Data Protection Policy

1. Introduction

The purpose of this policy is to inform users of the website www.steam-and-vape.fr about how their personal data is collected, processed, and protected by the company STEAM AND VAPE, in compliance with the General Data Protection Regulation (GDPR – EU 2016/679) and the amended French Data Protection Act No. 78-17 of January 6, 1978.

By accessing our website, creating a customer account, or placing an order, you agree that your data will be processed under the conditions described below. This policy applies to all personal data processing activities carried out in connection with the services provided on the website.

2. Data Controller

The data controller responsible for processing personal data collected on the website www.steam-and-vape.fr is Mr. Alexandre GUERAND, acting as the legal representative of the company STEAM AND VAPE (SIRET: 795 351 063 00032), whose registered office is located at 37 rue des Pierres Missigault, ZA La Torche, 28630 Barjouville, France.

For any questions regarding the processing of your personal data or the exercise of your rights, you can contact our dedicated team at the following email address: contact@steam-and-vape.fr.

STEAM AND VAPE has appointed an internal representative responsible for matters related to personal data protection. You may contact this representative for any specific request concerning your rights or this privacy policy at the same address: contact@steam-and-vape.fr, or by post at the address mentioned above.

3. Data Collected

STEAM AND VAPE only collects the personal data strictly necessary for the management of its services, in accordance with the data minimization principle set out in the General Data Protection Regulation (GDPR).

The data collected varies depending on how the website is used and may include:

Identification data: first name, last name, postal address, email address, phone number;
Order-related data: purchase history, payment method, delivery and billing information;
Browsing data: IP address, browser type, pages visited, cookies and trackers (see our cookie policy);
Communication data: messages exchanged with customer service, product reviews and returns, messages submitted via the contact form.

STEAM AND VAPE does not collect any sensitive data as defined in Article 9 of the GDPR.

4. Purpose of Data Processing

The personal data collected by STEAM AND VAPE is processed for specific, explicit, and legitimate purposes, in accordance with Article 5 of the General Data Protection Regulation (GDPR).

This data is used for the following purposes:

Order processing: management of purchases, shipping, tracking, after-sales service, and returns.
Billing and legal obligations: issuance of accounting and tax documents.
Customer communication: sending transactional messages (order confirmations, shipping updates, etc.) or responding to inquiries submitted via contact forms.
Commercial prospecting: sending information about our products, offers, or news, only with the prior consent of the data subject.
Audience analysis and site improvement: traffic statistics and optimization of user experience.
Payment security and fraud prevention: transaction verification and detection of suspicious activity.

5. Legal Basis for Processing

The processing of personal data by STEAM AND VAPE is based on various legal grounds, in accordance with the General Data Protection Regulation (GDPR):

Performance of a contract: data is collected and processed to manage orders, payments, deliveries, after-sales service, and customer relations.
Legal obligation: certain data must be retained to meet legal requirements, particularly for tax and accounting purposes (e.g., invoice retention).
Consent: data used for marketing purposes (e.g., newsletters, promotional offers) or audience measurement (non-essential cookies) is processed based on the user's prior and explicit consent.
Legitimate interest: STEAM AND VAPE may also process certain data to enhance the user experience, ensure website security, prevent fraud, or defend its rights in the event of a dispute. In doing so, STEAM AND VAPE ensures a balance between its legitimate interests and the fundamental rights and freedoms of the data subjects.

6. Data Recipients

The personal data collected by STEAM AND VAPE is strictly intended for internal use. However, it may be shared, within the limits of each party's responsibilities, with the following recipients:

STEAM AND VAPE internal departments: responsible for managing orders, customer service, logistics, invoicing, and commercial follow-up.
Service providers and subcontractors: including carriers, payment processors, hosting providers, email service providers, or marketing solution partners, acting on behalf of STEAM AND VAPE and contractually bound by confidentiality and security obligations.
Administrative or judicial authorities: only in the context of legal obligations or upon formal request based on a lawful basis.

Under no circumstances will personal data be sold or rented to unauthorized third parties.

7. Data Retention Period

STEAM AND VAPE retains personal data only for the duration necessary to fulfill the purposes for which it was collected, unless otherwise required by law.

Order and billing data: retained for ten (10) years in compliance with accounting and tax obligations.
Customer account management data: retained as long as the account remains active. In the event of prolonged inactivity (more than 3 years), the data may be deleted after prior notice to the customer.
Data collected for marketing purposes: retained for three (3) years from the last contact or interaction with the customer or prospect.
Cookies and browsing data: retained according to the defined lifespan of each type of cookie, in accordance with our cookie policy.

At the end of these periods, the data is securely deleted or anonymized, unless its retention is necessary for evidentiary purposes or in the event of a dispute.

8. Data Security and Hosting

STEAM AND VAPE implements all appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of the personal data it processes, and to prevent any loss, alteration, disclosure, or unauthorized access.

These measures include, in particular, data encryption during transactions, the securing of IT systems, access rights management, firewalls, regular audits, and strict internal procedures for access control.

All data is hosted exclusively within the European Union, on secure servers provided by a trusted service provider: Ikoula, 175–177 rue d’Aguesseau, 92100 Boulogne-Billancourt, France – www.ikoula.com.

9. Data Transfers Outside the European Union

STEAM AND VAPE does not transfer any personal data outside the European Union, except in cases strictly necessary for shipping orders to third countries (outside the EU). In such cases, only the information required for delivery (name, postal address, phone number) may be shared with the relevant carriers.

These transfers are governed by appropriate safeguards in accordance with Article 46 of the GDPR, particularly through contractual commitments signed with the transport service providers, ensuring a level of protection equivalent to that required within the European Union.

10. Rights of Data Subjects

In accordance with Articles 12 to 22 of the General Data Protection Regulation (GDPR – EU 2016/679), any individual whose personal data is processed has the following rights:

Right of access: to obtain information about the data held and how it is being processed.
Right to rectification: to request the correction of inaccurate or incomplete data.
Right to erasure: to request the deletion of their data in cases provided for by law (“right to be forgotten”).
Right to restriction of processing: to request a temporary suspension of processing in certain situations (e.g., verification of data accuracy).
Right to object: to object at any time to the processing of their data for marketing purposes or in specific situations.
Right to data portability: to receive their data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.
Right not to be subject to automated decision-making: including profiling that produces legal effects, except in legally permitted cases (not applicable in our case).

These rights can be exercised at any time, free of charge, by contacting STEAM AND VAPE at the following address: contact@steam-and-vape.fr.

If there is reasonable doubt regarding the identity of the person exercising a right, proof of identity may be requested.

If you believe your rights are not being respected, you have the right to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés) via the website www.cnil.fr.

11. Complaints

In accordance with Article 77 of the General Data Protection Regulation (GDPR), any data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data constitutes a violation of applicable regulations.

In France, the competent authority is the Commission Nationale de l’Informatique et des Libertés (CNIL), which can be contacted via the following website: www.cnil.fr.

12. Cookies

The website www.steam-and-vape.fr uses cookies to ensure its proper functioning, improve user experience, measure site traffic, and deliver personalized content.

A cookie is a small text file that may be stored on your device (computer, tablet, smartphone) during your visit. It contains anonymous data that allows your device to be recognized and enables certain features of the site.

When you first visit the site, a banner at the bottom of the page allows you to accept, refuse, or configure the use of cookies according to their purpose. Once your preferences are saved, you can revoke your consent at any time from your customer account under the section “Withdraw my cookie consent”.

In accordance with applicable regulations (ePrivacy Directive and GDPR), cookies that require your consent (such as those related to advertising or social media) are only placed after you have given explicit approval.

For more information on the cookies we use and to manage your preferences, please refer to our dedicated page: Cookie Management Policy .

13. Policy Updates

This personal data protection policy may be updated to reflect legislative, regulatory, or technical changes affecting the website or the data processing activities carried out by STEAM AND VAPE.

The applicable version is the one available online at the time of your visit. The latest update was made on May 20, 2025.

In the event of substantial changes, registered users will be informed by email or via a notification on the website.

Use of our website implies acceptance of this personal data protection policy.

This English version is provided for informational purposes only. In case of any discrepancy or legal interpretation, the French version of this policy shall prevail.

This website uses its own and third-party cookies to improve our services and show you advertising related to your preferences by analyzing your browsing habits. To give your consent to its use, press the Accept button.

More information Customize cookies

Functional cookies

Yes

Description and cookies

Functional cookies are strictly necessary to provide the services of the shop, as well as for its proper functioning, so it is not possible to refuse their use. They allow the user to browse through our website and use the different options or services that exist on it.


PHP_SESSID	www.steam-and-vape.fr	The PHPSESSID cookie is native to PHP and allows websites to store serialised status data. On the website it is used to establish a user session and to pass state data through a temporary cookie, which is commonly known as a session cookie. These Cookies will only remain on your computer until you close your browser.	Session
PrestaShop-#	www.steam-and-vape.fr	This is a cookie used by Prestashop to store information and keep the user's session open. It stores information such as currency, language, customer ID, among other data necessary for the proper functioning of the shop.	168 hours

Analytics cookies

Yes

Description

Collect information about the user's browsing experience in the shop, usually anonymously, although sometimes they also allow the user to be uniquely and unequivocally identified in order to obtain reports on the user's interests in the products or services offered by the shop.

Performance cookies

Yes

Description

These are used to improve the browsing experience and optimize the operation of the shop.

Other cookies

Yes

Description

These are cookies without a clear purpose or those that we are still in the process of classifying.