Privacy Policy
1) WHO IS THE CONTROLLER?
See the Contact Details Policy.
This policy covers processing carried out via poplarbio.com and associated channels (ordering, customer service, newsletter, social media pages managed by PoplarBio).
2) WHAT DATA DO WE COLLECT?
Depending on the case:
Identity and contact details: first/last name, postal address, email, phone.
Order data: products purchased, history, order number, comments, RMA.
Delivery data: addresses, instructions, pick-up point, parcel tracking.
Payment data: payment token and transaction information. We never store full card numbers; these are processed by our secure payment provider.
Customer relationship data: messages, reviews, support requests, contact preferences.
Marketing data: newsletter subscriptions, consents, unsubscribes.
Technical (browsing) data: IP, cookie identifiers, logs, device and browser type, pages viewed, time spent, events (with your consent where required).
Sensitive data: not requested. Please do not send us health information; if you do so in a free-text message, it will be used only to respond and promptly deleted if not necessary.
3) FOR WHAT PURPOSES AND ON WHAT LEGAL BASES?
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Managing your orders, payments, invoices, deliveries | Contract performance |
| Customer service, returns/RMA, statutory warranties | Contract performance |
| Managing your customer account | Contract performance |
| Prospecting (newsletter, offers) | Consent (opt-in); for customers, messages about similar products: legitimate interest with the right to object at any time |
| Audience measurement, personalisation, non-essential cookies | Consent |
| Anti-fraud and site security | Legitimate interest |
| Legal obligations (accounting, tax, warranties, product recall) | Legal obligation |
| Internal statistics, service optimisation | Legitimate interest |
4) HOW LONG DO WE KEEP YOUR DATA?
Account / orders: for the duration of the contractual relationship, then 5 years after the last purchase (civil limitation), unless longer obligations apply.
Invoices & accounting records: 10 years (legal obligation).
Prospects / newsletter: 3 years from last contact or until consent is withdrawn.
Technical, security and fraud logs: 6 months to 2 years depending on purpose.
Cookies: depending on type (see § 8). Non-essential trackers are kept for no more than 13 months, with related data kept up to 25 months.
When retention is no longer justified, data is deleted or anonymised.
5) WHO ARE THE RECIPIENTS OF YOUR DATA?
Secure payment provider (card processing, anti-fraud).
Banks and financial institutions involved in the transaction.
Logistics / shipping: carriers and shipping platforms to deliver your orders.
Hosting & IT: web host, backup, anti-spam, technical support.
Emailing / CRM: transactional email and newsletter platform.
Analytics / A/B testing: only after consent where required.
Authorities: where required by law, or to assert our rights.
These recipients act as processors (on PoplarBio’s instructions) or as joint controllers/independent controllers, as applicable. Appropriate agreements govern these transfers.
6) TRANSFERS OUTSIDE THE EUROPEAN UNION
Some providers may be located outside the EEA (e.g., in the United States). In such cases, we ensure the transfer relies on:
an adequacy decision by the European Commission (e.g., the EU-US Data Privacy Framework); or
Standard Contractual Clauses (SCCs) with additional measures where necessary.
7) YOUR RIGHTS
You have the right to access, rectify, erase, restrict the processing of, and port your data, to object (including to marketing), and to withdraw consent at any time.
To exercise these rights: write to contact@poplarbio.com, stating the purpose of your request and providing proof of identity if needed. We will respond within 1 month (extendable by 2 months due to complexity or number of requests).
You may also lodge a complaint with the competent supervisory authority:
Estonia: Andmekaitse Inspektsioon (AKI) – aki.ee
France: CNIL – cnil.fr
8) COOKIES & TRACKERS
On your first visit, a banner lets you accept, refuse, or customise non-essential trackers. You can withdraw your consent at any time via the Cookie Preferences button on the Site.
Categories used:
Necessary (exempt): cart operation, authentication, security, CMP consent.
Retention: session to 12 months.
Audience measurement (consent required, except in a strictly necessary configuration): traffic statistics.
Retention: up to 13 months.
Marketing / personalisation (consent): email/ads, retargeting.
Retention: depending on partner, max 13 months.
A detailed cookie table (name, provider, purpose, duration) is available via the consent manager and updated whenever changes occur.
9) SECURITY
We implement reasonable technical and organisational measures: TLS encryption, access control, permissions management, backups, access logging, encryption at rest where available from our providers, regular testing. Payments are processed via a PCI-DSS-compliant provider.
10) MINORS
The Site is not intended for minors. Sales of supplements are not intended for children. In France, for online marketing, consent for a child under 15 must be given/authorised by the holder of parental responsibility (in the EU, the age may vary between 13 and 16 depending on the country).
11) SOCIAL NETWORKS
When you interact with our pages on social networks, data is processed jointly by the platform and PoplarBio, according to the network’s settings and your consent where applicable. Please also refer to the platforms’ policies.
12) UPDATES TO THIS POLICY
We may amend this policy to reflect legal or technical changes. The last updated date appears at the top. For material changes, we will notify you via a notice on the Site and/or by email.
13) CONTACT
For any questions or to exercise your rights: contact@poplarbio.com
Postal address: PoplarBio – Sepapaja 6, 15551 Tallinn, Estonia