Legal

Privacy Policy

The Club Cult is operated by AGENCY CULT SASU, a simplified joint-stock company incorporated under French law.

We are committed to protecting the personal data of every User. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, who receives it, how long we keep it and what rights you have. Terms written with a capital letter have the meaning given in the Legal Definitions Master.

We process personal data in accordance with Regulation (EU) 2016/679 (GDPR), the French Data Protection Act (Loi n. 78-17 of 6 January 1978), the ePrivacy Directive 2002/58/EC as implemented in French law and the guidance of the Commission Nationale de l'Informatique et des Libertés (CNIL).

1. Data Controller

The data controller is Agency Cult SASU, 44 Rue du Bac, 75007 Paris, France. SIRET 937 700 474 00011. RCS Paris 937 700 474. Email legal@theclubcult.com.

Each Expert acts as a separate and independent data controller for the personal data that Expert processes to deliver a Service to a Member. Agency Cult SASU is not responsible for the processing carried out by an Expert in that capacity.

2. Data Protection Officer

You can contact our Data Protection Officer at legal@theclubcult.com or by post at Agency Cult SASU, Data Protection Officer, 44 Rue du Bac, 75007 Paris, France.

3. Categories of personal data

3.1 Identity and account data: name, legal name, date of birth, nationality, email address, telephone number, profile photograph, role (Member, Expert or Curator).

3.2 Professional data (Experts and Curators): occupation and discipline, business registration details such as SIREN or SIRET, VAT number, professional insurance details, portfolio content, references.

3.3 Identity verification data (Experts): a government-issued identity document and bank account details, collected and processed by Stripe for the purpose of onboarding to Stripe Connect and meeting anti-money-laundering obligations.

3.4 Transaction and Booking data: Membership and Subscription records, Booking records, payment records, invoices, refunds. Card details are processed by Stripe and are never stored by us.

3.5 Communications data: messages exchanged through the Platform messaging system, support correspondence, reviews and ratings.

3.6 Usage and technical data: IP address, device and browser type, session logs, features used, crash and performance data.

3.7 Application data: the information you submit when you apply to join, including your discipline, your city, a social or website handle where you provide one and, where you are referred, the name and email of the referring Member.

We do not process special categories of data within the meaning of Article 9 GDPR.

4. Purposes and legal bases

Purpose Legal basis (Art. 6(1) GDPR)
Creating and managing your account and Membership (b) performance of a contract
Reviewing your application to join (a) consent, given on the application form
Facilitating Bookings between Members and Experts (b) performance of a contract
Processing Events and registrations (b) performance of a contract
Processing Subscriptions, Service payments and Expert payouts (b) performance of a contract
Verifying Expert identity for Stripe Connect (c) legal obligation (anti-money-laundering)
Issuing invoices and keeping accounting records (c) legal obligation (tax and commercial law)
Securing the Platform and preventing fraud (f) legitimate interest
Improving the Platform (f) legitimate interest
Sending service messages and push notifications (b) performance of a contract
Sending marketing communications (a) consent
Responding to a legal request or defending a legal claim (c) legal obligation and (f) legitimate interest

Where we rely on legitimate interest we have carried out a balancing assessment, a copy of which is available on request. Where we rely on consent you may withdraw it at any time without affecting processing carried out before withdrawal.

5. Recipients and sub-processors

We share personal data only where necessary, with the recipients below. We do not sell personal data and we do not use it for third-party advertising.

Sub-processor Purpose Location of processing Transfer safeguard
Supabase, Inc. Database, authentication, file storage European Union (Frankfurt, Germany) Data resident in the EU. Controller agreement under Standard Contractual Clauses where the provider entity is outside the EU.
Stripe Technology Europe, Limited Payments, Subscriptions, Stripe Connect, identity verification European Union (Ireland) EU entity. No transfer outside the EEA for this processing.
Brevo SAS Transactional and marketing email France EU entity. No transfer outside the EEA.
Cloudways Ltd Content management hosting European Union (region to be confirmed) Standard Contractual Clauses apply if any infrastructure is outside the EEA.
Expo Inc. Mobile push notification routing United States EU-US Data Privacy Framework (adequacy). DPA executed.
Apple Distribution International Ltd Push delivery (APNs) and App Store distribution Ireland, with delivery infrastructure in the United States Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

The website frontend is served by Vercel Inc. as a hosting provider. User data is sent directly to Supabase in the European Union, and Vercel does not process, store or persist personal data. We may also disclose personal data to our legal, tax and accounting advisers under confidentiality, and to a competent authority where the law requires it.

6. International data transfers

Personal data is stored within the European Union. Our database is hosted in Frankfurt, Germany by Supabase, payment data is processed within the European Union by Stripe and email is processed in France by Brevo. A limited transfer to the United States occurs only for the delivery of mobile push notifications through Expo and Apple, and only the technical data needed for that delivery, such as a device push token, is involved. Those transfers are governed by the EU-US Data Privacy Framework and, where applicable, by the Standard Contractual Clauses adopted by the European Commission under Decision 2021/914. We have assessed the risk of these transfers and the supplementary measures in place. Details are available on request.

7. Data retention

Data Retention period Basis
Identity and account data Duration of the Membership plus 5 years Limitation period, Code civil Art. 2224
Transaction and Booking records 5 years from the transaction Code de commerce Art. L123-22
Invoices and accounting records 6 years from the end of the fiscal year Livre des procédures fiscales Art. L102 B
Expert identity verification documents 5 years after the end of the relationship Anti-money-laundering law
Messages and support correspondence Duration of the Membership plus 1 year Operation of the service and limitation periods
Security and access logs 12 months CNIL guidance
Consent records 3 years from the consent or last interaction Accountability, GDPR Art. 7
Application data of applicants not yet admitted Kept while the application is pending, deleted on request Consent and legitimate interest

When a retention period ends the data is deleted or anonymised.

8. Your rights

Under the GDPR and French law you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability in a structured machine-readable format such as JSON or CSV (Art. 20), objection (Art. 21) and the right to withdraw consent (Art. 7). You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22).

To exercise a right, contact legal@theclubcult.com. We respond within one month, which may be extended by two further months for complex requests, in which case we will tell you within the first month. We may ask you to confirm your identity. Requests are free unless they are manifestly unfounded or excessive.

When you delete your account, your personal account data is deleted, while reviews and community content you have published are anonymised so they are no longer attributed to you. This preserves the rights of other Users and the integrity of the Platform, and it is described in the Account Deletion and Data Rights document. Where the law requires full deletion, we delete the content.

9. Automated decision-making

We do not take decisions about you based solely on automated processing that produce legal or similarly significant effects. Applications to join are reviewed by a human admissions committee. An application that is not admitted is held, never automatically rejected. Any ranking or matching feature used on the Platform supports human use and does not produce legal or similarly significant effects within the meaning of Article 22.

10. Security

We apply appropriate technical and organisational measures under Article 32 GDPR, including encryption in transit (TLS) and at rest, hashed passwords, role-based access control, multi-factor authentication for administrative access, logging and monitoring, and security assessment of our sub-processors before engagement.

11. Personal data breach

Where a breach is likely to result in a risk to your rights and freedoms we notify the CNIL within 72 hours under Article 33, and where the risk is high we notify the affected individuals without undue delay under Article 34. We keep an internal breach register.

12. Cookies

The Platform uses strictly necessary cookies only. Our use of cookies is described in the Cookie Policy.

13. Children

The Platform is intended for adults aged 18 and over. We do not knowingly process the data of a minor. If we learn that we have, we delete it.

14. Changes

We may update this Privacy Policy. For a material change we give at least 30 days notice by email and on the Platform before it takes effect. The date of the last update is shown at the top.

15. Contact and right to complain

For any privacy question contact legal@theclubcult.com or write to the Data Protection Officer at the address in section 1. You have the right to lodge a complaint with the CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr. We ask that you contact us first so we can try to resolve the matter. This Privacy Policy is governed by French law.