, purchase history, invoices
Payment data: full card details are never stored on our servers; they are collected and processed directly by our payment provider Stripe, certified PCI-DSS Level 1
Browsing data: pages viewed, visit duration, browser type, anonymised technical data (via Vercel Analytics, no third-party cookie)
Communication data: customer reviews, exchanges with customer service, newsletter preferences

3. Purposes and legal bases

In accordance with Article 6 of the General Data Protection Regulation (GDPR), your data is processed for the following purposes:

Management of your customer account and orders (delivery, billing, after-sales service) — legal basis: performance of the contract
Issuing, retaining and transmitting invoices — legal basis: legal obligation (Article L.123-22 of the French Commercial Code)
Combating payment fraud — legal basis: legitimate interest
Sending our newsletter and commercial communications — legal basis: consent, withdrawable at any time from the footer of each email
Responding to customer service enquiries — legal basis: performance of the contract or legitimate interest
Anonymous audience measurement of the site (Vercel Analytics) — legal basis: legitimate interest, processing exempted from consent by the French data protection authority (CNIL)
Moderation of published customer reviews — legal basis: legitimate interest

4. Sub-processors and recipients

Your data may be transmitted to the following sub-processors, acting solely on DIX-ONZE's instructions and under a sub-processing agreement compliant with Article 28 GDPR:

Stripe Payments Europe Ltd (Ireland) and Stripe Inc. (United States) — payment processing; non-EU transfers covered by the European Commission's Standard Contractual Clauses and Data Privacy Framework certification
Easy Express (France) — preparation and delivery of orders
Resend, Inc. (United States) — sending of transactional emails (order confirmation, shipping updates, password reset); non-EU transfers covered by the Standard Contractual Clauses
Vercel Inc. (United States) — hosting of the storefront website; non-EU transfers covered by Data Privacy Framework (DPF) certification
Scaleway SAS (France) — hosting of the e-commerce backend and database

Your data may also be transmitted to competent public authorities where the law requires it (tax authorities, judicial authorities upon request).

DIX-ONZE does not sell, rent or otherwise transfer your personal data to third parties for commercial purposes.

5. Retention periods

Your personal data is retained for the time strictly necessary for the purpose of processing, and in particular:

Customer account: for the entire duration of the account's activity, then three (3) years from the last active contact (order or login), for commercial relationship purposes
Invoices and transaction data: ten (10) years from the close of the financial year, in accordance with Article L.123-22 of the French Commercial Code
Marketing prospect data: three (3) years from the last contact from the customer (click, open, purchase)
Cookies and trackers: thirteen (13) months maximum
Connection data: one (1) year in accordance with Article L.34-1 of the French Postal and Electronic Communications Code
Customer reviews: for five (5) years from publication or until the Customer requests deletion

6. Your rights

In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights over your personal data:

Right of access: obtain confirmation that your data is being processed and obtain a copy
Right to rectification: have inaccurate or incomplete data corrected
Right to erasure ("right to be forgotten"): request deletion of your data under the conditions set out in the GDPR
Right to restriction of processing: suspend the processing of your data in certain cases
Right to portability: receive your data in a structured format and transmit it to another data controller
Right to object: object to the processing of your data on grounds relating to your particular situation, or unconditionally for marketing purposes
Right to withdraw consent at any time, where processing is based on your consent
Right to set instructions regarding the fate of your data after your death

You can exercise these rights at any time, free of charge, from your account area or by writing to us at contact@dixonzeparis.com. For security reasons, we may ask you to prove your identity.

We undertake to respond within a maximum of one (1) month, this period being extendable by a further two (2) months given the complexity or number of requests (Article 12 GDPR).

7. Right to lodge a complaint

If, after contacting us, you believe that your data protection rights are not being respected, you may lodge a complaint with the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL):

Online: www.cnil.fr
By post: 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

8. Data security

DIX-ONZE implements appropriate technical and organisational measures to ensure the security, integrity and confidentiality of your personal data:

Systematic encryption of communications via the HTTPS/TLS protocol
Storage of passwords in encrypted form (salted hashing)
HttpOnly and Secure session cookies
Access to data restricted to authorised personnel bound by an obligation of confidentiality
Regular and encrypted backups of the database
Periodic security audits

Despite these precautions, no system is entirely infallible. In the event of a security incident affecting your data and posing a risk to your rights and freedoms, we undertake to notify the CNIL within seventy-two (72) hours and, where applicable, to inform you as soon as possible.