Privacy policy

Last updated: July 18, 2025

This personal data management policy aims to inform and present to the various users of the website www.cairn-sport.com (hereinafter referred to as "the Website") how the PUBLISHER processes the personal data collected as the data controller.

Data concerning users and customers in connection with the use of the Website and orders are processed by the PUBLISHER as the data controller under the conditions detailed below.

The PUBLISHER's contact details are listed in the legal notices.

The PUBLISHER has appointed a Data Protection Officer (DPO) who can be reached:

- by email at dpo@cairn-sport.com

- by postal mail at the following address: CAIRN - DPO, 55 T Avenue René Cassin, 69 009 Lyon

DESCRIPTION OF PROCESSING CARRIED OUT IN CONNECTION WITH THE USE OF THE WEBSITE AND ORDERS

In connection with the operation of the Website and its activity, the PUBLISHER may collect and process personal data, as the data controller, according to the methods detailed below:

Account Creation

Data collected: first name, last name, email address, password (not stored in clear text), login history, preferences, account creation date.

Data collected in connection with the order and order history.

Purposes: management of registration and customer account.

Legal basis: legitimate interests of the PUBLISHER to allow the creation of an account and to enable users to retrieve their information.

Data retention period:

- Active base: Retention during the account's active period and until the account is deleted by the user or after a period of 2 years of inactivity. The PUBLISHER will notify Users of any account inactive for more than 2 years of the upcoming deletion of the account if there is no response from the User within 90 days. In the absence of a response from the User, the PUBLISHER will delete the account and archive the data.

- Archive base: data may be retained for 5 years from the date of account deletion, based on the legitimate interests of the PUBLISHER for the purposes of establishing, exercising, or defending a legal claim (prescription period).

By exception to the above, account login logs are retained only for the duration of the account's activity.

The mandatory or optional nature of data entry is specified during collection. The mandatory communication of certain personal data is necessary for the PUBLISHER to implement the purposes specified above. Otherwise, the User will not be able to create their account.

Product Order

Data collected: account data and additionally, first name, last name, billing and shipping address(es) if different, payment method, order details, delivery method, exchanges, and correspondence regarding the order.

Purposes: Execution of obligations related to the order such as delivery, billing, and warranty or after-sales service obligations, if applicable;

- Management of returns and recalls; Conducting sales statistics. The data is anonymized for statistical purposes.

- Legal basis: Execution of the contract (general terms of sale) and legal obligations related to billing, accounting, and execution of warranties;

- Legitimate interests of the publisher for conducting statistics.

Data retention period:

- Active database: see account retention.

- Archive database: see account retention.

By exception to the above, invoices are kept for 10 years (accounting obligations). Contracts with a value greater than 120 euros are archived for 10 years (legal obligation).

The mandatory or optional nature of data entry is specified during collection. The mandatory communication of certain personal data is necessary for the PUBLISHER to implement the aforementioned purposes. Otherwise, the User will not be able to place an order.

Contact form

Data collected: request category (dropdown menu), subject of the request, last name, first name, email address, phone, country, city, and optionally, depending on the subject of the request: product serial number, defect details, attachment, comment.

Purposes: respond to messages sent via the form and create a contact file.

Legal basis: Legitimate interests of the PUBLISHER as part of its commercial prospecting activity.

Retention period: 3 years from the last contact or until opposition.

The mandatory or optional nature of data entry is specified during collection. The mandatory communication of certain personal data is necessary for the PUBLISHER to implement the aforementioned purposes. Otherwise, the User will not be able to use the contact form.

Sending newsletters

Data collected: email address, newsletters sent, opening clicks, and if available (account creation or order placement), last name, first name, purchase history.

Purposes: sending news emails and promotional offers concerning the PUBLISHER.

Legal basis: legitimate interests of the PUBLISHER as part of its commercial prospecting activity for clients, consent for non-clients.

Retention period: 3 years from the last contact or until opposition or withdrawal of consent.

Customer reviews

Data collected: First name or pseudonym, Email address, Rating (stars), Free comment, Submission date, Evaluated product reference

Purposes: Public display of customer reviews on the site. Moderation and verification of reviews. Improvement of product and service quality. Internal statistics related to products.

Legal basis: Legitimate interest of The EDITOR to allow other customers to benefit from a useful evaluation and maintain transparency

Retention period: 3 years after publication for verification or moderation purposes. Reviews are retained as long as they are relevant to the referenced products and published anonymously via a pseudonym or first name.

The mandatory or optional nature of data entry is specified during collection. The mandatory communication of certain personal data is necessary for the EDITOR to implement the aforementioned purposes. Otherwise, the User will not be able to create a review on a product.

User-Generated Content

Collected data: - Social account identifier (name/nickname). Shared content: photo, video, text. Associated metadata (publication date, possibly visible location, mentions). Explicit consent or dedicated hashtag: #CairnSport

Purposes: Highlighting content on the site, social networks, newsletters, communication media. Valuing the community. Product marketing and inspiration.

Legal basis: Explicit consent (e.g., use of the hashtag #CairnSport, rights transfer form)

Legitimate interest of the EDITOR in the case of unsolicited public shares and mention of the hashtag #CairnSport

Retention period:

- Content can be used up to 5 years after publication

- Personal metadata (social account, mentions, private messages) are retained for a maximum of 3 years for proof of consent or possible contact.

Cookies and trackers

Data is collected via cookies placed on users' browsers when they visit the Website, as described on the cookie management console.

In addition, the user is informed that personal data may be collected and processed via cookies, according to the terms described below:

Technical data:

- Collected data: IP address, browser type, language, operating system, timestamp, referrer URL, device type

- Purposes: Ensure site security, bug resolution, adapt display according to used screens.

- Legal basis: legitimate interests of the EDITOR within the framework of the operation and security of the Website

- Data retention period: 12 months from collection

Session cookie:

- Collected data: Temporary session identifier

- Purposes: Maintain the session open, secure navigation

- Legal basis: interests legitimate interests of the EDITOR within the framework of the operation of the Website

- Data retention period: duration of the user's session on the Website

Performance cookies:

- Data collected: Load time, errors, user journey, time spent, bounce rate

- Purposes: understanding user behavior on the website, optimizing content and improving website performance.

- Legal basis: consent

- Retention period: 13 months maximum after collection

Functionality cookies:

- Data collected: Display preferences, language, user options

- Purposes: Personalizing the user experience based on user choices and preferences

- Legal basis: consent

- Retention period: 6 to 13 months depending on the nature of the preference

Preference cookies:

- Data collected: Language choice, region, viewed products

- Purposes: Providing a personalized browsing experience and retaining user choices

- Legal basis: consent

- Retention period: 6 to 13 months, renewable in case of new interaction

Audience measurement cookies:

- Data collected: Pages viewed, time spent, clicks, traffic source

- Purposes: Website traffic analysis and improvement of User Experience

- Legal basis: consent

- Retention period: 13 months maximum

Targeting or advertising cookies:

- Data collected: Advertising identifiers, browsing history, viewed products, clicks

- Purposes: Adapting marketing campaigns to users' interests, tracking browsing habits, linking with social networks, measuring the effectiveness of advertising campaigns

- Legal basis: consent

- Retention period: 13 months maximum

Regarding third-party cookies: the EDITOR and its partners act as joint controllers for the processing of personal data collected via the cookies of its partners. Information regarding the partners is listed in the cookie management console.

Cookies used on our site

Our site uses different cookies to ensure its proper functioning, improve your user experience, and comply with legal obligations regarding data protection (GDPR/CCPA). Here is the list of cookies deposited by our partners:

Publisher Cookie Name Retention period Function

Axeptio (Agilitation) axeptio_all_vendors 6 months and 6 days Contains the complete list of all vendors/cookies declared in the Axeptio configuration. Serves as a reference for comparison with authorized vendors.

Axeptio (Agilitation) axeptio_authorized_vendors 6 months and 6 days List of cookie vendors authorized by the user after consent. Allows conditional triggering of third-party scripts.

Axeptio (Agilitation) axeptio_cookies 6 months and 6 days Main cookie containing GDPR consent information (date, unique identifier, consent status, etc.). Compatible with Google Consent Mode v2.

Shopify Inc. cart_currency 14 days Stores the selected currency for the shopping cart (e.g., EUR) to prevent accidental conversions during browsing.

Shopify Inc. keep_alive Session Technical session cookie for managing domain redirections and server load balancing. Expires upon browser closure.

Shopify Inc. localization 1 year Stores language and regional preferences (e.g., FR/French) to adapt content, currencies, dates, taxes, etc.

Shopify Inc. shopify_pay_redirect 1 day Manages payment-related redirections via Shop Pay. Secures transactions with a temporary "pending" value.

Shopify Inc. storefront_digest Session Security cookie protecting site areas with a password. Prevents re-authentication on every page.

Shopify Inc. tracking_consent 1 year Stores the tracking consent status. Used for GDPR/CCPA compliance and integration with Google Analytics, Meta Pixel, etc.

RECIPIENTS OF PERSONAL DATA

Data Controller: the data controller of these data is the company the PUBLISHER whose complete contact details are listed in the legal notices.

Recipients: in compliance with the purposes set out above, the personal data of the User and the User may be communicated:

- To the PUBLISHER's staff for the management of Internet site accounts and features as well as commercial management, contract follow-up, and execution of orders and after-sales service;

- To the PUBLISHER's technical suppliers (hosting provider, IT service providers) as well as payment establishments, delivery service providers, and its advisors if necessary.

USER RIGHTS ON THEIR PERSONAL DATA

The persons whose data is collected by the PUBLISHER have at any time, the following rights over their personal data:

- Right of access: obtain confirmation of the processing of their personal data as well as a certain amount of information on the processing, it being understood that this information is in any case given in this personal data protection policy

- Right of rectification: obtain the rectification of their personal data when they are inaccurate or incomplete;

- Right to erasure ("right to be forgotten"): obtain the erasure of their personal data when they are no longer necessary in relation to the purposes for which they were collected or in case of opposition to the processing of their personal data.

The right to erasure is not enforceable in the cases provided for in Article 17.3 of the GDPR. In particular, this right is not open as long as the user wishes to use the platform, these personal data being necessary for the PUBLISHER to provide the service.

- Right to restriction of processing: obtain the restriction of processing of their personal data, especially in case of contestation of the accuracy of the data, when the data retention period has expired but the person whose data is processed still needs to keep these personal data for the establishment, exercise or defense of a legal claim;

- Right to data portability: obtain the communication of personal data communicated to the PUBLISHER in a readable format, or request the PUBLISHER to transfer the communicated personal data to another data controller;

- Right to object: object at any time, for reasons related to their personal situation, to the processing of their personal data based on the legitimate interest of the PUBLISHER, unless there is a compelling reason for the PUBLISHER;

- Right to withdraw consent: withdraw their consent for data processing based on it, the withdrawal of consent being applicable for the future;

- Right to lodge a complaint: lodge a complaint with the National Commission for Computing and Liberties if the person whose data is processed considers that the processing carried out by the PUBLISHER constitutes a violation of their personal data;

- Right to define directives regarding the fate of their personal data after their death.

These rights can be exercised at any time with the PUBLISHER:

- By email at the following address: customer.care@cairn-sport.com

- By postal mail at the following address: Cairn – Customer Service – 55 T Avenue René Cassin, 69 009 Lyon, France