Privacy policy

Preamble

The purpose of this Privacy Policy (the “Policy”) is to inform users of the website about:

  • The manner in which their personal data (hereinafter “personal data” or “data”) are collected. Personal data means any information that makes it possible to identify a user. This may include, but is not limited to, first and last name, age, postal or email address, location, or IP address (non‑exhaustive list);
  • The rights they have with regard to such data;
  • The person responsible for processing the personal data collected and processed;
  • The recipients of such personal data.

This Policy supplements the Legal Information, the Terms and Conditions of Use and the Cookie Policy, which may be consulted by users at the following address: Legal Information and Terms and Conditions of Use – oXya.

Principles Governing the Collection and Processing of Personal Data

In accordance with Article 5 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), personal data are:

  • Processed lawfully, fairly and transparently in relation to the data subject;
  • Collected for specified, explicit and legitimate purposes (see Article 3.1 hereof) and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date. All reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

 

Processing shall be lawful only if, and to the extent that, at least one of the following applies:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Personal Data Collected and Processed in the Context of Website Browsing

Data Collected

The personal data collected in the course of our activities include:

  • Identification data;
  • Data relating to your personal life;
  • Data relating to your professional life;
  • Economic or financial information;
  • Connection data;
  • Location data;
  • Occasionally (but very rarely), sensitive data.

Such data may be stored in various formats: electronic data, audio information, visual data (photographs or videos).

Purposes of Processing

Within the framework of pre-contractual and/or contractual obligations, we may process your personal data for the following purposes:

  • Responding to your comments and to any other requests you may submit via our website;
  • Managing your participation in online content.

We may also use your personal data in order to:

  • Maintain and improve our website;
  • Ensure website security;
  • Conduct customer satisfaction surveys;
  • Manage discussion forums in which you may participate;
  • Manage recruitment when you apply online for positions;
  • Compile aggregate statistics relating to the use of our website.

These processing activities and purposes are justified and based on our legitimate interest in ensuring that you enjoy your experience when visiting our website and interacting with us.

Finally, subject to your prior and explicit consent, we may also use the personal data you share with us for marketing purposes, including the provision of personalized offers.

Data Retention Period

Retention periods are determined based on:

  • Applicable legal obligations;
  • The purpose of the processing;
  • The duration of the contractual relationship.

We retain personal data under reasonable security conditions for as long as necessary to achieve the purposes for which they are processed.

Certain personal data may be retained beyond these periods in order to comply with legal or regulatory obligations.

Data Transfers

In the course of our activities, we may use service providers located outside the European Economic Area. In such cases, you will be informed of the transfer and your authorization will be requested.

Furthermore, prior to any transfer of personal data to a third country, we ensure that the destination country provides an adequate level of protection for personal data. If such protection is not guaranteed, appropriate safeguards, such as EU Standard Contractual Clauses, will be implemented.

Data Hosting

The website https://www.oxya.com is hosted by:

Alfa‑Safety
Registered office: 4 rue des Olivettes – Passage Douard Bat 7 – 44000 Nantes – France
Contact: +33 (0)2 51 84 34 00

Data Controller and Data Protection Officer

Data Controller

Personal data are collected by oXya, a simplified joint‑stock company (société par actions simplifiée) with a share capital of €1,504,290, registered under number 421 568 965.

The data controller may be contacted as follows:

  • By post: 21 rue Camille Desmoulins, 92130 Issy‑les‑Moulineaux, France
  • By telephone: +33 (0)1 76 76 40 00

Data Protection Officer (DPO)

The Data Protection Officer of oXya is:

Christophe Leleu
Europa Premium
4 rue Johannes Kepler
64000 Pau
Email: privacy@oxya.com

If, after contacting us, you consider that your “Data Protection and Freedoms” rights have not been respected, you may lodge a complaint with the French supervisory authority (CNIL).

Security

In compliance with applicable personal data protection regulations, we undertake to:

  • Implement appropriate technical and organizational measures and safeguards against unauthorized access, loss and disclosure of data;
  • Secure data transmissions.

Your Rights Regarding the Collection and Processing of Personal Data

In accordance with Regulation (EU) 2016/679 and the French Data Protection Act (Law No. 78‑17 of January 6, 1978), you have the following rights:

  • Right of access, rectification and erasure of data (Articles 15, 16 and 17 GDPR);
  • Right to data portability (Article 20 GDPR);
  • Right to restriction of processing (Article 18 GDPR) and right to object to processing (Article 21 GDPR);
  • Right not to be subject to a decision based solely on automated processing;
  • Right to determine the fate of your data after death;
  • Right to lodge a complaint with the competent supervisory authority (Article 77 GDPR).

To exercise your rights, please send your request by post to oXya S.A.S, 21 rue Camille Desmoulins, 92130 Issy‑les‑Moulineaux, France, or by email to privacy@oxya.com.

In order to process your request, you may be required to provide certain information such as your first and last name, postal address, and the subject of your request.

In case of doubt as to your identity, we may request additional information.

We will respond within a maximum period of one month.

For more information about your rights, please visit www.cnil.fr.

Amendments to the Privacy Policy

We reserve the right to modify this Policy at any time in order to ensure compliance of our website with applicable law.

You are encouraged to review this Policy each time you visit our website, without the need for formal notification.

This Policy was issued on January 31, 2026, and last updated on August 21, 2025.