Privacy Policy
Last updated: 2026-05-22
This policy describes how Romain Lacube EI (trading as CosmeticsReady) processes personal data in the context of the cosmeticsready.com site and the CosmeticsReady Shopify app, in accordance with the GDPR (EU) 2016/679 and the French Data Protection Act.
1. Data controller
Romain Lacube — Entrepreneur individuel (EI) · 315 chemin de la Croix Verte, 13090 Aix-en-Provence, France · SIRET 848 852 356 00031
GDPR contact: [email protected].
2. Data collected
2.1 Via the Shopify app (once installed)
- Shopify store ID and domain
- Store owner's email (transmitted by Shopify during OAuth installation)
- Product catalogue (title, variants) — this data is public
- Cosmetic composition entered by the merchant (INCI ingredients, manufacturer, EU responsible person, safety warnings) — provided voluntarily by the Customer
We collect no data relating to end customers (no orders, no carts, no addresses, no payment methods).
2.2 Via the website (cosmeticsready.com)
- A functional cookie cr_lang storing your language preference (no consent required)
- No analytics, advertising or tracking cookies are used on the marketing site
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Service provision (compliant display) | Contract performance (art. 6.1.b) |
| Billing and accounting obligations | Legal obligation (art. 6.1.c) |
| Support and Service improvement | Legitimate interest (art. 6.1.f) |
| Remembering your language preference | Functional, strictly necessary |
4. Recipients and sub-processors
| Sub-processor | Role | Location |
|---|---|---|
| Shopify Inc. | App installation, billing | Canada / EU (DPF) |
| Cloudflare, Inc. | Marketing site hosting (Pages), CDN, DNS | United States (DPF) / EU edge |
| Fly.io, Inc. | App hosting | EU (Paris, cdg) |
| Neon Inc. | Managed database (Postgres) | EU |
| Resend, Inc. | Transactional email | United States (DPF) |
5. Retention periods
- Active customer data: subscription duration + 12 months after uninstallation.
- Cosmetic composition entered: subscription duration + 12 months.
- Accounting data: 10 years (legal obligation).
- Technical logs: 12 months.
- Language cookie (cr_lang): 12 months.
6. Your rights
In accordance with articles 15 to 22 of the GDPR: access, rectification, erasure, restriction, portability, objection, withdrawal of consent.
How to exercise: [email protected]. Response within 1 month. You may file a complaint with the French data protection authority (CNIL, www.cnil.fr). Uninstalling the app triggers the deletion of your store data in accordance with Shopify's mandatory privacy webhooks.
7. Cookies
The marketing site uses a single strictly necessary cookie (cr_lang) to remember your language. No analytics or advertising cookies are set, so no consent banner is required. Inside the Shopify admin, the app relies on the session cookies managed by Shopify.
8. Security
Encryption in transit (TLS), access restriction, logging, backups, European hosting (app and database hosted in the EU). Breach notification within 72 hours in accordance with article 34 of the GDPR.