Update 27/11/2025
Sothys Paris attaches great importance to protecting your privacy and personal data and, to this end, has implemented this policy.
This policy describes how Sothys Paris, in its capacity as data controller within the meaning of EU Regulation No. 2016/679 of the European Parliament and of the Council of April 27, 2016, known as the “GDPR,” uses your personal data collected when you use the website www.sothys.fr (hereinafter the “Site”), as well as when you view our communications or interact with us (hereinafter collectively referred to as the “Services”). The purpose of this policy is to provide you with an overview of all the situations in which Sothys Paris may collect your personal data. However, you may not be affected by all of the situations described below.
This policy applies to all Services offered by Sothys Paris, referred to interchangeably as “Sothys Paris,” “We,” or “Our.”
This policy does not apply to sites and services that have a separate charter or policy that does not incorporate or refer to this policy.
By using our Services, you agree to provide us with accurate and verifiable information about yourself.
What is personal data?
This refers to any data that can directly (e.g. a name) or indirectly (e.g. an identifier, a code) identify a natural person.
What data do we collect?
When you interact with us, we collect personal data about you. This data varies depending on the purpose of our interactions.
You can provide us with your personal data in various ways, as specified in the table below:
- either directly: in particular via a form;
- or indirectly: cookies.
We do not collect personal data from third parties.
We take care to collect only data that is strictly necessary in order to offer you the most enjoyable experience tailored to your needs and to provide you with the Services you require.
To this end, your consent will be required if necessary.
If your data is collected via a form, we ensure that the necessary legal notices are included on this medium, as well as a reference or link to this policy. Mandatory fields are marked with an asterisk. Failure to complete fields marked with an asterisk may affect our ability to provide you with the desired Services or manage your requests.
The personal data that may be processed, the purposes for which we may process it, the applicable legal bases for processing, and the retention periods for your data are as follows, depending on the circumstances in which it is collected:
| Situation that may lead to a collection of personal data | Nature of data collected | Purpose of the processing carried out by us | Legal Basis | Length of data retention |
|---|---|---|---|---|
| Creation of a customer account | Last name, First name, Email, login data | Managing the customer relationship; sending personalized offers; statistical data (Site audience) | Execution of a contract (to be able to provide the service you have subscribed to); Legitimate Interest | 3 years from the end of the commercial relationship; 2 years from collection |
| Request for information via a contact form on the Website | Last name, First name, Postal address, Phone number, Email, message content | Handling your request | Consent | 3 years in the active database from the date of collection or your last contact |
| Sending of a newsletter | | Sending information about the brand | Consent | 3 years in the active database from the last contact or until unsubscribing |
| Sending marketing communication | | Sending commercial communications | Consent | 3 years in the active database from the last contact or until unsubscribing |
| | Last name, First name, age, profession, Postal address, Email, Phone number, Health information | Managing and monitoring cosmetovigilance cases | Legal obligation | 2 years in the active database from the date of registration of the cosmetovigilance case (subject to closure of the case: otherwise, until the case is closed) |
| Cosmetovigilance in United States | Last name, Postal address, Email, Phone number, date of birth, sex, gender, weight, race, ethnicity, Health information, retailer’s name, retailer’s postal address | Managing and monitoring cosmetovigilance cases | Legal obligation | Duration required for the purpose of this operation |
| Registration in the Sothys Academy™ model registry via Microsoft Forms form | Last name, First name, Email address, Phone number, Age range, Availability, Medical information, Aesthetic treatment preferences | Management and monitoring of the Sothys Academy™ model registry; management and monitoring of cosmetovigilance cases | Legitimate Interest; Legal obligation | 3 years in the active database from the last contact; see report of a cosmetovigilance case |
| Customer relationship management via Social Media | Last name, First name, Pseudonym | Social media management and moderation; customer relationship management via social media, including the Sothys image | Legitimate Interest | In accordance with the personal data policy of each Social Media |
| Promotional operation (contest) | Last name, First name, Postal address, Phone number of contestant, Email, Social network page(s) | Participation and execution of the promotional operation | Consent; Legitimate Interest | Duration required for the purpose of this operation |
| Management of requests to exercise the rights of individuals | Last name, First name, Email address, content of the request, ID document (if verification required) | Management of requests to exercise people’s rights under the GDPR | Legal obligation | 5 years from the date of the application or the closure of the application |
| Product recall management | Last name, First name, Email address, Telephone number, Order details | Management of product recalls with customers affected by the recalled products | Legal obligation; Legitimate Interest | 10 years from the date of the recall |
| Navigation (data collected by cookies) | (On these points, see the paragraph dedicated to cookies) | | | |
It should be noted that the retention periods indicated cover storage in active databases and intermediate archives. Beyond the periods indicated, your personal data will be anonymized or deleted in accordance with our personal data lifecycle management policy.
Who is in charge of the processing?
The controller is the person who determines the purposes and means of the processing. The controller is directly responsible for compliance with the obligations regarding the protection of personal data.
We are the controller.
Who are the recipients of your data?
Your personal data is intended exclusively for authorized and specific recipients, for the sole purpose of performing the requested Services.
Therefore, in addition to internal members of our company, certain data may be processed by the following subcontractors (hereinafter referred to as the “Subcontractors”):
- for hosting the Website: Amazon Web Services EMEA SARL;
- for promotional activities: Sothys International;
- for cosmetovigilance: to Soredec, which manages cosmetovigilance activities on behalf of our company; to the technical service providers used by this company and, in this capacity, for cosmetovigilance cases in the United States, to Registrar Corp: https://www.aers.me/privacy-policy/ ; to third parties whose product may be implicated; to healthcare professionals; to notified bodies responsible for product evaluation; to national or foreign public bodies responsible for vigilance in the exercise of their duties; to international health authorities or agencies;
- for registration in the Sothys Academy™ model registry: to Microsoft, in its capacity as developer and host of the Microsoft Forms form: https://www.microsoft.com/en-us/privacy ;
- when using social media buttons: to the relevant social media platform in accordance with its terms of use, which we invite you to consult directly on their website;
- to any third party concerned by one of the aforementioned purposes in the context of the performance of its tasks, including in particular the technical service providers used by the aforementioned recipients, third parties whose product may be implicated in the context of cosmetovigilance, healthcare professionals, notified bodies responsible for product evaluation, public bodies responsible for vigilance and transparency obligations, national and/or international health authorities or agencies.
In this regard, we inform you that your personal data may be transferred outside the European Union, and in particular to the United States, in connection with the provision of services by our Subcontractors.
In all cases, we ensure that our Subcontractors comply with the applicable European regulations on the protection of personal data and that transfers are carried out in accordance with these regulations.
How is the security of your personal data ensured?
Your personal data is protected by technical and organizational measures that comply with French and European legal and regulatory requirements, ensuring its security and confidentiality.
In particular, Sothys Paris uses protection technologies such as encryption systems.
Sothys Paris ensures, through written commitments, that its service providers and subcontractors offer guarantees and implement sufficient security measures to ensure the protection of the personal data entrusted to them for processing in accordance with the requirements of personal data protection legislation.
What are your rights?
In accordance with current regulations, you have the right to information (to receive concise, transparent, understandable and easily accessible information in clear and simple terms), the right to access your personal data, and the right to rectify or erase your personal data and to object to or restrict its processing, by contacting us at dpo@sothys.net.
If you exercise your right to object and/or erase and/or transfer your personal data:
- we may be unable to provide certain Services;
- we will be unable to comply with your request when the legal basis for the processing in question is compliance with a legal obligation.
You may withdraw your consent to the collection and processing of your personal data at any time.
You may refuse to be contacted for commercial purposes by telephone by registering free of charge on the cold calling opposition list available on the Bloctel - Espace consommateur website, or by writing to Bloctel - 6, rue Nicolas Siret - 10000 Troyes.
You will no longer receive telephone calls from us, except in connection with the performance of a current contract, in accordance with the provisions of Article L 223-1 of the Consumer Code.
You also have the right to lodge a complaint with the CNIL:
- on the CNIL website at https://www.cnil.fr/fr/plaintes ; or
- by post, writing to: CNIL – Service des Plaintes – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
and/or to take legal action.
Updates:
This policy may be updated at any time, in particular to take into account any new processing of personal data, regulatory, legal, or technological changes. The update becomes effective as soon as it is posted online.