Privacy Policy

Last updated: April 22, 2026 — GDPR compliant (EU Regulation 2016/679)

1. Data controller

The controller of personal data is:
OMAD GROUP
EURL registered with the Paris Trade and Companies Register — SIREN 100 192 830
Registered office: 6 rue d'Armaille, 75017 Paris, France
Legal representative: Omar Addi
Data protection officer email: contact@mecantara.com
Website: mecantara.com

2. Personal data collected

As part of the use of the Site and Service, we collect the following categories of data:

a) Identification and contact data:

• Requester's first name
• Email address
• Phone number (optional, for preview availability notifications)

b) Personalization data (quiz form):

• Song recipient's first name
• Occasion (birthday, wedding, birth, etc.)
• Relationship with the recipient
• Desired musical style and mood
• Qualities, memories and anecdotes freely provided by the User

c) Payment data:

• Processed exclusively and directly by Stripe (payment provider certified PCI-DSS level 1)
• OMAD GROUP does not collect, store or access any bank card number
• Only the Stripe transaction identifier and amount are stored in our systems

d) Browsing data:

• IP address (anonymized)
• Browser type and version
• Operating system
• Pages visited, visit duration, browsing path
• Traffic source (referrer URL, advertising campaign)

3. Purposes and legal bases of processing

Each processing operation is based on a GDPR-compliant legal basis:

• Performance of the contract (Art. 6.1.b): creation and delivery of the personalized song, order management, sending availability notifications (email, WhatsApp), revision management, after-sales service and customer support
• Legal obligation (Art. 6.1.c): retention of billing and accounting data in accordance with the French Commercial Code and General Tax Code
• Legitimate interest (Art. 6.1.f): improvement of the Service, fraud prevention, Site security, anonymized statistical analyses
• Consent (Art. 6.1.a): placing non-essential cookies (Meta Pixel), sending marketing communications (if consent has been obtained)

4. Data retention period

Data is retained for the following periods:

• Order and personalization data: 3 years from the last interaction with the Customer
• Accounting and billing data: 10 years in accordance with the French Commercial Code (Art. L.123-22)
• Browsing data and cookies: 13 months maximum in accordance with CNIL recommendations
• Customer support data: 3 years from ticket closure

At the end of these periods, the data is deleted or irreversibly anonymized.

5. Data recipients

Your personal data may be disclosed to the following processors strictly within the scope of the purposes described:

• Stripe Inc. (United States) — online payment processing. PCI-DSS Level 1 certified. Transfer governed by standard contractual clauses (SCCs) approved by the European Commission.
• Brevo (ex-Sendinblue, Sendinblue SAS) (France/EU) — sending transactional emails (order confirmation, availability notification, support)
• Meta Platforms Ireland Ltd (Ireland / United States) — measurement of advertising conversions via Meta Pixel and the Conversions API. Transmitted data is hashed (SHA-256) before sending. Transfer governed by SCCs.
• Hostinger International Ltd (Cyprus/EU) — hosting of the Site and databases
• WhatsApp (Meta) — sending transactional notifications via the WhatsApp Business Cloud API (only to Users who provided their phone number)

No personal data is sold, rented or transferred to third parties for commercial purposes.

6. Data transfers outside the European Union

Some of our processors (Stripe, Meta) are established in the United States. These transfers are governed by:

• the standard contractual clauses (SCCs) adopted by the European Commission (Decision 2021/914);
• the EU-US Data Privacy Framework for certified companies.

These safeguards ensure a level of data protection equivalent to that offered within the EU.

7. Your rights

In accordance with the GDPR (Articles 15 to 22), you have the following rights over your personal data:

• Right of access (Art. 15): obtain confirmation that data concerning you is being processed and receive a copy
• Right to rectification (Art. 16): have inaccurate or incomplete data corrected
• Right to erasure (Art. 17): obtain deletion of your data ("right to be forgotten"), subject to legal retention obligations
• Right to restriction of processing (Art. 18): request temporary suspension of processing of your data
• Right to portability (Art. 20): receive your data in a structured, commonly used and machine-readable format
• Right to object (Art. 21): object to processing of your data for direct marketing purposes or on legitimate grounds
• Right to withdraw your consent: at any time, without affecting the lawfulness of processing carried out before withdrawal

To exercise your rights, send your request with proof of identity to:
contact@mecantara.com
We undertake to respond within 30 days from receipt of your request. This period may be extended by two months in case of complexity or a high number of requests.

You also have the right to lodge a complaint with the competent supervisory authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Website: www.cnil.fr

8. Cookies and trackers

We use the following types of cookies:

a) Strictly necessary cookies (exempt from consent — Art. 82 of the French Data Protection Act):

• Django session cookie (authentication, cart)
• CSRF cookie (protection against cross-site attacks)

b) Audience measurement and advertising cookies (subject to consent):

• Meta Pixel (Facebook/Instagram): tracking advertising conversions (PageView, ViewContent, Purchase). Data is hashed before transmission. Duration: 90 days maximum.
• TikTok Pixel and Events API: tracking advertising conversions (PageView, ViewContent, AddToCart, InitiateCheckout, Purchase). Customer data transmitted server-side is hashed before sending. Duration: 90 days maximum.

Consent to non-essential cookies is collected during your first visit. You can change your choices at any time by deleting cookies through your browser settings.

9. Data security

OMAD GROUP implements appropriate technical and organizational measures to protect your data against unauthorized access, disclosure, alteration or destruction, including:

• Encryption of communications via HTTPS (TLS 1.2+)
• Data access restricted to authorized staff, protected by strong authentication
• Hosting on secure servers within the European Union
• Regular encrypted backups
• Monitoring and access logging

10. Minors

The Service is not intended for persons under 16. If we learn that personal data of a minor under 16 has been collected without the consent of a holder of parental authority, we will delete it as soon as possible.

11. Changes to the policy

This Privacy Policy may be modified at any time to reflect legal, regulatory or technical changes. The last update date is indicated at the top of this page. In the event of a substantial change, Users will be informed by any appropriate means.

12. Contact

For any question relating to the protection of your personal data:
OMAD GROUP
Email: contact@mecantara.com
Address: 6 rue d'Armaille, 75017 Paris, France