Privacy Policy, Hepicure

Hepicure takes the protection of the personal data of its clients, prospects and property owners very seriously. As data controller, Hepicure complies with the French Data Protection Act, the EU GDPR 2016/679, and the recommendations of the CNIL.

1. Personal data we collect

The personal data we collect from Users includes:

Surname(s) and first name(s); date of birth; gender; family composition
Postal address; email address; telephone number(s)
A copy of your identity document; booking history; bank details
Where applicable, special category data such as health data (disability, allergy, dietary restriction, medical condition related to wellness or biohacking equipment), or data that may indirectly reveal information regarding religion, beliefs or personal convictions
Online behavioural and consumption data; any other information provided when using the Website or our Services

We may also collect personal data relating to third parties provided by you (e.g. other stay participants). By providing such data, you warrant that the other persons have been informed of and have consented to such disclosure.

2. Cookies

Cookies are trackers stored in the User's browser that allow the Website to recognise you, provide secure connections, and improve your experience. We use cookies for operational purposes, statistical analysis, and to provide a personalised experience.

Where prior consent is required, the validity period of consent to cookies is 6 months. The retention period for audience measurement cookies not requiring consent is 13 months. You may manage your cookie preferences at any time by clicking "Cookie settings" at the bottom of the Website.

3. How your personal data is collected

3.1, Direct collection by Hepicure

We collect your data when you submit a Property booking request, create a Client or Owner Space on the Website, or communicate with our teams by email, telephone or instant messaging.

3.2, Third-party services

We use the following third-party services that may collect data in connection with your use of the Website:

Analytics: Google Analytics 4, Meta Events Manager
Database management: Airtable
Forms & surveys: Typeform
Tag management: Google Tag Manager
Contact management: Lusha, Twilio
Session recording: Hotjar
Advertising: Google Ads Conversion Tracking, Meta Pixel
Remarketing: Meta Custom Audience, LinkedIn Website Retargeting
Hosting: Netlify / Squarespace, Cloudflare

4. Legal bases for processing

The processing activities carried out by Hepicure are based on the following legal bases in accordance with the GDPR: performance of a contract; compliance with legal obligations; our legitimate interests; and, where required, your prior consent. Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

5. Who receives your personal data

Your personal data is processed by the relevant Hepicure departments. We ensure that only duly authorised persons may access your data. Hepicure undertakes not to transfer or sell personal data to non-partner third parties.

We may share your data with:

Our affiliated entities, to provide the Services requested
Property Owners, Partner Service Providers, and technical service providers (IT, hosting, email distribution, licensed PSP including Stripe Connect)
Carefully selected partners in the wellness, longevity and biohacking sector, subject to your prior consent (these partners act as independent data controllers)
Duly authorised French or foreign authorities, including tax authorities or the CNIL, in connection with legal proceedings or information requests

6. Third-party sites & sub-processors

The Website may contain links to third-party websites. This Privacy Policy applies only to data collected by Hepicure. Hepicure uses the following sub-processors for personal data management:

Provider	Country	Purpose
Stripe	United States	Online payment
Gmail / Google Calendar / Drive	United States	Email, calendar, file storage
Airtable	United States	Database & CRM
Squarespace / Netlify	United States	Web hosting
WhatsApp	United States	Electronic messaging
Lusha	United States	Data enrichment & contact management
Dotfile	France & United States	AML/CTF screening
Mindee	France & United States	Identity document data extraction

7. International data transfers

We may transfer your personal data to countries outside the European Economic Area solely for the purposes described in this Policy. In such cases, we ensure adequate protection through: your specific consent; European Commission adequacy decisions; or data transfer agreements based on EU standard contractual clauses.

8. Security of your personal data

Hepicure implements all necessary technical and organisational measures to ensure the protection of your personal data. We have put in place procedures to deal with any suspected data security breach and will notify you and any relevant supervisory authority where we are legally required to do so.

If you believe that the security of an account you hold with us has been compromised, please inform us immediately at privacy@hepicure.com.

9. Retention periods

We retain personal data only as long as necessary for the purposes for which it was collected:

Newsletter subscribers only: 3 years from last contact
Users who consented to data transfer to wellness partners: 3 years from consent or until withdrawal
Booking requests that did not proceed: 10 years from last contact
Completed bookings: 10 years from last contact; 2 months after stay for identity documents; 10 years for rental contracts and invoices (legal obligation); 10 years after stay in the event of bodily injury
In the event of legal proceedings: until proceedings are fully resolved

After expiry of these periods, data is either deleted or anonymised, unless retained for pre-litigation or litigation purposes.

10. Your rights over your personal data

Right of access

Obtain confirmation that your data is being processed and access a copy of it.

Right to rectification

Ask us to correct inaccurate or incomplete personal data.

Right to erasure

Request deletion of your data where there is no compelling reason for us to continue using it.

Right to restriction

Block or prevent the further use of your data while we evaluate a rectification or objection request.

Right to portability

Obtain and reuse certain personal data across different organisations.

Right to object

Object to processing based on legitimate interests, including direct marketing at any time.

Right to withdraw consent

Where processing is based solely on your consent, withdraw it at any time without affecting prior lawful processing.

Right re: posthumous data

In France, give instructions on the management of your data after your death.

11. How to exercise your rights

To exercise any of your rights, or for any question about this Privacy Policy:

By email: privacy@hepicure.com
By post: Hepicure, Data Protection Officer, [REGISTERED OFFICE ADDRESS]

All requests will be examined within the timeframes set out by applicable law. We may ask for specific information to confirm your identity. If you are unsatisfied with our response, you may lodge a complaint with the CNIL, the competent French data protection authority.

12. Amendments to this Policy

Hepicure may amend this Privacy Policy from time to time to reflect changes in practices or applicable legislation. When we do, we update the "Last updated" date at the top of this page. We invite you to consult this Policy regularly to stay informed of how Hepicure protects your personal data.

Privacy Policy