Privacy policy
This is a courtesy translation. The French version prevails in case of discrepancy.
Pépite Pass attaches great importance to protecting the personal data of its users. This privacy policy describes how your data is collected, used, shared and protected, in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act (loi Informatique et Libertés).
1. Data controller
The data controller is:
- Legal name: Léo Petit (sole trader)
- SIRET: 99094700400018
- Address: 3 rue Robert Schuman, 95880 Enghien-les-Bains
- Email: contact@pepitepass.fr
- Data protection officer (DPO): not appointed (appointment not mandatory given the nature of the activity, Article 37 GDPR).
2. Data collected
Pépite Pass collects the following categories of data:
- Identification data: surname, first name, email, phone, business name.
- Connection data: IP address, technical identifiers, connection logs.
- Usage data: pages visited, actions performed on the platform.
- Payment data: processed exclusively by our provider Stripe (Pépite Pass does not store any bank card data).
- End-customer data: retailers may record in Pépite Pass the data of their own customers (name, email, phone, purchase history). Pépite Pass then acts as a data processor within the meaning of the GDPR.
3. Purposes and legal bases
- Provision of the service: performance of the contract (Article 6.1.b GDPR).
- Billing and accounting obligations: legal obligation (Article 6.1.c GDPR).
- Marketing communication (newsletter, promotions): consent (Article 6.1.a GDPR), withdrawable at any time.
- Service improvement and statistics: legitimate interest (Article 6.1.f GDPR).
- Security and fraud prevention: legitimate interest (Article 6.1.f GDPR).
4. Retention period
- Active account: for the entire duration of the contractual relationship.
- After termination: 3 years for prospecting purposes, then intermediate archiving for legal obligations (10 years for accounting data).
- Technical logs: 12 months maximum.
5. Hosting and data recipients
Primary hosting of customer data: all the personal data collected via Pépite Pass (merchant accounts, end-customer data, loyalty histories, Wallet cards) is stored and processed by:
- Company: Supabase Inc.
- Address: 970 Toa Payoh North #07-04, Singapore 318992
- Website: supabase.com
- Hosting region: European Union (AWS infrastructure, Ireland region, eu-west-1).
- Compliance: GDPR, SOC 2 Type II and HIPAA certifications, signed data processing agreement (DPA).
Your data may also be transmitted to our other technical subcontractors:
- Stripe Payments Europe Ltd.: payment processing and billing (Ireland).
- Amazon Web Services (AWS EMEA SARL): hosting of the backend application (EU region).
- Brevo (formerly Sendinblue): sending transactional emails and SMS (France).
- Apple Inc.: distribution of cards via Apple Wallet and sending update notifications (APNs).
- Administrative or judicial authorities upon lawful request.
No data is resold to third parties for commercial purposes.
6. Transfers outside the European Union
Although the data is hosted within the European Union, some of our providers (Supabase Inc., Stripe, AWS, Apple) are companies established outside the EU and may, in certain cases (technical support, backups), access data from the United States. These transfers are governed by the Standard Contractual Clauses adopted by the European Commission and, where applicable, by the Data Privacy Framework (DPF), which guarantee a level of protection equivalent to the GDPR.
7. Your rights
In accordance with the GDPR, you have the following rights over your data:
- Right of access: obtain a copy of your data.
- Right to rectification: correct inaccurate data.
- Right to erasure: request the deletion of your data.
- Right to restriction: restrict the processing.
- Right to portability: retrieve your data in a structured format.
- Right to object: object to the processing on legitimate grounds.
- Right to withdraw consent: at any time, for processing based on consent.
To exercise these rights, write to contact@pepitepass.fr. A response will be provided within 30 days at the latest.
If you are not satisfied with the response, you may lodge a complaint with the CNIL: www.cnil.fr.
8. Cookies
The website uses cookies that are strictly necessary for its operation (authentication, security), an experience measurement tool (Microsoft Clarity), and, subject to your consent, measurement and advertising cookies: Google Analytics 4, Google Ads and the Meta (Facebook) pixel. The latter are governed by Google Consent Mode v2 and remain disabled by default until you accept them via the banner. You can refuse or withdraw your consent at any time by clearing the cookies in your browser or by contacting us.
9. Security
Pépite Pass implements appropriate technical and organisational measures to ensure the security of your data: TLS encryption, password hashing, restricted access, regular backups, certified cloud infrastructure.
10. Amendments
This policy may be updated at any time. The date of the last amendment is shown below. Any substantial change will be notified to you by email.
Last updated: May 2026.