Privacy policy
Horus privacy policy: data collected, purposes, retention, your GDPR rights and how to exercise them.
Horus SAS respects your privacy. This policy explains how we collect, use, store and share your personal data, and the rights you have over it.
1. Data controller
HORUS SAS — 3 rue Desirat, 31350 Boulogne-sur-Gesse, France — RCS Toulouse 949 895 890 — acting as data controller under Regulation (EU) 2016/679 (« GDPR »). Data Protection Officer (DPO): privacy@horus-sas.com.
2. Data collected and purposes
| Purpose | Data collected | Legal basis | Retention |
|---|---|---|---|
| Account creation and management | Email, hashed password, first/last name, phone (optional) | Performance of contract (art. 6.1.b) | Active account life + 3 years after last login |
| Order processing & shipping | Shipping & billing address, items, payment reference (Viva), tracking number | Performance of contract | 10 years (legal obligation) |
| Invoicing | Customer + order data | Legal obligation | 10 years |
| Newsletter | Email, first name (optional), declared interests | Consent (art. 6.1.a) | Until unsubscribe + 1 month |
| Customer service | Email, message content, exchange history | Legitimate interest / contract | 3 years |
| Anonymized audience metrics | Pageviews, traffic source, device type — no user identifier | Consent | 13 months max |
| Security & fraud prevention | Hashed IP, connection logs, rate-limit signals | Legitimate interest | 12 months |
3. Recipients
Your data is never sold. Access is restricted to authorized Horus staff and, strictly when needed, to the following processors:
- Viva Wallet — payment processor (EU) — receives order amount, reference, transaction return. No card data ever reaches Horus servers.
- La Poste / Colissimo — carrier — receives name, address, phone, email for delivery notifications.
- ACME (French SAS — RCS Paris 805 313 160, 38 rue Dunois, 75013 Paris) — infrastructure hosting and transactional / newsletter emails (SMTP).
All processors are bound by contracts under art. 28 GDPR.
4. Non-EU transfers
No customer data is transferred outside the EU by Horus.
5. Security
Horus implements appropriate technical and organizational measures: site-wide TLS 1.3, Argon2id password hashing, SHA-256 hashing of IPs in logs, security headers (CSP, HSTS, X-Frame-Options), CSRF tokens, rate-limiting, encrypted secret storage, daily encrypted backups, least-privilege admin access.
6. Your rights
Under articles 15–22 GDPR, you have the following rights:
- Access — obtain a list of data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (« right to be forgotten »).
- Restriction of certain processing.
- Portability — receive your data in a readable format (JSON export available from your account).
- Objection to processing based on legitimate interest, or to direct marketing.
- Withdrawal of consent — at any time for consent-based processing, with no retroactive effect.
To exercise these rights: from your account (export, deletion), via the My rights page, or by email to privacy@horus-sas.com. We respond within 1 month max (3 months for complex requests, with prior notice).
7. Cookies
See our cookie policy. You may change your preferences at any time via the « Cookie preferences » button in the footer.
8. Complaint
If you feel your rights are not respected, you may lodge a complaint with the French supervisory authority: CNIL, 3 place de Fontenoy, 75007 Paris — cnil.fr.
9. Updates
This policy may evolve. Significant changes are notified by email to active accounts and signalled on the homepage for 30 days.
Last updated: 25 April 2026.