Privacy policy

This policy (the ‘Policy’) describes how ONEFLASH collects and processes personal data via its website (https://oneflash.fr and its subdomains) and its mobile application (iOS/Android) (together, the ‘Services’).

Publisher/Data controller: ONEFLASH, a simplified joint stock company with capital of €8,985.40, registered with the Bobigny Trade and Companies Register under number 853 831 246, head office: 7 Place de l’Hôtel de Ville, 93600 Aulnay-sous-Bois, VAT number FR06853831246 (hereinafter ‘OneFlash’, ‘we’).

1) What data do we collect?

We only collect data that is adequate, relevant and limited to what is necessary (Art. 5 GDPR). Depending on your usage, we may process:

- Identification and contact details: surname, first name, email address, telephone number, company/position (if applicable), marketing preferences.
- Account & authentication: username, hashed password (never in plain text), technical tokens.
- Interaction data: support requests (message content, attachments), communication history.
- Browsing and device data (web/app): IP address, logs, pages/screens viewed, application events, system/OS, device model, language, resolution, mobile advertising identifiers (IDFA/GAID) when enabled.
- Geolocation (app): with your consent, precise or approximate location to display stations/offer proximity-related features. You can withdraw this consent at any time in your device settings.
- Cookies and trackers: see § 6. Includes, depending on your choice in the banner, audience measurement, personalisation and advertising.
- B2B prospecting: data provided in forms (company, role), internal sales notes.
- Payment: no card numbers are collected on the site. Payments made in the app or via a secure link are processed by PCI-DSS certified service providers. OneFlash does not store complete card details.


2) For what purposes and on what grounds?

We use your personal data to:
- Provide our Services: account creation and management, features, customer relations (legal basis: performance of the contract);
- Provide support and security: assistance, fraud prevention, logging and debugging (legal basis: legitimate interest);
- Carry out prospecting and newsletters: B2C emails with consent, B2B messages based on our legitimate interest (opt-out possible);
- Measure and improve our performance: statistics, analyses, tests and UX (legal basis: consent);
- Use geolocation: for proximity-related features (legal basis: consent);
- Comply with our legal obligations: invoicing, accounting, responses to authorities (legal basis: legal obligation).

You may withdraw your consent at any time (see § 7).


3) Recipients and subcontractors

Access to your data is limited to authorised persons within OneFlash (product, technical, sales and support teams) and our service providers: hosting, email/SMS and push notifications, analytics, CRM/support, measurement and anti-spam tools, payment providers, etc.

We may share aggregated and anonymised statistics with our B2B partners (e.g. sites equipped with stations). Apart from these cases, no data is transferred to third parties for commercial purposes without your consent.

We may also disclose data when required by law or to defend our rights (administrative/judicial authorities). An up-to-date list of subcontractors can be obtained on request from bonjour@oneflash.fr.


4) Transfers outside the European Union

Some service providers may be located outside the EEA (particularly in the United States). In this case, we regulate transfers through:
- Standard Contractual Clauses (SCC 2021/914) and, if necessary, additional measures;
- or adherence to the Data Privacy Framework (EU-US) for certified entities;
- or an adequacy decision by the European Commission.

Further information on these guarantees is available on request.


5) Data retention periods
Data is stored for limited periods:
- Accounts and usage data are stored for the duration of the account and then for 3 years after inactivity;
- B2B/B2C prospects are stored for 3 years after the last contact;
- Support and after-sales service messages are stored for 3 years after closure;
- Technical logs are stored for up to 13 months;
- Cookies and trackers have a maximum duration of 13 months, with consent renewed every 6 months;
- Invoices and accounting documents are kept for 10 years;
- Job applications are kept for 2 years after the last contact.

When data is no longer required, it is deleted or anonymised.


6) Cookies & trackers
A consent management banner (CMP) allows you to accept or refuse non-essential trackers. We use several categories:
- Essential: website/app functionality, security, language, session;
- Audience measurement: traffic statistics;
- Performance: experience improvement and testing;
- Advertising: personalisation, retargeting.

You can change your choices at any time via the ‘Set my cookies’ link or in your browser/device settings. Refusing non-essential cookies does not prevent access to the site, but may limit certain features.

When audience measurement is implemented with a configuration exempted by the CNIL, we do not request consent for these trackers.


7) Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights: access, rectification, erasure, restriction, objection, portability and the right to define what happens to your data after your death.

To exercise your rights:
- Write to bonjour@oneflash.fr or by post: OneFlash – Privacy/Personal Data, 7 Place de l'Hôtel de Ville, 93600 Aulnay-sous-Bois;
- Proof of identity may be requested in case of reasonable doubt;
- You can unsubscribe at any time via the link at the bottom of our emails or upon request.

You can lodge a complaint with the CNIL (www.cnil.fr – 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07).


8) Security
We implement appropriate technical and organisational measures: TLS encryption, encryption at rest, access control, logging, backups, monitoring and periodic security tests. No system is foolproof, so we cannot guarantee absolute security.


9) Minors
Our Services are not intended for minors under the age of 15. If a minor has provided us with data, please contact us to have it deleted.


10) Policy changes
We may amend the Policy to reflect legal or technical developments. In the event of substantial changes, we will notify you by appropriate means (banner, e-mail or in-app notification). The most recent online version shall prevail.


11) Contact & DPO
OneFlash has not appointed a DPO to date. A privacy officer can be contacted at bonjour@oneflash.fr. For any questions or requests regarding your data, please use the contact details in § 7.
