Privacy Policy
This privacy policy informs you about how BlueCloud.dev (operating the brand Alto) collects, uses, and protects your personal data, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and the French Data Protection Act of 6 January 1978 as amended.
1. Data Controller
Entity: BlueCloud.dev — Aymen HAMMOUDA
Trade name: Alto
Legal status: Micro-enterprise (Sole Proprietorship)
SIRET: 101 642 460 000 14
Address: 3 Rue Lavoisier, 92350 Le Plessis-Robinson, France
Email: contact@altowork.shop
2. Data Collected
In connection with your order and relationship with Alto, we collect the following categories of data:
- Identification data: first name, last name
- Contact details: postal delivery and billing address, email address, phone number
- Payment data: transactions are processed directly by Shopify Payments and its authorised partners. Alto never stores your banking details on its own servers.
- Order data: items ordered, amounts, purchase history, delivery status
- Browsing data: IP address, browser type, pages visited, collected by the host (Vercel) for security and performance purposes
- Communications: email address provided when subscribing to our mailing list (with explicit consent)
3. Legal Basis for Processing
Each data processing activity is based on one of the following legal grounds set out in article 6 of the GDPR:
- Performance of contract (art. 6.1.b GDPR): processing of data necessary to manage your order (identification, delivery, invoicing, after-sales service, refunds)
- Consent (art. 6.1.a GDPR): sending of commercial communications and newsletters. You may withdraw your consent at any time without affecting the lawfulness of prior processing.
- Legitimate interest (art. 6.1.f GDPR): fraud prevention, site security, service improvement, aggregated and anonymised usage statistics
- Legal obligation (art. 6.1.c GDPR): retention of billing data in accordance with French accounting and tax obligations
4. Purposes of Processing
- Processing and tracking your orders
- Payment management and invoicing
- Organising delivery and communicating with carriers
- Customer service and returns/refund management
- Sending transactional emails (order confirmation, dispatch tracking, invoice)
- Sending commercial communications (with your consent only)
- Fraud prevention and site security
- Compliance with our legal and accounting obligations
5. Recipients and Sub-processors
Your data is never sold to third parties. It may be transmitted to the following sub-processors, strictly to the extent necessary for the performance of their services:
- Shopify Inc. — e-commerce platform, order and payment management. Servers may be located in Canada and the United States. This transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR art. 46).
- Vercel Inc. — website hosting (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Browsing data and access logs are processed in the United States under Vercel's GDPR-compliant DPA.
- Brevo (Sendinblue SAS) — sending of transactional emails only (order confirmation, dispatch notifications, invoices). Servers located within the European Union. No transfer outside the EU for this processing.
- Klaviyo, Inc. (Boston, United States) — email marketing, browsing tracking, personalised recommendations. This processing is only activated with your explicit consent. The transfer to the United States is governed by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR art. 46). Data processed: email address, name, browsing history, purchase history.
6. Data Retention
- Order and billing data: 10 years from the close of the relevant accounting period (legal obligation — art. L123-22 of the French Commercial Code)
- Customer data (account, history): 3 years from the last purchase or last active contact
- Marketing emails: until you unsubscribe or 3 years after the last contact, whichever is sooner
- Browsing logs: maximum 12 months in line with CNIL recommendations
- Payment data: not retained by Alto — managed directly by Shopify Payments under their own policies
7. Your Rights
In accordance with the GDPR and the French Data Protection Act, you have the following rights:
- Right of access (art. 15 GDPR): obtain a copy of your personal data that we process
- Right to rectification (art. 16 GDPR): correct inaccurate or incomplete data
- Right to erasure (art. 17 GDPR): request deletion of your data, subject to our legal retention obligations
- Right to data portability (art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format
- Right to restriction of processing (art. 18 GDPR): request temporary suspension of the processing of your data
- Right to object (art. 21 GDPR): object to processing based on legitimate interest or for direct marketing purposes
- Right to withdraw consent (art. 7 GDPR): you may withdraw your consent at any time (e.g. newsletter unsubscription via the link in each email)
To exercise these rights, send your request by email to: contact@altowork.shop
We undertake to respond within one month of receiving your request (art. 12 GDPR). This period may be extended by a further two months due to the complexity or number of requests, with prior notice.
8. Data Security
Alto implements appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or alteration: SSL/TLS encryption of communications, restricted data access, PCI-DSS certified sub-processors for payments.
9. Cookies
altowork.shop uses technical cookies strictly necessary for its operation (session, cart, display preferences). No advertising or profiling cookies are placed without your prior consent.
10. Right to Lodge a Complaint with the CNIL
If you believe that the processing of your personal data constitutes a breach of the GDPR, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) — the competent supervisory authority in France (GDPR art. 13.2.d and 77):
CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Website: www.cnil.fr
Last updated: April 2026