MaditSpirit

Privacy Policy

1. Data Controller Identification

In accordance with the European General Data Protection Regulation (GDPR – EU Regulation 2016/679), the entity responsible for the processing of personal data on this website is:

  • Legal Entity: EV-Adworks (operating under the commercial brand “MaditSpirit”)
  • Business Status: Sole proprietorship (Micro-entrepreneur) registered in France
  • Jurisdiction: France
  • Email Contact: support@maditspirit.com
  • Hosting Provider: O2Switch – 222 Boulevard Gustave Flaubert, 63000 Clermont-Ferrand, France
  • Data Processing Location: All data is hosted and processed within the European Union (France)

For legal and privacy reasons, the full postal address of the data controller is available upon legitimate request by competent authorities or concerned individuals, in accordance with Article 13 of the GDPR.

This Privacy Policy is available in English. If you are a French-speaking user and need assistance understanding any part of this document, you may request a translated version by contacting us at support@maditspirit.com.

The data controller ensures full compliance with applicable EU and French data protection laws, and responds to all user inquiries related to personal data rights in a timely and transparent manner.

This Privacy Policy applies to all pages, subdomains, and services accessible via the domain maditspirit.com.

2. Personal Data Collected and Collection Methods

MaditSpirit collects only the data strictly necessary for the operation of its website, service delivery, legal obligations, and customer experience optimization. The types of data collected and the methods of collection are outlined below.

2.1 Data Collected via Forms

We use several forms throughout our website, including:

  • Contact forms
  • Personalized diagnostic quizzes or assessments
  • Coaching or service intake questionnaires

Depending on the form, the following personal data may be collected:

  • Full name or username (optional)
  • Email address (mandatory)
  • Preferred contact method (e.g., Instagram handle, Signal, etc.)
  • General lifestyle preferences (for example: sleep quality, physical activity, personal goals)
  • Responses to multiple-choice questions used for content personalization

These responses are stored in our secure internal database to help us tailor our offers, content, and support to better meet our users’ expectations and needs.

2.2 Data Collected During Purchases

When a customer purchases a digital product or coaching service:

  • An account is automatically created to provide ongoing access to the digital content.
  • The following data is collected during the checkout process:
    • First name and/or last name
    • Email address
    • Country and billing address
    • Order details and history
  • We keep track of purchase history to:
    • Offer customer support
    • Process refund requests when applicable
    • Provide tailored product recommendations

No sensitive payment information (such as card details) is stored on our servers. All payments are securely processed by Mollie, our PCI-DSS-compliant payment provider.

2.3 Newsletter (Beehiiv)

Newsletter subscriptions are managed separately via our Beehiiv platform.

  • Only your email address is collected when you subscribe to our newsletter.
  • This data is not added automatically during purchases; users must opt in voluntarily.
  • A double opt-in system is used to confirm explicit consent before any communication is sent.

You may unsubscribe from the newsletter at any time using the unsubscribe link in every email or by contacting our support team.

2.4 Cookies & Tracking Tools

Our website uses several cookies and tracking tools, including:

  • Google Analytics
  • Meta (Facebook) Pixel
  • Microsoft Clarity

These tools collect anonymized browsing and usage data such as:

  • Page views and scroll depth
  • Click behavior and session duration
  • Approximate geolocation (based on IP)
  • Device and browser information

All non-essential cookies are blocked until user consent is obtained through a cookie consent banner powered by Complianz.

2.5 Coaching & Diagnostic Data

When booking a coaching session or filling out a diagnostic form, users may voluntarily provide lifestyle-related information such as:

  • Personal goals (e.g., sleep improvement, weight loss, stress management)
  • General habits or routines (e.g., diet, fitness, screen time)

We do not collect or process any health-related data such as medical diagnoses, treatment history, prescriptions, or pathology indicators.

These answers are stored in a secure backend system to:

  • Analyze trends
  • Offer personalized support or content
  • Create targeted offers based on aggregated user interests

We ensure that all such processing is done with purpose limitation, data minimization, and security safeguards in place.

2.6 Data Collected from Advertising and External Platforms

We may collect certain data via:

  • Social media platforms (e.g., Instagram, TikTok, Twitter/X) through lead generation campaigns or messaging
  • Advertising campaigns that link to our landing pages, quiz funnels, or sign-up forms

This data typically includes:

  • Email address
  • Pseudonym or username
  • Response behavior (e.g., clicked ad, completed form)

All collection through external platforms complies with their respective privacy policies and your consent choices.

2.7 AI Assistant (MaditSpirit AI): What We Collect and Why

Our website includes an AI assistant (“MaditSpirit AI”) powered by DeepSeek. When you interact with the assistant, we process:

  • Chat content (messages you type)
  • Your customer account identifier and session email (to link past conversations and allow you to retrieve them across sessions)
  • Basic technical metadata generated automatically by the system (e.g., timestamps, session ID), strictly for service delivery, security, and quality monitoring

Purpose. We process this data to provide automated assistance, answer questions, and help you navigate our services in an educational, informational manner.

No medical or professional advice. AI responses are provided for general information only and do not constitute medical, legal, or other professional advice.

Transparency. You are informed that you are interacting with an AI system. You may always contact human support at support@maditspirit.com.

Voluntary use. Access to the AI chat is available to logged-in customers. You may choose not to use it; if you do not start a conversation, no chat data is created or stored.

3. Legal Grounds and Purposes of Data Processing

In accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679), MaditSpirit processes personal data based on one or more of the following legal grounds:

3.1 Consent

We collect and process certain types of personal data only with your explicit, informed, and prior consent, in the following cases:

  • Subscribing to our newsletter or promotional email campaigns
  • Acceptance of non-essential cookies for analytics or advertising (Google Analytics, Meta Pixel, Clarity)
  • Submission of diagnostic or personalized assessment forms, where the customer voluntarily provides personal details to receive targeted product or service recommendations

Consent is collected via clear opt-in mechanisms and may be withdrawn at any time via the unsubscribe link or by contacting us directly.

3.2 Performance of a Contract

We process essential personal data to fulfill our contractual obligations, including:

  • Processing orders and payments for digital or physical products
  • Granting access to purchased trainings, ebooks, or coaching services
  • Delivering personalized follow-ups and support after a sale
  • Creating user accounts for training dashboards or content access

This data is strictly required to complete your purchase or deliver the product or service you requested.

3.3 Compliance with Legal Obligations

To comply with our legal and fiscal obligations under French law, we retain and process certain data for:

  • Bookkeeping and accounting purposes
  • Issuing invoices and keeping tax-related records (10-year legal retention)
  • Ensuring proper handling of refunds, guarantees, or returns

3.4 Legitimate Interests

We may process certain personal data for the following purposes, based on our legitimate interests (as defined by Article 6(1)(f) of the GDPR), provided that your fundamental rights are not infringed:

  • Site optimization and performance tracking (e.g. analytics, load times, UX)
  • Detection and prevention of fraud or abuse (login attempts, payment anomalies)
  • Internal analysis of completed forms (e.g. diagnostic tools) to improve offer relevance
  • Marketing and advertising (e.g. retargeting, lookalike audiences), excluding intrusive profiling
  • Customization of our product recommendations and offer segmentation based on prior interactions or preferences

These activities are designed to improve our services and your user experience, without compromising your privacy or autonomy.

3.5 Automated Decision-Making & Profiling

We may use automated tools and algorithms to analyze data submitted through forms or purchase history in order to:

  • Offer tailored product recommendations (e.g., suggesting a specific training based on quiz answers)
  • Customize emails, offers, or discounts according to previous actions
  • Improve our internal segmentation of clients and visitors

However:

  • No automated decision produces legal effects or significant consequences without human intervention
  • All personalized recommendations are subject to human review and are purely informational
  • Clients retain full freedom of choice and may contact support to challenge or bypass algorithm-based suggestions

3.6 No Processing of Sensitive Data

We do not process any sensitive data within the meaning of Article 9 of the GDPR, including:

  • Health status or medical records
  • Genetic, biometric, or psychological data
  • Religious or political opinions
  • Sexual orientation or identity

Even though our diagnostic forms may touch on lifestyle goals (e.g., energy, focus, sleep), no health data is collected, inferred, or stored. The platform is not intended for medical use and no information is used for clinical profiling.

3.7 Legal Basis for AI Assistant

Processing of AI chat data is based on legitimate interests (Article 6(1)(f) GDPR): delivering helpful, efficient customer assistance and maintaining service quality. This processing does not result in automated decisions producing legal or similarly significant effects on you. You may choose not to use the AI assistant at any time and can contact our team for human-handled support.

4. Data Retention Policy

(How Long We Store Your Personal Data)

MaditSpirit is committed to processing your personal data in full compliance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and applicable French data protection and fiscal legislation. This section explains how long we retain your data, for what purposes, and under what legal basis.

All personal data is stored only for the time strictly necessary to fulfill the intended purpose, in accordance with the principle of data minimization.

4.1 Invoices and Accounting Records

In compliance with Article L123-22 of the French Commercial Code and Article L102 B of the French Tax Code, invoices and tax-related records must be retained for 10 years from their date of issue.

As a micro-entrepreneur, MaditSpirit is not legally obligated to generate invoices systematically. Invoices are therefore created only upon customer request and stored securely for the duration required by French accounting law.

This practice is fully compliant with micro-enterprise tax obligations.

4.2 Customer Accounts and Purchase History

For all purchases made through MaditSpirit (including ebooks, training programs, and coaching services), we retain account and purchase data for a maximum of three (3) years from the date of the last activity (login, access, or support request).

This retention allows us to:

  • Re-establish access to purchased digital content
  • Fulfill support or refund requests
  • Comply with potential legal or fiscal obligations

After three years of inactivity, data is either deleted or anonymized unless legally required for tax, fraud, or dispute resolution purposes.

4.3 Diagnostic Forms and Assessment Tools

When a customer completes one of our diagnostic questionnaires or personalized forms, we may collect data such as:

  • Email address
  • Personal wellness goals and preferences
  • Lifestyle-related information (e.g., stress, sleep, diet)
  • Preferred method of contact (e.g., social media handles or messaging platforms)

This data is stored in our internal database for analytical and customization purposes and is used exclusively to:

  • Provide tailored product or service recommendations
  • Refine our marketing and educational content
  • Improve relevance of future offerings

This data is retained indefinitely, unless a deletion request is submitted. No diagnostic form data is used for medical, clinical, or therapeutic purposes. No health condition or medical diagnosis is recorded or inferred.

4.4 Newsletter Subscription and Email Data

For users who have subscribed to our newsletter (via Beehiiv), we retain their email address and associated metadata as long as the subscription remains active.

Unsubscribing results in the automatic removal of the email address from our active communication systems within 24 hours. Historical data related to newsletter interactions may be retained for statistical purposes in anonymized form.

No marketing email is sent without prior, verifiable consent (double opt-in).

4.5 Cookies and Tracking Technologies

Non-essential cookies (such as those used for analytics or advertising) are stored on the user’s device only after explicit consent has been obtained through our cookie banner system, managed by Complianz.

In accordance with CNIL and GDPR recommendations, cookies are stored for a maximum of six (6) months, unless the user withdraws consent earlier.

You may change or revoke your cookie preferences at any time by accessing the settings available on our website.

4.6 Technical Logs and Anti-Fraud Measures

In order to prevent fraud, ensure security, and monitor website performance, we retain technical logs such as IP addresses, user agent, and timestamped access data for up to twelve (12) months.

These logs are accessible only to authorized personnel and are automatically deleted after the retention period, unless required for ongoing security investigations or legal proceedings.

4.7 Account Deletion and Data Erasure Requests

User accounts and associated personal data are not automatically deleted due to inactivity.

Any user may request the manual deletion of their account and personal data by contacting: support@maditspirit.com.

Upon receipt of a valid request and verification of identity, the deletion will be processed within 30 calendar days, unless the data must be retained for legal compliance, dispute resolution, or refund processing.

4.8 Ethical Data Management and Minimal Retention

We only retain personal data that is strictly necessary for:

  • Fulfilling our contractual obligations
  • Providing customer support
  • Complying with legal and tax obligations
  • Protecting our business and services

No sensitive personal data (such as health status, religious beliefs, or biometric identifiers) is collected or processed by MaditSpirit. Our systems are configured to store only the minimal amount of information required to operate effectively and legally.

5. Data Security

MaditSpirit is committed to protecting the personal data of its users and customers by implementing appropriate technical, organizational, and legal safeguards. We take data privacy seriously and adopt industry best practices to ensure the integrity, confidentiality, and availability of all collected data.

5.1 Technical and Organizational Measures

  • The maditspirit.com website is secured with a valid SSL certificate and uses the HTTPS protocol across all pages.
  • All administrative access points are protected by strong passwords, and critical accounts have two-factor authentication (2FA) enabled.
  • The CMS, plugins, and extensions used on the website are updated regularly to address known vulnerabilities.
  • Access to the website’s administrative dashboard is restricted to the sole administrator and is monitored through IP restrictions, login protection mechanisms, and activity tracking.

5.2 Secure Hosting & Data Protection

  • MaditSpirit is hosted by O2Switch, a GDPR-compliant hosting provider located in Clermont-Ferrand, France.
  • All data is stored on servers located within the European Union and protected by firewalls, network isolation, and anti-intrusion protocols.
  • The databases containing user information (accounts, diagnostics, history) are encrypted where necessary, secured by strict access rules, and not publicly exposed.
  • Only the authorized site administrator can access the full personal data sets stored in the system.

5.3 Access Control

  • User and customer data (accounts, diagnostic forms, purchase history, behavioral tracking, etc.) are accessible only by the site administrator.
  • No third party or subcontractor is granted direct access to personal data, except technical service providers operating under GDPR-compliant contracts (e.g., hosting provider, form processing platforms).
  • Tools such as Tally (form submissions), LMS systems, and analytics platforms are protected with restricted credentials, enhanced access control, and role-based permissions when applicable.

5.4 Incident Response & Compliance

  • In the event of a data breach or security incident, MaditSpirit will notify the CNIL (French Data Protection Authority) within 72 hours, as required under Article 33 of the GDPR.
  • If the breach is likely to result in a high risk to the rights and freedoms of individuals, MaditSpirit will also inform affected users directly, providing full transparency and guidance.
  • The site is actively monitored for suspicious behavior, unauthorized access attempts, or unusual technical anomalies.
  • While a formal data processing register is not yet in place, MaditSpirit maintains internal documentation that clearly outlines:
    • The types of data processed
    • The legal bases for processing
    • Retention periods
    • Access and sharing policies

6. Data Sharing and Subprocessors

MaditSpirit takes data privacy seriously and ensures that all personal information is handled securely and transparently. While we never sell or rent user data, certain service providers (subprocessors) are involved in delivering our services and products. These partners process personal data solely for the purpose of operating our business, and under strict compliance with GDPR and international standards.

6.1 Service Providers and Subprocessors

We may share certain personal data with the following types of trusted partners:

  • Payment Processors: Mollie (for secure payment transactions)
  • Newsletter Platform: Beehiiv (for managing email subscriptions)
  • Form Builders & Analytics: Tally (for diagnostic and lead generation forms)
  • Affiliate Partners: In cases where a user is referred by an affiliate, we may share aggregated or campaign-related data with that partner.

These service providers act either as processors (acting on our behalf) or independent data controllers (where legally required), depending on their role and contractual obligations.

We ensure that all partners implement strong data protection safeguards and are subject to appropriate contractual agreements where applicable.

6.2 Data Transfers Outside the EU

Some of our service providers are located or host data outside the European Economic Area (EEA), particularly in the United States. These transfers are conducted under appropriate legal safeguards, including:

  • Standard Contractual Clauses (SCC) issued by the European Commission, or
  • Participation in the EU-U.S. Data Privacy Framework (if applicable to the provider)

We ensure that any transfer of personal data outside the EU is made in accordance with GDPR and does not undermine the level of protection granted to our users.

6.3 No Sale or Commercialization of Data

We do not sell, rent, or commercialize any personal data to third parties for advertising or marketing purposes. Our data use is strictly limited to operational needs and user consent.

6.4 No Unauthorized Reuse by Partners

We do not authorize any of our subprocessors to reuse your personal data for their own purposes (e.g., analytics, advertising, profiling) outside of their direct service role to MaditSpirit.

6.5 Sharing of Aggregated or Anonymized Data

We may share anonymized and aggregated data (such as traffic statistics, conversion rates, or diagnostic form insights) with selected partners, particularly affiliates, for the purpose of improving campaigns or adapting offers.

This type of data does not contain any personally identifiable information and cannot be linked back to individual users.

6.6 Public List of Subprocessors

For full transparency, we maintain a list of our main data processors and service providers in this privacy policy. This list may be updated periodically to reflect any changes.

6.7 AI Service Provider (DeepSeek)

For the AI assistant, we use DeepSeek as a technical service provider to process chat content and limited operational metadata solely to deliver the AI functionality.

  • Training use disabled. We have opted out of provider-side data use for model training or product improvement beyond what is necessary to provide the service to us.
  • No sale of data. We do not sell or rent AI conversation data.
  • Contractual safeguards. Processing is governed by GDPR-compliant terms, including appropriate transfer mechanisms where applicable (see Section 11).

This provider acts as a processor on our behalf and is not authorized to reuse your personal data for its own independent purposes.

7. Data Security

At MaditSpirit, we take the protection of your personal data very seriously. We implement robust technical and organizational measures to safeguard all user and customer data, in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679).

7.1 Secure Website Environment

  • The entire website is secured using SSL encryption (HTTPS), ensuring that all data exchanged between your browser and our server is protected from interception.
  • All forms, including payment forms, contact pages, and account logins, are protected with secure data transmission protocols.
  • A Google reCAPTCHA system is used on relevant forms to prevent bots and malicious automated submissions.

7.2 Server & Hosting Security

  • The website is hosted by O2Switch, a reputable and GDPR-compliant French hosting provider. O2Switch is responsible for infrastructure-level protection, including:
    • Firewalls
    • DDoS protection
    • Physical data center security
    • Regular vulnerability monitoring
  • Our site also employs anti-spam, brute-force protection, and access control mechanisms at the application level.

7.3 Account Protection

  • Users who purchase digital content will have an account automatically created. All accounts are protected by unique passwords.
  • We strongly encourage customers to choose strong, unique passwords and never share them with others.
  • Only the website administrator has access to customer data stored on the backend. No third party has administrative-level access unless legally required or authorized.

7.4 Regular Updates & Maintenance

  • Our team performs frequent updates of all software, plugins, and themes to patch known vulnerabilities and ensure optimal security.
  • We conduct manual reviews of the website’s performance, login activity, and file integrity as part of our standard maintenance routine.

7.5 Backups & Recovery

  • The website and its data are backed up regularly, both through our hosting provider and via internal safeguards.
  • In the event of data corruption or cyberattack, we are able to restore the site and associated data within a reasonable timeframe.

7.6 Data Breach Notification Protocol

  • In accordance with GDPR, if a data breach occurs that may affect your rights or personal data, we are committed to:
    • Identifying and containing the breach immediately
    • Notifying the French Data Protection Authority (CNIL) within 72 hours
    • Informing affected users by email, if necessary, with all relevant information and mitigation steps

7.7 Incident Response

While we do not have a formal automated incident response system, we follow industry-standard manual protocols in case of data breach or security incident, including:

  • Investigating all reported anomalies
  • Securing compromised areas
  • Cooperating with hosting partners and regulatory authorities
  • Maintaining a communication log for transparency

7.8 Strong Security Commitment

We are fully aware of the trust you place in us when you share your information. That’s why we are committed to maintaining the highest possible standards of security, including:

  • Minimal and secure data collection
  • Role-based access controls
  • Encrypted communications
  • Secure payment gateways (via Mollie)
  • Hosting with European data protection compliance

If you ever suspect misuse of your data or detect suspicious activity related to our services, please contact us immediately at:

support@maditspirit.com

8. Transfers of Personal Data Outside the European Union

In accordance with Article 44 et seq. of the General Data Protection Regulation (GDPR), MaditSpirit may transfer certain personal data to service providers located outside the European Union, particularly to the United States, for technical and operational reasons.

8.1 Countries Concerned

Personal data may be processed or stored in countries outside the European Economic Area (EEA), including:

  • The United States: for services such as Beehiiv (newsletter delivery), Meta (advertising and analytics), Google (analytics), Tally (form processing), and certain affiliated tools.
  • Other countries where service providers maintain backup servers or global infrastructures (e.g., content delivery networks, email infrastructure).

These transfers are strictly limited to what is necessary for the proper functioning of our services and are conducted only with trusted partners.

8.2 Legal Framework for Transfers

Whenever data is transferred outside of the EU/EEA, MaditSpirit ensures that appropriate safeguards are in place to protect your personal information in accordance with Article 46 of the GDPR. These safeguards may include:

  • Standard Contractual Clauses (SCCs) issued by the European Commission
  • Binding corporate rules where applicable
  • DPA (Data Processing Agreements) with each third-party provider
  • Clear commitments from processors to comply with EU privacy standards

You may request a copy of these guarantees by contacting us at support@maditspirit.com.

8.3 User Information and Transparency

By using our services, you acknowledge that some of your personal data may be processed outside the EU and that these transfers are required for:

  • Newsletter delivery
  • Analytics and performance tracking
  • Payment processing
  • Personalized marketing or support tools

We are committed to full transparency and will notify users of any material changes to the countries or providers involved.

8.4 No Additional Consent Required

Since all international data transfers are based on legal guarantees and are strictly necessary for the performance of our services, no separate user consent is required beyond the initial acceptance of this Privacy Policy.

However, users may request further information at any time regarding the exact nature, scope, and location of such transfers by contacting our Data Protection Officer.

9. Cookies and Tracking Tools

In order to provide a high-quality user experience, analyze site performance, and deliver relevant marketing, MaditSpirit uses cookies and other tracking technologies on its website. These tools are deployed in strict compliance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and applicable French data protection laws, including the latest guidance from the CNIL (Commission Nationale de l’Informatique et des Libertés).

This section provides full transparency regarding the cookies we use, their purposes, and your rights as a visitor.

9.1 Cookie Consent Banner and Management

Upon your first visit to our website, a cookie consent banner powered by Complianz is displayed to manage your preferences. This tool ensures that:

  • No non-essential cookies (analytics, marketing, profiling) are placed on your device without your prior explicit consent.
  • You may accept all, refuse all, or customize your preferences by category.
  • Your choices are saved and stored securely for 6 months, in line with CNIL guidelines.

You can modify or withdraw your consent at any time by re-opening the cookie settings from the footer of the website or by clearing your browser cookies.

You can revisit or change your cookie preferences at any time by clicking the “Cookie Settings” link available in the footer of our website.

9.2 Categories and Purpose of Cookies Used

We classify our cookies into the following categories:

a) Strictly Necessary Cookies

These cookies are essential for the website to function properly. They include:

  • Session management
  • Security and authentication
  • Language preferences
  • Access to user dashboards or protected content

These cookies do not require consent as they are vital for delivering the services you requested.

b) Analytics Cookies

These cookies help us understand how visitors use our website in order to optimize content and navigation. Tools in use:

  • Google Analytics: Tracks page views, bounce rates, session duration, referral sources, and device types. All data is anonymized and aggregated.
  • Microsoft Clarity: Collects heatmaps, scroll behavior, and session recordings to analyze user interaction and improve design and usability.

We use these tools exclusively for internal performance analysis, and no personally identifiable information is collected or stored.

c) Marketing and Retargeting Cookies

These cookies allow us to display personalized advertising based on your behavior on our website and elsewhere. They include:

  • Meta (Facebook) Pixel: Tracks visitor actions (purchases, page views) to measure ad performance and optimize retargeting campaigns on Facebook and Instagram.
  • Google Ads Tags: Used for conversion tracking and to build relevant audiences for ad targeting.

Consent is mandatory before any of these cookies are activated.

d) Functional Cookies (Optional)

We may use third-party services such as Beehiiv (for managing newsletter subscriptions and opt-ins) that set cookies to remember your preferences or prevent repeated opt-in prompts. These are typically lightweight and non-invasive.

Note: While some third-party platforms like Beehiiv and payment services may operate on separate domains, we mention them here in the interest of full transparency.

9.3 Storage Duration and Cookie Lifespan

  • Consent log storage: 6 months (as per CNIL recommendations)
  • Analytics and marketing cookie lifespan: between 6 and 13 months, depending on provider and browser settings
  • Session cookies (e.g., login authentication): expire automatically when you close your browser

9.4 Legal Basis and User Rights

The legal basis for using cookies varies by category:

  • Essential cookies: Legitimate interest (no consent required)
  • Analytics, marketing, and personalization cookies: Explicit consent (Article 6(1)(a) GDPR)

As a user, you have the right to:

  • Refuse or withdraw consent at any time
  • Access detailed information about cookies in use
  • File a complaint with the CNIL if you believe your rights are not being respected

No discrimination or denial of service occurs if you choose to decline optional cookies.

9.5 List of Common Tools and Providers

We currently use or may use the following tools (subject to consent):

These providers may process data outside the EU. In such cases, we ensure compliance through standard contractual clauses (SCCs) or equivalent legal safeguards.

9.6 Disabling Cookies and Manual Control

You can configure your browser to block or delete cookies at any time. Please note that doing so may affect site functionality. For your convenience, here are links to cookie settings for common browsers:

  • Chrome: chrome://settings/cookies
  • Firefox: about:preferences#privacy
  • Safari: Preferences > Privacy
  • Edge: Settings > Cookies and Site Permissions

If you clear your cookies, your preferences will be lost, and the cookie banner may reappear on your next visit.

9.7 Updates and Revisions

We may revise this Cookie Policy to reflect:

  • Changes in legal or regulatory requirements
  • Updates to our technology or third-party providers
  • Adjustments to the types of cookies used

Any substantial changes will be clearly announced on this page or via a pop-up notice. We recommend reviewing this section regularly to stay informed.

10. Security & Data Breach Prevention

MaditSpirit is committed to ensuring the integrity, confidentiality, and availability of all personal data collected and processed through its platform. The following measures are implemented to protect users’ data and maintain a high level of security in compliance with EU GDPR, particularly Articles 5, 32, and 33.

10.1 Website Security and Data Protection Measures

The MaditSpirit website is fully secured via SSL/TLS encryption (HTTPS), ensuring that all communications between the user’s browser and our servers are encrypted and protected against interception.

The platform is hosted by O2Switch, a GDPR-compliant provider offering secure data centers within the European Union, with strong technical and organizational safeguards in place.

We also maintain the following security protocols:

  • Regular updates of all systems, plugins, and tools (including CMS, LMS, and third-party extensions)
  • Security monitoring tools enabled on the website to detect suspicious activity, brute-force attempts, or unauthorized access
  • Data minimization and limited access: Only authorized personnel and service providers have access to personal data based on operational necessity

10.2 Access Control and Administrator Security

  • Access to the website’s backend is strictly limited to the site administrator (Esteban V.)
  • Admin login is protected via strong passwords, two-factor authentication (2FA), and IP filtering
  • No sensitive personal data is stored locally; only data necessary for platform operations is processed, and it is protected by appropriate user roles and permissions

10.3 Logging, Backups, and Monitoring

  • Login attempts, suspicious behavior, and access to sensitive areas of the website are monitored and logged
  • The site undergoes regular backups, with backup files securely stored on encrypted servers to prevent data loss in the event of system failure or attack
  • A manual data recovery protocol is in place in case of service interruption or technical incident

10.4 Third-Party Security Compliance

MaditSpirit only works with verified and GDPR-compliant processors, including:

  • Mollie (payment processor)
  • Beehiiv (newsletter service)
  • Tally.so (form management)
  • Hosting provider O2Switch
  • Analytics and advertising tools (Google, Meta)

Each partner ensures robust data encryption, access control, and storage security. Sub-processors operate under strict confidentiality agreements and data protection policies.

10.5 Data Breach Policy and User Notification

Although no breach has occurred to date, MaditSpirit has committed to the following protocol in the event of a data breach:

  • CNIL (French data protection authority) will be notified within 72 hours if a personal data breach is likely to result in risk to individual rights and freedoms
  • Affected users will be informed directly via email if the breach is likely to result in high risk to their privacy, security, or personal rights
  • A full internal review will be conducted, and remedial actions will be taken immediately to prevent recurrence

10.6 No Automated Incident Response Yet

At this time, MaditSpirit does not operate an automated incident response system, but all logs and alerts are manually reviewed by the site administrator on a regular basis. Escalation procedures are in place to deal with emergencies or threats rapidly.

11. International Data Transfers & Hosting

11.1 Hosting Infrastructure

All data collected through this website is hosted by O2Switch, a French web hosting provider. Their servers are physically located within the European Union, specifically in France. This ensures that all core customer data (including contact forms, accounts, and order details) remains within the jurisdiction of EU data protection regulations.

MaditSpirit has ensured that O2Switch implements adequate technical and organizational security measures to comply with the General Data Protection Regulation (GDPR).

11.2 Transfers of Data Outside the European Union (EU/EEA)

Some tools and services integrated into this website may involve the transfer of user data outside the European Economic Area (EEA), particularly to the United States. This concerns:

  • Analytics and advertising platforms such as:
    • Google Analytics
    • Meta (Facebook Pixel, Instagram Ads)
    • Microsoft Clarity
  • Newsletter platform:
    • Beehiiv (used to manage email subscriptions and campaigns)
  • Form processing tools:
    • Tally (used for diagnostic forms and custom interactions)

These service providers may process some data (such as IP address, session behavior, and email identifiers) on servers located outside the EU, primarily in the United States.

11.3 Legal Safeguards for International Transfers

To ensure full compliance with Articles 44–49 of the GDPR, MaditSpirit relies on one or more of the following legal safeguards for international data transfers:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Data Privacy Framework (DPF) participation for eligible U.S. entities
  • Binding corporate rules or additional security and contractual guarantees

Each third-party service is selected for its high privacy standards and active efforts to comply with GDPR obligations. Where required, data processing agreements (DPAs) have been signed with the involved partners.

MaditSpirit regularly reviews its data transfer mechanisms and ensures that external providers implement adequate safeguards and transparency commitments.

11.4 Essential Services Justification

Some services located outside the EU are considered technically essential for the proper functioning of this website or for business operations. For example:

  • Beehiiv is necessary for managing newsletter subscriptions and campaigns
  • Meta and Google services are essential for legitimate marketing and performance analysis
  • Tally is critical for personalized diagnostic forms

These tools are used based on the legal grounds of legitimate interest and/or contractual necessity, and only with the user’s prior consent when applicable (e.g. cookies, newsletter signup, etc.).

11.5 User Rights Regarding International Transfers

If you would like more information about:

  • The specific countries where your data may be stored or processed
  • The safeguards in place for each service
  • A copy of any applicable Standard Contractual Clauses

You may contact us at support@maditspirit.com. We will respond within 30 days, in accordance with GDPR Articles 15 and 46.

12. User Rights Under GDPR

In accordance with the European General Data Protection Regulation (GDPR – EU Regulation 2016/679) and relevant French legislation, all users of MaditSpirit have a set of data protection rights regarding the personal data collected and processed via this website.

These rights are outlined below and may be exercised by contacting our Data Controller via email at:

support@maditspirit.com

Requests will be handled with care and transparency. Please note that for security purposes, we may request proof of identity before processing any sensitive request.

12.1 Right of Access (Article 15 GDPR)

You have the right to request a copy of the personal data we hold about you, as well as information about:

  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients (or categories of recipients) with whom your data is shared
  • The storage duration or applicable criteria
  • Your rights and how to exercise them

While we aim to fulfill all access requests, please note that due to technical constraints (especially for historical data collected via third-party tools), access may take time and is subject to reasonable limitations.

Requests must be sent via email to: support@maditspirit.com

12.2 Right to Rectification (Article 16 GDPR)

If your personal data is inaccurate, outdated, or incomplete, you have the right to request correction or completion.

This includes updates to your:

  • Name or email address
  • Contact details
  • Preferences related to communication or marketing

To update your data, simply email us at support@maditspirit.com with the corrected information.

12.3 Right to Erasure (Right to Be Forgotten – Article 17 GDPR)

You have the right to request the deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw your consent (for optional processing)
  • You object to processing for legitimate reasons
  • The data was processed unlawfully

We will delete your account and associated data within 30 days, provided there are no overriding legal obligations (such as tax or invoicing records) that require us to retain certain elements.

For example, invoices requested and issued for purchases must be retained for 10 years, per French tax law. Such retention is non-negotiable and overrides the deletion request.

12.4 Right to Restrict or Object to Processing (Articles 18 & 21 GDPR)

You may request a restriction or objection to specific data processing activities, including:

  • Receiving marketing emails or promotions
  • Use of your data for profiling or advertising
  • Tracking via analytics or remarketing cookies

You can object to these practices by:

  • Clicking the “unsubscribe” link in marketing emails
  • Using the cookie settings panel (Complianz) on the website to refuse non-essential cookies
  • Contacting us directly at: support@maditspirit.com

We will respect your choices and update your preferences accordingly.

12.5 Right to Data Portability (Article 20 GDPR)

You may request that we export your personal data in a structured, machine-readable format (e.g. CSV or JSON), so that you can transfer it to another service provider.

Please note:

This applies only to data that you have actively provided to us (e.g. via contact forms, purchases, or account creation), and only where processing is based on consent or contractual necessity.

While we support your rights, we cannot guarantee real-time data portability for all services. Each request will be evaluated individually and processed within 30 days, when technically feasible.

12.6 Right to Withdraw Consent (Article 7 GDPR)

If you have previously provided consent for:

  • Marketing or newsletter communications
  • Non-essential cookies or trackers
  • Data analysis and personalization

You have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

To withdraw consent:

  • Use the cookie banner (Complianz) to update your preferences
  • Click the “unsubscribe” link in newsletters
  • Email us directly at: support@maditspirit.com

12.7 Response Time and Identity Verification

All rights requests will be processed within 30 calendar days, in accordance with GDPR standards. In complex cases or multiple requests, this period may be extended by an additional 30 days, but you will be notified.

To ensure the security of your personal data, we may require:

  • Proof of identity (e.g. official ID)
  • Order confirmation or other verification details

This verification is mandatory for sensitive requests, such as access, deletion, or portability.

12.8 Automated Processing and Profiling

MaditSpirit may occasionally use automated tools or algorithms (e.g. form analyzers, customer segmentation, offer personalization) to:

  • Recommend tailored content
  • Send targeted promotional messages
  • Adapt product suggestions to user needs

Such profiling is based on your voluntary input (via quiz or form) and aims to improve your user experience. However, no automated decision with legal or significant effect is made without human oversight.

You may object to such profiling or request manual review at any time by contacting our support team.

13. Contact & Complaint Procedures

If you have questions regarding this Privacy Policy, or if you wish to exercise any of your data protection rights (access, correction, deletion, objection, etc.), you may contact us at any time using the following contact method:

We are committed to addressing all requests and inquiries within fifteen (15) calendar days, in accordance with GDPR and applicable French regulations. In complex or exceptional cases, this timeframe may be extended, but you will be notified accordingly.

We encourage you to clearly indicate the nature of your request and provide any relevant details, such as:

  • The type of data you are referring to
  • The action you would like us to take (e.g., correction, deletion, access)
  • Any relevant order number, email address, or account reference

13.1 No Data Protection Officer Appointed

Although MaditSpirit is not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR, the website administrator assumes full responsibility for ensuring data protection compliance. Any privacy-related requests will be handled internally with the same level of diligence and confidentiality as would be expected from a formal DPO.

13.2 Complaints and Disputes

If you believe that your personal data has been mishandled, or if we have not adequately addressed your request, you have the right to file a formal complaint with the relevant supervisory authority:

CNIL (Commission Nationale de l’Informatique et des Libertés)

Website: https://www.cnil.fr

Phone (France): +33 (0)1 53 73 22 22

Postal Address:

Service des Plaintes – CNIL

3 Place de Fontenoy

TSA 80715

75334 Paris Cedex 07

France

You may also contact your local data protection authority if you reside in another country of the European Union.

13.3 Good Faith Resolution

Although we do not use an external mediation or arbitration platform, MaditSpirit will make all reasonable efforts to resolve your complaint amicably and in good faith, without requiring escalation to legal or regulatory bodies whenever possible.

14. Modifications to This Privacy Policy

MaditSpirit reserves the right to update or revise this Privacy Policy at any time, in order to reflect legal changes, service updates, or the introduction of new features or data processing tools.

14.1 Scope of Changes

All updates apply to both existing and new users, regardless of when they first accepted the policy. Continued use of the website or services after a revised policy is published constitutes acceptance of the new terms.

14.2 Notification of Changes

If substantial changes are made that affect user rights or the way personal data is processed, users will be notified via email using the address provided at the time of purchase or registration. Notifications will outline the nature of the update and any significant impact on data use or user rights.

14.3 Archiving of Previous Versions

All previous versions of this Privacy Policy are archived and available upon request. Users may request an earlier version by contacting support@maditspirit.com.

14.4 Last Updated Date

The most recent version of this Privacy Policy is always available on our website. The “Last Updated” date reflects the effective version. Users are encouraged to review this document periodically.

15. Region-Specific Privacy Disclosures (USA, UK, Australia, New Zealand, Philippines)

In addition to the protections offered under the European General Data Protection Regulation (GDPR), MaditSpirit acknowledges and respects the privacy rights granted to users residing in specific regions outside the European Union.

United States – California Residents (CCPA / CPRA)

If you are a resident of California, you are entitled to certain rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • The right to know what personal information we collect and how we use it
  • The right to access or delete your personal data
  • The right to opt out of the sale or sharing of your personal information
  • The right to correct inaccurate data

MaditSpirit does not sell or rent your personal data to third parties for profit. However, we may use analytics and advertising tools (such as Meta/Facebook Pixel or Google Ads) that involve limited data sharing under CPRA definitions.

To exercise your California privacy rights (access, deletion, or opt-out), you may contact us at:
support@maditspirit.com
Please include “California Privacy Request” in the subject line.

United Kingdom – UK GDPR

For users residing in the United Kingdom, MaditSpirit complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Your rights under UK GDPR are equivalent to those under the EU GDPR, including:

  • The right to access, rectify, delete, or restrict your data
  • The right to object to data processing
  • The right to withdraw consent at any time

To exercise your rights, please contact us at:
support@maditspirit.com

Australia – Privacy Act 1988

MaditSpirit complies with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). If you are an Australian user, you have the right to:

  • Know how your personal data is collected and used
  • Request access to or correction of your personal information
  • File a complaint regarding a potential misuse of your data

All personal data is processed ethically, securely, and in line with the APPs. For all privacy-related inquiries, contact:
support@maditspirit.com

New Zealand – Privacy Act 2020

Under the Privacy Act 2020 of New Zealand, you are entitled to:

  • Be informed about how your personal data is collected and processed
  • Request access to or correction of your personal data
  • Request deletion or restriction under certain conditions

Requests are handled within 30 calendar days. To submit a request, please contact:
support@maditspirit.com

Philippines – Data Privacy Act of 2012

If you are a resident of the Philippines, your data is protected under the Data Privacy Act of 2012 (Republic Act No. 10173). You have the right to:

  • Be informed about how your data is collected and processed
  • Access, correct, or delete your personal information
  • Object to specific forms of data processing

To exercise any of these rights, please contact us at:
support@maditspirit.com
We will process your request within 30 calendar days, in accordance with international data protection standards.

Use of AI under CCPA

In compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), we confirm that AI chat data is not sold or shared with any third parties.

Conversations with our AI assistant are processed solely for service functionality and may be anonymized and used internally for technical improvement purposes only.

You may request full deletion of any AI-related data by contacting our Data Protection Officer at support@maditspirit.com, using the subject line “CCPA AI Data Request.”

We honor all CCPA/CPRA rights, including the right to access, deletion, and the right to opt out of any data sharing for advertising purposes.

Last Updated: 11/07/2025
