Privacy Policy

Last updated: April 2026

Preamble

Grand Cru & Etiquette ("GC&E", "we", "us") is committed to protecting the personal data of everyone who uses this website or engages with its services. This Privacy Policy explains what data we collect, why we collect it, how we use it, how long we keep it, and what rights you have in relation to it.

This policy is written in compliance with:

  • Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)

  • French Data Protection Act (Loi Informatique et Libertés, as amended)

  • UK GDPR and Data Protection Act 2018 (for users in the United Kingdom)

  • California Consumer Privacy Act (CCPA) (for residents of California, United States)

  • PIPEDA (for residents of Canada)

  • Privacy Act 1988 (for residents of Australia)

The data controller is Grand Cru & Etiquette, 60 rue François 1er, 75008 Paris, France. To exercise any of your rights or to ask any question about how your data is handled, please use the Contact section of the Site at www.grandcruandetiquette.com/contact

1. Data We Collect and Why

GC&E collects personal data only for specific, legitimate purposes. The table below sets out each category of data, the purpose for which it is collected, and the legal basis under the GDPR.

1.1 Data you provide directly

Data Purpose Legal basis Name and email address Newsletter subscription; membership account creation; processing orders; responding to enquiries Consent (Art. 6(1)(a)) or performance of a contract (Art. 6(1)(b)) Billing information (name, address) Processing purchases; issuing invoices Performance of a contract (Art. 6(1)(b)) Professional information (organisation, role, sector) Membership application; advisory enquiry; personalisation of the engagement Consent (Art. 6(1)(a)) Message content Responding to enquiries submitted through the Contact form Legitimate interest (Art. 6(1)(f))

GC&E does not collect payment card data directly. Payment is processed by Stripe and/or PayPal, which are subject to their own privacy policies and PCI DSS compliance obligations.

1.2 Data collected automatically

When you visit the Site, certain technical data is collected automatically by the hosting infrastructure (Squarespace) and, subject to your cookie consent, by analytics tools:

Data Purpose Legal basis IP address Security; fraud prevention; geographic analytics Legitimate interest (Art. 6(1)(f)) Browser type and version Technical optimisation of the Site Legitimate interest (Art. 6(1)(f)) Pages visited, time on page, referral source Understanding how the Site is used; improving content and navigation Consent (Art. 6(1)(a)) — collected only if you accept analytics cookies Device type and operating system Technical optimisation Legitimate interest (Art. 6(1)(f))

GC&E does not build individual behavioural profiles. Automatically collected data is used in aggregate and is not linked to your identity unless you are logged into a member account.

2. Cookies

Cookies are small text files placed on your device when you visit a website. GC&E uses the following categories of cookies:

  • Strictly necessary cookies — required for the Site to function correctly (session management, security, checkout). These cookies do not require your consent and cannot be disabled without impairing the operation of the Site.

  • Analytics cookies — used to understand how visitors use the Site (pages visited, time spent, navigation paths). These cookies are placed only with your explicit consent, which is requested via the cookie banner on your first visit. You may withdraw consent at any time through the cookie settings available in the Site footer.

  • Functional cookies — used to remember your preferences (language, login status). These are placed with your consent.

GC&E does not use advertising or retargeting cookies. Your browsing on this Site is not used to serve you targeted advertising on other platforms.

For full details of the cookies used on the Site, please refer to the Cookie Policy published separately at www.grandcruandetiquette.com/cookie-policy

3. How We Use Your Data

  • Newsletter. If you subscribe to the GC&E newsletter, your name and email address are used to send you editorial dispatches, membership updates and communications about GC&E's services. You may unsubscribe at any time by clicking the unsubscribe link in any email, or by contacting us directly. Unsubscription takes effect within 5 business days.

  • Membership. If you subscribe to the GC&E membership, your account data is used to manage your subscription, provide access to member content, send you monthly newsletters, and communicate with you about your membership. Your data is retained for the duration of your subscription and for a period of 3 years thereafter for accounting and legal compliance purposes.

  • Purchases. If you purchase a publication or register for a workshop, your billing and contact data is used to process the transaction, deliver the product or service, issue an invoice, and communicate with you about your order. This data is retained for 10 years in accordance with French accounting law (Code de commerce, Art. L.123-22).

  • Advisory enquiries. Information provided through the Contact form in connection with an advisory enquiry is used solely to assess and respond to that enquiry. If an engagement proceeds, data shared during the engagement is handled in strict confidence as set out in the written agreement between GC&E and the client.

  • Site improvement. Aggregate, anonymised analytics data is used to understand how the Site is used and to improve its content, structure and performance. This data is not linked to any individual.

4. Data Sharing

GC&E does not sell, rent or trade personal data. We share data with third parties only in the following circumstances, and only to the extent strictly necessary:

Service providers. GC&E uses the following third-party services, each of which processes data on GC&E's behalf under a data processing agreement:

  • Squarespace — website hosting, member area management, e-commerce

  • Stripe / PayPal — payment processing

  • Mailchimp or equivalent — newsletter delivery

Each of these providers is bound by contractual obligations to process data only for the purposes instructed by GC&E and to maintain appropriate technical and organisational security measures.

Legal obligations. GC&E may disclose personal data to competent authorities where required to do so by law, court order, or regulatory obligation.

No data is transferred to any third party for advertising, marketing or commercial purposes unrelated to GC&E's own services.

5. International Data Transfers

Some of the third-party service providers used by GC&E (including Squarespace, Stripe and Mailchimp) are headquartered in the United States. Where data is transferred outside the European Economic Area, GC&E ensures that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, or reliance on an adequacy decision where applicable.

6. Data Retention

GC&E retains personal data for no longer than is necessary for the purpose for which it was collected, subject to any legal retention obligations. The principal retention periods are as follows:

Data category Retention period Newsletter subscriber data Duration of subscription + 3 years after unsubscription Member account data Duration of subscription + 3 years Purchase and billing data 10 years (French accounting law) Advisory enquiry data (no engagement) 12 months from last contact Contact form messages 12 months from last contact Analytics data (anonymised) 26 months (CNIL recommendation)

At the end of the applicable retention period, data is securely deleted or irreversibly anonymised.

7. Data Security

GC&E implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or disclosure. These measures include encrypted data transmission (HTTPS), access controls, and reliance on established third-party infrastructure providers who maintain their own security programmes.

No method of electronic transmission or storage is entirely without risk. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, GC&E will notify the relevant supervisory authority within 72 hours and will inform affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.

8. Your Rights

Depending on your country of residence, you have the following rights in relation to your personal data:

  • Right of access — you may request a copy of the personal data GC&E holds about you.

  • Right of rectification — you may request that inaccurate or incomplete data be corrected.

  • Right of erasure — you may request that your data be deleted, subject to any legal retention obligations that require GC&E to retain it.

  • Right to restriction of processing — you may request that GC&E restrict the processing of your data in certain circumstances.

  • Right to data portability — you may request that data you have provided be transmitted to you or to another controller in a structured, machine-readable format, where technically feasible.

  • Right to object — you may object to processing based on legitimate interest. GC&E will cease such processing unless it can demonstrate compelling legitimate grounds that override your interests.

  • Right to withdraw consent — where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

  • Right not to be subject to automated decision-making — GC&E does not make decisions about individuals solely on the basis of automated processing.

To exercise any of these rights, please contact GC&E through the Contact section of the Site. We will respond within one month of receiving your request. Where a request is complex or numerous, this period may be extended by a further two months, of which you will be informed.

You also have the right to lodge a complaint with the relevant supervisory authority:

  • France: Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr

  • United Kingdom: Information Commissioner's Office (ICO) — www.ico.org.uk

  • European Union: the supervisory authority in your country of residence

9. Rights of California Residents (CCPA)

If you are a resident of California, you have additional rights under the California Consumer Privacy Act:

  • the right to know what personal information is collected, used, shared or sold;

  • the right to delete personal information held by GC&E;

  • the right to opt out of the sale of personal information — GC&E does not sell personal information;

  • the right to non-discrimination for exercising your CCPA rights.

To exercise these rights, please contact GC&E through the Contact section of the Site. We do not require you to create an account in order to submit a request.

10. Children

The Site is not directed at individuals under the age of 18, and GC&E does not knowingly collect personal data from minors. If we become aware that data has been collected from a person under 18 without appropriate consent, we will delete it promptly.

11. Modifications

GC&E reserves the right to modify this Privacy Policy at any time to reflect changes in applicable law, GC&E's data processing practices, or the services offered. The updated policy will be published on this page with a revised date. Where changes are material, GC&E will notify active subscribers by email with reasonable advance notice.

12. Contact

For any question relating to this Privacy Policy, or to exercise any of the rights described above, please contact GC&E through the Contact section of the Site:

www.grandcruandetiquette.com/contact

All requests are handled personally and confidentially. We respond within one month.