Back to homePrivacy

Privacy policy

DirectOffice pays particular attention to the protection of personal data. This privacy policy describes how your data is collected, used, and protected in compliance with EU Regulation 2016/679 of 27 April 2016 (GDPR) and French Data Protection Act n° 78-17 of 6 January 1978 (as amended).

Last updated: 29/04/2026

Data controller

Identity
DirectOffice.fr (Société par actions simplifiée à associé unique (SASU))
Trade name
DirectOffice
SIREN
103 663 597
RCS
RCS Paris 103 663 597
Address
66 avenue des Champs-Élysées, 75008 Paris, France
Email
contact@directoffice.fr
Legal representative
Raphaël Jean-Claude RICCI (President)

Data collected

We collect only the data strictly necessary for the purposes described below. Depending on your use of the site, the following may be collected:

  • Identification data: first name, last name, company name, email address, password (hashed), user role.
  • Contact data: phone number, postal address, shipping address.
  • Billing data: amount, taxes, payment method (without the full card number), any promo code, Stripe identifiers.
  • Technical data: IP address, session identifiers, event logs, user agent.
  • User-generated content: listings, photos, descriptions, generated QR codes.

Purposes and legal bases

  • Creation and management of the user account (contract performance, art. 6.1.b GDPR).
  • Order processing, payments, and invoice delivery (contract performance and legal obligation, art. 6.1.b and 6.1.c GDPR).
  • Retention of invoices for 10 years (legal obligation, art. L123-22 of the French Commercial Code).
  • Moderation and fraud prevention (legitimate interest, art. 6.1.f GDPR).
  • Sending account- or order-related emails (contract performance).

Retention period

  • User account: for the entire duration of the contractual relationship, then 3 years archived for commercial prospecting.
  • Invoicing data: 10 years from the closing of the financial year (accounting and tax obligation).
  • Technical logs: 12 months maximum (LCEN-mandated period for operators).
  • Session cookie: 30 days. The site does not drop any non-strictly-necessary cookies.

Recipients and processors

Your data is never sold or rented. It is only accessible to authorised persons (internal administrators) and to a limited number of processors strictly bound by contract pursuant to article 28 GDPR:

  • OVH SAS — hosting and backups (Roubaix, France).
  • Stripe Payments Europe Ltd — payment processing (Ireland, European Union).
  • La Poste / Colissimo — delivery of ordered posters and shipment tracking.
  • Transactional email provider — delivery of emails related to your account and orders.

By default, your data is processed within the European Union. Where, if applicable, a processor is located outside the European Union (for example an email provider), the transfer is governed by appropriate safeguards, in particular the standard contractual clauses adopted by the European Commission.

Your rights

In accordance with articles 12 to 23 GDPR and the French Data Protection Act, you may exercise the following rights at any time:

  • Right of access and right to portability.
  • Right to rectification.
  • Right to erasure ("right to be forgotten").
  • Right to restriction of processing, exercised via the same email point of contact.
  • Right to object on legitimate grounds, exercised via the same email point of contact.
  • Right to set instructions regarding the fate of your data after your death.

To exercise these rights, contact contact@directoffice.fr with proof of identity. You also have the right to lodge a complaint with the French Data Protection Authority (CNIL, www.cnil.fr).

We respond to your request within one month of its receipt (art. 12.3 GDPR). This period may be extended by a further two months for complex or numerous requests; you will then be informed within one month of receiving the request.

Security

We implement appropriate technical and organisational measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access: TLS encryption on network exchanges, robust password hashing, database isolation, automated backups, access logging, least-privilege principle for administrators.

Minors

The service is not intended for minors under 15 and is not meant to be used by persons under 18 without the consent of their legal representative. We do not knowingly collect data concerning minors. If you believe a minor has provided us with personal data, please contact us: such data will be deleted as soon as possible after verification.

Cookies

The site only uses cookies and local storage strictly necessary for operation (authentication session, remembering that the cookie banner was dismissed). No advertising tracker or third-party audience measurement tool is dropped. For details, see our cookie policy.

Updates

This policy may evolve to reflect regulatory or technical changes. The last-updated date is shown at the top of the page. Substantial changes will be notified by email or via a visible banner on the site.