1. Introduction

This Privacy Policy describes how Craft collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.

By using the Craft application, you accept the practices described in this policy.

2. Data Controller

CRAFT
52 RUE JULES VERNE, 59120 LOOS, France
Email: support@bonjourcraft.com
Phone: +33 6 32 93 36 50

For any questions regarding the processing of your data, you can contact us at the email address above.

3. Data Collected

3.1. Identification data:

• First and last name
• Email address
• Phone number (optional)
• Profile photo
• Username

3.2. Professional data:

• Bio and description
• Skills and experience
• Professional title
• City and location
• Type of projects sought

3.3. Geolocation data:

• Latitude and longitude (with your consent)
• City and region

3.4. Connection data:

• Login credentials
• Connection history
• IP address
• Technical data (browser, device)

3.5. Content data:

• Creations and published projects
• Messages and comments
• Interactions with other users
• Permissions granted

4. Processing Purposes

4.1. Account management:

• Creation and maintenance of your profile
• Authentication and security
• Customer support

4.2. Platform features:

• Networking with other creatives
• Sharing creations and projects
• Messaging system
• Talent discovery

4.3. Notifications:

• Push notifications for interactions
• Service and information emails
• Security alerts

4.4. Service improvement:

• Usage analysis and statistics
• Development of new features
• Performance optimization

5. Legal Basis for Processing

5.1. Contract performance:

• Account management
• Provision of platform services
• Customer support

5.2. Consent:

• Precise geolocation
• Push notifications
• Third-party integrations
• Personalization cookies

5.3. Legitimate interest:

• Security and fraud prevention
• Service improvement
• Communication of important information

5.4. Legal obligation:

• Retention of billing data
• Response to authority requests

6. Data Recipients

6.1. Authorized Craft personnel:

• Technical team for maintenance
• Customer support for assistance
• Legal team if necessary

6.2. Service providers:

• Firebase (hosting and database)
• Push notification services
• Analytics and monitoring tools

6.3. Competent authorities:

• Upon legal or judicial request
• In case of emergency or security

6.4. Other users:

• Public profile information
• Shared creations and projects
• Messages in conversations

7. Data Transfers

7.1. Intra-EU transfers:

• Your data may be processed in the European Union
• All our providers are GDPR compliant

7.2. Transfers outside the EU:

• United States: Firebase (Google)
• Ireland: Google Cloud Platform
• These transfers are subject to appropriate safeguards:
• Standard contractual clauses of the European Commission
• Privacy Shield (for transfers to the United States)
• Data protection agreements with our providers
• You have the right to refuse these transfers
• Refusal may limit certain features

7.3. Transfer security:

• Encryption of data in transit
• Data protection agreements
• Transfer monitoring

8. Retention Period

8.1. Account data:

• During your registration period
• 3 years after account deletion (billing data)

8.2. Content data:

• During your registration period
• Immediate deletion upon your request

8.3. Connection data:

• 12 months maximum
• Longer retention if necessary for security

8.4. Geolocation data:

• During active session
• No permanent retention

8.5. Billing data:

• 10 years (legal obligation)

9. Your Rights

9.1. Right of access:

• Consult your personal data
• Obtain a copy of your data

9.2. Right of rectification:

• Correct inaccurate data
• Complete incomplete data

9.3. Right to erasure:

• Delete your data
• Close your account

9.4. Right to restriction:

• Restrict processing
• During verification of a dispute

9.5. Right to portability:

• Retrieve your data
• Transfer to another service

9.6. Right to object:

• Refuse processing
• Withdraw your consent

9.7. Right to withdraw consent:

• For processing based on consent
• Without affecting the lawfulness of prior processing

10. Exercising Your Rights

10.1. Main contact:

• Email: support@bonjourcraft.com
• Online form in the application

10.2. Response time:

• Response within 30 days maximum
• Possible extension of 60 days maximum if necessary
• Mandatory justification of extension

10.3. Free of charge:

• Exercise of rights free
• Reasonable fees in case of abusive requests

10.4. Identification:

• Identity document required
• Verification of your identity

10.5. Data Protection Officer:

• Contact: dpo@bonjourcraft.com
• For complex and technical questions
• Response within 48 hours for emergencies

11. Data Security

11.1. Technical measures:

• Encryption of data in transit and at rest
• Secure authentication
• Regular backups
• Access monitoring

11.2. Organizational measures:

• Staff training
• Security procedures
• Access controls
• Regular audits

11.3. Incident management:

• Notification procedure
• Risk assessment
• Corrective measures
• Information of authorities if necessary

11.4. Data breach:

• Notification to CNIL within 72 hours maximum
• Information of affected users within 48 hours
• Immediate remediation measures
• Mandatory documentation of the incident
• Post-incident audit and improvement of measures

12. Cookies and Similar Technologies

12.1. Technical cookies:

• Application operation
• Security and authentication
• No consent required

12.2. Analytics cookies:

• Usage statistics
• Service improvement
• Consent required

12.3. Personalization cookies:

• User preferences
• Personalized interface
• Consent required

12.4. Cookie management:

• Settings in the application
• Possible deactivation
• Impact on functionality

12.5. Third-party cookies:

• Firebase: operation and security (duration: session)
• Deactivation and consequences on functionality

13. Third-Party Integrations

13.1. Integrated platforms:

• Spotify: Sharing of musical preferences and playlists
• Instagram: Sharing of username (via links)
• LinkedIn: Sharing of professional information (via links)
• YouTube: Sharing of videos (via links)

13.2. Nature of integrations:

• Integrations via links and content sharing
• No OAuth authentication with these platforms
• Use of public APIs only
• Voluntary sharing by the user

13.3. Shared data:

• Only data that you choose to share
• With your explicit consent
• Possible revocation at any time

13.4. Third-party policies:

• Each platform has its own policy
• We encourage you to consult them
• We are not responsible for their practices

13.5. Google OAuth Authentication:

• When you sign up or sign in using the "Sign in with Google" button, we use Google OAuth to authenticate your account. This method works for both creating a new account and accessing an existing account.
• Data collected via Google OAuth:
• Your Google email address
• Your first and last name
• Your Google profile photo (optional)
• This data is collected directly from your Google account with your explicit consent during the OAuth connection process
• This data is stored in our database to manage your account and is used in accordance with this privacy policy
• You can revoke access to your Google account at any time through your Google account settings
• Revoking access will not delete your Craft account, but you will need to use an alternative authentication method (email or Apple Sign In) to access your account
• For more information about how Google handles your data, please consult Google's Privacy Policy: https://policies.google.com/privacy

14. Modifications of this Policy

14.1. Update:

• Regular review of this policy
• Adaptation to legal developments
• Improvement of transparency

14.2. Notification:

• Information via the application
• Email for important changes
• Reasonable notice period

14.3. Acceptance:

• Continued use = acceptance
• Possibility to refuse modifications
• Impact on service use

15. Contact, Complaints and Emergency Procedures

15.1. General questions:

• Email: support@bonjourcraft.com
• Support in the application

15.2. Data Protection Officer:

• Email: dpo@bonjourcraft.com
• Technical and legal questions

15.3. Supervisory authority:

• CNIL (Commission Nationale de l'Informatique et des Libertés)
• Website: www.cnil.fr
• Right to file a complaint

15.4. Mediation:

• Consumer mediator
• In case of persistent dispute

15.6. Emergency procedures:

• Data breach: dpo@bonjourcraft.com (response within 24 hours)
• Illegal content: support@bonjourcraft.com (immediate removal)
• Privacy violation: support@bonjourcraft.com (priority treatment)
• Technical emergencies: +33 6 32 93 36 50