Privacy policy

Last updated : June 13, 2023

This privacy policy (this "Privacy Policy") governs and describes how BUFU, Inc. and its subsidiary BUFU S.A.S. (each the "Company", "We ,""Us"or "Our") may collect, use, and disclose personal data of users of the Company's website accessible at https://at.cafe (the "Website") and users of the Company's web, mobile application and other platforms (the "Application", the Website, the Application and other platforms being collectively referred to as the "Services"). Users of the Services will be referref to as the « User » or « You ».

We collect and process Your personal data in compliance with the applicable French and European legislation, including Act No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, amended by Act No. 2004-801 of 6 August 2004 and by Act No. 2018-493 of 20 June 2018 ("Law Informatique et Libertés"), Regulation (EU) No. 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("RGPD") and Directive 2002/58/EC of 12 July 2002 as amended by Directive 2009/136/EC ("ePrivacy Directive"), and any national transposition text or any subsequent text that may follow them ("Applicable Regulations").

By accessing and/or using the Services, You agree that Your personal data will be collected and processed under the terms and conditions set forth below. If You do not agree to this Policy, You shall cease all use of the Services.

The Charter is an integral part of the Terms and Conditions ("T&C") and must be read together with such T&C.

We may amend the Privacy Policy, in order to comply with any legislative, regulatory, jurisprudential, editorial or technical changes under the conditions described in the T&C. Therefore, before browsing, You should refer to the latest version of the Privacy Policy.

1. Identity of the data controller

The data controller is BUFU S.A.S., a French société par actions simplifiée, with a share capital of EUR 1,000, its registered office at 5 avenue du Général De Gaulle, 94160 Saint-Mandé, France, registered with the Trade and Companies Register of Créteil under number 890 556 368.

Contact details :

• Email : dpo@at.cafe
• Address: BUFU S.A.S. 5 avenue du Général De Gaulle 94160 Saint-Mandé France

2. Collecting personal data

2.1. What is personal data ?

The terms "personal data"("Personal Data"), "process/processing", "data controller", "processor", "recipient(s)", "consent", and "filing system", have the same meaning as in Article 4 of the GDPR.

2.2. Which Personal Data do We collect ?

The Company may collect some Personal Data:

• Information about the User's identity: surname, first names, day and month of birth, telephone number, profile picture, biography, IP address;
• Information relating to transactions carried out by credit card ;
• Information about the User's professional activity: days worked, days off, place of work, job position;
• Information about the User's behaviour on the Application;
• Registration information allowing the person to use the Services: email*, password, IP address, credit card information;

Information fields marked with an asterisk are required fields.

You can always refuse to complete these required fields, in which case We will inform You of the consequences of this refusal.

2.3. How do We collect Personal Data ?

Personal Data is collected directly by the Company, when You use the Services and when You contact the Company.

Your Personal Data is collected when You :

• browse on the Website ;
• use the chatbot on the Website;
• create an account and use the Application;
• access Your User account;
• use the Application;
• contact customer service.

3. How do We use Personal Data?

3.1. What are the legal basis for processing Your Personal Data and why do We collect Your Personal Data?

• Your express consent to such processing ; when You agree to receive offers and news from the Company, or when You accept the placing of some types of cookies when visiting Our website or using our Application ;
• The legitimate interest of the Company ; Improve the Services, in particular, to optimize or offer new features to the Services, or offer You a simplified automatic entry ; or inform You of Our offers and news, unless not consented to by You ;
• The execution of an agreement entered with Us in connection with the use of the Services ;
• Compliance with a legal or regulatory obligation applicable to the Company.

4. Recipients of Personal Data

The following persons will have access to some of Your Personal Data :

• Persons working within the Company or for the Company (managers, employees, interns, freelancers);
• The Company's headquarters located in the United States, for the purpose of invoicing customers located in the US only.
• The Company's subcontractors (Website host, CRM, cloud platform, payment platform, plugins, HRIS, etc.) such as AWS (Amazon Web Services) Our hosting service provider, Stripe, our online payment service provider, Intercom, Tableau and Amplitude;
• Accountants, lawyers, auditors, court officers, public bodies, ministerial officers and bodies responsible for debt collection.

5. Transfer of Personal Data outside European Union

The Website is hosted by AWS, whose servers are located in the United States. However, the Company offers to its users an option to host their Personal Data within the European Union.

Furthermore, depending on the subcontractors, some Personal Data can be transferred outside the European Union.

The transfer of Your Personal Data outside the European Union, if any, is secured as follows:

• The country outside the European Union has been deemed to offer an adequate level of protection by a decision of the European Commission;
• The transfer of Your Personal Data in this context is secured by means of a specific contract governing the transfer of Your data outside the European Union, based on the standard contractual clauses between a data controller and a data processor approved by the European Commission, adapted to the specificities of the transfers implemented for the needs of each of the services provided by Our data processors.

6. Personal data storage period

The Company undertakes not to keep Your Personal Data beyond the period strictly necessary for the purposes for which it was collected, and in accordance with the Applicable Regulations.

The Company undertakes to anonymize or delete Your Personal Data as soon as the purpose and/or the duration of their established retention expire.
The Company uses anonymized data to identify trends, and performance enabling data-driven decision-making and optimizing product experience.

• Audience measurement and service customization, management of cookies and other trackers
  Retention period: 13 months from the receipt of the cookie or other tracker
• Information relating to transactions carried out by credit card
  Retention period: Such data is not retained beyond payment, which may include the regularization of any fees applicable during a check-out, unless You have consented to the saving of such data.
• Information about services purchased
  Retention period: 10 years from the date of the last purchase or the last full payment of the last service provided

• User preference information
  Retention period: 5 years from full payment of the last service provided
• Personal Data processed as part of solicitations and promotional operations, sending offers and news
  Retention period: 3 years from the end of the relationship with the User or from the last interaction initiated by the User

• Personal Data relating to the management of requests for the exercise of rights and questions on Personal Data
  Retention period: 3 years from the last interaction initiated by the User

• Information about managing customer service interactions
  Retention period: 3 years from the last interaction initiated by the User

Nevertheless, Personal Data may be archived beyond the applicable periods for the purposes of researching, investigating, and prosecuting criminal offenses with the sole purpose of allowing, as needed, the provision of such Personal Data to the judicial authorities, or for other retention obligations, in particular for accounting or fiscal purposes. Archiving implies that this Personal Data will be subject to access restrictions and will no longer be available online but will be retrieved and kept on a secure and independent device.

The maximum retention periods set out in the table below apply unless You request that Your Personal Data be erased before the expiry of these periods, in accordance with Article 6 above.

7. Safety

The Company undertakes to take all useful precautions, organizational and technical measures appropriate to preserve the security, integrity and confidentiality of Your Personal Data and in particular to avoid their destruction, loss, theft, alteration or unauthorized access.

In order to reinforce the security of Your Personal Data, We invite You to choose a complex password and to take all precautions to keep it secret, to log out after each session, to avoid logging in on a computer that does not belong to you, and to avoid logging in to Your account via a public wifi network.

8. Our Policy on "Do Not Track"Signals under the California Online Protection Act (CalOPPA)

We do not support Do Not Track ("DNT"). Do Not Track is a preference You can set in Your web browser to inform websites that You do not want to be tracked.

You can enable or disable Do Not Track by visiting the preferences or settings page of Your web browser.

9. Your rights

9.1. What are Your rights ?

You have the following rights regarding Your Personal Data:

• Right to information: the right to obtain clear information about the use of Your Personal Data and Your rights;
• Right of access: the right to obtain Your Personal Data;
• Right to object: right to object to the use of Your Personal Data;
• Right of rectification: right to rectify inaccurate or incomplete Personal Data;
• Right of limitation: right to request to freeze the use of Your Personal Data for a certain period of time;
• Right to portability: when applicable, the right to receive Your Personal Data in a readable format and to request their transfer to the recipient of one's choice;
• Right to be forgotten: the right to request the deletion of Personal Data and to prohibit any future collection of Personal Data;
• Right to file a complaint to the Commission Nationale de l'Informatique et des Libertés (CNIL);
• Right to define instructions after Your death: the right to define instructions concerning the conservation, deletion and communication of Your Personal Data after Your death.

These instructions can be general, i.e. they concern all of Your Personal Data. In this case, they must be transmitted to a trusted digital third party certified by the CNIL.

These directives may be specific, i.e. they relate only to Your Personal Data processed by the Company. In this case, they must be transmitted to the Company.

You may change or revoke Your instructions at any time.

For any additional information, do not hesitate to go on the website of the CNIL.

9.2. How to exercise Your rights?

To exercise Your rights, You can contact the Company at the following e-mail address dpo@at.cafe and provide a photocopy of Your identity card with Your signature.

To exercise Your right to send a complaint to the CNIL, You can contact the CNIL on its website or by mail at the following address :

CNIL - Service des Plaintes 3 Place de Fontenoy - TSA 80715 75334 PARIS CEDEX 07

10. Modifications

We reserve the right to, at Our sole discretion, amend this privacy policy at any moment, in whole or in part. Those amendments will be effective from the publication of the new policy. If You continue to use the Services after the publication of the amendments, You will be deemed to have acknowledged and accepted the new policy. On the contrary, and if the new policy is unacceptable to You, You shall stop using the Services.

11. Security contact

To report security vulnerabilities You can contact the Company at the following e-mail address security@at.cafe