It goes without saying that the protection of your personal data is of paramount importance to the Publisher (namely Olga Hilnich EI and Simon Hilnich EI).
This notice explains how the Publisher collects, uses, shares, and processes your personal data in the context of your relationship with the Publisher as a client, partner, supplier, website visitor, or any other person interested in the Publisher’s services, in accordance with applicable personal data protection laws and regulations.
Categories of Personal Data Processed
For the record, the term “personal data” means any information relating to an identified or identifiable natural person, either directly or indirectly through combination with other information held about them.
The Publisher collects personal data from you in the course of its professional activities when you contact the Publisher through any communication channel and when you use its services. This mainly includes the following information:
- Identification and contact data: name, email address, telephone number, publicly available information (e.g., LinkedIn profile or website);
- Professional data: profession, company name;
- Pre-contractual and contractual data: information provided in connection with the provision of services.
If you refuse to provide your data, the Publisher will not be able to enter into a contract with you.
Furthermore, no automated decision-making is ever carried out concerning you.
Certain information may be collected automatically when you visit the Publisher’s website. This includes your country of residence and the date of your visit. None of this information can be used to identify you.
This website does not use any cookies. It is suspected that Cookie Monster, the blue furry creature, has eaten them all. For reference, a cookie is an electronic file stored on a device and read when visiting a website, opening an email, installing or using software or a mobile application, regardless of the type of device used.
Purpose and Legal Basis for Data Processing
Your personal data is always processed for a specific purpose. Processing is based on the following legal grounds:
| Legal Basis | Purpose |
|---|
| Processing necessary for the performance of a contract or pre-contractual measures taken at your request | Performance of the service contract, invoicing or preparation of quotations, processing and fulfillment of orders placed through PayHip, appointment scheduling and management, including online appointments. |
| Processing necessary for the purposes of legitimate interests: responding to inquiries, developing the business, or defending legal rights | Management of contact requests and prospects; acquisition of new clients; protection of the Publisher’s rights and interests in the event of disputes or litigation. |
Your personal data is used only for the purposes for which it was collected and about which the Publisher informed you, unless the Publisher reasonably considers that it should be used for another purpose that is compatible with the original purpose. If the Publisher needs to process your data for another purpose, you will be informed and the legal basis allowing such processing will be explained.
Data Recipients
The Publisher may be required to disclose personal data concerning you if required by law or if the performance of the service contract necessitates sharing information with third parties. Likewise, disclosure may be necessary to protect the Publisher’s rights and interests in the event of a dispute.
Accordingly, data may be transmitted to the following recipients:
- IT service providers (email services, appointment scheduling tools, etc.) acting as processors on behalf of and under the instructions of the Publisher (OVH, Cal.eu, Google Meet), or independently (PayHip);
- Where applicable, legal professionals and competent judicial authorities, insurers (e.g., Add Value Assurances, professional liability insurance).
Any relationship with a processor is governed in accordance with applicable data protection requirements. The Publisher undertakes to engage only processors that provide sufficient guarantees and that are subject to the same obligations.
Your data is processed in France but may be transferred abroad, including to third countries that do not provide an adequate level of personal data protection. When such a transfer occurs, it is safeguarded by:
• An adequacy decision of the European Commission (for example, the United Kingdom, where PayHip is established, or Google, which has adhered to the Data Privacy Framework adopted in 2023); or
Data Retention Period
Your personal data is retained only for as long as necessary to achieve the purposes for which it was collected by the Publisher. The retention period depends on several factors, such as the duration of the service contract and the legal obligations applicable to the Publisher.
The following are indicative retention periods:
- Prospect data (no contract concluded): 3 years from the last active contact (email, phone call, etc.) or upon the prospect’s request;
- Client/contractual data: for the duration of the contract plus 5 years after its termination (general limitation period);
- Accounting data/invoices: 10 years from the end of the financial year (legal obligation under Article L123-22 of the French Commercial Code);
- Data relating to disputes: until all legal remedies have been exhausted.
At the end of these periods, data is securely destroyed or irreversibly anonymized.
Security of Processing
Appropriate technical and organizational measures are implemented to ensure a level of security appropriate to the risk, in accordance with applicable data protection laws. These measures are designed in particular to protect data against destruction, alteration, or unauthorized access, and include:
- Encryption of communications (TLS);
- Restricted and authenticated access to data;
- Regular backups;
- Awareness and training of personnel involved;
- Data Protection Impact Assessments (DPIAs) where necessary for high-risk processing.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the French Data Protection Authority (CNIL) within 72 hours and, where required, inform you accordingly.
Rights of Data Subjects
As an individual, you have a number of rights that may be exercised under certain circumstances, including:
- Right of access (Art. 15 GDPR);
- Right to rectification (Art. 16 GDPR);
- Right to erasure (“right to be forgotten”) (Art. 17 GDPR);
- Right to restriction of processing (Art. 18 GDPR);
- Right to data portability (Art. 20 GDPR) – where processing is based on a contract or consent;
- Right to object (Art. 21 GDPR) – particularly where processing is based on legitimate interests.
You may exercise your rights by contacting the Publisher at: contact@bureauh.fr
Any request will be processed within one month from confirmation of your identity. This period may be extended by up to two additional months in the case of complex requests or a large number of requests.
If you are dissatisfied, you may lodge a complaint with the French Data Protection Authority (CNIL) or any other competent supervisory authority depending on your place of residence.
Last updated: April 2026.