Privacy Policy (France)

1. Who We Are

This conversational AI service is provided by ShopAi Limited to Nutrigée. Both companies jointly control and use your data as described in this policy.

2. What Information We Collect

When you use this service, we collect:

• Your conversation content - all messages exchanged with the AI assistant
• Your device location - GPS coordinates when you scan the QR code or access the service
• Time and date - when you use the service
• Your name - if you choose to provide it during conversation
• Your email address - if you request information to be sent to you
• Device information - browser type, operating system (technical data only)

3. How We Use Your Information

Nutrigée uses your data to:

• Understand what customers care about and improve products accordingly
• Analyze campaign performance and measure engagement
• Provide customer service and respond to your questions
• Send you information you requested (recipes, product details, updates)
• Identify geographic patterns in customer interests and preferences
• Improve product formulations and safety information

ShopAi uses your data to:

• Improve the AI platform and conversation quality across all clients
• Train AI models to provide more accurate and helpful responses
• Develop new features and capabilities for the platform
• Create anonymized benchmarks and industry insights
• Monitor system performance and fix technical issues

4. Legal Basis for Processing (GDPR & French Law)

We process your personal data based on:

• Consent - you clicked "Continue" or "Yes" to start using the service
• Legitimate interests - improving products and services benefits both you and us
• Legal obligation - for product safety and regulatory compliance (if applicable)

5. Who We Share Your Data With

Your data is shared between:

• Nutrigée - sees your full conversation, location, and any information you provided
• ShopAi Limited - processes and analyzes all data to operate the platform

6. How Long We Keep Your Data

• Active conversations: Stored for 36 months for analysis and service improvement
• Location data: Retained for 24 months for geographic analysis
• Personal identifiers (name, email): Retained until you request deletion or for 36 months of inactivity
• Health/dietary data: Retained for 24 months unless you request earlier deletion

You can request deletion of your data at any time (see Your Rights below).

7. Your Rights Under French Law & GDPR

You have the right to:

• Access (Droit d'accès) - request a copy of all data we hold about you
• Rectification (Droit de rectification) - correct any inaccurate data
• Erasure (Droit à l'oubli) - request deletion of your data ("right to be forgotten")
• Restrict processing (Droit à la limitation) - limit how we use your data
• Data portability (Droit à la portabilité) - receive your data in a machine-readable format
• Object (Droit d'opposition) - object to processing based on legitimate interests
• Withdraw consent (Retrait du consentement) - stops future data collection
• Define post-mortem wishes (Directives post-mortem) - specify what happens to your data after death (French-specific right)
• Lodge a complaint (Droit de réclamation) - contact CNIL or your local data protection authority

8. Post-Mortem Data Rights (French Law)

Under French law (Article 40-1 of the Loi Informatique et Libertés), you have the right to define instructions about what happens to your personal data after your death.

You can specify:

• Whether you want your data to be deleted after death
• Whether you want your data to be preserved for a specified period
• Who can access or manage your data after death (designated third party)

To exercise this right, contact us at privacy@shopai.uk with your instructions. These instructions can be modified or revoked at any time during your lifetime.

9. How to Exercise Your Rights

To access, delete, or manage your data, contact:

We will respond to requests within 30 days as required by law. For complex requests, we may extend this to 60 days and will inform you.

10. Data Security

We protect your data with:

• Encryption in transit (HTTPS/TLS 1.3)
• Encryption at rest (AES-256 database encryption)
• Access controls (limited to authorized personnel only)
• Regular security audits and penetration testing
• Secure data centers in the EU (France or other EU member states)
• Data breach notification procedures (CNIL notification within 72 hours)

11. International Data Transfers

Your data is stored and processed in the European Union (primarily France). If we need to transfer data outside the EU, we use:

• European Commission-approved standard contractual clauses
• Adequacy decisions where applicable
• Additional safeguards as required by CNIL

12. Children's Privacy (French Law: Age 15)

13. Cookies and Tracking

This service uses strictly necessary technical cookies only:

• Session management cookie (keeps you in your conversation) - expires when you close browser
• Consent cookie (remembers you agreed to terms) - stored for 13 months

Under French law (CNIL guidelines): These cookies are essential for the service to function and do not require additional consent beyond your initial acceptance of terms.

We do NOT use:

• Advertising cookies or trackers
• Analytics cookies (beyond counting conversations)
• Social media cookies
• Third-party tracking technologies

14. Automated Decision-Making

The AI assistant provides conversational responses based on product information. No automated decisions are made about you that produce legal effects or significantly affect you. All responses are informational and educational only.

15. Health and Supplement Data (French-Specific)

If you discuss health-related topics, allergies, supplements, or dietary needs:

• This data is processed as sensitive data under GDPR Article 9
• French health regulations (Code de la santé publique) apply
• We only use this data to respond to your questions
• We do not make health diagnoses or medical recommendations
• Always consult healthcare professionals for medical advice

16. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Update the "Last updated" date
• Notify you during your next conversation
• Request your consent again if required by law
• Notify CNIL if required

17. Contact & Complaints

For questions, complaints, or to exercise your rights:

18. Special Categories of Data

If you voluntarily share health information, dietary requirements, supplement usage, allergies, or other sensitive personal data during conversations, this data is processed under GDPR Article 9 and French health regulations with extra safeguards.

19. Your Responsibilities

Please do not share:

• Financial information (credit card numbers, bank details)
• Government ID numbers (passport, carte nationale d'identité, carte vitale)
• Other people's personal information without their consent
• Detailed medical records or diagnoses (general questions are fine)

20. Language

This policy is available in French and English. Both versions have equal legal force. In case of conflict between versions, the French version prevails for users in France.