1. Data controller
The company TRANSPORTS TMD, a French SAS with share capital of €15,000, registered with the Salon-de-Provence Trade and Companies Register under number 819 965 674, whose registered office is at La Feuillane - Lot 78 - ZA de la Feuillane, 13270 Fos-sur-Mer (France), operating the website atlantiqbox.com under the trade name «Atlantiq Box» (hereinafter "Atlantiq Box"), is the controller of your personal data within the meaning of article 4 of the General Data Protection Regulation (GDPR — EU 2016/679) and article 3 of the amended French Data Protection Act no. 78-17 of 6 January 1978.
Contact details of the data controller: see our legal notice.
2. Data Protection Officer (DPO)
In accordance with article 37 of the GDPR, Atlantiq Box has appointed a Data Protection Officer. Their contact details are provided at the bottom of this page and on request.
The DPO can be contacted for any question regarding the processing of your data or the exercise of your rights.
3. Categories of data collected
Atlantiq Box collects only data strictly necessary for the purposes described below. The data collected is as follows:
3.1 Identification data
- title, surname, first name;
- professional or personal email address;
- phone number (E.164 international format).
3.2 Business data (B2B only)
- company name, legal form;
- SIREN, SIRET or European equivalent number;
- EU VAT number;
- EORI number (import/export operations).
3.3 Delivery and billing data
- delivery and billing addresses;
- site constraints (access, opening hours).
3.4 Transaction data
- quotation, order and invoice history;
- payment method used (without storing full card data — see 6.2);
- order status and after-sales history.
3.5 Technical data (strictly necessary cookies)
- user session, cart, language preference, selected currency;
- CSRF token (form security).
See our cookie policy for details.
3.6 Communication data
- after-sales conversations.
No sensitive data within the meaning of article 9 of the GDPR (health, political opinions, religion, sexual orientation, etc.) is collected.
4. Legal bases and purposes
Each processing relies on a legal basis compliant with article 6 of the GDPR:
| Purpose | Legal basis (Art. 6 GDPR) | Retention period |
|---|---|---|
| Customer account creation and management | Performance of contract (a) | Account lifetime + 3 years inactivity |
| Order and quotation processing | Performance of contract (a) | 3 years from end of commercial relationship |
| Invoicing, accounting, taxation | Legal obligation (c) | 10 years (Commercial Code art. L123-22) |
| Customer service and after-sales | Performance of contract (a) | 5 years after last interaction |
| Commercial outreach (B2B email) | Legitimate interest (f) | 3 years from last contact or opt-out |
| Site security (logs, anti-fraud) | Legitimate interest (f) | 1 year |
| Anti-payment-fraud measures | Legitimate interest (f) + legal obligation | As per applicable legal obligations |
| Response to GDPR rights requests | Legal obligation (c) | 3 years |
5. Recipients and processors
5.1 Internal recipients
Data is accessible, strictly within the limits of their duties, to authorised Atlantiq Box staff (sales team, accounting, after-sales, sales administration).
5.2 Processors
Atlantiq Box uses the following processors, governed by GDPR clauses compliant with article 28 of the Regulation:
| Processor | Purpose | Data location |
|---|---|---|
| Stripe | Card payment processing | EU (Ireland) + USA (standard contractual clauses) |
| Site hosting provider | Application and data hosting | EU |
| Partner carriers | Order delivery | EU / UK / CH |
| Transactional email service | Sending of service emails | EU |
No data is sold or transferred to third parties for commercial purposes.
6. Data security
6.1 Technical measures
- TLS 1.2+ encryption for all communications;
- password storage as bcrypt hashes with random salt;
- CSRF tokens on all sensitive forms;
- two-factor authentication policy (TOTP) available for Customers;
- logging of access to sensitive data;
- weekly backups handled at the hosting provider level.
6.2 Bank data
Atlantiq Box does not store or directly process bank card numbers. Payments are entirely handled by Stripe, certified PCI-DSS Level 1 (the highest standard for payment-card processing).
6.3 Breach notification
In the event of a personal-data breach posing a risk to the rights and freedoms of data subjects, Atlantiq Box notifies the CNIL within 72 hours and informs data subjects without undue delay, in accordance with articles 33 and 34 of the GDPR.
7. Transfers outside the European Union
In principle, your data is stored and processed within the European Economic Area (EEA).
Where a transfer to a third country is necessary (in particular for Stripe, which may process certain data in the United States), Atlantiq Box ensures that the transfer is governed by the Standard Contractual Clauses adopted by the European Commission (decision 2021/914 of 4 June 2021), ensuring a level of protection equivalent to that guaranteed within the European Union.
8. Your rights
In accordance with articles 15 to 22 of the GDPR, you have the following rights over your personal data:
8.1 Right of access
You may obtain confirmation that data concerning you is being processed and obtain a copy thereof, free of charge (Art. 15).
8.2 Right to rectification
You may request the correction of any inaccurate or incomplete data (Art. 16).
8.3 Right to erasure ("right to be forgotten")
You may obtain the erasure of your data in the cases provided for in article 17, subject to legal retention obligations (in particular invoices retained for 10 years).
8.4 Right to restriction of processing
You may request restriction of processing of your data in certain situations (Art. 18).
8.5 Right to object
You may object at any time to the processing of your data for commercial outreach purposes (Art. 21).
8.6 Right to data portability
You may receive your data in a structured, commonly used and machine-readable format (Art. 20).
8.7 Post-mortem instructions
You may give instructions concerning the retention, erasure and communication of your personal data after your death (article 85 of the French Data Protection Act).
8.8 How to exercise your rights
To exercise these rights, contact our DPO by email or send your request together with a copy of an identity document (which will be destroyed after verification) to the postal address shown in our legal notice.
Atlantiq Box responds to your request within one month, extendable by two months if necessary due to the complexity or number of requests (Art. 12.3 GDPR).
9. Complaint to a supervisory authority
If you consider that the processing of your data does not comply with the regulation, you may lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL):
3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07, France
Phone: +33 1 53 73 22 22
Website: cnil.fr
You may also contact the competent supervisory authority of your country of residence (list of authorities at edpb.europa.eu).
10. Cookies
For details of the cookies used and how to manage your preferences, see our cookie policy.
11. Minors
Atlantiq Box does not knowingly collect any data from children under 16. The services offered are aimed at adult customers (adult individuals) or business customers. If you consider that a minor under 16 has provided us with their data, contact our DPO to obtain its erasure.
12. Automated decisions and profiling
Atlantiq Box does not engage in solely automated decision-making producing legal effects within the meaning of article 22 of the GDPR. Any contractual decision involves human intervention (sales, accounting).
13. Amendment of the policy
This policy may evolve to incorporate new legal obligations, new services or new best practices. The applicable version is the one published on this page on the date of your interaction. Substantive changes are notified by email to existing Customers.