Privacy policy
DirectOffice pays particular attention to the protection of personal data. This privacy policy describes how your data is collected, used, and protected in compliance with EU Regulation 2016/679 of 27 April 2016 (GDPR) and French Data Protection Act n° 78-17 of 6 January 1978 (as amended).
Last updated: 29/04/2026
Data controller
- Identity
- DirectOffice.fr (Société par actions simplifiée à associé unique (SASU))
- Trade name
- DirectOffice
- SIREN
- 103 663 597
- RCS
- RCS Paris 103 663 597
- Address
- 66 avenue des Champs-Élysées, 75008 Paris, France
- contact@directoffice.fr
- Legal representative
- Raphaël Jean-Claude RICCI (President)
Data collected
We collect only the data strictly necessary for the purposes described below. Depending on your use of the site, the following may be collected:
- Identification data: first name, last name, company name, email address, password (hashed), user role.
- Contact data: phone number, postal address, shipping address.
- Billing data: amount, taxes, payment method (without the full card number), any promo code, Stripe identifiers.
- Technical data: IP address, session identifiers, event logs, user agent.
- User-generated content: listings, photos, descriptions, generated QR codes.
Purposes and legal bases
- Creation and management of the user account (contract performance, art. 6.1.b GDPR).
- Order processing, payments, and invoice delivery (contract performance and legal obligation, art. 6.1.b and 6.1.c GDPR).
- Retention of invoices for 10 years (legal obligation, art. L123-22 of the French Commercial Code).
- Moderation and fraud prevention (legitimate interest, art. 6.1.f GDPR).
- Sending account- or order-related emails (contract performance).
Retention period
- User account: for the entire duration of the contractual relationship, then 3 years archived for commercial prospecting.
- Invoicing data: 10 years from the closing of the financial year (accounting and tax obligation).
- Technical logs: 12 months maximum (LCEN-mandated period for operators).
- Session cookie: 30 days. The site does not drop any non-strictly-necessary cookies.
Recipients and processors
Your data is never sold or rented. It is only accessible to authorised persons (internal administrators) and to a limited number of processors strictly bound by contract pursuant to article 28 GDPR:
- OVH SAS — hosting and backups (Roubaix, France).
- Stripe Payments Europe Ltd — payment processing (Ireland, European Union).
- La Poste / Colissimo — delivery of ordered posters and shipment tracking.
- Transactional email provider — delivery of emails related to your account and orders.
By default, your data is processed within the European Union. Where, if applicable, a processor is located outside the European Union (for example an email provider), the transfer is governed by appropriate safeguards, in particular the standard contractual clauses adopted by the European Commission.
Your rights
In accordance with articles 12 to 23 GDPR and the French Data Protection Act, you may exercise the following rights at any time:
- Right of access and right to portability.
- Right to rectification.
- Right to erasure ("right to be forgotten").
- Right to restriction of processing, exercised via the same email point of contact.
- Right to object on legitimate grounds, exercised via the same email point of contact.
- Right to set instructions regarding the fate of your data after your death.
To exercise these rights, contact contact@directoffice.fr with proof of identity. You also have the right to lodge a complaint with the French Data Protection Authority (CNIL, www.cnil.fr).
We respond to your request within one month of its receipt (art. 12.3 GDPR). This period may be extended by a further two months for complex or numerous requests; you will then be informed within one month of receiving the request.
Security
We implement appropriate technical and organisational measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access: TLS encryption on network exchanges, robust password hashing, database isolation, automated backups, access logging, least-privilege principle for administrators.
Minors
The service is not intended for minors under 15 and is not meant to be used by persons under 18 without the consent of their legal representative. We do not knowingly collect data concerning minors. If you believe a minor has provided us with personal data, please contact us: such data will be deleted as soon as possible after verification.
Cookies
The site only uses cookies and local storage strictly necessary for operation (authentication session, remembering that the cookie banner was dismissed). No advertising tracker or third-party audience measurement tool is dropped. For details, see our cookie policy.
Updates
This policy may evolve to reflect regulatory or technical changes. The last-updated date is shown at the top of the page. Substantial changes will be notified by email or via a visible banner on the site.