Updated on 15/05/2024
As part of its provision of the Application and/or the website accessible at https://o-tacos.com/fr/ (hereinafter referred to as "the Website") to Users and/or connection to the Application and/or the Website and/or use thereof by the User, O'TACOS HOLDING INTERNATIONAL (a simplified joint stock company with capital of 1.000 euros, whose registered office is at Cap Sud, 106, avenue Max Dormoy, 92120 MONTROUGE, registered in the NANTERRE Trade and Companies Register under number 819 957 101) and O'TACOS CORPORATION, (a simplified joint stock company with capital of 1.000,000, whose registered office is at Cap Sud, 106, avenue Max Dormoy, 92120 MONTROUGE, registered with the Nanterre Trade and Companies Register under number 809 849 615) collect and process the User's personal data. O'TACOS HOLDING INTERNATIONAL and O'TACOS CORPORATION (hereinafter collectively referred to as "O'TACOS" or "we") act in this capacity as data controllers within the meaning of the General Data Protection Regulation (GDPR)[1] .
The purpose of this personal data protection policy is to inform you of the methods of collecting, processing, using, sharing and protecting your personal data via the Application and/or the Website, the purposes for which it is used, and the rights you have with regard to said data.
WHEN YOU CREATE A PERSONAL ACCOUNT ON THE APPLICATION OR WEBSITE, WHEN YOU CONNECT TO THE APPLICATION OR WEBSITE AND WHEN YOU USE IT, YOU ACCEPT THAT YOUR PERSONAL DATA MAY BE COLLECTED AND PROCESSED IN ACCORDANCE WITH THE PROVISIONS OF THIS PERSONAL DATA PROTECTION POLICY. IF YOU DO NOT CONSENT TO THE TERMS OF THIS POLICY, YOU MUST NOT CREATE AN ACCOUNT ON THE APPLICATION AND/OR WEBSITE, OR USE THEM.
This personal data protection policy is governed by French law. Notwithstanding the foregoing, if the User is a consumer and his/her habitual residence is located in a European Union country other than France, the mandatory provisions of the User's country of residence will apply.
In the event of any dispute relating to this policy, the French courts shall have jurisdiction. Notwithstanding the foregoing, if the User is a consumer and his/her habitual residence is located in a European Union country other than France, the mandatory provisions of the User's country of residence will apply.
In the event that a legislative or regulatory amendment or a court ruling invalidates a clause of this personal data protection policy, the other clauses shall remain valid.
We may make changes to this personal data protection policy, in particular to comply with any changes in legislation, regulations, case law or technology. The version that can be consulted on the Application and the Website is the current version; the date of its update will be clearly identified at the top of the personal data protection policy.
Article 1: What is personal data?
Personal data (hereinafter referred to as "Personal Data") is any information relating directly or indirectly to an identified or identifiable natural person (surname, first name, telephone number, location data, etc.).
Article 2: What information is provided about the processing of personal data?
O'TACOS implements all of its Personal Data Processing in accordance with the relevant rules, and in particular:
The Processing of Personal Data carried out as part of the operation of the Website and the Application complies with the principles of fairness, legality and transparency. O'TACOS undertakes to provide clear, complete and easily accessible information on how such processing is carried out.
The scope of the use and management of the Website and the Application leads O'TACOS to carry out the Processing of Personal Data detailed in the table below:
Purpose of processing |
Personal data transmitted to O'TACOS |
Legal basis for processing personal data |
How long we keep your personal data |
Management of initial contact requests from users of the Website |
Last name, First name, Email, Address |
Legitimate interest of O'TACOS |
Retention for a period of 3 years after the last contact from the user of the Website |
Management of customer account creation via the Application |
Name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your O'TACOS product preference(s), Your favourite O'TACOS restaurant(s) |
Consent to use the Application |
Retention for a period of 3 years after the last order placed via the Application |
Loyalty programme management via the Application |
Name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable |
The User's consent to join the O'TACOS loyalty programme |
Retention for a period of 3 years from the last use of loyalty points on the Application |
Managing customer payments via the Application |
Surname, First Name, E-mail, Restaurants where the User has placed orders, Products ordered |
Contractual performance between O'TACOS and the User of the Application |
Retention for a period of 10 years from the date of issue of the invoices |
Management of the Click and Collect service via the Application or the Website |
Last name, First name, E-mail, Sex, Date of birth, Postal address, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable |
Contractual performance between O'TACOS and the User of the Application or the Website | Retention for a period of 3 years from the last order placed by the User of the Application or the Website |
O'TACOS Customer Service Management |
Last name, First name, Order reference, IBAN |
Legitimate interest of O'TACOS |
Retention for the duration of the start and end of the resolution of the User's dispute In the event of litigation, retention during all phases of litigation, then deletion once all avenues of appeal have been exhausted. |
Management of satisfaction surveys via O'TACOS restaurants |
Last name, First name, E-mail, Age, Date of birth, Postcode, Sex |
Legitimate interest of O'TACOS |
Retention for as long as necessary to achieve the purpose of the survey |
Newsletter management via the Application and/or the Website |
Last name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable |
The User's consent to receive newsletters and promotional offers |
Retention for a period of 3 years after the last interaction of the User of the Application and/or the Website with an interest in O'TACOS products. |
Managing the recruitment of new O'TACOS franchised restaurants via the Website |
Surname, First name, E-mail, Postal address, Telephone number, Date of birth, Professional life, CV, Proof of bank account status, Identity document |
Pre-contractual and contractual performance of O'TACOS and the franchised restaurant |
Retention for a period of 10 years after termination of the franchise agreement If the profile is not selected for the opening of the new franchised restaurant, retention for a period of 6 months |
Management of processing and responses to requests for individual rights via the Website and/or the Application |
Last name, First name, E-mail |
Legal obligation of O'TACOS |
Retention for a period of 10 years from the closure of the individual entitlement request |
Management of activity and traffic on the Website and Application |
Mobile IP address, Type of Internet browser, Operating system, IOS of the mobile or tablet, Connection URL including associated date and time, Content accessible via the Application and the Website. |
Legitimate interests of OTACOS |
Storage for a maximum of 13 months |
Management of dual authentication on the Application |
Email address |
Legitimate interest of O'TACOS |
Retention for the time of Customer authentication |
Article 3: Where is your personal data stored?
O'TACOS may store your personal data and pass them on to subcontractors for the following purposes:
In this context, O'TACOS undertakes to check that they comply with the rules on the protection of Personal Data, and to implement a dedicated contractual framework, under the conditions required by the aforementioned rules.
O'TACOS may also submit certain information to authorised persons and entities internally (company employees, management and agents) and externally, in particular to third parties authorised by virtue of legal, administrative or judicial prerogatives.
O'TACOS may transfer your Personal Data outside the European Union if you agree to your data being used for statistical purposes, audience measurement to improve our services and to send you newsletters and promotional offers.
Nevertheless, in the event of data being transferred outside the European Union, O'TACOS will apply the regulatory framework necessary and appropriate to the situation of the said Transfer, ensuring :
Article 4: Personal data of minors
In France, minors under the age of 15 may not create an account on the Application and the Website. Minors over the age of 15 may create their own account on the Application and the Website.
In Italy, minors under the age of 14 may not create an account on the Application and the Website. Minors over the age of 14 may create their own account on the Application and the Website.
In Belgium and Spain, minors under the age of 13 may not create an account on the Application and the Website. Minors over the age of 13 may create their own account on the Application and the Website.
In Luxembourg, the Netherlands, Germany and Switzerland, minors under the age of 16 may not create an account on the Application and the Website. Minors over the age of 16 may create their own account on the Application and the Website.
In the event that a parent or guardian with parental authority becomes aware that their child has provided us with Personal Data without their consent, we invite them to contact us in accordance with the procedures set out in Article 10 of this personal data protection policy.
We will take the necessary steps to remove this information from our database in accordance with applicable regulations.
Article 5: How is your Personal Data secured?
O'TACOS undertakes to take all necessary precautions to ensure the security of your Personal Data.
To this end, O'TACOS undertakes to apply all the technical and organisational Measures within the meaning of Article 32 of the RGPD, which will ensure the confidentiality, integrity and availability of Personal Data, and thus a sufficient level of protection of the latter.
O'TACOS and its employees have been trained and made aware of the protection of Personal Data, including the consideration and application of the said measures.
In the event of a breach of your Personal Data, i.e. if the Personal Data for which we are responsible suffers a security incident that results in a breach of its confidentiality, availability or integrity, we will notify the Commission Nationale de l'Informatique et des Libertés (CNIL), as well as any competent national supervisory authority, where applicable, under the conditions prescribed by the applicable regulations.
Article 6: What are your rights?
You have the right to request, at any time, the exercise of your individual rights, and in particular to request :
You may exercise these rights by contacting us through the following channels:
*By post:
O'TACOS CORPORATION
CAP SUD - 106 avenue Marx Dormoy
92120 MONTROUGE
O'TACOS HOLDING INTERNATIONAL
CAP SUD - 106 avenue Marx Dormoy
92120 MONTROUGE
*By e-mail:
[email protected], specifying "personal data" in the subject line of your email.
O'TACOS may, in certain cases necessary for your identification, make the implementation and processing of your request conditional upon the transmission of valid proof of identity.
O'TACOS undertakes to process any request concerning the exercise of your individual rights within thirty (30) days of receipt; this period may be extended to sixty (60) additional days in the event of complexity in the investigation of the request in particular. In this case, O'TACOS undertakes to keep you informed and to follow up the said requests.
If you believe that the processing of your Personal Data constitutes a breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, your place of work or the place where the breach occurred. The supervisory authorities are as follows:
You may also lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL) in France, by post at the following address CNIL - Service des plaintes, 3, place de Fontenoy -TSA 80715 -75334 PARIS CEDEX 07 Or online: https://www.cnil.fr/fr/cnil-direct/question/844 or https://www.cnil.fr/fr/plaintes.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.