Privacy Policy and Personal Data Protection Policy
Privacy and personal data protection policy updated on May 30, 2024 – Website: https://carte-de-restaurant.fr/
This English translation of our Privacy Policy and Personal Data Protection Policy is provided for informational purposes only. In case of discrepancies, the French version shall prevail.
In order to fulfill its obligations regarding the protection of its Users’ rights and transparency, while providing the best services, CARTE DE RESTAURANT has chosen to publish and implement a policy on the protection of personal data, summarized below.
This comprehensive policy presents clear, simple, and sincere information regarding the processing of Personal Data carried out by CARTE DE RESTAURANT in a single document.
Indeed, in the context of our activities on the Internet, we are required to collect, process, and retain a certain amount of data concerning our users, clients, prospects, and partners.
The purpose of this personal data protection policy is to inform Users about their rights, as well as the methods used by CARTE DE RESTAURANT to ensure the security of the data collected, in compliance with legal and regulatory requirements.
It should be noted that Regulation (EU) 2016/679 of April 27, 2016 (GDPR), which came into effect on May 25, 2018, provides a specific framework for the regulation and protection of Personal Data. This framework has been reinforced by the reform of the French Data Protection Act.
It is within this framework that this Personal Data Protection Policy is established.
This Policy is complemented by:
- Our legal notices: https://carte-de-restaurant.fr/en/legal-notice/
- Terms of Service: https://carte-de-restaurant.fr/en/terms-and-conditions/
- A cookie policy accessible when connecting to the site and via the following link: https://carte-de-restaurant.fr/en/eu-cookie-policy/
The purpose of this document is to provide all the information on the conditions under which CARTE DE RESTAURANT collects and processes Users’ Personal Data on the Site. By benefiting from the services provided by CARTE DE RESTAURANT, Users undertake to comply with and be bound by this Policy.
In this regard, and for certain specific processes, active consent will be requested from the User beforehand.
You can print or save this document using your Internet browser’s function (usually “File” then “Save as”).
By accepting the following data protection statement, you consent to CARTE DE RESTAURANT collecting, processing, and using your Personal Data in accordance with data protection laws and this Data Protection Statement.
1. Definitions
- Application: Computer solution that allows the User to use the Features and Services offered by CARTE DE RESTAURANT via the Internet and/or through a smartphone application;
- Data: Any element (information, texts, photographs, messages, etc.) collected by the User and implemented by CARTE DE RESTAURANT within the Site, Application, and Services through its use;
- Personal Data: Pursuant to Article 4.1 of the GDPR, refers to any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
- Feature: Each implemented element accessible and usable within the various Services;
- CARTE DE RESTAURANT: Website owned by the web agency ID&A, a limited liability company with a capital of 2,000 euros, headquartered at 17 rue Verdeau 33400 TALENCE, registered with the Bordeaux Trade and Companies Register under number 488 361 999, represented by Mr. Nicolas BALLION and Mr. Éric JULIAN, in their capacity as co-managers;
- Data Protection Act: Refers to Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms accessible online at the following address: https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2020-11-10;
- Access Means: Methods and/or functions by which the User can access one or more Services to use them for their own needs;
- Operator: Company operating various electronic communications networks necessary for accessing and using the Services;
- Policy: Refers to this policy on the Protection of Personal Data;
- Sites: CARTE DE RESTAURANT website, allowing the User to access the Services, namely https://carte-de-restaurant.fr/;
- User(s): Refers to any natural person accessing the Site and any person benefiting from the Services;
- Data Controller: Pursuant to Article 4.7 of the GDPR, refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- GDPR: Refers to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 accessible online at the following address: https://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=CELEX:32016R0679&from=FR;
- Services: All services made available to the User by CARTE DE RESTAURANT and accessible via Access Means;
- Processor: Pursuant to Article 4.8 of the GDPR, refers to the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller;
- Processing: Refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Third Party: Refers to natural persons who are not affiliated with CARTE DE RESTAURANT or other individuals with no relationship with CARTE DE RESTAURANT and/or the User;
All other terms used in this Policy are defined in Article 4 of the GDPR.
2. Who collects your data (data controller)?
SARL ID&A
17 rue Verdeau 33400 TALENCE
registered with the RCS of BORDEAUX under number 488 361 999
Therefore, the company ID&A (hereinafter “CARTE DE RESTAURANT”) determines the means and purposes of the collection and Processing of the Personal Data necessary for the User to use the Services, as well as other data necessary for establishing, monitoring, and improving the contractual relationship.
3. What are the activities of CARTE DE RESTAURANT?
CARTE DE RESTAURANT provides an online platform, accessible at https://carte-de-restaurant.fr/, allowing for the digitalization of establishment menus (including but not limited to: restaurants, bars, brasseries, company restaurants, institutional restaurants, etc.) to make them accessible to any User with a compatible smartphone via a unique QR Code.
In this regard, the Site allows Restaurateurs to input and manage their menus and provide their contact details.
Users wishing to access a digital menu scan/flash a QR Code using their compatible smartphone/tablet.
CARTE DE RESTAURANT does not intervene in any way in the relationship between the Restaurateur and the User; the Services are solely related to providing publishing services for Restaurateurs and viewing services for Users.
In addition, the Site allows Users to access:
- the list of registered Restaurateurs on the site.
Therefore, CARTE DE RESTAURANT offers Restaurateurs wishing to publish their menus the opportunity to display them along with any necessary information on the site https://carte-de-restaurant.fr/.
These Services are accessible on the Site https://carte-de-restaurant.fr/ and, if applicable, in the form of a mobile application for smartphones, tablets, and other smart devices and application program interfaces.
The Site https://carte-de-restaurant.fr/ is available in the French language.
For more information regarding the activities of CARTE DE RESTAURANT, please refer to our Terms and Conditions.
In order to provide you with the most suitable Services, it is necessary for us to collect and process certain Personal Data.
In this regard, CARTE DE RESTAURANT collects strictly necessary and limited Personal Data for the provision and improvement of Services, as well as for various legal, accounting, and tax obligations.
4. On what occasions does CARTE DE RESTAURANT collect personal data?
Personal Data is collected by CARTE DE RESTAURANT:
- During visits to our Website and, where applicable, our Application (login credentials);
- When creating an Account;
- When using the Website’s Services;
- During exchanges between a User and CARTE DE RESTAURANT through the contact form or direct contacts;
- During our interactions and your actions on our social media pages.
5. By what means does CARTE DE RESTAURANT collect personal data?
5.1. Channels for collecting personal data on the internet
Personal Data is collected by CARTE DE RESTAURANT directly from the individuals concerned through:
- The website: https://carte-de-restaurant.fr/;
- Direct contacts (phone, email, visits, etc.) between the User and CARTE DE RESTAURANT.
In addition, CARTE DE RESTAURANT has dedicated pages on the following social networks:
- Facebook: https://www.facebook.com/CarteDeRestaurant
- Instagram: https://www.instagram.com/carte_de_restaurant/
- LinkedIn: https://www.linkedin.com/company/carte-de-restaurant/
CARTE DE RESTAURANT is a joint controller for the processing of pages on the aforementioned social networks.
If you encounter any issues using the pages listed above, you can contact the respective operator (Facebook, Instagram, or others), or contact CARTE DE RESTAURANT directly.
5.2. Details regarding the use of social networks
The website https://carte-de-restaurant.fr/ uses social media buttons and integrations on its pages.
Most of the links on our Site pages containing social media content redirect to the respective sites and tools, and are not directly integrated into the page.
If you click on a share and/or content playback button, a new window will open, allowing you to access the content (possibly after entering your login information for the respective service).
For more information and to exercise your rights regarding the protection and security methods of these third-party providers, please visit the respective pages listed below:
- Facebook: https://fr-fr.facebook.com/privacy/policy
- Instagram: https://privacycenter.instagram.com/policy
- LinkedIn: https://fr.linkedin.com/legal/privacy-policy
6. For what purposes does CARTE DE RESTAURANT collect personal data?
CARTE DE RESTAURANT collects your Personal Data for the following purposes:
- Providing Services (improving customer experience);
- Establishing and monitoring the contractual relationship;
- Managing individual or professional prospects;
- Monitoring the business relationship;
- Billing and payment;
- Sending invoices via email;
- Managing disputes;
- Statistical analysis.
The collection of Data is strictly limited to achieving and monitoring the aforementioned purposes.
7. What are the legal grounds for the collection of personal data by CARTE DE RESTAURANT?
Article 6 of the GDPR states that processing is lawful only if at least one of the following conditions is met:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The first subparagraph of Article 6(1)(f) does not apply to processing carried out by public authorities in the performance of their tasks.
In this regard, CARTE DE RESTAURANT confirms that the processing activities are based on:
- The necessity for the performance of pre-contractual and contractual relations;
- Compliance with legal obligations, especially in accounting, tax, and identification matters;
- The legitimate interests pursued by the data controller.
In any case, we ensure not to disregard your interests or fundamental rights and freedoms by allowing you to object, at any time, to all or part of the processing described in this Personal Data Protection Policy.
We will inform you of the consequences of such objection on the provision of the requested service.
8. What data does CARTE DE RESTAURANT collect?
As part of our Services, we collect and process the following Personal Data:
- Collection based on establishing contractual or pre-contractual relationships:
  - Contact details of a User creating an Account or making a request via the Site’s form: title, last name, first name, company, postal address, email address, phone numbers, login ID excluding the password which remains personal and confidential, website, reason for the request, free text field, attached document;
  - Data related to Announcements: description of the Space, etc.
- Collection based on legal obligations:
  - Billing details: name, first name, address, order details, discounts, invoice amount, amount of discounts and benefits, payment date, payment incident, payment method used, any litigation;
- Collection based on legitimate interests:
  - Use of technical and strictly necessary cookies for the delivery of a Service expressly requested by the User or the Third Party;
  - Contact details collected from User’s social media: Facebook, Instagram, Twitter, Pinterest;
  - Tracking and marketing data: IP address, Connection data (dates, number of connections);
- Collection based on your consent:
  - Use of cookies other than technical cookies and those strictly necessary for the delivery of a Service expressly requested by the User or the Third Party. This consent can be withdrawn or modified at any time through the tool provided on the Site;
  - Email address and phone number for commercial prospecting aimed at individuals;
9. How does CARTE DE RESTAURANT ensure the security of my data?
CARTE DE RESTAURANT attaches fundamental importance to the security and confidentiality of the Data you communicate to us.
This policy is reflected in specific guidelines for the use of Data by our employees, as well as in the selection of Subcontractors who comply with the standards set by current regulations.
In addition, every CARTE DE RESTAURANT employee is committed to respecting strict policies on security and confidentiality.
In summary, CARTE DE RESTAURANT implements legal and organizational measures to ensure the best possible protection considering the type and purposes of the Personal Data collected, to protect said Data against alteration, accidental or unlawful loss, unauthorized use, disclosure, or access.
In this regard, CARTE DE RESTAURANT places fundamental importance on:
- Raising its employees’ awareness of confidentiality requirements;
- Ensuring its subcontractors comply with their confidentiality obligations;
- Securing access to its premises and IT platforms;
- Securing access, sharing, and transfer of Data;
- Implementing a general IT security policy;
- Carefully selecting partners and service providers based on their GDPR compliance.
9.1. Securing exchanges on the website
To ensure greater protection of exchanges made through our Site, we have chosen to secure it using TLS 1.2 with a 128-bit key.
The use of this encryption key and certificate secures exchanges made through the Site to access various functionalities.
9.2. Data storage
Personal Data is stored on servers with appropriate security measures located in Europe, complying with adequate security standards for the Data processed.
9.3. Confidentiality obligation
All CARTE DE RESTAURANT employees are subject to strict confidentiality obligations and are trained to comply with regulations on the protection of Personal Data.
In addition, all subcontractors selected by CARTE DE RESTAURANT have affirmed their commitment to comply with their obligations and are bound by confidentiality requirements.
9.4. Regarding online payment data
When processing Data to benefit from the Services, service providers subcontracted by CARTE DE RESTAURANT (such as payment service providers, etc.) only receive the Data necessary for the execution of their own services.
The Data transmitted is usable by our service providers solely for the execution of the tasks entrusted to them by CARTE DE RESTAURANT.
CARTE DE RESTAURANT only collects Personal Data concerning your contact details, email address, and the payment method used.
10. For how long can my data be kept by CARTE DE RESTAURANT?
Below is a list of the main retention periods applied by CARTE DE RESTAURANT:
| Type of data | Retention periods |
| --- | --- |
| Billing data and contract establishment data | 10 years from the end of CARTE DE RESTAURANT’s fiscal year |
| Commercial prospecting data (email address, phone number) | 3 years from the last interaction with the User |
| Data related to customer satisfaction surveys and reviews | 36 months |
| Data collected via a website form | 36 months from the form submission |
Upon expiry of the aforementioned retention periods, CARTE DE RESTAURANT will permanently and securely delete all Personal Data.
Personal Data printed on paper will be securely destroyed, including by cross-cut shredding or incineration of paper documents, or by other means. If stored electronically, they will be securely deleted.
Furthermore, CARTE DE RESTAURANT reserves the right to retain anonymized statistical data for longer periods than those mentioned above.
11. Does CARTE DE RESTAURANT collect “sensitive” data and/or data relating to children?
As a reminder, CARTE DE RESTAURANT operates in the restaurant industry.
The GDPR defines “sensitive” data as follows:
Information concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life. In principle, sensitive data can only be collected and processed with the explicit consent of individuals.
In this regard, CARTE DE RESTAURANT specifies that it does not generally collect sensitive data transmitted by the User during their order or when editing their preferences.
Any sensitive data that CARTE DE RESTAURANT may collect would only be through the customization tools made available to the User.
In this regard, the User undertakes not to disclose sensitive information and data concerning themselves or a third party during the product customization process, and to limit the information and data transmitted on the site to what is strictly necessary.
Regarding Personal Data relating to minors, Recital 38 of the GDPR states:
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
It is thus recalled that Article 7-1 of the Data Protection Act sets the age limit for the use of Personal Data at 15 years.
Moreover, CARTE DE RESTAURANT does not intend to collect Personal Data from minors under the age of 15, except for data that may be provided by the User during their order (first name, last name, date of birth).
12. What are the obligations of the users?
As a preliminary matter, the User must ensure the use of recognized and up-to-date internet access programs, including various add-ons to access the Services.
The User undertakes to provide CARTE DE RESTAURANT with accurate and up-to-date information directly concerning them.
In this regard, each User agrees, when transmitting data on the Site or directly, to comply with CARTE DE RESTAURANT’s General Terms and Conditions of Sale.
The User undertakes not to disclose (via email or through online forms) information that is not expressly requested by CARTE DE RESTAURANT and necessary for the provision of the Services.
13. Optional or mandatory nature of the collected personal data
Only data provided in a form field marked with an asterisk (*) are mandatory to benefit from CARTE DE RESTAURANT’s Services.
All additional data provided by the User are not mandatory and may be optionally provided by the User to enhance their customer experience.
14. Will my contact data be used for advertising purposes? Will I receive spam from CARTE DE RESTAURANT?
CARTE DE RESTAURANT does not engage in commercial prospecting through the sending of emails without prior consent and registration of the User in question.
In accordance with applicable regulatory and legal provisions, CARTE DE RESTAURANT may send you marketing offers or commercial offers only if you have given your clear, unequivocal, and explicit consent to receive such communications.
The user will have a means to freely and easily object to receiving prospecting emails by unsubscribing from CARTE DE RESTAURANT’s emailing database by clicking on the dedicated button, present in each email sent by CARTE DE RESTAURANT.
In any case, each email sent by CARTE DE RESTAURANT will be signed and clearly indicate the identity of the sender, as well as an unsubscribe method.
If you receive communications purportedly from CARTE DE RESTAURANT that do not include these indications, we invite you to contact CARTE DE RESTAURANT as soon as possible.
15. Where are the data collected by CARTE DE RESTAURANT processed?
CARTE DE RESTAURANT primarily processes data on servers located within Europe.
Our Subcontractors are mostly established within the European Economic Area. In rare cases and for specific Services, data collected by CARTE DE RESTAURANT may be transferred to Subcontractors located outside the European Union.
In such cases, CARTE DE RESTAURANT ensures that appropriate safeguards are provided by the Subcontractors to regulate the said transfer.
16. Who are the recipients of the collected data?
The Personal Data collected by CARTE DE RESTAURANT may be transmitted to Subcontractors selected by CARTE DE RESTAURANT, provided that such Data is necessary for the performance of their duties.
17. Are my data transferred outside of the European Union?
CARTE DE RESTAURANT strives to keep Personal Data within the European Union.
However, in rare cases and for specific Services, Personal Data collected by CARTE DE RESTAURANT may be transferred to Subcontractors located outside of the European Union and countries adhering to GDPR.
In such cases, CARTE DE RESTAURANT ensures that appropriate safeguards are provided by the Subcontractors to regulate any transfer of Personal Data by entering into specific contracts ensuring, in particular, the continued respect of Users’ rights.
18. CARTE DE RESTAURANT’s subcontractors for personal data
CARTE DE RESTAURANT relies on subcontractors to provide its Clients with the best Services.
| NAME OF SUBCONTRACTOR | COUNTRY | USE & OBJECT | GDPR POLICY LINK |
| --- | --- | --- | --- |
| PlanetHoster | Canada | Website hosting | https://www.planethoster.com/en/Privacy-Policy |
| Stripe | USA | Online payment tool | https://stripe.com/fr/legal/dpa |
19. Automation of transmissions and processing
Personal data collected by CARTE DE RESTAURANT is not subject to decisions based solely on automation.
Automation of decision-making or processing may occur as a supplementary process, but will always remain under the control of a human person.
20. What are the rights of users?
According to the current European regulations on data protection, each User has the right to obtain free information about the Personal Data collected by CARTE DE RESTAURANT.
Your rights and claims are as follows:
- Article 15 GDPR – Right to information about how Personal Data is processed by CARTE DE RESTAURANT;
- Article 17 GDPR – Right to erasure, this right does not apply to all collected Data;
- Article 20 GDPR – Right to data portability, this right applies only to Data collected based on consent and contractual relationship;
- Article 21 GDPR – Right to object.
For any request regarding these rights, the User can send their request to the contact details provided in the section “HOW TO CONTACT CARTE DE RESTAURANT?” of this document or via the “Export or deletion of personal data” form.
If necessary, CARTE DE RESTAURANT may request additional information (proof of identity, identifier, etc.) to verify your identity in exercising your rights.
21. Regarding website visits and cookies
CARTE DE RESTAURANT reminds users that the website (https://carte-de-restaurant.fr/) and its related sites are fully managed by ID&A.
Regarding cookies and consent management, users are encouraged to refer to the specific page available on the website.
22. How are users informed about changes to this data protection policy?
CARTE DE RESTAURANT reserves the right to modify this Data Protection Policy at any time.
CARTE DE RESTAURANT will inform users of any changes made to this policy through any means.
CARTE DE RESTAURANT encourages users to regularly review the Data Protection Policy to stay fully informed of its provisions.
23. Data Protection Authority
If you believe that CARTE DE RESTAURANT is not complying with its obligations regarding the protection of Personal Data, you have the right to contact the competent supervisory authority, which is the CNIL (French Data Protection Authority) (https://www.cnil.fr/en/home or 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07).
24. How to Contact CARTE DE RESTAURANT?
Users can contact CARTE DE RESTAURANT for any questions they may have regarding this Data Protection Policy at the following addresses:
- by email at: rgpd@carte-de-restaurant.fr
- using the form available at: https://carte-de-restaurant.fr/en/contact-us/