Privacy policy

Last updated : May 15, 2026

REWORKED (Guillaume Masson, micro-entrepreneur) is committed to protecting the personal data of its customers, prospects, and website visitors. This Privacy Policy explains how we collect, use, share, and protect your personal data when you visit our website https://rework-ed.com or interact with our services.

This policy is drafted in accordance with Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation (GDPR)) and Law No. 78-17 of January 6, 1978 (French Data Protection Act), as amended.

1. DATA CONTROLLER

Guillaume Masson / REWORKED

Micro-entrepreneur (Sole Proprietor)

18 Rue Calliet

69001 Lyon, France

SIRET : 938 614 773 00019

Email : contact@rework-ed.com

Phone : +33 6 01 42 71 70

2. DATA PROTECTION CONTACT

As a micro-enterprise, REWORKED is not required to appoint a Data Protection Officer (DPO). For all questions, requests, or complaints related to the processing of your personal data, please contact :

Guillaume Masson

Email : contact@rework-ed.com

Postal address : 18 Rue Calliet, 69001 Lyon, France

We will respond to your request within one month. This period may be extended by two additional months if the complexity or number of requests warrants it, in which case you will be informed.

3. TYPES OF DATA COLLECTED

We collect the following categories of personal data :

a) Data you provide directly :

• Identity data : first name, last name

• Contact data : email address, phone number, postal address

• Order data : products ordered, order number, order history, amounts paid

• Payment data : payment method used (card details are processed directly by our payment providers and are never stored by REWORKED)

• Communication data : messages sent via our contact form, email, or social media

• Account data : email address and password (if you create a customer account)

• Return/refund data : reason for return, product condition, refund preferences

b) Data collected automatically :

• Technical data : IP address, browser type and version, operating system, device type, screen resolution

• Navigation data : pages viewed, time spent on each page, referring URL, click patterns

• Cookie data : cookie identifiers, session data, preferences (see Section 8 on Cookies)

• Location data : approximate geographic location derived from IP address (country/city level only)

c) Data from third parties :

• Payment confirmation data from payment providers (Shopify Payments, PayPal, etc.)

• Delivery tracking data from shipping carriers

4. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

We process your personal data for the following purposes :

a) Performance of a contract (GDPR Article 6(1)(b)):

• Processing and fulfilling your orders

• Managing your customer account

• Processing returns, exchanges, and refunds

• Communicating with you about your orders (confirmations, shipping notifications, delivery updates)

• Providing customer service in response to your inquiries

b) Compliance with legal obligations (GDPR Article 6(1)(c)):

• Maintaining accounting and tax records as required by French law

• Responding to requests from competent authorities

• Compliance with consumer protection obligations

• Managing withdrawal requests (right of withdrawal)

c) Legitimate interests (GDPR Article 6(1)(f)):

• Improving our website, products, and services

• Analysing website traffic and usage patterns to improve user experience

• Preventing fraud and ensuring the security of our website and systems

• Protecting our legal rights and interests

d) Consent (GDPR Article 6(1)(a)):

• Sending marketing emails and newsletters (you may withdraw consent at any time)

• Placing non-essential cookies (analytics, marketing)

5. RECIPIENTS OF YOUR DATA

Your personal data may be shared with the following categories of recipients, solely for the purposes described in this policy :

a) Shopify Inc. (e-commerce platform and hosting)

• Role : Data processor

• Data shared : All data necessary to operate the online store (customer data, order data, payment data, navigation data)

• Location : Canada and United States

• Privacy policy : https://www.shopify.com/legal/privacy

b) Payment providers

• Shopify Payments / Stripe : Payment processing

• PayPal (if applicable): Payment processing

• Role : Independent data controllers for payment processing

• Data shared : Name, email, billing address, payment information

• These providers are PCI-DSS certified and process payment data in accordance with payment card industry standards

c) Shipping carriers

• La Poste / Colissimo, DHL, UPS, or other carriers as applicable

• Role : Data processors

• Data shared : Recipient name, delivery address, phone number (for delivery notifications), order reference

d) Analytics tools

• Shopify Analytics : Website analytics

• Role : Data processor

• Data shared : Navigation data, technical data, cookie data

e) Email service providers (if applicable)

• For sending transactional emails (order confirmations, shipping notifications) and marketing communications

• Role : Data processors

• Data shared : Name, email address

f) Professional advisors

• Accountant/tax advisor : access to transaction data as required for legal compliance

• Role : Independent data controllers

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

6. INTERNATIONAL DATA TRANSFERS

Some of our data processors are located outside the European Economic Area (EEA), in particular :

• Shopify Inc.: Canada and United States

• Stripe : United States (if applicable)

• PayPal : United States (if applicable)

For transfers to Canada, the European Commission has issued an adequacy decision recognising that Canada provides an adequate level of data protection (for transfers governed by PIPEDA).

For transfers to the United States, these are safeguarded by :

• Standard Contractual Clauses (SCCs) approved by the European Commission

• The EU-U.S. Data Privacy Framework (where the recipient is certified)

• Additional technical and organisational measures as appropriate

You may request a copy of the relevant transfer safeguards by contacting us at contact@rework-ed.com.

7. DATA RETENTION PERIODS

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected :

• Customer account data : For the duration of your account, plus 3 years from the last activity for prospecting purposes (in accordance with CNIL recommendations)

• Order and transaction data : 10 years from the end of the financial year in which the transaction occurred (French accounting obligations, Article L.123-22 of the Code de commerce)

• Invoices and billing data : 10 years (French tax obligations)

• Delivery data : 1 year from delivery date

• Customer service correspondence : 3 years from the date of the last exchange

• Cookie data and navigation data : 13 months maximum from the date of collection (CNIL recommendation)

• Consent records (cookies, marketing): For the duration of the consent, plus 1 year

• Withdrawal/return request data : 5 years (statute of limitations for contractual claims)

• Prospect data (no purchase): 3 years from the date of collection or last contact

• Data related to legal disputes : For the duration of the dispute, plus applicable limitation periods

After these periods, data is either deleted or anonymised.

8. COOKIES AND TRACKING TECHNOLOGIES

a) What are cookies?

Cookies are small text files stored on your device when you visit a website. They serve various functions such as remembering your preferences, enabling core site functionality, and collecting usage data.

b) Types of cookies used :

Essential cookies (no consent required):

• Session cookies : Maintain your browsing session and shopping cart

• Security cookies : Protect against fraud and ensure secure transactions

• Shopify system cookies : Required for the e-commerce platform to function

Analytics cookies (consent required):

• Shopify Analytics : Track visitor behaviour to help us understand how the site is used, which pages are most popular, and how we can improve the user experience

• Data collected : Pages visited, time on page, traffic source, device and browser information

Marketing cookies (consent required):

• Used to track visitors across websites to display relevant advertisements

• These are only activated if you give your consent

c) Managing cookies :

You can manage your cookie preferences at any time :

• Through the cookie consent banner displayed on your first visit

• Through your browser settings (instructions vary by browser - consult your browser's help section)

• By deleting cookies already stored on your device

Disabling essential cookies may prevent you from using core features of the website (such as placing an order). Disabling analytics or marketing cookies will not affect the core functionality of the site.

d) Cookie retention :

Cookies are retained for a maximum of 13 months from the date they are placed, in accordance with CNIL guidelines.

9. YOUR RIGHTS

In accordance with the GDPR (Articles 15 to 22) and French data protection law, you have the following rights regarding your personal data :

a) Right of access (Article 15 GDPR):

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the processing (purposes, categories of data, recipients, retention periods, etc.).

b) Right to rectification (Article 16 GDPR):

You have the right to request the correction of inaccurate personal data or the completion of incomplete data concerning you.

c) Right to erasure / Right to be forgotten (Article 17 GDPR):

You have the right to request the deletion of your personal data when :

• The data is no longer necessary for the purposes for which it was collected

• You withdraw your consent (where processing is based on consent)

• You object to the processing and there are no overriding legitimate grounds

• The data has been unlawfully processed

• The data must be erased to comply with a legal obligation

Note : This right does not apply where the processing is necessary for compliance with a legal obligation (e.g., tax record keeping) or for the establishment, exercise, or defence of legal claims.

d) Right to restriction of processing (Article 18 GDPR):

You have the right to request that processing be restricted in certain circumstances, for example when you contest the accuracy of the data or when you have objected to processing pending verification of our legitimate grounds.

e) Right to data portability (Article 20 GDPR):

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible.

f) Right to object (Article 21 GDPR):

You have the right to object at any time to the processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

You have an absolute right to object to processing for direct marketing purposes.

g) Right to withdraw consent (Article 7(3) GDPR):

Where processing is based on your consent (e.g., marketing emails, non-essential cookies), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

h) Right to lodge a complaint :

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the French data protection authority :

French Data Protection Authority (CNIL)

3 Place de Fontenoy, TSA 80715

75334 Paris Cedex 07, France

Website : https://www.cnil.fr

Phone : +33 1 53 73 22 22

i) Right to define post-mortem directives :

In accordance with French law (Article 85 of the French Data Protection Act), you have the right to define directives regarding the retention, erasure, and communication of your personal data after your death.

How to exercise your rights :

You may exercise any of the above rights by contacting us :

• By email : contact@rework-ed.com (subject line : "Data Request")

• By post : Guillaume Masson / REWORKED, 18 Rue Calliet, 69001 Lyon, France

We may ask you to verify your identity before processing your request. We will respond within one month. This deadline may be extended by two months for complex or numerous requests, in which case you will be informed.

10. AUTOMATED DECISION-MAKING

REWORKED does not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

11. DATA SECURITY

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including :

• Use of SSL/TLS encryption for all data transmitted between your browser and our website (HTTPS)

• PCI-DSS compliant payment processing through certified providers

• Secure access controls and authentication for administrative systems

• Regular review of data processing practices

• Limitation of access to personal data to authorised personnel only, on a need-to-know basis

• Use of Shopify's security infrastructure, which includes firewalls, intrusion detection, and regular security audits

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to taking all reasonable precautions.

12. MINORS

Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from minors under 16. If we become aware that we have collected personal data from a minor under 16 without verified parental consent, we will take steps to delete that data as soon as possible. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@rework-ed.com.

13. CHANGES TO THIS POLICY

We reserve the right to update or modify this Privacy Policy at any time. Any changes will be posted on this page with an updated "Last updated" date. Material changes may be communicated to you by email or through a notice on our website.

We encourage you to review this Privacy Policy periodically.

Your continued use of our website after any changes to this policy constitutes your acceptance of the updated policy.

14. CONTACT

For any questions or requests regarding this Privacy Policy or the processing of your personal data, please contact :

Guillaume Masson / REWORKED

18 Rue Calliet

69001 Lyon, France

Email : contact@rework-ed.com

Phone : +33 6 01 42 71 70