Skip to content
La Bonne Cueillette

Privacy policy

Last updated : 14 June 2026

This policy describes how La Bonne Cueillette collects, uses and protects users' personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act. It applies to the website, the mobile app and related services.

1. Data controller

The data controller is the Publisher identified in the legal notice (“Terms of Sale / Legal notice” page). For any question or to exercise your rights, you can contact it at the data-protection address shown in that notice.

2. Data we collect

Depending on your use of the Service, we process the following categories of data:

  • Identity and account data: last name, first name, email, password (encrypted), role (shopper/producer);
  • Producer profile data: farm name, description, labels, town, farm contact details;
  • Location data: town or approximate position, to show nearby producers;
  • Order and transaction data: products, amounts, pickup slots, history;
  • Payment data: processed by our provider Stripe; we do not store card numbers;
  • Communications: messages exchanged via the in-app messaging, contact requests, newsletter sign-up;
  • Technical data: connection logs, device type, and — after consent — audience-measurement data.

3. Purposes and legal bases

Your data is processed for the following purposes:

  • Provide and manage the Service, accounts and orders — basis: performance of the contract;
  • Process payments and producer payouts — basis: performance of the contract;
  • Provide customer relations, support and messaging — basis: contract / legitimate interest;
  • Send the newsletter and information — basis: consent;
  • Measure audience and improve the Service — basis: consent (non-essential cookies);
  • Ensure security, prevent fraud and meet our legal obligations — basis: legitimate interest / legal obligation.

4. Recipients and processors

Your data is accessible to the Publisher's authorised teams and, within the limits of their tasks, to the following processors, governed by agreements compliant with article 28 GDPR:

  • Supabase (database, authentication, storage — European Union);
  • Stripe (payment and payouts);
  • Resend (transactional emails);
  • Vercel and Fly.io (hosting);
  • Mapbox (maps);
  • PostHog (audience measurement, after consent) and, where applicable, Sentry (error monitoring);
  • Expo, Apple and Google (push notifications and app distribution).

5. Transfers outside the European Union

Some processors may be located outside the European Union, notably in the United States. In that case, transfers are governed by appropriate safeguards (the European Commission's standard contractual clauses or equivalent mechanisms).

6. Retention periods

Data is kept for as long as strictly necessary for the purposes:

  • Account data: for the lifetime of the account, then deleted or anonymised;
  • Order and billing data: kept up to 10 years for accounting and tax obligations;
  • Prospecting / newsletter data: until consent is withdrawn, then deleted;
  • Audience-measurement cookies: 13 months maximum.

7. Security

The Publisher implements appropriate technical and organisational measures to protect data (password encryption, access control, row-level security partitioning at the database level, encrypted communications).

8. Your rights

Under the GDPR, you have the following rights:

  • right of access, rectification and erasure;
  • right to restriction of and objection to processing;
  • right to data portability;
  • right to withdraw your consent at any time (without retroactive effect);
  • right to set instructions on the fate of your data after your death.

9. Cookies and trackers

The site uses no non-essential audience-measurement cookie or tracker before your consent, collected via the dedicated banner. You can accept or decline, and change your choice at any time. Cookies strictly necessary for operation do not require consent.

10. Minors' data

The Service is not intended for minors under 15 without the authorisation of the holder of parental authority. The Publisher does not knowingly collect data about minors without such authorisation.

11. Complaint to the CNIL

If you believe the processing of your data does not comply, you may lodge a complaint with the French data protection authority (CNIL), 3 place de Fontenoy, 75007 Paris — www.cnil.fr.

12. Changes

This policy may be updated to reflect legal or Service changes. The last-updated date appears at the top of the page.