Sculptor's Workshop

Privacy Policy

This policy explains how atelier-yo.fr collects, uses, stores, and protects personal data for visitors and account holders (user, admin, dev), including reservations and Google Auth Platform sign-in.

This document is provided for information and should be reviewed by legal counsel for a full compliance audit.

1. Data controller

Controller: Lionel Peron
Contact: contact@atelier-yo.fr
Website: https://atelier-yo.fr

2. Legal framework

  • Regulation (EU) 2016/679 (GDPR).
  • French Data Protection Act no. 78-17 (January 6, 1978).
  • ePrivacy Directive 2002/58/EC (cookies and trackers).
  • French Digital Economy Act no. 2004-575 (LCEN).

3. Data we collect

3.1 Account data

  • Name, email, avatar (if provided), account role.
  • Password hash, password update timestamp.
  • Email verification status, creation and update timestamps.

3.2 Authentication and security

  • Authenticated session cookie (`sculptor_session`, HttpOnly, 7-day duration).
  • Login attempts and temporary lockout after repeated failures.
  • 2FA-related data for dev/admin accounts and security technical logs.
  • Google reCAPTCHA v2 verification for login, sign-up, and reservations.

3.3 Google Auth Platform sign-in

  • OAuth provider identifier, email, name, and optional profile image.
  • OAuth account metadata (provider, scopes, technical expiration dates).
  • Used only for authentication and account security.

3.4 Reservation data

  • Artwork title, reference, status (REQUESTED, CONFIRMED, CANCELLED, PAID).
  • Name, email, customer notes, workshop notes, lifecycle timestamps.
  • Status history needed to process and track requests.

3.5 Technical and browsing data

  • IP address (rate limiting, anti-abuse, application security).
  • Technical cookies and consent preference stored in localStorage.
  • Performance and availability events used for monitoring.

4. Purposes and legal bases

  • Account creation and management: contract or pre-contractual steps (GDPR Art. 6(1)(b)).
  • Authentication, anti-fraud, security logs: legitimate interest in service security (Art. 6(1)(f)).
  • Google OAuth sign-in: user-requested authentication service (Art. 6(1)(b)) and security legitimate interest (Art. 6(1)(f)).
  • Reservation processing and workshop/customer communication: contract performance (Art. 6(1)(b)).
  • Administrative and evidentiary retention: legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)).

5. Cookies and similar technologies

  • Session cookie (`sculptor_session`): required for signed-in sessions.
  • `locale` cookie: language preference, set when consent is accepted.
  • `cookie_consent` localStorage key: stores banner preference.
  • Google reCAPTCHA third-party cookies (example: `_GRECAPTCHA`) to distinguish human users from bots.

Strictly necessary security and authentication cookies remain required for core service operation.

6. Recipients and processors

  • Hosting: Hetzner Online GmbH (server infrastructure).
  • Domain registrar: OVH SAS.
  • Google: Google reCAPTCHA and Google Auth Platform (OAuth).
  • Email delivery: SMTP provider for transactional messages.

Some processing may involve transfers outside the EEA through global providers. Where applicable, appropriate safeguards are used (such as standard contractual clauses and supplemental security controls).

7. Retention periods

  • User accounts: while active, then deletion/archiving as legally required.
  • Session cookie lifetime: up to 7 days.
  • Login attempt and security signals: limited, proportionate anti-abuse retention.
  • Unconfirmed reservations: operational retention followed by internal purge cycle.
  • Completed reservations/transactions: retained as required for admin/accounting follow-up.
  • Technical logs: retained for limited periods aligned with operational needs.

8. Your rights

You may exercise the following rights (GDPR Arts. 15-22):

  • Right of access.
  • Right to rectification.
  • Right to erasure (within legal limits).
  • Right to restriction of processing.
  • Right to object on legitimate grounds.
  • Right to data portability where applicable.

Contact us at contact@atelier-yo.fr. You may also lodge a complaint with your supervisory authority (in France: CNIL, https://www.cnil.fr).

9. Data security

  • Encryption in transit (HTTPS/TLS).
  • Password hashing and role-based access controls.
  • Rate limiting, temporary lockouts, and anti-bot verification.
  • Segregated privileged access and mandatory 2FA for privileged contexts.
  • Operational backup and restore procedures.

10. Minors

The service is not intended to knowingly collect personal data from minors without legally required authorization.

11. Policy updates

This policy may be updated at any time to reflect legal, technical, or operational changes. The online version prevails.

12. Useful links

Last updated: March 2, 2026.