Privacy Policy
Last updated: 2026-05-22
This policy describes how Romain Lacube EI (trading as CosmeticsReady) processes personal data in the context of the cosmeticsready.com site and the CosmeticsReady Shopify app, in accordance with the GDPR (EU) 2016/679 and the French Data Protection Act.
1. Data controller
Romain Lacube — Entrepreneur individuel (EI) · 315 chemin de la Croix Verte, 13090 Aix-en-Provence, France · SIRET 848 852 356 00031
GDPR contact : [email protected].
2. Data collected
2.1 Via the Shopify app (once installed)
- Shopify store ID and domain
- Store owner's email (transmitted by Shopify during OAuth installation)
- Product catalogue (title, variants) — this data is public
- Cosmetic composition entered by the merchant (INCI ingredients, manufacturer, EU responsible person, safety warnings) — provided voluntarily by the Customer
We collect no data relating to end customers (no orders, no carts, no addresses, no payment methods).
2.2 Via the website (cosmeticsready.com)
- A functional cookie
cr_langstoring your language preference (no consent required) - Google Analytics (audience measurement) — only with your consent via the cookie banner; GA runs cookieless until you accept. No advertising cookies.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Service provision (compliant display) | Contract performance (art. 6.1.b) |
| Billing and accounting obligations | Legal obligation (art. 6.1.c) |
| Support and Service improvement | Legitimate interest (art. 6.1.f) |
| Remembering your language preference | Functional, strictly necessary |
| Audience measurement (Google Analytics) | Consent (art. 6.1.a) |
4. Recipients and sub-processors
| Sub-processor | Role | Location |
|---|---|---|
| Shopify Inc. | App installation, billing | Canada / EU (DPF) |
| Cloudflare, Inc. | Marketing site hosting (Pages), CDN, DNS | United States (DPF) / EU edge |
| Fly.io, Inc. | App hosting | EU (Paris, cdg) |
| Neon Inc. | Managed database (Postgres) | EU |
| Resend, Inc. | Transactional email | United States (DPF) |
| Google Ireland Ltd. | Audience measurement (Google Analytics) | Ireland (EU) / United States (DPF) |
5. Retention periods
- Active customer data: subscription duration + 12 months after uninstallation.
- Cosmetic composition entered: subscription duration + 12 months.
- Accounting data: 10 years (legal obligation).
- Technical logs: 12 months.
- Language cookie (
cr_lang): 12 months.
6. Your rights
In accordance with articles 15 to 22 of the GDPR: access, rectification, erasure, restriction, portability, objection, withdrawal of consent.
How to exercise: [email protected]. Response within 1 month. You may file a complaint with the French data protection authority (CNIL, www.cnil.fr). Uninstalling the app triggers the deletion of your store data in accordance with Shopify's mandatory privacy webhooks.
7. Cookies
A strictly necessary cookie (cr_lang) remembers your language (no consent required). For audience measurement we use Google Analytics in Consent Mode v2: its cookies (_ga) are set only after you accept via the cookie banner — until then GA runs cookieless. You can decline at any time. No advertising cookies. Inside the Shopify admin, the app relies on the session cookies managed by Shopify.
8. Security
Encryption in transit (TLS), access restriction, logging, backups, European hosting (app and database hosted in the EU). Breach notification within 72 hours in accordance with article 34 of the GDPR.