1. Data controller
Bonjour Soir, Paris — France, is the data controller for the personal data processed through the site bonjoursoir.com and its sub-domains. You can reach our privacy team at privacy@bonjoursoir.com.
2. Scope of this policy
This policy applies to all personal data processed when you visit the site, subscribe to our newsletter, create an account, list an item, place an order or otherwise interact with Bonjour Soir.
3. Personal data we collect
We process the following categories of personal data:
- Account data — name, email address and Google account identifier provided through Google Sign-In; locale and country preferences; profile picture (where supplied by Google).
- Marketplace data — listings you create (description, photographs, price, condition), purchase and sales history, messages exchanged with the team, dispute records.
- Identity & compliance data (sellers) — KYC information collected directly by Stripe Connect (identity document, date of birth, address, banking details). Bonjour Soir receives only verification status and the Stripe account identifier; the underlying documents remain with Stripe.
- Payment data — billing address, last four digits of the card, the payment-method type and the Stripe payment identifier. Full card numbers are processed by Stripe and never touch our servers.
- Shipping data — postal address, phone number, tracking number, carrier.
- Newsletter data — email address, language preference, engagement events (opens, clicks).
- Technical & analytics data — IP address (truncated for analytics), user-agent, device and browser metadata, pages visited, referrer, timestamps and aggregated performance metrics.
- Support data — content of emails or messages you send to us.
4. Why we use your data & legal bases
We process personal data only for the purposes set out below.
- Operate the site, marketplace and your account — performance of a contract (Art. 6(1)(b) GDPR).
- Process orders, payments and payouts; manage authentication, escrow and disputes — performance of a contract.
- Prevent fraud, abuse and money laundering; comply with our payment partners' rules — legitimate interest and legal obligation (Art. 6(1)(c) & (f) GDPR).
- Send transactional emails (order confirmation, dispatch, refund) — performance of a contract.
- Send the editorial newsletter and marketing emails — your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time using the unsubscribe link.
- Measure audience and improve the site — your consent for non-essential cookies; legitimate interest for aggregated, privacy-preserving statistics.
- Respond to your support requests — legitimate interest.
- Meet our legal obligations (accounting, tax, consumer law, intermediary-platform reporting under the DSA and DAC7) — legal obligation.
5. Service providers (sub-processors)
We rely on a small, vetted list of service providers to deliver the site. Each is bound by a data-processing agreement and the European Standard Contractual Clauses where relevant.
- Vercel Inc. — hosting, edge network and image storage (Vercel Blob).
- Neon, Inc. — managed PostgreSQL database (EU/US region as configured).
- Google LLC — Sign-In (OAuth) and Google Analytics 4 (with anonymised IPs).
- Stripe Payments Europe Ltd. & Stripe Inc. — payment processing, Stripe Connect, fraud-prevention (Stripe Radar) and seller KYC.
- Resend, Inc. — transactional and newsletter email delivery.
- Entrupy Inc. (where applicable) — partner authentication of selected luxury items.
- Shipping carriers — to deliver orders to and from our hub.
A complete and updated list, including hosting locations, is available on request at privacy@bonjoursoir.com.
7. International data transfers
Some of our processors are based outside the European Economic Area (notably in the United States). Where this is the case, the transfer is governed by the European Commission's Standard Contractual Clauses and, where required, additional technical and organisational safeguards (encryption in transit and at rest, pseudonymisation, access controls).
8. Data retention
- Account data: for the lifetime of your account, then deleted or anonymised within 12 months of closure.
- Marketplace & transaction data: 10 years from the transaction, in line with French accounting and consumer-law obligations.
- KYC verification status: 5 years after the end of the relationship (anti-money-laundering rules).
- Newsletter subscription: until you unsubscribe, then deleted within 30 days.
- Analytics: up to 14 months for GA4 events.
- Support correspondence: up to 3 years.
9. Your rights under the GDPR
You have the right to:
- access your personal data and obtain a copy;
- rectify inaccurate or incomplete data;
- request erasure (subject to our legal retention obligations);
- restrict or object to specific processing;
- data portability for the data you provided to us;
- withdraw your consent at any time, without affecting prior lawful processing;
- define directives concerning the fate of your data after your death.
To exercise your rights, write to privacy@bonjoursoir.com from the email address linked to your account. We respond within one month (extendable to three months for complex requests, as permitted by Art. 12 GDPR).
10. Security
We implement industry-standard technical and organisational measures to protect your data, including HTTPS/TLS transport encryption, encryption of the database at rest, strict access controls, secret rotation, audit logging and a least-privilege architecture. No system is perfectly secure; should an incident affecting your data occur, we will notify you and the relevant supervisory authority in accordance with Art. 33 and 34 of the GDPR.
12. Children & minors
Bonjour Soir is intended for adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us so we can delete it.
13. Automated decision-making
We may use automated tools — including those provided by Stripe Radar and our authentication partners — to detect fraud and counterfeit risk. These tools assist human reviewers and do not produce legal effects on you without a human decision. You have the right to obtain human intervention, to express your point of view and to contest the outcome.
14. Changes to this policy
We may update this policy to reflect changes to our services, our processors or applicable law. Material changes will be notified by email or via an in-app banner before they take effect.
15. Contact & complaints
Questions or requests: privacy@bonjoursoir.com.
If you believe we have not handled your data properly, you may lodge a complaint with the French data protection authority (CNIL), 3 Place de Fontenoy, 75007 Paris — cnil.fr/fr/plaintes.