Personal data protection policy

Updated on 15/05/2024

As part of its provision of the Application and/or the website accessible at https://o-tacos.com/fr/ (hereinafter referred to as "the Website") to Users and/or connection to the Application and/or the Website and/or use thereof by the User, O'TACOS HOLDING INTERNATIONAL (a simplified joint stock company with capital of 1.000 euros, whose registered office is at Cap Sud, 106, avenue Max Dormoy, 92120 MONTROUGE, registered in the NANTERRE Trade and Companies Register under number 819 957 101) and O'TACOS CORPORATION, (a simplified joint stock company with capital of 1.000,000, whose registered office is at Cap Sud, 106, avenue Max Dormoy, 92120 MONTROUGE, registered with the Nanterre Trade and Companies Register under number 809 849 615) collect and process the User's personal data. O'TACOS HOLDING INTERNATIONAL and O'TACOS CORPORATION (hereinafter collectively referred to as "O'TACOS" or "we") act in this capacity as data controllers within the meaning of the General Data Protection Regulation (GDPR)[1] .

The purpose of this personal data protection policy is to inform you of the methods of collecting, processing, using, sharing and protecting your personal data via the Application and/or the Website, the purposes for which it is used, and the rights you have with regard to said data.

WHEN YOU CREATE A PERSONAL ACCOUNT ON THE APPLICATION OR WEBSITE, WHEN YOU CONNECT TO THE APPLICATION OR WEBSITE AND WHEN YOU USE IT, YOU ACCEPT THAT YOUR PERSONAL DATA MAY BE COLLECTED AND PROCESSED IN ACCORDANCE WITH THE PROVISIONS OF THIS PERSONAL DATA PROTECTION POLICY. IF YOU DO NOT CONSENT TO THE TERMS OF THIS POLICY, YOU MUST NOT CREATE AN ACCOUNT ON THE APPLICATION AND/OR WEBSITE, OR USE THEM.

This personal data protection policy is governed by French law. Notwithstanding the foregoing, if the User is a consumer and his/her habitual residence is located in a European Union country other than France, the mandatory provisions of the User's country of residence will apply.

In the event of any dispute relating to this policy, the French courts shall have jurisdiction. Notwithstanding the foregoing, if the User is a consumer and his/her habitual residence is located in a European Union country other than France, the mandatory provisions of the User's country of residence will apply.

In the event that a legislative or regulatory amendment or a court ruling invalidates a clause of this personal data protection policy, the other clauses shall remain valid.

We may make changes to this personal data protection policy, in particular to comply with any changes in legislation, regulations, case law or technology. The version that can be consulted on the Application and the Website is the current version; the date of its update will be clearly identified at the top of the personal data protection policy.

Article 1: What is personal data?

Personal data (hereinafter referred to as "Personal Data") is any information relating directly or indirectly to an identified or identifiable natural person (surname, first name, telephone number, location data, etc.).

Article 2: What information is provided about the processing of personal data?

O'TACOS implements all of its Personal Data Processing in accordance with the relevant rules, and in particular:

  • General Regulation on the Protection of Personal Data no. 2016/679 which came into force on 25 May 2018, as well as,
  • French Data Protection Act no. 78-17 of 6 January 1978, as amended.

The Processing of Personal Data carried out as part of the operation of the Website and the Application complies with the principles of fairness, legality and transparency. O'TACOS undertakes to provide clear, complete and easily accessible information on how such processing is carried out.

The scope of the use and management of the Website and the Application leads O'TACOS to carry out the Processing of Personal Data detailed in the table below:

Purpose of processing

Personal data transmitted to O'TACOS

Legal basis for processing personal data

How long we keep your personal data

Management of initial contact requests from users of the Website

Last name, First name, Email, Address

Legitimate interest of O'TACOS

Retention for a period of 3 years after the last contact from the user of the Website

Management of customer account creation via the Application

Name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your O'TACOS product preference(s), Your favourite O'TACOS restaurant(s)

Consent to use the Application

Retention for a period of 3 years after the last order placed via the Application

Loyalty programme management via the Application

Name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable

The User's consent to join the O'TACOS loyalty programme

Retention for a period of 3 years from the last use of loyalty points on the Application

Managing customer payments via the Application

Surname, First Name, E-mail, Restaurants where the User has placed orders, Products ordered

Contractual performance between O'TACOS and the User of the Application

Retention for a period of 10 years from the date of issue of the invoices

Management of the Click and Collect service via the Application or the Website

Last name, First name, E-mail, Sex, Date of birth, Postal address, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable

Contractual performance between O'TACOS and the User of the Application or the Website Retention for a period of 3 years from the last order placed by the User of the Application or the Website

O'TACOS Customer Service Management

Last name, First name, Order reference, IBAN

Legitimate interest of O'TACOS

Retention for the duration of the start and end of the resolution of the User's dispute

In the event of litigation, retention during all phases of litigation, then deletion once all avenues of appeal have been exhausted.

Management of satisfaction surveys via O'TACOS restaurants

Last name, First name, E-mail, Age, Date of birth, Postcode, Sex

Legitimate interest of O'TACOS

Retention for as long as necessary to achieve the purpose of the survey

Newsletter management via the Application and/or the Website

Last name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable

The User's consent to receive newsletters and promotional offers

Retention for a period of 3 years after the last interaction of the User of the Application and/or the Website with an interest in O'TACOS products.

Managing the recruitment of new O'TACOS franchised restaurants via the Website

Surname, First name, E-mail, Postal address, Telephone number, Date of birth, Professional life, CV, Proof of bank account status, Identity document

Pre-contractual and contractual performance of O'TACOS and the franchised restaurant

Retention for a period of 10 years after termination of the franchise agreement

If the profile is not selected for the opening of the new franchised restaurant, retention for a period of 6 months

Management of processing and responses to requests for individual rights via the Website and/or the Application

Last name, First name, E-mail

Legal obligation of O'TACOS

Retention for a period of 10 years from the closure of the individual entitlement request

Management of activity and traffic on the Website and Application

Mobile IP address, Type of Internet browser, Operating system, IOS of the mobile or tablet, Connection URL including associated date and time, Content accessible via the Application and the Website.

Legitimate interests of OTACOS

Storage for a maximum of 13 months

Management of dual authentication on the Application

Email address

Legitimate interest of O'TACOS

Retention for the time of Customer authentication

 

Article 3: Where is your personal data stored?

O'TACOS may store your personal data and pass them on to subcontractors for the following purposes:

  • Management of the hosting of the Website and the Application,
  • Management of the Click and Collect service via the Application or the Website,
  • Online payment management via the Application,
  • Management of satisfaction surveys via O'TACOS restaurants,
  • O'TACOS customer service management,
  • Managing the recruitment of new O'TACOS franchised restaurants,
  • The management of newsletters and promotional offers via the Website and/or the Application,
  • Management of IT resources and maintenance of the Website and the Application.

In this context, O'TACOS undertakes to check that they comply with the rules on the protection of Personal Data, and to implement a dedicated contractual framework, under the conditions required by the aforementioned rules.

O'TACOS may also submit certain information to authorised persons and entities internally (company employees, management and agents) and externally, in particular to third parties authorised by virtue of legal, administrative or judicial prerogatives.

O'TACOS may transfer your Personal Data outside the European Union if you agree to your data being used for statistical purposes, audience measurement to improve our services and to send you newsletters and promotional offers.

Nevertheless, in the event of data being transferred outside the European Union, O'TACOS will apply the regulatory framework necessary and appropriate to the situation of the said Transfer, ensuring :

  • Personal Data is transferred to an adequate country with an adequate level of protection, or,
  • Signing the Standard Contractual Clauses (SCC) proposed by the European Commission or,
  • Any other guarantee considered appropriate within the meaning of Article 46 of the RGPD.

 

Article 4: Personal data of minors

In France, minors under the age of 15 may not create an account on the Application and the Website. Minors over the age of 15 may create their own account on the Application and the Website.

In Italy, minors under the age of 14 may not create an account on the Application and the Website. Minors over the age of 14 may create their own account on the Application and the Website.

In Belgium and Spain, minors under the age of 13 may not create an account on the Application and the Website. Minors over the age of 13 may create their own account on the Application and the Website.

In Luxembourg, the Netherlands, Germany and Switzerland, minors under the age of 16 may not create an account on the Application and the Website. Minors over the age of 16 may create their own account on the Application and the Website.

In the event that a parent or guardian with parental authority becomes aware that their child has provided us with Personal Data without their consent, we invite them to contact us in accordance with the procedures set out in Article 10 of this personal data protection policy.

We will take the necessary steps to remove this information from our database in accordance with applicable regulations.

 

Article 5: How is your Personal Data secured?

O'TACOS undertakes to take all necessary precautions to ensure the security of your Personal Data.

To this end, O'TACOS undertakes to apply all the technical and organisational Measures within the meaning of Article 32 of the RGPD, which will ensure the confidentiality, integrity and availability of Personal Data, and thus a sufficient level of protection of the latter.

O'TACOS and its employees have been trained and made aware of the protection of Personal Data, including the consideration and application of the said measures.

In the event of a breach of your Personal Data, i.e. if the Personal Data for which we are responsible suffers a security incident that results in a breach of its confidentiality, availability or integrity, we will notify the Commission Nationale de l'Informatique et des Libertés (CNIL), as well as any competent national supervisory authority, where applicable, under the conditions prescribed by the applicable regulations.

 

Article 6: What are your rights?

You have the right to request, at any time, the exercise of your individual rights, and in particular to request :

  • Access to your Personal Data in a clear and comprehensible format in order to find out what information O'TACOS processes about you,
  • Rectification leading to the modification of any Personal Data that is incomplete or incorrectly processed by O'TACOS,
  • The deletion of your Personal Data under conditions predetermined by the applicable Regulations,
  • Limiting the processing of Personal Data under conditions predetermined by the applicable Regulations,
  • The possibility of objecting to data processing on legitimate grounds,
  • The portability of Personal Data in a clear and easily machine-readable format, with the possibility of transmitting said Data to another organisation,
  • Determining the fate of your Personal Data in the event of your death, with the transmission of specific directives to O'TACOS.

 

You may exercise these rights by contacting us through the following channels:

*By post:

O'TACOS CORPORATION

CAP SUD - 106 avenue Marx Dormoy

92120 MONTROUGE

 

O'TACOS HOLDING INTERNATIONAL

CAP SUD - 106 avenue Marx Dormoy

92120 MONTROUGE

 

*By e-mail:

[email protected], specifying "personal data" in the subject line of your email.

O'TACOS may, in certain cases necessary for your identification, make the implementation and processing of your request conditional upon the transmission of valid proof of identity.

O'TACOS undertakes to process any request concerning the exercise of your individual rights within thirty (30) days of receipt; this period may be extended to sixty (60) additional days in the event of complexity in the investigation of the request in particular. In this case, O'TACOS undertakes to keep you informed and to follow up the said requests.

If you believe that the processing of your Personal Data constitutes a breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, your place of work or the place where the breach occurred. The supervisory authorities are as follows:

You may also lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL) in France, by post at the following address CNIL - Service des plaintes, 3, place de Fontenoy -TSA 80715 -75334 PARIS CEDEX 07 Or online: https://www.cnil.fr/fr/cnil-direct/question/844 or https://www.cnil.fr/fr/plaintes.

 

 

 


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.