Privacy Policy

Last updated: 13 February 2026

‍

This policy details how POPPINS, a simplified joint stock company registered with the Paris Trade and Companies Register under number 929 553 691, with its registered office at 38 Rue Quai Henri IV, 75004 Paris, France ("POPPINS" or "we"), acting as data controller within the meaning of the applicable regulations on the protection of personal data, processes the personal data* (the "Data") of Users (the "User "   or "you") on its website at www.wearepoppins.com and through  its mobile application (together, the "Application") (together, the "Privacy Policy").

‍

Please read this privacy policy carefully. By using the Application, the User agrees to the collection, storage and processing of their information                                                                                   in accordance with this privacy policy.

‍

*Personal data is any information relating to an identified or identifiable person. In accordance with the GDPR, personal data refers to any information relating to the User, such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the User. 

‍

Article I. Data processed, purpose of processing and legal basis

‍

1. Data processed

‍

The Data processed includes the email address, first and last name, photographs and all information indicated in the profile description, the User's country, address and telephone number that Poppins may request from the User. It also includes banking information strictly necessary for the payment of the security deposit and, where applicable, its refund. 

‍

This banking information may include the IBAN number, as well as credit card details (card number, expiry date, cardholder's first and last names), and secure technical identifiers (tokens) transmitted by the payment service provider mentioned herein, enabling the completion of transactions related to the payment of the security deposit.

(IBAN number and credit card number, credit card expiry date, cardholder's first and last name). 

Users must give their explicit consent to the tokenisation of their bank card information. This consent is obtained via a mandatory checkbox before the payment is made.

‍

Users can log in to the Application via a Google or Apple ID ("Social Login"). POPPINS therefore also processes Usage Data (Social Login, IP addresses, browser type, browser version, Application pages visited by Users, time spent on these pages, time and date of visits, unique device IDs and other diagnostic data ).

‍

When you access the Application through or via a mobile device, POPPINS may automatically collect certain

information automatically, including, but not limited to, the type of mobile device used, the unique identifier of the mobile device, the IP address of the User's mobile device, the User's mobile operating system and the type of mobile internet browser used, as well as the unique device identifier and other diagnostic data. POPPINS processes this Data in order to optimise the User experience and provide services tailored to the Users' needs.

‍

2. Purpose of data collection and processing

‍

POPPINS may collect and process Data for the following purposes:

‍

• To provide and maintain the Application, including monitoring the use of the Application.

‍

• Managing User accounts: to manage the User's registration as a User of the Application. The Data provided by Users may enable them to access the various features of the Application that are available to them as registered Users.

‍

• Performance of contractual obligations: the preparation, compliance and execution of lists, Loans and payments made or offered by the User.

‍

• Contacting Users: contacting Users by email, telephone calls, text messages or other equivalent forms of electronic communication to send offers, promotions or commercial communications for services, including security updates, when necessary or reasonable for their implementation.

‍

• Provide Users with news, special offers and general information about other services and events that we offer and that are similar to those that Users have already purchased or enquired about, unless Users have opted out of receiving such information.

‍

• Manage User requests: Assist and manage User requests to POPPINS.

‍

• Provide targeted advertising to Users: We may use the Data to develop and display content and advertising (and work with third-party providers who do so) tailored to the User's interests and/or location and to measure its effectiveness.

‍

• For company transfers: We may use the Data to evaluate or conduct a merger, disposition, restructuring, reorganisation, dissolution, or other sale or transfer of some or all of POPPINS' assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which the Data held by POPPINS about the Application Users is among the assets transferred.

‍

• For other purposes: We may use User information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns, and evaluating and improving our Application, products, services, marketing, and your experience.

‍

3. Legal basis for data collection and processing

‍

The legal bases on which POPPINS collects and processes Data are as follows:

‍

• User consent: for Data provided when creating an account, configuring settings or using the Application;

‍

• Legitimate interests: The collection and processing of Data such as process usage Data is necessary for the purposes of the legitimate interests pursued by POPPINS;

‍

• Performance of a contract: the collection and processing of Data relating to the User's identity and location is necessary for the performance of the contract concluded with the User and/or the pre-contractual obligations arising therefrom;

‍

• Legal obligations: The collection and processing of Data is necessary to comply with a legal obligation to which POPPINS or its subcontractors are subject, for example, the identity of the payment card holder is necessary to record a payment.

‍

Article II. Data security and confidentiality

‍

POPPINS implements technical and organisational security measures in line with best practices, particularly with regard to the security of its information system. POPPINS undertakes to implement all necessary measures to preserve the                                                                                                                                                                                                           confidentiality and security of User Data and to prevent it from being altered, damaged, destroyed or accessed by unauthorised third parties.

‍

To this end, POPPINS requires its subcontractors to provide a level of protection similar to that of POPPINS.

‍

Please note that although POPPINS does its best to protect User Data, POPPINS cannot guarantee its absolute security.

‍

Article III. Cookie Policy

‍

Browsing the Platform results in cookies being stored on the User's device. For more information on POPPINS' use of cookies, please consult the Cookie Management Policy by clicking on the following link: Cookie Management Policy 

‍

Article IV. User Rights

‍

In accordance with applicable laws and regulations, the User has the following rights, subject to data retention periods and compelling legitimate reasons for processing POPPINS Data:

‍

• Right of access: to Data processed by POPPINS concerning the User;

‍

• Right to rectification: if the Data is inaccurate or incomplete;

‍

• Right to erasure: to enable the erasure of Data;

‍

• Right to object: to the processing of certain Data;

‍

• Right to portability: the Data is transmitted for possible reuse;

‍

• Right to information: this is the right to obtain information about how POPPINS processes Data.

‍

These rights may be exercised at any time by sending an email to the following address:franco@wearepoppins.com or a letter to 38 Rue Quai Henri IV, 75004 Paris, France. Any request for access, rectification or objection must be accompanied by a copy of a document proving the identity of the person making the request. These identity documents will be kept for one (1) year for the exercise of access and rectification rights and three (3) years for the right to object.

‍

We undertake to respond to each request as soon as possible, whether or not the requests can be satisfied, taking into account the situation and in light of the applicable laws and regulations.

‍

Article V. Recipients of Data

‍

In the context of processing User Data, POPPINS may transmit or give access to such data to the following categories of Data processors:

‍

• The service provider for the development, hosting and maintenance of the Application;

‍

• The service provider that performs penetration testing on the Application;

‍

• Service providers responsible for marketing analysis and customer segmentation; 

‍

• The provider of the statistical analysis solution for cookies and trackers.

‍

• Service providers for monitoring and analysing the use of our Application, for advertising on third-party websites to Users after they have visited our Application, for processing payments, and for contacting Users. The list of current service providers is attached to this privacy policy in Appendix I;

‍

• Affiliated companies: We may share User information with POPPINS affiliates, in which case we will require those affiliates to comply with this Privacy Policy. Affiliates include POPPINS' parent company and any other subsidiaries, joint venture partners or other companies that POPPINS controls or that are under common control with POPPINS;

‍

• Business partners: POPPINS may share User information with its business partners in order to offer Users certain products, services or promotions.

‍

• With other Users: When Users share personal information or otherwise interact with other Users in public areas, that information may be viewed by all Users and may be publicly disseminated outside the service. If Users interact with other Users or register through a third-party social networking service, the User's contacts on the third-party social networking service may see the User's name, profile, photos and description of the User's activity. Similarly, other Users will be able to view descriptions of Users' activities, communicate with them and view their profiles.

‍

• Other parties: With the User's consent, POPPINS may disclose Data for any other purpose to which the User has consented.

‍

Finally, POPPINS may be required to disclose this Data to third parties when such disclosure is required by law, regulation or court order, or if such disclosure is necessary to protect and defend its rights or to ensure the personal safety of Users of the Application or the public. 

‍

Apart from these cases, User Data will not be transferred or made accessible to a third party, subject to any restructuring of POPPINS, including the total or partial contribution of assets, merger, absorption, acquisition, demerger and, more generally, any reorganisation operation.

‍

Article VI. Storage period

‍

POPPINS retains Data for the period strictly necessary to achieve the purposes for which it was collected.

‍

POPPINS may store Data if its storage is reasonably necessary to comply with its legal obligations, meet regulatory requirements, prevent fraud and abuse, and enforce this Privacy Policy and the Terms of Use. POPPINS may retain Data for a limited period of time if required by law enforcement agencies. When Data is anonymised, POPPINS may retain it for as long as necessary for business purposes.

‍

Article VII. Transfer of User Data

‍

User information, including User Data, is processed at the offices of POPPINS or its contractors and at any other locations where parties involved in the processing are located. Consequently, this information may be transferred and stored on computers located outside the User's state, province, country or other governmental jurisdiction, where data protection laws may differ from those in the User's jurisdiction.

‍

The User's consent to this privacy policy, followed by the transmission of such information by the User, represents the User's agreement to such transfer.

‍

POPPINS or its subcontractors will take all reasonable steps necessary to ensure that User Data is treated securely and in accordance with this Privacy Policy, and no transfer of User Data will take place to an organisation or a country unless adequate controls are in place, including the security of the Data and other personal information.

‍

Article VIII. Children's Privacy Rights

‍

Our Application is not intended for persons under the age of 18. We do not knowingly collect personally identifiable information from persons under the age of 18. If you are a parent or legal guardian and you know that your child has provided Data to POPPINS, please contact POPPINS. If we learn that we have collected personal Data from persons under the age of 18 without verifying parental consent, we take steps to delete that information from our servers.

‍

Article XIX. Right to lodge a complaint

‍

Users also have the right to lodge a complaint with their local Data Protection Authority. For a list of Data Protection Authorities in EU Member States, please visit the following page: Data Protection Authorities - European Commission (europa.eu)

‍

For France in particular, Users also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07, regarding the manner in which POPPINS collects and processes Data.

‍

Article XII. Changes to this privacy policy

We may update this privacy policy at any time. We will notify Users of any changes by posting the new privacy policy on this page.

‍

We will notify Users by email and/or by a prominent notice on our Application before the change takes effect, and we will update the "last updated" date at the top of this privacy policy.

‍

Users are advised to review this privacy policy regularly to be aware of any changes. Changes to this policy are effective when they are posted on this page.

APPENDIX I - List of service providers with potential access to Data

Article I. Analysis

We may use third-party service providers to monitor and analyse the use of our Application. These may include, but are not limited to:

‍

1. Google Analytics

‍

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the collected data to track and monitor the use of our Application. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

‍

You can opt out of having your activity on the Application made available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visit activity.

‍

You can disable certain Google Analytics features through your mobile device settings, such as your device's advertising settings, or by following the instructions provided by Google in its privacy policy: https://policies.google.com/privacy).

‍

For more information about Google's privacy practices, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy

‍

2. Algolia  

‍

Algolia is a web search service. You can view their Privacy Policy at: https://www.algolia.com/policies/privacy.

3. Metabase

‍

Metabase is a web analytics service. You can view their Privacy Policy at: https://www.metabase.com/privacy-policies.

‍

4. PostHog

PostHog is a web analytics service. You can view their Privacy Policy at: https://posthog.com/privacy  

‍

5. Adjust

Adjust provides services geared towards analysing and optimising mobile advertising campaigns. You can view their Privacy Policy: https://www.adjust.com/terms/privacy-policy

Article II. Email Marketing

‍

We may use User Data to contact Users and send them newsletters, marketing or promotional materials and other information that may be of interest to them. Users may opt out of receiving any or all of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us.

‍

We may use email marketing service providers to manage and send emails to Users. These may include, but are not limited to:

‍

2.1 Brevo

‍

Brevo is a marketing email service provided by Sendinblue. For more information about Brevo's privacy practices, please see their privacy policy at: https://www.brevo.com/legal/privacypolicy/

‍

2.2 Customer.io

Customer.io is an automated messaging and analytics technology service (including any data or content available through such technology). For more information on the privacy practices of Customer.io, please visit their Privacy Policy:

https://customer.io/legal/privacy-policy

Article III. Payments

‍

We may provide paid products and/or services within the Application. In such cases, we may use third-party services for payment processing (e.g., payment processors).

‍

We do not store or collect Users' payment card details. This information is provided directly to our third-party payment service providers, whose use of Users' personal information is governed by their privacy policies. These payment processors adhere to the standards set by PCI-DSS, as managed by the PCI Security Standards Council, which is a joint effort of brands such as Visa, Mastercard, American Express, and Discover. The requirements of the PCI-DSS standard help ensure the secure processing of payment information.

‍

These may include, but are not limited to, the following:

‍

1. OPP

‍

Their privacy policy can be viewed at: https://onlinepaymentplatform.com/privacy-statement 

‍

2. Wordline

‍

Their privacy policy can be viewed at the following address: https://worldline.com/en/compliancy/privacy 

‍

Article IV. Data processing

‍

4.1 BigQuery 

BigQuery is a data analysis and processing service. Their privacy policy can be viewed at the following address: https://cloud.google.com/terms/cloud-privacy-notice 

‍

4.2 PostgreSQL 

PostgreSQL is a relational database management service. Their privacy policy can be viewed at the following address: https://www.postgresql.org/about/policies/privacy/ 

‍

4.3 Supabase 

Supabase is a database and backend service. Their privacy policy can be viewed at the following address: https://supabase.com/privacy 

‍

Article V. Behavioural remarketing

‍

POPPINS uses remarketing services to advertise to Users after they have accessed or visited our Application. We and our third-party providers use cookies and non-cookie technologies to help us recognise the User's device and understand how Users use our Application so that we can improve our Application to reflect Users' interests and provide them with advertisements that are more likely to be of interest to them.

‍

These third-party providers collect, store, use, process and transfer information about the User's activity on our Application in accordance with their privacy policies and to enable us to:

‍

• Measure and analyse traffic and browsing activity on our Application
• Show advertisements for our products and/or services to Users on third-party websites or applications.
• Measure and analyse the performance of our advertising campaigns

‍

Some of these third-party providers may use cookie-free technologies that may not be affected by browser settings that block cookies. Your browser may not allow you to block these technologies. You can use the following third-party tools to opt out of the collection and use of information for the purpose of delivering interest-based advertising:

‍

• The ICN opt-out platform: http://www.networkadvertising.org/choices/
• The EDAA opt-out platform: http://www.youronlinechoices.com/
• The DAA opt-out platform: http://optout.aboutads.info/?c=2&lang=EN

‍

You can opt out of all personalised advertising by enabling privacy features on your mobile device, such as Limit Ad Tracking (iOS) and Opt Out of Personalised Advertising (Android). Please refer to your mobile device's help system for more information.

‍

We may share information, such as hashed email addresses (if available) or other online identifiers collected on our Application with these third-party providers. This allows our third-party providers to recognise and serve advertisements to Users across different devices and browsers. To learn more about the technologies used by these third-party providers and their cross-device capabilities, please refer to the privacy policy of each provider listed below.

‍

The third-party providers we may use include, but are not limited to:

‍

1. Google Ads (AdWords)

‍

The Google Ads (AdWords) remarketing service is provided by Google Inc.

‍

You can opt out of Google Analytics for Display Advertising and customise Google Display Network ads by visiting the Google Ads Settings page: (http://www.google.com/settings/ads).

‍

Google also recommends installing the Google Analytics opt-out browser add-on:https://tools.google.com/dlpage/gaoptout for your web browser.

‍

The Google Analytics opt-out browser add-on allows visitors to prevent their data from being collected and used by Google Analytics.

‍

For more information about Google's privacy practices, please visit Google's privacy and terms of service web page: https://policies.google.com/privacy.

2. Facebook/Meta

‍

The Facebook or Meta remarketing service is provided by Facebook Inc. and Meta Inc.

‍

You can learn more about Facebook's interest-based advertising by visiting this page: (https://www.facebook.com/help/516147308587266).

‍

To opt out of Facebook's interest-based advertising, follow these instructions from Facebook: https://www.facebook.com/help/568137493302217.

‍

Facebook adheres to the principles of self-regulation for online behavioural advertising established 

by the Digital Advertising Alliance. You can also opt out of Facebook and other participating companies through the Digital Advertising Alliance

Alliance in the United States (http://www.aboutads.info/choices/), the Digital Advertising Alliance of Canada in Canada (http://youradchoices.ca/) or the European Interactive Digital Advertising Alliance in Europe (http://www.youronlinechoices.eu/), or by using your mobile device settings. For more information about Facebook's privacy practices, please see Facebook's data policy: https://www.facebook.com/privacy/explanation

Article VI. Use, Enforcement and Miscellaneous

‍

We may use third-party service providers to improve our Application. These may include, but are not limited to:

‍

1. Intercom

‍

Their privacy policy can be viewed here: https://www.intercom.com/legal/privacy.

‍

2. Facebook Messenger

‍

Their privacy policy can be viewed here: https://www.facebook.com/privacy/policy.

‍

3. 1Password 

‍

1Password is a secure password management service. Their privacy policy can be viewed here: https://1password.com/legal/privacy

‍

4. Cloudflare 

‍

Cloudflare is a security service. Their privacy policy can be viewed here: https://www.cloudflare.com/trust-hub/privacy-and-data-protection/

‍

5. Google Cloud 

‍

Google Cloud is a cloud hosting service. Their privacy policy can be viewed here: https://cloud.google.com/terms/cloud-privacy-notice  

‍

6. Github Actions 

‍

Github Actions is an automation and deployment service. Their privacy policy can be viewed here: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement

‍

7. OpenAI 

‍

OpenAI is an AI content processing and generation service. Their privacy policy can be viewed here: https://openai.com/policies/row-privacy-policy/ 

‍

8. Stream 

‍

Stream is a real-time data management and distribution service. Their privacy policy can be viewed here: https://getstream.io/legal/privacy/

‍

6.9 LinkedIn

Their privacy policy can be viewed here: https://www.linkedin.com/legal/privacy-policy 

6.10 Branch 

Their privacy policy can be viewed here: https://www.branch.io/gdpr/ 

6.11 Firebase

Their privacy policy can be viewed here: https://firebase.google.com/support/privacy 

7. Social Login

7.1. Google

Poppins allows users to create an account or log in using their Google account.

In this context, and only with your explicit consent, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) transmits to Poppins certain identification data necessary for authentication, such as your surname, first name, email address and Google account ID.

This data is used exclusively to enable the creation and management of your Poppins account and is not used for any other purpose.

The use of this feature is governed by Google's privacy policy and terms of use, available at: https://policies.google.com/privacy.

7.2. Apple

Users may also choose to log in to their Poppins account using their Apple ID ("Sign in with Apple").

In this case, Apple Distribution International Ltd. (Hollyhill Industrial Estate, Cork, Ireland) will provide Poppins, with your permission, with certain data strictly necessary for authentication, such as your surname, first name, and email address (or an anonymised email address if you choose this option).

This data is used solely for the purpose of opening and managing your Poppins account.
The use of this login method is subject to Apple's privacy policy and terms of use, available at: https://www.apple.com/legal/privacy/

‍