Privacy policy
Last updated: 29 April 2026.
This policy describes how Aura Créative collects, uses and protects your personal data when you use the website auracreative.com, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and French Act No. 78-17 of 6 January 1978 (as amended).
1. Controller
Aura Créative, sole trader operated by Sonia Choisnet, whose contact details are set out in the legal notice. Dedicated data protection contact: contact@aura-creative.com.
2. Data protection officer (DPO)
No DPO has been appointed; Aura Créative's activity does not fall within the mandatory cases of art. 37 GDPR (public authority, regular and systematic large-scale monitoring, large-scale processing of special-category data).
3. Data collected, purposes, legal bases and retention
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Name, email, message, language (contact form) | Reply to the request | Legitimate interest of the controller (GDPR art. 6.1.f) | 3 years from the last contact |
| IP address, date and time (contact form) | Security, fraud and spam prevention | Legitimate interest (art. 6.1.f) | 12 months |
| Email, language (newsletter) | Sending newsletters about new artworks and exhibitions | Consent (art. 6.1.a) | Until unsubscription, then deletion within 30 days |
| Name, email, shipping address, amount, transaction reference (orders) | Order processing and shipment, accounting, after-sales | Performance of the contract (art. 6.1.b); accounting legal obligation (art. L123-22 of the French Commercial Code) | 10 years (accounting and tax obligation) |
| Email, hashed password (admin account) | Back-office authentication | Performance of service contract (art. 6.1.b) | Duration of the engagement, deletion within 6 months thereafter |
| Technical session cookie (admin) | Maintaining the authenticated back-office session | Strictly necessary (art. 82 of the French Data Protection Act, exempt from consent) | Browser session |
No payment card data (card number, security code, etc.) is collected or stored by Aura Créative. This data is processed exclusively by the payment provider EasyTransac and its acquirer Checkout.com (see section 4).
4. Recipients and processors
Your data is processed by Aura Créative and, strictly to the extent necessary for the purposes above, by the following processors, bound by contractual confidentiality and security obligations consistent with art. 28 GDPR:
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, D1 database, R2 storage | United States (with EU datacenters) | EU-US Data Privacy Framework certification; Standard Contractual Clauses (SCC) |
| Resend, Inc. | Transactional email delivery (order confirmation, contact) | United States | Standard Contractual Clauses |
| EasyTransac (Provence Telecom SAS) | Payment platform | France | Payment institution authorised by ACPR (No. 16958) |
| Checkout.com | Acquirer for card transactions (EasyTransac sub-processor) | European Union / United Kingdom | Authorised payment institution; PCI-DSS Level 1 certification |
No data is sold, rented or transferred to third parties for commercial purposes. No profiling or automated decision-making producing legal effects within the meaning of art. 22 GDPR is carried out.
5. Transfers outside the European Union
Cloudflare and Resend, established in the United States, may process some of your data outside the EU. These transfers are framed by: (i) their certification under the EU-US Data Privacy Framework adopted by Commission adequacy decision of 10 July 2023, and/or (ii) the signature of Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 of 4 June 2021.
6. Your rights
Pursuant to articles 15 to 22 GDPR and to the French Data Protection Act, you have the following rights over your data:
- Right of access (art. 15 GDPR)
- Right of rectification (art. 16)
- Right to erasure, the "right to be forgotten" (art. 17)
- Right to restriction of processing (art. 18)
- Right to data portability (art. 20)
- Right to object to processing (art. 21)
- Right to withdraw consent at any time, without affecting prior processing (notably for the newsletter, via the unsubscribe link in each issue)
- Right to give directives on the fate of your data after your death (art. 85 of the French Data Protection Act)
To exercise these rights, write to contact@aura-creative.com specifying your request. Proof of identity may be requested in case of reasonable doubt. A response will be provided within one month (extendable by two months for complex requests, art. 12 GDPR).
7. Complaint to the CNIL
If, after raising the issue with Aura Créative, you believe your rights have not been respected, you may lodge a complaint with the French Data Protection Authority (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, +33 1 53 73 22 22, www.cnil.fr.
8. Security
Aura Créative implements appropriate technical and organisational measures to preserve the security, confidentiality and integrity of your data: TLS encryption across the entire website (HTTPS), passwords hashed via PBKDF2-SHA256, session cookies signed with HMAC-SHA256, restricted access to the back-office. In case of a personal data breach posing a risk to your rights and freedoms, Aura Créative undertakes to notify the CNIL within 72 hours (art. 33 GDPR) and, if the risk is high, to inform you (art. 34).
9. Cookies
The list of cookies used and management options are set out on the Cookies page.
10. Changes
This policy may be amended. The date of last update is shown at the top. In case of substantial change, newsletter subscribers and customers having provided their email address may be informed electronically.