Privacy Policy
Last updated: May 25, 2026
1. Data Controller
Vitrin is a service operated by a French micro-enterprise. For any data-related question: info@vitrin-catalog.com
2. Data Collected
Vitrin only collects data necessary for the service to function:
- Email and password (authentication)
- Company name and URL slug
- Logo and brand settings (optional)
- Catalog content (products, images, descriptions)
- Quote requests received (names, emails, phones of end customers)
- Payment information — processed directly by Stripe, not stored by Vitrin
Service for adult professionals only. Vitrin does not knowingly collect personal data from persons under 15 years old. If you are a minor, please do not use this service.
3. Legal Basis for Processing
| Processing | Legal basis |
|---|---|
| Authentication and account management | Contract performance (Art. 6.1.b GDPR) |
| Service delivery (catalog, quotes) | Contract performance (Art. 6.1.b GDPR) |
| Billing and payment | Legal obligation (Art. 6.1.c GDPR) |
| Service improvement | Legitimate interest (Art. 6.1.f GDPR) |
4. Cookies
Vitrin only uses cookies strictly necessary for operation. No tracking, advertising or third-party analytics cookies are used.
| Cookie | Purpose | Duration |
|---|---|---|
| sb-* | Supabase authentication session | Session / 7 days |
| NEXT_LOCALE | Language preference (FR/EN) | 1 year |
As these cookies are strictly necessary, no explicit consent is required (ePrivacy Directive, CNIL interpretation).
5. Sub-processors and Hosting
Vitrin uses the following sub-processors. All data is hosted in Europe.
| Provider | Role | Location |
|---|---|---|
| Supabase | Database and authentication | EU (AWS Frankfurt) |
| Vercel | Frontend hosting | EU |
| Stripe | Payment and billing | EU / US (SCCs) |
| Resend | Transactional email sending | EU / US (SCCs) |
6. Data Retention
- Account data: until account deletion
- Catalog and quote data: until account deletion
- Billing data: 10 years (legal accounting obligation)
- After account deletion: all data is erased within 30 days
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right of access — obtain a copy of your data
- Right to rectification — correct inaccurate data
- Right to erasure — delete your account and data
- Right to restriction — temporarily suspend processing of your data
- Right to portability — receive your data in a readable format
- Right to object — object to certain processing activities
- Right to complain — to the CNIL (cnil.fr) or your local authority
Account deletion is available directly from your settings. For any other request: info@vitrin-catalog.com
8. Changes to This Policy
Vitrin may update this policy. Any material change will be notified by email at least 15 days before taking effect. The last updated date is shown at the top of this page.
info@vitrin-catalog.com — Response guaranteed within 72h (GDPR obligation).