Privacy Policy

Effective date: November 2025

FLC GROUP, a simplified joint stock company with a single shareholder and capital of €1,072, registered with the Paris Trade and Companies Register under number 898 585 294, with its registered office at 8 rue François 1er – 75008 Paris, registered with ADEME under the unique identification number (IDU) FR404352_01PJYK (hereinafter, the " Company ") is the marketing company for products under the "Laboratoires Botanique Avancée " brand, available for sale on its website https://www.laboratoires-botanique-avancee.com (hereinafter, the "Website").

FLC GROUP processes the Personal Data of its Users and customers in the course of its business activities. FLC GROUP is committed to protecting Personal Data and makes every effort to ensure the highest level of protection, in compliance with the regulations applicable to Users and customers. To this end, FLC GROUP has implemented a privacy and processing policy within the Group that applies to Personal Data collected and processed in the course of its business (hereinafter the " Policy" ). 

This Policy applies to all Processing of Personal Data carried out by the Group, collected via the Websites, through email exchanges and other correspondence, at events, through programs, campaigns, and/or marketing activities. 

This Policy embodies all of FLC GROUP's commitments to its customers and Users with regard to the Processing of Personal Data. 

The purpose of this Policy is, in particular, to: 

a) Present the technical and organizational measures implemented by the Group to ensure a high level of protection for Personal Data processed, in accordance with applicable regulations; 

b) Document compliance with applicable regulations; and

c) Inform the individuals concerned about the means available to them to stay informed and control the processing of their Personal Data. 

For the purposes hereof, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the " GDPR ") and Law No. 2018-493 of June 20, 2018 on the protection of personal data: 

− The term " Personal Data " means any information relating to an identified or identifiable natural person (hereinafter the " Data Subject "). A natural person is considered to be identified or identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. 

− The term " Sensitive Data " means any information concerning the racial or ethnic origin, political, philosophical, or religious opinions, trade union membership, health, or sex life of the Data Subject;

− The term " Processing " refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 

− The term " Data Controller " means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing; and

− The term " Subcontractor " means the natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Data Controller. 

I.                        PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA

Before any Processing, the Group ensures that said Processing: 

− Is based on a specific, explicit, and legitimate purpose for which the Personal Data is processed; 

− Be strictly limited to the intended purpose; and

− Is lawful on the basis of (i) the necessary performance of a contract between the Group and the Data Subject or pre-contractual measures, (ii) a legal obligation, (iii) the prior consent of the Data Subject, or (iv) the pursuit of a legitimate interest by the Group, provided that it does not infringe on the fundamental rights of the Data Subjects.

The Group ensures that the Personal Data Processed is accurate and up to date.

Each entity within the Group regularly reviews its processing and personal data protection procedures in order to adjust and supplement them to ensure that its customers and website users enjoy the highest possible level of protection in accordance with applicable regulations.

II.                      CATEGORY OF PERSONAL DATA

Personal Data is collected, at any time, by any entity within the Group:

i.                         When browsing the Websites;

ii.                       When purchasing a Product on the Website or from a service provider chosen by FLC GROUP;

iii.                    When participating in any event, program, or marketing activity; or Via the contact form available on the Websites or email exchanges or correspondence. 

The mandatory or optional nature of the Personal Data collected is indicated at the time of collection on the contact form or any contractual document by an asterisk (*).  

The Personal Data processed by the Group includes: 

− Civil identity (last name, first name, date of birth, gender, nationality); 

− Contact details (address, phone number, and email address); 

− Information on the civil identity of persons receiving a Gift Product;

− Personal information (skin type, preferences, beauty routine, interests, etc.); 

− Information on payment methods for transaction purposes;

− Information about browsing via cookies and similar technologies used on the Site; 

− Commercial and statistical data on the use of the search engine; 

− The membership number for the loyalty program or another partner program; 

− Technical and location information generated in connection with the use of the Site; 

− Responses to satisfaction or prospecting surveys;

Anyone should contact the Data Controller if a minor has provided Personal Data without the prior consent of their legal guardian, so that this Personal Data can be deleted.  In order to satisfy customer requests or provide the appropriate Service, the Group may collect Sensitive Data, such as racial or ethnic origin. Any Processing of Sensitive Data is subject to the prior express consent of the Data Subject. 

III.                    PURPOSES OF PERSONAL DATA PROCESSING

The processing of personal data carried out by the Group is for the following purposes: 

a)       The performance of a pre-contractual or contractual relationship with the Data Subject:

o The management, processing, and tracking of purchases/orders of Products and/or Gift Products on behalf of any customer

 o Billing and follow-up; 

b)       the legitimate interest pursued by the Group when it pursues the following purposes:

o Prospecting and promotion within the scope of the Group's activities;  

o Customization of Service offers and purchase of Products and Gift Products; 

o Customer and prospect relationship management; 

o Handling all claims and complaints; 

o Organizing, registering, and inviting participants to events, programs, and marketing activities organized by the Group, and sending newsletters and information, where applicable;

o Management of loyalty programs; 

o Conducting satisfaction surveys, studies, and statistics; 

o Improving Services, Products, and Gift Products; 

o Knowledge of Users; 

o The performance of the Site; and

o Securing the Site; 

c)       Compliance with legal and regulatory obligations when the Group implements Processing for the purpose of: 

o Prevention of money laundering and terrorist financing, and the fight against corruption; 

o Management of requests and appeals relating to Personal Data;

 o Billing; and 

o Accounting; 

d)       Consent of the Data Subject:

o Personalized solicitation.

IV.                  RETENTION PERIOD FOR PERSONAL DATA

FLC GROUP only retains Personal Data for the period necessary for the operations for which it was collected and in compliance with applicable regulations.

For accounting purposes, the Personal Data of the Group's customers is retained for the entire contractual period and for a period of ten (10) years from the end of the financial year during which the last invoice was sent to the Data Subject. 

The Personal Data of Website Users is retained for a period of three (3) years if no contractual relationship has been established between the Data Subject and the Group.

Personal Data relating to payment methods is deleted from the Group's servers after the payment transaction has been completed, but may be kept on file for a period of thirteen (13) months after collection in order to protect against any disputes relating to the financial transaction. 

V.                     PERSONAL DATA SECURITY MEASURES

In order to guarantee security, confidentiality, integrity, and availability, and to protect Personal Data Processed by the Group against any destruction, loss, alteration, or unauthorized disclosure of such Data, FLC GROUP implements the following protective measures: 

− Training of Group personnel in the regulations applicable to the processing and protection of personal data; 

− Limited access by staff to Personal Data; 

− Where applicable, verification of subcontractors' and Partners' compliance with applicable regulations; 

− Securing the premises, hardware, and software used by the Group; 

− Updating of personalized and secure profiles, including the use of passwords that meet higher security standards and are changed regularly; 

− Use of regularly updated antivirus and IT security systems; 

− Use of different internal and external backup modes; 

− Website hosting by one or more hosting providers offering leading security measures; and

− Implementation of an internal procedure to manage any incident, breach, or violation of any Personal Data.

VI.                  VIOLATION OF PERSONAL DATA

In the event of a Personal Data breach, the Group shall notify the competent supervisory authority of the breach as soon as possible, and no later than seventy-two (72) hours after becoming aware of it. 

Furthermore, in the event that the breach is likely to result in a high risk to the rights and freedoms of a natural person, the Group will inform the Data Subject of the breach of their Personal Data as soon as possible, unless: 

− The Group has implemented appropriate technical and organizational protection measures and that these measures have been applied to the Personal Data affected by the breach, in particular measures that render the Personal Data unintelligible to any person who is not authorized to access it, such as encryption; 

− The Group has taken further measures to ensure that the high risk to the rights and freedoms of the Data Subjects is no longer likely to materialize; 

− What if communication required disproportionate effort?

VII.                PROCESSING BY THIRD PARTIES AND TRANSFER OF PERSONAL DATA

The Personal Data Processed is intended for the Group. In order to ensure the highest quality of Services, Products, and Gift Products, the Group may need to disclose Personal Data to: 

a) Employees and internal staff of Maisons each entity of the Group; it being specified that employees and staff are informed of the applicable regulations and are required to comply with this Policy; and

b) Partners, service providers, and subcontractors of the Group.

Processed Personal Data may also be shared in order to comply with any legal or regulatory obligations. In such cases, FLC GROUP will make every effort to limit the types and volume of Personal Data that the Group may have to share for legal purposes to what is reasonably necessary, and will make every effort to ensure that any transfer to countries outside the European Union is carried out on a legal basis that is appropriate and protective of the rights of the Data Subject. 

No transfer of Personal Data to countries outside the European Union will be carried out by the Group. Furthermore, the Group does not sell the Personal Data Processed to third parties.

The Group may collect and/or process Personal Data in connection with any sale, acquisition, merger, restructuring, bankruptcy, or other legal transaction involving the Group. In such a case, FLC GROUP will take reasonable measures to require that Personal Data be processed in accordance with this Policy.  The Website may provide links or features to other third-party websites that are not owned by FLC GROUP. If you use these links or features, you do so at your own risk. FLC GROUP shall in no way be liable for the content or practices of any third-party website, application, or feature. 

VIII.              RIGHTS OF DATA SUBJECTS

Under the conditions defined by applicable regulations, Data Subjects have the following rights, subject to certain conditions: 

− Access Data concerning them; the Group must, upon request, provide a copy of the Personal Data concerning them;

− Obtain from the Group, as soon as possible, the rectification of Personal Data concerning them that is inaccurate or incomplete; 

− Obtain from the Group, as soon as possible, the deletion of Personal Data concerning them;

 − Obtain from the Group the restriction of Processing; and

− Receive the Personal Data concerning them that they have provided in a structured, commonly used, and machine-readable format, and transmit this Data to another Data Controller (right to the portability of Personal Data in accordance with Article 20 of the GDPR).

All Data Subjects have the right to define guidelines regarding the fate of their Personal Data after their death. 

When Processing is based on the consent of the Data Subject, the latter may withdraw their consent at any time. Any Data Subject may also object to Processing based on the legitimate interest of the Group by notifying it.  For any information or to exercise rights relating to the Processing of Personal Data, please contact the Group's Data Controller: 

− By email to the following address: info@laboratoires-botanique-avancee.com; or 

− By signed letter accompanied by a copy of an identity document to the following address: FLC GROUP, 8 rue François 1er 75008 Paris, for the attention of the Data Controller.  

FLC GROUP undertakes to process all requests for information and exercise of rights relating to Personal Data as soon as possible after receipt of any request, and at the latest within one (1) month. 

Any Data Subject may at any time lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (the "CNIL") (the supervisory authority in France).

IX.                  REGISTER OF PERSONAL DATA PROCESSING

The Group undertakes to keep a record of Processing activities under its responsibility, containing all the information required by the provisions of Article 30 of the GDPR.

X.                      COOPERATION WITH THE SUPERVISORY AUTHORITY

The Group undertakes to cooperate with the CNIL, at its request, in the performance of its duties.

XI.                   USE OF COOKIES

When visiting the Website, cookies may be stored on the hard drive of the User's device. A cookie is a text file used to collect information relating to the User's browsing and identification for analysis purposes, in order to provide personalized services and products or to facilitate the User's browsing experience. 

The maximum retention period for cookies is twelve (12) months. 

Users of a Website may at any time refuse the use of these cookies by configuring their browser software accordingly.

Users may therefore, at any time and at their convenience, choose to disable these cookies and/or configure their browser to accept or reject each cookie.

XII.                 PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA WITHIN THE COMPANY

THIS PRIVACY POLICY MAY BE MODIFIED BY FLC GROUP AT ANY TIME WITHOUT PRIOR NOTICE TO USERS. IT IS THEREFORE RECOMMENDED THAT YOU REGULARLY REVIEW THIS POLICY ON THE WEBSITES.

FOR FURTHER INFORMATION ON THE PROTECTION OF PERSONAL DATA, ANYONE MAY CONSULT THE CNIL WEBSITE: www.cnil.fr.