Last updated: 18 May 2026 — GDPR-compliant (EU 2016/679), with CCPA (California) and UK GDPR overlays.
1. Who we are (Data Controller)
BATI Z (Société à Responsabilité Limitée), SIRET 882 651 011 00018, registered office 14 Rue Régine Gosset, 93300 Aubervilliers, France (“Batizz”, “we”, “us”). We are the data controller for personal data collected through batizz.com. We fall below the threshold at which GDPR Article 37 requires the appointment of a Data Protection Officer (DPO), but you can reach our internal privacy contact at privacy@batizz.com.
2. What personal data we collect, why, and on what legal basis
| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Name, billing address, shipping address, email, phone | Process and ship your order; legal accounting | Performance of contract (b) + Legal obligation (c) | 10 years (French Code de commerce Art. L123-22) |
| Account credentials (email + hashed password) and order history | Account management, repeat purchase | Performance of contract (b) + Legitimate interest (f) for security | Until you delete the account |
| Card details (last 4 digits + expiry only) | Display of saved cards | Performance of contract (b) | 13 months (Stripe-side retention; we never see full card numbers) |
| Full card details | Payment processing | Performance of contract (b) | Stripe retention only — never reaches our servers |
| IP address, user-agent, language | Security (anti-fraud, login audit) | Legitimate interest (f) | 12 months |
| Newsletter email + consent record | Marketing | Consent (a) | Until you unsubscribe |
| Cookies — analytics (e.g. _ga) | Site usage analytics | Consent (a) | Up to 2 years (Google), revocable any time |
| Cookies — marketing (e.g. _fbp) | Retargeting | Consent (a) | Up to 3 months, revocable any time |
| Support correspondence (email, photos you send) | Resolve your support request | Performance of contract (b) + Legitimate interest (f) | 3 years after closure |
| Cookie consent log | Proof of consent | Legal obligation (c) | 5 years |
3. Processors (who handles your data on our behalf)
| Service | Role | Country | Safeguard |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) | Within EU |
| Hostinger International Ltd. | Web hosting | EU data centres | Within EU |
| Intuit Mailchimp | Newsletter (optional) | United States | EU Standard Contractual Clauses + DPF |
| Google Ireland Ltd. (Analytics, if accepted) | Anonymous analytics | Ireland / US | SCCs + IP truncation |
| DPD, Colissimo, USPS, FedEx | Shipping | Various | Only name/address shared |
| French and EU tax authorities | Tax obligations | EU | Legal obligation |
We do not sell your personal data to anyone. We do not engage in cross-context behavioural advertising as defined by California Civil Code §1798.140.
4. International transfers
Where data leaves the EEA (mainly to Mailchimp and Google when you opt into those cookies), we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, for the US, on the EU-US Data Privacy Framework (DPF) where the recipient is certified. You may request a copy of the relevant safeguard at privacy@batizz.com.
5. Your rights
You have the following rights, which you may exercise free of charge by emailing privacy@batizz.com. We respond within 30 days (extendable by 60 days for complex requests). You may need to verify your identity.
- Access — receive a copy of the personal data we hold about you (GDPR Art. 15).
- Rectification — correct inaccurate data (Art. 16).
- Erasure (“right to be forgotten”) — delete data where there is no longer a lawful reason to keep it (Art. 17). Note: legally required retention (e.g. invoices) cannot be deleted before the retention period ends.
- Restriction of processing (Art. 18).
- Data portability — receive your data in a machine-readable format (Art. 20).
- Objection to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Not be subject to a decision based solely on automated processing (we do not currently make such decisions).
- Complain to a supervisory authority — for French residents, the CNIL. For other EU residents, your local DPA. For UK residents, the ICO.
5b. California residents (CCPA)
If you are a California resident: you have rights to know, delete, correct, and limit the use of sensitive personal information. We do not “sell” or “share” personal information for cross-context behavioural advertising. Contact privacy@batizz.com. We do not require verification beyond what is necessary to confirm your identity.
6. How we secure your data
- HTTPS / TLS 1.3 across the entire Site.
- Bcrypt-hashed passwords; we never store plain-text credentials.
- Payment data tokenised by Stripe (PCI-DSS Level 1).
- Daily encrypted backups, 30-day retention.
- Access to personal data restricted on a need-to-know basis with audit logging.
- Annual employee security awareness review.
In the unlikely event of a personal data breach likely to result in a risk to your rights, we will notify the CNIL within 72 hours (GDPR Art. 33) and, where the risk is high, notify you directly without undue delay (Art. 34).
7. Children
The Site is intended for adults. We do not knowingly collect personal data from anyone under 16. If you believe we have, email privacy@batizz.com and we will delete the data.
8. Cookies
See our Cookie Policy for the full list of cookies, their purposes, and how to manage your preferences.
9. Changes to this policy
We may update this policy. Material changes will be communicated by email to account holders and prominently flagged on this page for 30 days before they take effect. The “last updated” date at the top tracks revisions.
10. Contact
For any privacy question or to exercise a right: privacy@batizz.com.
