General policy on the protection of personal data
FPG INVEST, the holding company of the VOLATYS group, with its registered office at Espace Performance III, Bâtiment P, 35769 SAINT GREGOIRE, registered under number 445 225 832 RCS Rennes, a subsidiary of the GALLIANCE group, processes Personal Data (as defined below) as part of its business activities, acting both on its own behalf and on behalf of its subsidiaries (ACTIGEL, VOLATYS SAS), hereinafter referred to as “VOLATYS.”
- This Policy (the “Policy”) on Personal Data Protection describes how VOLATYS collects, uses, and processes your personal data in compliance with applicable regulations. VOLATYS places great importance on respecting your privacy and is committed to protecting and safeguarding your data privacy rights.
- This Policy applies to personal data that we may collect from our clients, suppliers, and service providers in connection with the execution of all types of commercial contracts. It also applies to personal data of users of our various websites, individuals wishing to apply for our job offers, and any other persons we are legitimately required to contact as part of VOLATYS Group activities.
- Under the applicable personal data protection regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, as amended (hereinafter collectively referred to as the “Personal Data Regulations”), the company responsible for your personal data is VOLATYS.
- VOLATYS may update this Policy from time to time. Please visit this page regularly to review any updates we may publish.
- In case of disagreement with certain aspects of our Policy, you have legal rights, which will be communicated to you when necessary.
Table of Contents
1. Introduction
2. Definitions
3. Collection of Personal Data
4. Protection of Personal Data of Minors
5. Purposes of Collecting Personal Data
6. Recipients of Personal Data
7. Transfer of Personal Data Outside the European Union
8. Security of Personal Data
9. Data Rights
10. Facilitated Contact for Exercising Rights
11. Policy Updates
1. Introduction
The Personal Data Protection Policy is based on, but not limited to, the following principles:
- Comply with applicable optional standards and recommendations issued by the French Data Protection Authority (CNIL) and the National Cybersecurity Agency of France (ANSSI), while meeting VOLATYS’ operational requirements;
- Apply data protection rules from the design and implementation stage (“Privacy by Design” and “Privacy by Default”) of new products intended to process personal data, and limit data collection to what is strictly necessary (“minimization”);
- Continuously monitor compliance with legal obligations and commitments undertaken by VOLATYS throughout the lifecycle of computerized data processing;
- Ensure maximum transparency regarding data processing, except for information whose disclosure could compromise its security;
- Strengthen individuals’ rights and facilitate their exercise.
2. Definitions
“Personal Data” or “Personal Information”: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
“Data Subject”: A natural person whose personal data is being processed as described in Article 4.
“Data Controller”: A natural or legal person, alone or jointly with others, that determines the purposes and means of the processing. The Data Controller is generally the Terrena entity that collected the Personal Data. In cases where the Terrena cooperative, parent company of the Terrena Group, provides technical, administrative, marketing, or commercial support to this entity, the Terrena cooperative may also be considered a Data Controller.
“Data Processing”: Any operation performed on personal data, whether or not by automated means, including collection, recording, use, transmission, or disclosure.
“Processor”: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
“Recipient”: A natural or legal person, public authority, internal or external service, or any other entity that receives communication of personal data.
“TERRENA”: The Terrena cooperative and its subsidiaries.
“GALLIANCE”: The Galliance company and its subsidiaries.
“VOLATYS”: FPG INVEST and its subsidiaries (VOLATYS and ACTIGEL).
3. Collection of Personal Data
The Personal Data that VOLATYS may collect varies depending on the purpose of the processing. Such data is primarily intended to enable the identification of individuals in the context of their interactions with VOLATYS.
In any case, the Personal Data collected will be limited to the data necessary for the purposes outlined in Article 5 below.
Data Subjects
The Data Subjects concerned by the processing carried out by VOLATYS include:
- Visitors, users, and clients of its websites
- Clients (members and non-members) of SCA Terrena and its subsidiaries
- In-store clients who identify themselves using their loyalty card
- Participants in contests, lotteries, or special online or in-store promotions
- Participants in surveys, polls, or panels
- Recipients of online or commercial promotional or marketing campaigns
- Suppliers and service providers
- Job applicants and employees
Collection of Personal Data
Personal data may be collected directly from Data Subjects in various ways, including:
- Through contracts concluded with VOLATYS;
- Through quotes in the context of pre-contractual relations;
- During appointments;
- Through paper or web forms via websites;
- Through cookies present on the internet browser of the Data Subjects.
In the case of indirect data collection from third parties (e.g., purchased databases, publicly accessible sources), VOLATYS ensures that Data Subjects are informed at the first point of contact and, at the latest, within one month, unless the Data Subjects already have this information.
Note for visitors and users of its websites:
Certain features and functionalities of the websites can only be used if certain Personal Data is provided. Users are free to provide all or part of the requested Personal Data. However, if a user chooses not to provide this information, such a decision may prevent the satisfactory achievement of the purposes described in Article 5 below. Certain services and functionalities of the websites may not function properly, and/or the user may be denied access to certain pages.
Data Related to Clients (Members and Non-Members)
The data that VOLATYS collects about its clients is limited. Generally, VOLATYS requires the contact details of the client or prospect representatives (including their name, phone number, and email and postal addresses) in order to execute contracts concluded with clients. In the context of client satisfaction surveys, VOLATYS also holds information about clients’ needs or constraints, which may then be used to ensure that marketing communications are relevant and timely. VOLATYS may also hold additional information that client representatives have chosen to provide, such as through loyalty programs. In certain circumstances, when clients interact with specific VOLATYS services or departments, calls may be recorded in accordance with applicable local laws and requirements.
Data Related to Suppliers and Service Providers
VOLATYS also collects data regarding its suppliers and service providers. For proper management of commercial relationships, VOLATYS collects information about its contacts within the supplier or service provider company, such as their name, phone number, and email and postal addresses. VOLATYS may also hold additional information that these contacts have chosen to provide.
Data Related to Personnel Management
For candidates applying for VOLATYS job offers, various types of information are collected to allow evaluation of applications in relation to the offered positions, including identity, personal contact information, professional experience, qualifications, and motivations.
VOLATYS also collects all information necessary for proper personnel management, including identity, civil status, personal contact details, professional experience, qualifications, bank details, social security information, and administrative information in accordance with legal and regulatory requirements.
Data Related to Users of VOLATYS’ Websites
VOLATYS collects personal data from users of its websites, which is used to improve website usage and manage the services provided. This information includes, in particular, how the websites are used, the frequency of user visits, browser type, location from which users access VOLATYS’ websites, language used, and peak visiting hours.
4. Protection of Personal Data of Minors
VOLATYS products and services are intended for adults and are not designed to be marketed to minors. VOLATYS does not knowingly collect or retain Personal Data of minors, except in the context of information related to personnel management.
5. Purposes of Collecting Personal Data
Personal Data is collected for the purposes of VOLATYS’ activities, such as the execution of contracts concluded with its clients (members or non-members), suppliers, other service providers, or any third party, for its legitimate interests, or to comply with statutory reporting obligations, as well as for the recruitment of staff and the management of VOLATYS employees.
VOLATYS collects and uses Personal Data to support its activities, particularly to enable the execution of the following activities:
| Purpose | Legal Basis | Retention Period |
| Regarding the Use of the Websites | ||
| Making the Websites, and the products and services offered on the Websites, available | Performance of pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | The duration necessary to achieve the purpose of the processing and an additional period of five (5) years |
| Responding to requests submitted via forms or by using the contact methods available on the Websites | Performance of pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | The duration necessary to achieve the purpose of the processing and an additional period of five (5) years |
| Regarding All Clients (Members and Non-Members) for Customer Relationship Management | ||
| Create and manage active accounts to allow the issuance of quotes, order management, reservations, delivery, and invoicing of products, services, and solutions | Performance of pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | Five (5) years from the Client’s last activity, then archived for an additional five (5) years |
| Manage inquiries, questions, and complaints | Performance of pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | Five (5) years from each inquiry, question, or complaint |
| Understand and profile clients, monitor the relationship, improve and personalize communications, offers, and advice, conduct statistical studies | Legitimate interest | Five (5) years from the Client’s last activity, then archived for an additional five (5) years |
| Use Personal Data as a client to be recognized as such by other services offered by other companies within the Terrena Group | Legitimate interest | Five (5) years from the Client’s last activity, then archived for an additional five (5) years |
| Provide digital tools, financial activity management services, and regulatory data while ensuring the security of these tools | Legitimate interest | Five (5) years from the Client’s last activity, then archived for an additional five (5) years |
| Create loyalty accounts and loyalty cards in stores; provide benefits such as deposits to loyalty wallets or personalized (or non-personalized) coupons and offers based on your purchase habits that can be used in stores | Performance of pre-contractual measures at the request of Users and/or Clients and/or performance of the contract | Three (3) years from your last activity, then destruction |
| Use Personal Data as a cardholder client to be recognized as such by other services offered by other companies within the Terrena Group | Legitimate interest | Three (3) years from your last activity, then destruction |
| Manage commercial prospecting by mail, phone, or electronic means for similar products and services | Legitimate interest | Three (3) years from your last activity, then destruction |
| Regarding All Suppliers | ||
| Manage purchases and supply: • Order management • Purchase and stock tracking • Performance monitoring and account management • Store supply management • Invoice generation | Legitimate interest | Five (5) years from the Supplier’s last activity, then archived for an additional five (5) years |
| Regarding Marketing and Prospecting | ||
| Sending promotions and offers, personalized or not, by electronic means | Consent | Three (3) years from the last activity |
| Participation in contests, lotteries, or prize draws | Performance of pre-contractual measures at your request and/or performance of the contract | Three (3) years from the closing date of the relevant contest |
| Implement profiling to improve client knowledge (establishing your profile, combining online and offline purchase and informational data, segmentation, conducting studies and analyses to better understand expectations regarding services, products, or offers) | Legitimate interest | Online and offline purchase Personal Data used for this purpose is retained for 24 months from the date of your purchase. Other Personal Data used for this purpose is retained as long as you have a client or loyalty account, but never exceeding five (5) years from your last activity. |
| Regarding All Candidates | ||
| Analyze applications in relation to the positions offered | Legitimate interest | 1 month if the candidate is not selected, with the possibility of adding the CV to the database for a maximum of 2 years |
| Compliance with legal and regulatory obligations, defending rights, safeguarding interests, and preventing fraud | ||
| Accounting and taxation: Retention of invoices and other mandatory documents as part of general accounting management and tax obligations | Compliance with legal and regulatory obligations | Personal Data processed in the context of accounting and tax obligations is retained for the current fiscal year plus one (1) year, then archived for an additional ten (10) years |
| Exercise of Users’ and/or Clients’ rights: Management of requests to exercise rights (communications, extracts of required information) | Compliance with legal and regulatory obligations | Personal Data related to requests to exercise rights is retained for three (3) or six (6) years from the request, depending on the right exercised. When identity verification documents are collected, they are deleted once verification is completed |
| Defense of VOLATYS’ rights and fraud prevention: Establishment and retention of evidence necessary to defend rights in actions and claims brought by Users and/or Clients, and for fraud prevention | Legitimate interest | Personal Data necessary to establish and retain evidence for the defense of rights is retained for the entire duration of the applicable statutory limitation periods, or for the duration of the dispute or litigation if it occurs, and until a final legally binding decision is rendered |
| Public and judicial authorities: Management of requests from public or judicial authorities and communications with authorities | Legitimate interest | Personal Data related to handling requests from authorities is retained for the entire duration of the proceedings before the relevant authority, and until a final legally binding decision is rendered |
If VOLATYS is required to process the Personal Data of Users and/or Clients for purposes other than those listed in the tables above, VOLATYS will take any additional steps necessary to ensure the legal compliance of all such processing activities.
6. Recipients of Personal Data
To achieve the purposes described above, and only to the extent necessary to pursue these purposes, the personal data we collect may be transmitted to all or part of the following recipients:
Within the Terrena Group:
- To the Terrena Group subsidiaries responsible for the negotiation, management, and execution of contracts and orders;
- To the Terrena Group subsidiaries responsible for marketing, customer relations, complaints, business development, administrative services, IT services, online advertising, or commercial prospecting;
- To the Terrena Group subsidiaries responsible for the centralized management of our customer databases;
- To any other Terrena Group subsidiary whose involvement is necessary for the execution of processing activities carried out in accordance with this policy.
Outside the Terrena Group:
- To our service providers involved in all or part of the identified processing activities (including IT service providers maintaining the website, partners in online advertising and personalized communications, and those responsible for the shipment and delivery of products);
- To our partners providing services available on our website or services accessible through the use of loyalty programs;
- To our partners who sell products or services directly through our website;
- To our partners involved in carrying out and sending commercial prospecting campaigns;
- To our partners involved in the process of delivering personalized online advertisements or commercial prospecting;
- To suppliers of products and services from the Terrena Group’s partner brands who may receive personal data concerning you.
7. Transfer of Personal Data Outside the European Union
VOLATYS is committed to ensuring that data is stored and transferred securely. Consequently, any data that may occasionally be transferred outside the European Economic Area (EEA) — which includes the Member States of the European Union, as well as Norway, Iceland, and Liechtenstein — will only be transferred to countries that comply with data protection legislation and where transfer mechanisms provide adequate protection for your data.
To ensure that personal information receives an adequate level of protection, appropriate procedures are implemented with third parties with whom personal data is shared, to guarantee that such information is processed by these third parties in a manner consistent with data protection laws.
8. Security of Personal Data
The “processing” of Personal Data includes, in particular, the use, storage, recording, transfer, adaptation, analysis, modification, reporting, sharing, and destruction of Personal Data as required by the circumstances or legal obligations.
8.1 Data Security by TERRENA
TERRENA places particular importance on the security of Personal Data.
TERRENA implements technical and organizational measures, taking into account the sensitivity of the Personal Data, to ensure data integrity and confidentiality, and to protect it against any malicious intrusion, loss, alteration, or disclosure to unauthorized third parties.
Whenever possible and necessary, the following measures are implemented:
- Encryption;
- Anonymization;
- Pseudonymization;
- Deployment of means to ensure the confidentiality, integrity, and availability of systems;
- Deployment of means to restore the availability and access to your Personal Data in the event of a technical incident.
As all Personal Data is confidential, access is limited to employees, processors, or business partners who need it to perform their tasks.
8.2 Data Security by Recipients of Personal Data
In cases where applications, services, or products provided by third parties are used, Terrena ensures with their providers that they comply with legal requirements and are capable of protecting the data that will be processed.
Accordingly, and in line with its commitments, Terrena carefully selects its processors and service providers and imposes on them, in particular:
- A level of protection for Personal Data at least equivalent to its own;
- The use of Personal Data solely for the purposes of managing the services they are required to provide;
- Strict compliance with applicable laws and regulations regarding confidentiality, banking secrecy, and Personal Data;
- The implementation of all appropriate measures to ensure the protection of Personal Data they may process;
- The definition and implementation of the necessary technical and organizational measures to ensure security.
If you suspect any misuse, loss, or unauthorized access to your personal information, please notify us immediately.
9. Data Rights
Article 15 of the General Data Protection Regulation (GDPR) recognizes the right of any natural person to obtain from the Data Controller confirmation as to whether Personal Data concerning them is being processed, and, where such data is processed, access to that data.
VOLATYS has implemented appropriate Personal Data protection measures to ensure that Personal Data is used in accordance with the purposes described above and to ensure its accuracy and currency.
Right to Object:
You may object at any time to our processing of your Personal Data.
Your objection request will be handled promptly, and we will cease the activity to which you object. However, we reserve the right not to cease the activity in question if:
- We can demonstrate that we have legitimate and compelling grounds for processing your data that override your interests; or
- We are processing your data for the establishment, exercise, or defense of legal claims.
If your objection relates to direct marketing, we must act in accordance with your objection and cease this activity with respect to you.
Right to Withdraw Consent:
If we have obtained your consent to the processing of your Personal Data for certain activities (other than those for which no consent is required), you may withdraw this consent at any time, and we will cease the particular activity to which you had consented, unless we believe there is another lawful reason to continue processing your data for that purpose, in which case we will inform you.
Access Requests:
You may request at any time that we confirm the information we hold about you, and you may request that we correct, update, or delete it. We may ask you to verify your identity and provide additional information regarding your request.
If we grant you access to the information we hold about you, we will not charge for this access unless your request is “manifestly unfounded or excessive.” If you request additional copies of this information, we may charge a reasonable administrative fee where permitted by law. Where the law allows, we may refuse your request. If we do so, we will always provide an explanation for the refusal.
Right to Erasure:
You have the right to request that we erase your Personal Data under certain circumstances.
In principle, the information in question must meet one of the following criteria:
- The data is no longer necessary for the purposes for which it was originally collected and/or processed;
- You have withdrawn your consent to the processing of your data and there is no other legitimate reason for us to continue processing it;
- The data has been processed unlawfully;
- The data must be erased to comply with our legal obligations as a Data Controller; or
- In cases where we process the data because we consider it necessary for our legitimate interests, you object and we are unable to demonstrate a legitimate and compelling reason to continue the processing.
We may refuse to comply with your request only for one of the following reasons:
- To exercise the right to freedom of expression and information;
- To comply with legal obligations;
- For reasons of public health in the public interest;
- For archiving purposes, scientific or historical research, or statistical purposes; or
- To establish, exercise, or defend legal claims.
When we respond to a valid erasure request, we will take all reasonable practical steps to delete the relevant data.
Right to Restriction of Processing:
You have the right to request that we restrict the processing of your Personal Data under certain circumstances. This means that we may only continue to store your data and may not carry out any other processing activities except in one of the following cases: (i) to resolve one of the circumstances listed below; (ii) with your consent; or (iii) if further processing is necessary for the establishment, exercise, or defense of legal claims, to protect the rights of another person, or for important reasons of public interest of the European Union or a Member State.
The circumstances in which you have the right to request that we restrict the processing of your Personal Data are as follows:
- When you contest the accuracy of the Personal Data we are processing about you. In this case, our processing of your Personal Data will be restricted for the duration of the verification of the data’s accuracy;
- When you object to our processing of your Personal Data for our legitimate interests. You may request that the data be restricted while we verify the legitimacy of our processing of your Personal Data;
- When your data has been processed unlawfully by us, but you prefer that we restrict the processing rather than erase it; and
- When we no longer need to process your Personal Data, but you request it for the establishment, exercise, or defense of legal claims.
If we have disclosed your Personal Data to third parties, we will inform them of the restricted processing unless this proves impossible or involves disproportionate effort. Of course, we will inform you before lifting any restriction on the processing of your Personal Data.
Right to Rectification:
You also have the right to request that we correct any inaccurate or incomplete Personal Data we hold about you. If we have disclosed such Personal Data to third parties, we will inform them of the correction unless this proves impossible or involves disproportionate effort. Where applicable, we will also inform you of which third parties we have communicated these inaccurate or incomplete Personal Data to. If we believe it is reasonable not to comply with your request, we will provide you with the reasons for this decision.
Right to Data Portability:
If you wish, you have the right to transfer your Personal Data from one Data Controller to another. In practice, this means you can transfer the data to another online platform. To enable this, we will provide your data in a readable format. This right to portability applies to the following data: (i) Personal Data that we process automatically (i.e., without human intervention); (ii) Personal Data you provide; and (iii) Personal Data we process based on your consent or in the context of the execution of a contract.
Right to Set General or Specific Directives Regarding the Retention, Erasure, or Disclosure of Personal Data After Death:
You have the possibility to set general or specific directives regarding how you wish the rights granted to you under applicable law to be exercised after your death.
General directives concern all Personal Data relating to you, and you may revoke them at any time. They can be registered with a trusted digital third party certified by the French Data Protection Authority (CNIL).
Specific directives concern the processing mentioned in these directives and are registered with us: they require your specific consent and can be revoked by you at any time.
Right to Lodge a Complaint with a Supervisory Authority:
If, after contacting us regarding this matter, you believe that your rights relating to your Personal Data are not being respected, you may lodge a complaint with the French Data Protection Authority (CNIL) at 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07, France – Tel: +33 1 53 73 22 22 or via https://www.cnil.fr/fr/plaintes
It is important that the personal information we hold about you is accurate and up to date. Please inform us of any changes to your personal information during the period in which we hold your data.
10. Facilitated Contact for Exercising Rights
Although VOLATYS has taken reasonable measures to protect Personal Data, no transmission or storage technology is completely infallible.
Nevertheless, VOLATYS is committed to ensuring the protection of Personal Data. If you have reason to believe that the security of your Personal Data has been compromised or that it has been misused, you are invited to contact VOLATYS at: dataprotection[@]volatys.com
You may exercise your rights at any time and contact the Data Protection Officer (DPO) at the following address:
- By mail: Galliance (Terrena Group), Data Protection/DPO, 7 avenue Jean Joxé, CS 20248, 49002 ANGERS, France; or
- By email: dataprotection[@]volatys.com
11. Policy Updates
This Policy may be updated according to VOLATYS’ needs and circumstances, or as required by law. We therefore encourage you to review updates regularly.
VOLATYS is committed to complying with legal or regulatory developments regarding Personal Data.
Accordingly, VOLATYS reserves the right to modify its processing activities and security measures at any time and to update its data privacy policy accordingly.
Updated on 11/04/2025