Confidentiality Policy

FOREWORD

This Confidentiality Policy is for you, as the USER of the www.magicstay.com WEBSITE (hereinafter the “WEBSITE”) and its purpose is to tell you how your personal information may, if necessary, be collected and processed by MAGIC STAY.

MAGIC STAY is a French simplified joint stock company (société par actions simplifiée), with share capital of 2,097,806 euros, located at 7 avenue Michel Chevalier, ZI Les Bois de Grasse – 06130 GRASSE, and registered with the GRASSE Trade & Companies Register under Number795 128 248. MAGIC STAY specialises in business tourism and operates the www.magicstay.com WEBSITE (hereinafter “MAGIC STAY” or “We”).

MAGIC STAY makes your privacy and the protection of your personal data a priority.  The purpose of this Confidentiality Policy is to present the content of the personal data processing implemented on the WEBSITE.

MAGIC STAY undertakes in any event to comply with the following two (2) key principles: 

-       You keep control of your personal data;

-       Your data are processed in a transparent, confidential and secure manner. 

The processing of personal data is regulated by: 

-       Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (hereinafter “French Data Protection Act”);

-       Since 25 May 2018: by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “GDPR”).

 

ARTICLE 1. DEFINITIONS 

  • LESSOR: refers to any natural or legal person under private law who or which has subscribed to the SERVICES by registering on the WEBSITE and is offering accommodation for rent advertised online by MAGIC STAY on the WEBSITE. It is understood that a LESSOR can be either a professional or a private individual acting as a consumer.
  • JOINT CONTROLLER: refers to the cases where several entities are responsible for processing the personal data collected on the WEBSITE and determine together the purposes for which and the manner in which any personal data are processed. 
  • MEMBER AREArefers to the dedicated virtual area on the WEBSITE for LESSORS AND LESSEES to search for accommodation, post advertisements online and access their bookings and invoices. The MEMBER AREA is accessed by using the login credentials.
  • LESSEE: refers to the natural or legal person, acting in a professional capacity, who or which is renting accommodation following a booking on the WEBSITE.  
  • DATA CONTROLLERrefers to the entity which, alone or jointly with another entity, determines the purposes for which and the manner in which any personal data are processed.
  • SERVICES: refers to all of the SERVICES provided by MAGIC STAY to the USERS through the WEBSITE. These SERVICES include: 
  • The provision of the WEBSITE’S various functionalities
  • The “TRAVEL INSURANCE” SERVICE
  • The “MAGIC-FLEX” SERVICE
  • WEBSITErefers to the internet site accessible at www.magicstay.com including all the hosted web pages and SERVICES offered to the USERS.
  • SUB-CONTRACTOR: refers to the person processing personal data on behalf of the DATA CONTROLLER, who acts under the authority of the DATA CONTROLLER and upon its instructions
  • USER: refers to any person who accesses and browses the WEBSITE.

 

ARTICLE 2. FRENCH DATA PROTECTION AUTHORITY (CNIL) FORMALITES 

The processing of your personal data is the subject of processing records which are inserted into MAGIC STAY’s register of processing operations.  

  

ARTICLE 3. PURPOSES OF PROCESSING

Your various data may be collected by MAGIC STAY in order to ensure that:

-       The WEBSITE, its services and its functionalities function correctly and continually improve

-       The SERVICES are provided

-       Information is sent to the inbox of registered Internet users

-       Statistical monitoring of the use of the WEBSITE and its different sections is implemented

-       Better knowledge is obtained of the Internet users to respond to their needs and requests in the best way possible by e-mail or by telephone 

-       The newsletter and other alerts are sent to those Users who have requested them

-       Right of access, rectification and opposition requests are handled

These purposes are set out in detail in Articles 4, 5 and 6 of this Confidentiality Policy. 

MAGIC STAY shall also be authorised to use such data in order to fulfil a legal or statutory obligation. 

In any event, and for each defined purpose, MAGIC STAY shall do everything in its power to ensure the security and the confidentiality of the personal data entrusted to it, in compliance with current laws and regulations. 

 

ARTICLE 4. ACCESS TO THE PLATFORM, INTERMEDIATION AND SERVICE PROVISION

4.1. Data controller’s identity

Within the context of the provision of the WEBSITE, the intermediation with the LESSORS and LESSEES and the provision of the SERVICES, MAGIC STAY should be considered as the data controller.  

For more information

If you have any questions about the management and the use made of your personal data, please contact us:

    Either via various forms and functionalities on our www.magicstay.com website, particularly via the contact form

   Or by e-mail, at dpo@magicstay.com

   Or by post to MAGIC STAY, à l’adresse 7 avenue Michel Chevalier, ZI Les Bois de Grasse, 06130 – GRASSE

   Or by telephone on +33 (0)1 79 97 80 00

Legal reminder: under the French Data Protection Act, the DATA CONTROLLER is the person who determines the purposes for which and the manner in which any personal data are processed. When two or more data controllers jointly determine the purposes for which and the manner in which any personal data are processed, they are joint data controllers(or joint controllers). 

4.2. Collection and processing of personal data

As part of the WEBSITE operation, MAGIC STAY may collect personal data about the USERS when they visit the WEBSITE. Such data are processed in accordance with the purposes stated at the time of collection.

MAGIC STAY may, in particular, collect personal data: 

-       When a USER wants to be able to access the WEBSITE-related SERVICES 

-       When you visit the WEBSITE

-       When you use functionalities and/or SERVICES offered on the WEBSITE

-       When you register and during the creation and updating of your MEMBER AREA

-       When interacting with MAGIC STAY via the WEBSITE 

-       When you make a contact request to MAGIC STAY

Furthermore, data about your browsing on our Internet site may also be used to target your needs and interests and to target our commercial and advertising offers accordingly.

Irrespective of the collection method, MAGIC STAY undertakes to inform you of the purposes of the processing, the obligatory or optional nature of the answers to be provided, any consequences, for you, of your failure to reply, the recipients of the data, and the existence of and procedures for exercising your rights of access, rectification and opposition to the processing of your data. 

When it is required under the French Data Protection Act, MAGIC STAY undertakes, as the case may be, to obtain your consent and/or allow you to object to the use of your data for certain purposes.

More details & legal basis

In any event, MAGIC STAY undertakes to process all of the data collected in accordance with the French Data Protection Act No.78-17 of 6 January 1978 as amended, which defines PERSONAL DATA as “any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more factors specific to that natural person. To determine whether a person is identifiable, account should be taken of all the means for enabling him or her to be identified which the data controller or any other person has or may have access to”

You can find out more details about how the cookies which let us achieve this purpose are managed in our Cookie Management Charter

4.3. Consent

As data controller, MAGIC STAY must obtain the WEBSITE USERS’ consent to collect and process their personal data. 

In accordance with the provisions in force, the USER’s consent must be informed, unambiguous and freely given for each designated purpose.  It is given through a statement or a positive action, which is equivalent to the USER’s agreement to the processing of his personal data. 

To be specific, any USER whose data are collected for the aforementioned purposes has: 

-       Either given his consent when he requested access to the SERVICES offered by the WEBSITE

-       Or given his consent when his MEMBER AREA was created

-       Accepted the Cookie Management Charter via the corresponding cookie banner.

For more information

When you open or manage your MEMBER AREA on the WEBSITE, you fill in various forms and communicate your various personal data in order to receive all the services offered by MAGIC STAY. 

All of your data are collected directly from you only, when you register, when you place orders, when you log in and during our interactions (online requests, mail, telephone calls, etc.).

Furthermore, data about your browsing on our Internet site may also be used to target your needs and interests and to target our commercial and advertising offers accordingly.

In any event, you are informed of the purposes for which your data are collected by us via the different online data collection forms, your MEMBER AREA or via our Cookie Management Charter

When necessary, MAGIC STAY undertakes, as the case may be, to obtain your consent and/or allow you to object to the use of your data for certain purposes, like, for example, the possibility of sending you marketing communications or putting third-party cookies on your terminals (mobile telephone, computer, tablet) to measure the audience of our website and our application and to offer you commercial offers and targeted advertisements according to your interests. 

 

ARTICLE 5. BUSINESS TRANSACTION MANAGEMENT AND FOLLOW-UP

5.1. Purposes of the processing

Your various data will be collected in order to: 

-       Book the accommodation

-       Provide USERS with the SERVICES

-       Manage the LESSORS AND LESSEES database (account management, loyalty programmes, sales management, invoices, monitoring of customer relations)

-       Manage complaints and the after-sales service

-       Manage outstanding payments and disputes

5.2. Data controllers' identity

a)     For LESSORS’ data

In connection with the SERVICES, MAGIC STAY collects and processes personal data relating to the LESSORS. All of the LESSOR’S data shall be processed in accordance with the aforementioned purposes. 

b)    For LESSEES’ data

In connection with the aforementioned purposes, MAGIC STAY and the LESSOR shall be joint controllers under Article 26 of the GDPR.Indeed, they shall have to collect and process the personal data of the LESSEES on the WEBSITE in order to perform the services.

In this respect, MAGIC STAY and the LESSOR guarantee that they shall process such data in compliance with the rights and obligations arising from the French Data Protection Act.

It is therefore expressly agreed by the PARTIES that MAGIC STAY and the LESSOR as joint controllers, shall do everything in their power to ensure the security and the confidentiality of the personal data entrusted to them. 

For more information

The data likely to be collected are as follows:

-      Data about your identity: title, surname, first names, address, telephone number, e-mail address

A copy of an identity document may be kept as proof for the exercise of a right of access, rectification or opposition or to meet a legal requirement.

-      Data related to payment methods via payment service providers: a bank or postal account number, cheque number, bank card number, bank card expiry date, security code

-      Data related to the transaction: transaction number, booking details

-      Data related to invoice payments: payment terms, discounts, receipts, balances and outstanding payments 

-      Your connection logs

For the management of our business relationship and customer care

The data likely to be collected are as follows: 

-      Data about your identity: title, surname, first names, address, telephone number, e-mail addresses 

-      A copy of an identity document may be kept as proof for the exercise of a right of access, rectification or opposition or to meet a legal requirement.

-      Data related to the monitoring of the business relationship: requests for documentation and trials, quantities, amounts, frequency, delivery address, order history, purchases and service provision, product returns, possibly, origin of the order or the sale, correspondence with the customer and after-sales service, interaction with and feedback from customers and prospects, person/people in charge of customer relations

-      Data required for carrying out loyalty, prospecting, study, survey, product testing and promotional actions

-      Data related to the organisation and processing of competitions, lotteries and any promotional operations such as the date of participation, the answers given to competitions and the nature of the prizes offered 

-      Data related to your browsing on our website via cookies

5.3. Consent

It is necessary to collect and process the USER’s personal data in order to perform a SERVICE. In view of the fact that the USER has chosen to order the performance of a SERVICE, there is no need for the LESSOR or MAGIC STAY to require the USER’s consent, it being necessary for the performance of the SERVICE. 

 

ARTICLE 6. REGARDING PAYMENT DETAILS

6.1. Regarding the collection and processing of payment details 

The term “payment details” applies to:

-      The details of the payment methods used by the LESSEE on the WEBSITE for purchasing a SERVICE offered by MAGIC STAY, the relevant account and payment details, such as the account number, bank card number, expiry date and name of the account holder

-      The data concerning the result of the transaction, such as the transaction number and the order enumeration

-      The data concerning invoice payment: payment procedures, reduction, receipts and outstanding balances

These data are collected by MAGIC STAY, via the software solution implemented on the WEBSITE, during the ordering process. They are then stored on a secure server and some of them are forwarded to the LESSOR.

It is expressly acknowledged that MAGIC STAY and the other data processing stakeholders:

-      Shall not proceed with data processing which would be incompatible with the specified purposes

-      Shall take all technical and organisational measures to ensure the security and the confidentiality of the LESSEE’s personal data.

6.2. Purposes of the processing 

LESSEES wishing to be provided with a SERVICE must use the payment services. 

The payment services necessary to the WEBSITE are provided by PAYBOX, which processes LESSEES’ transactions and transfers the amounts to MAGIC STAY.

Consequently, PAYBOX, the LESSOR and MAGIC STAY must process the LESSEES’ data for:

-       The provision of payment services

-       The conducting of audit procedures

6.3. Status of stakeholders

PAYBOX should be considered as the data controller for the processing of data related to SERVICE payment management. 

MAGIC STAY, which processes some of the LESSOR’s data as part of the provision of payment services, should be considered as joint controller for the processing of data related to the result of the transaction and invoice payment.

For more information

If you have any questions about the management and the use made of your personal data, please contact us:

     Either via various forms and functionalities on our https://fr.magicstay.com/ website, particularly via the contact form

     Or by email, at dpo@magicstay.com

     Or by post to MAGIC STAY, à l’adresse 7 avenue Michel Chevalier – ZI Les Bois de Grasse – 06130 GRASSE

     Or by telephone on +33 (0)1 79 97 80 00 

Legal reminder: Under the French Data Protection Act, THE DATA CONTROLLER is the person who determines the purposes for which and the manner in which any personal data are processed. When two or more data controllers jointly determine the purposes for which and the manner in which any personal data are processed, they are joint data controllers (or joint controllers). 

6.4. Consent

The customer’s personal data must be processed to carry out the payment for the SERVICE. As the LESSEE has chosen to order the performance of the SERVICE, MAGIC STAY shall not have to ask for its consent, it being necessary for the performance of the supply contract for the related payment services. 

Furthermore, PAYBOX processes the customer data necessary for combating fraud, the financing of terrorism and money-laundering under a legal obligation that falls to it as an approved payment institution.

6.5. Payment data retention period

Except as provided for in the following paragraphs, the bank details shall no longer be kept once the transaction has been performed by MAGIC STAY, that is, once full payment has been received for the desired booking. 

It should be specified that for payments made by bank cards, such data may be stored in temporary files to serve as proof if the transaction is contested, for a period of thirteen (13) months (or fifteen (15) months if the payment is deferred) from the date the debit is made. In any event, the security code is not stored and the bank details are deleted after the expiry of the date indicated above.

 

ARTICLE 7. DATA RECIPIENTS 

Only the people mentioned below may have access to the USERS’ data:

-       Authorised personnel from MAGIC STAY’s different departments (marketing, sales, administration, logistics and IT, those responsible for customer relations and prospecting and those responsible for auditing) 

-       Authorised personnel of subcontractors (if there are subcontractors)

-       If applicable, the relevant courts, mediators, chartered accountants, auditors, lawyers, bailiffs, debt collection agencies

-       The third parties that might put cookies on your terminals (computers, tablets, mobile telephones, etc.) when you consent (For more details, see our Cookie Management Charter).

Your data are not communicated, exchanged, sold or leased to anyone other than those people mentioned above.

 

ARTICLE 8. DATA RETENTION PERIOD

MAGIC STAY undertakes to ensure that the data collected are retained in a form that allows you to be identified for a period not exceeding the period necessary for the purposes for which such data are collected and processed. 

However, data processing is possible for proof of a right or a contract. Such data may also be retained in order to comply with a legal obligation or kept in files in accordance with the applicable laws and regulations.  

By way of exception, the USER’s identification data are retained by MAGIC STAY for a period of three (3) years as of the closure of the MEMBER AREA or the last contact with the USER. The LESSORS’ data are retained for the entire duration of the contractual relationship. 

As for the cookies referred to in Article 10 of this Confidentiality Policy, it is specified that the information stored on your terminal (e.g. cookies) or any other element used to identify you for the purposes of audience statistics are not retained beyond a period of thirty-six (36) months. After this period, the raw visitor data associated with a username are either deleted or anonymised.

Finally, to ensure that the WEBSITE and its functionalities function properly and continually improve, the raw visitor data associated with a username are retained for a period of thirteen (13) months.  After this period, they are deleted or anonymised. 

MAGIC STAY retains USERS’ personal data for a period which does not exceed the time required for the completion of the intended purpose.  

For more information

For the management and follow-up of your contracts, orders, deliveries and invoices

Your data are retainedfor the entire term of the contract.

Your data are stored for five (5) years for providing proof. Your invoices and accounting data are retained for a period of ten (10) years.

In the absence of an appropriate contract, your data are retained for a period of three (3) years from the day they are collected or the day of your last contact with us. 

For bank details data

In principle, your payment data are deleted once the transaction has been performed, then archived / stored for a period of thirteen (13) months after the transaction date.  

For marketing purposes  

If you are a customer: three (3) years from the end of the business relationship.

If you are not a customer yet: three (3) years from the day you last made contact with us.

Your data are then stored for a period of five (5) years, for the purposes of proof, in accordance with the provisions in force (French Insurance Code, Mutuality Code, Commercial Code, Civil Code, Consumer Code, Domestic Security Code, etc.) 

For your identity documents 

1 year in the case where you exercise your right of access or rectification

3 years in the case where you exercise your right of opposition 

For audience and statistics measurements 

36 months, then your data are deleted or anonymised

To ensure that our WEBSITE functions properly and continually improves

13 months, then your data are deleted or anonymised. 

 

ARTICLE 9. YOUR RIGHTS

In accordance with the French Data Protection Act and with the GDPR, you have the following rights:

     The right to access (Article 15 GDPR), rectify (Article 16 GDPR), update and complete your data (find out more)

     The right to block or erase your personal data (Article 17 GDPR), when they are inexact, incomplete, ambiguous, no longer valid or if their collection, use, communication or retention is prohibited (find out more)

     The right to withdraw your consent at any time (Article 13-2c GDPR)

     The right to restrict the processing of your data (Article 18 GDPR

     The right to object to the processing of your data (Article 21 GDPR) (find out more

     The right to data portability for the data you have provided us with, when your data are subject to automated processing based upon your consent or upon a contract (Article 20 GDPR

     The right to define the fate of your data after your death and to choose whether or not we communicate your data to a third party previously designated by you (find out more).

In the event of your death and failing instructions from you, we undertake to destroy your data, unless they need to be retained for purposes of proof or to fulfil a legal obligation.

These rights may be exercised, by simple request sent by email todpo@magicstay.comor by sending a letter to MAGIC STAY, 7 avenue Michel Chevalier – 06130 GRASSE, stating your contact details (surname, first name, address) and providing a legitimate reason as justification when this is required by law (particularly in the case of objecting to the processing).

Where you have forwarded a copy of a form of identification to prove your identity, we shall retain it for one (1) year or three (3) years when it has been forwarded in the context of the exercise of a right of opposition.

To learn more about your rights, you can also consult the French Data Protection Authority's website at the following address: http://cnil.fr

 

ARTICLE 10. LOGIN DATA AND COOKIES

MAGIC STAY makes use on its WEBSITE of login data (date, time, Internet address, the visitor's computer protocol, page viewed) and cookies (small files saved on your computer) for identifying you, memorising your visits and receiving the WEBSITE’s audience statistics and measurements, particularly concerning the pages viewed. 

By browsing the WEBSITE, you agree to MAGIC STAY installing this type of cookie known as “technical” cookies, the sole purpose of which is to allow or facilitate the electronic communication of your terminal equipment with our website, facilitating management and browsing on it. 

Our access to the information stored on your terminal equipment or the registration of information in it shall only take place in the following cases: 

-      To allow or facilitate electronic communication

-      When it is necessary for the provision of our service

As for the other data, you can exercise your right to access these login data either by sending an email requesting to do so to dpo@magicstay.comor by sending a letter to MAGIC STAY, 7 avenue Michel Chevalier – 06130 GRASSE.

If your browser allows you to, you can disable these cookies at any time by following the procedure specified by said browser. However, MAGIC STAY advises you that disabling the cookies may result in slowing down and/or disrupting access to the WEBSITE.

Furthermore, MAGIC STAY informs you that it uses the services of Google Analytics to measure the WEBSITE’s audience.You can refuse to have your browsing on the website monitored by the Google Analytics tool by downloading the Google Analytics Opt-out Browser add-on for your current browser on the WEBSITE from the following address: http://tools.google.com/dlpage/gaoptout?hl=fr.

In any event, the information stored on your terminal (e.g. cookies) or any other element used to identify you for the purposes of audience statistics are not retained beyond a period of thirty-six (36) months.After this period, the raw visitor data associated with a username are either deleted or anonymised.

To learn about the nature of the cookies and other trackers implemented on the WEBSITE, USERS are invited to consult the MAGIC STAY Cookies Charter provided for this purpose and available at the following address [link].

To find out more about cookies (how to manage them, delete them and identify them), consult the French Data Protection Authority (CNIL) website: http://www.cnil.fr/vos-droits/vos-traces/les-cookies/#c5554

 

 

ARTICLE 11. CONTACT DETAILS OF THE DATA PROTECTION OFFICER

Our Data Protection Officer is here to answer any inquiries, including the exercising of rights, relating to your personal data.

You can contact him either via this contact form,or by email at dpo@magicstay.com or by sending a letter to MAGIC STAY, 7 avenue Michel Chevalier – 06130 GRASSE.

 

ARTICLE 12. SECURITY

MAGIC STAY and any of its subcontractors undertake to implement every technical and organisational measure to ensure that our processing of personal data and the confidentiality of your data are secure, in accordance with the French Data Protection Act and the EU regulation on data protection (GDPR) and Law No.2018-133 of 26 February 2018 “bringing a number of provisions into line with EU law in the field of security”.  

As such, MAGIC STAY shall take all necessary precautions, in view of the nature of your data and the risks presented by our processing, to preserve data security and, in particular, prevent them from being corrupted, damaged or accessed by any unauthorised third parties (physical protection of the premises, authentication procedure for our customers with personal and secure access via confidential usernames and passwords, logging of connections, encryption of certain data, etc.). 

 

ARTICLE 13. TRANSFERT OUSIDE THE EU

As part of its activities, MAGIC STAY is required to transfer USERS’ data outside the European Union. 

MAGIC STAY informs the USERS, stating the steps taken to monitor this transfer and ensure that their data is kept confidential.