โ“ We need you (5 min)
-
๐Ÿš€ Beta launch!
-
๐Ÿ›๏ธ First collection in the shop

CHARTER ON PRIVACY AND PERSONAL DATA PROTECTION (GDPR)

Last updated: October 22, 2025

Preamble

This privacy charter (the "Charter") aims to formalize our commitment to respecting the privacy of users of the website drawnlights.show and its subdomains (the "Site", "Service" or "Application") operated by SASU Drawn Lights.
The Charter and the Site's General Terms and Conditions form a contractual whole. All capitalized terms not defined in this Charter are defined in the General Terms and Conditions available here: /terms-of-service.
As part of providing our Site, we process your personal data in compliance with the General Data Protection Regulation 2016/679 of April 27, 2016 ("GDPR") and under the conditions set out below.
Personal data means any information relating to an identified or identifiable natural person. We collect and process personal data exclusively as part of providing our Services or communicating about these Services, in strict compliance with the GDPR.
We only collect personal data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed. Therefore, you will never be asked to provide personal data considered "sensitive", such as your racial or ethnic origins, political, philosophical or religious opinions.

Drawn Lights and your personal data

We may collect and retain your personal data, including:

Navigation on the Service

Connection data. During each access to the Service, we collect technical information such as your IP address, your device's hardware identifier, the date and time of connection, as well as information related to the browser or operating system used. This data is processed to measure audience, personalize your experience, ensure Service security and improve its performance.
Navigation data. We collect information about your journey on the Service, including pages viewed, viewing duration and links you click. This data may be collected through cookies or other trackers, in accordance with section 6.
Performance data. We collect information such as loading times, error messages and other technical measures useful for maintenance, optimization and Service security.
Approximate location data. We collect your approximate location, derived from your IP address, to offer adapted content and facilitate user experience personalization.

Occasions:
  • Access to the Service
  • Journey on the Service
  • Personalization
Collected data (optional):
  • IP addresses (extrapolated approximate location)
  • Date and time of connection
  • Information related to User's browser/operating system
  • Pages viewed, time spent, links clicked

Processing purposes:
  • Audience measurement.
  • Experience personalization.
  • Service security
  • Performance improvement.
  • Technical maintenance.
  • Service optimization.
  • Offering adapted content via approximate location.
Legal bases:
  • Legitimate interest: service security, fraud prevention, audience measurement, performance improvement
  • Consent: compliant cookie consent banner
Recipients:
  • Authorized internal teams in charge of security, maintenance and audience analysis
  • Technical hosting and cloud service providers
  • Analytics and performance measurement providers
  • Fraud and intrusion detection and prevention providers
  • Competent authorities in case of legal obligation or requisition
Retention periods:
  • Connection data: 6 months then anonymized
  • Navigation data & cookies: those subject to consent are kept for a maximum period of thirteen months
  • Performance data: 6 months then anonymized
  • Location data: Not saved, processed in session for personalization purposes. No persistent storage

User account management

Access to certain Services requires prior creation of a User Account. In accordance with the General Terms and Conditions, providing certain personal data is required to create and manage your space, secure access, execute the contractual relationship and provide associated features. When you access via a third-party authentication service, certain data is transmitted to us to allow your connection. You can update this information at any time from your reserved space.
During registration, a valid email address is used to manage your account and transmit important information. A username or pseudonym identifies your profile. A password, encrypted according to current practices, protects access unless a third-party service is exclusively used for authentication. A payment and invoice history is generated without storing complete bank card data, processed exclusively by a PCI DSS certified provider. An avatar allows you to personalize your visual presence. Your first and last name facilitate certain interactions and support. The country allows adaptation of certain content and constraints. The Discord account activates community features. The preferred language adjusts the interface and communications.

Occasions:
  • Creation of a User Account
  • Access to a User Account
  • Update of a User Account

Collected data:
  • Email address (mandatory)
  • Username or pseudonym (mandatory)
  • Password (mandatory except for exclusively third-party use)
  • Presence and role in Organizations (mandatory)
  • Payment history and invoices (mandatory, automatically generated)
  • Avatar (optional)
  • First and last name (optional)
  • Date of birth (optional)
  • Country (optional)
  • Discord account (optional)
  • Preferred language (optional)
  • Age of majority reached or not (optional)
  • Capacity (personal, company representative or community) (optional)
Purposes:
  • Authentication
  • Contract execution
  • Security
  • Support
  • Community integration
  • Personalization

Legal bases:
  • Contract execution (account management and Service access)
  • Consent (optional features and third-party integrations)

Recipients:
  • Authorized internal teams in charge of account administration, support and billing
  • Platform hosting provider
  • PCI DSS certified payment providers (no local card data storage)
  • Third-party authentication providers if used (e.g. Single Sign-On)
  • Communication and transactional email sending providers
  • Community management providers for Discord features linked to the account
  • Competent authorities in case of legal obligation, investigation or judicial injunction

Retention periods:
  • 3 years after the last activity of the User Account. This period is postponed in case of activity on the Platform.

Subscription to our Newsletter and marketing communications

When you subscribe to our newsletter and marketing communications, we collect your email address and any communication preferences. This data is used to send you information about the Service, product news and tailored offers.
You can unsubscribe via the link at the bottom of each message.
No marketing communication is sent without your prior consent.

Occasions:
  • Newsletter subscription
  • Acceptance of marketing communications

Collected data:
  • Email address (mandatory)
  • Information related to User's browser/operating system (mandatory)

Purposes:
  • Email address (mandatory)
  • Information related to User's browser/operating system (mandatory)

Legal bases:
  • Consent (opt-in). You can unsubscribe at any time via the link in each message or from your account.

Recipients:
  • Authorized internal teams in charge of marketing and communication
  • Marketing and transactional email sending providers (routing platforms)
  • Engagement analysis providers (open rates, clicks, unsubscribes)
  • Technical Service hosting providers
  • Inactive or fraudulent address detection providers
  • Competent authorities in case of legal obligation or regulatory control

Retention periods:
  • Email addresses are retained as long as the user does not object to receiving communications. In case of unsubscription, they may be kept solely for exclusion purposes to ensure that no further messages are sent.

Registration and participation in our events

When you register or participate in one of our events, we collect personal data necessary for your registration, participation management, and audience measurement. For public or live-streamed events, pseudonyms, images or captures may appear in published content. Where applicable, additional information is specified in the specific conditions of each event. Visible identities are anonymized when possible.
You can withdraw your participation before the event takes place according to the methods indicated in the information provided.

Occasions:
  • Contests
  • Webinars
  • Live broadcasts
  • Personalized onboarding
  • Drone shows
  • Invitations

Collected data:
  • Email address (mandatory)
  • First and last name (mandatory except for live broadcasts)
  • Username on our Platform (optional, can be cross-referenced automatically)
  • Display username on videoconferencing or streaming tools (mandatory where applicable)
  • Age range (optional)

Purposes:
  • Event registration
  • Administrative management
  • Access and attendance management
  • Attribution of rewards or benefits
  • Production of audience and participation statistics
  • Potential broadcasting of event content

Legal bases:
  • Contract execution or pre-contractual measures (registration and participation management)
  • Legal obligation (keeping accounting records for rewards or prizes)
  • Legitimate interest (audience analysis, continuous event improvement)
  • Consent (broadcasting of your image during public events if required by local law)

Retention periods:
  • Registration-related data: up to 12 months after the end of the event
  • Anonymized audience data: kept without identifiable exploitation limit
  • Publicly broadcast content: publication lifespan, except upon removal request within applicable law limits

Recipients:
  • Authorized internal teams in charge of organization, logistics and event communication
  • Technical registration, ticketing or event management providers
  • Videoconferencing, streaming or live broadcasting platforms
  • Audiovisual capture and production providers
  • Analytics providers for audience and participation measurement
  • Logistics providers related to reward or benefit attribution
  • Competent authorities in case of legal obligation or regulatory control

Filling out one of our forms

When you fill out one of our forms, certain personal data is collected to analyze your responses and improve our services.

Occasions:
  • Surveys
  • Polls
  • Satisfaction questionnaires
  • Internal studies
  • Feedback forms

Collected data:
  • Email address (optional depending on form)
  • First and last name (optional)
  • Username on our Platform (optional)
  • Age or age range (optional)
  • Content of entered responses
  • Possible segmentation criteria (optional)

Purposes:
  • Overall feedback analysis
  • Satisfaction measurement
  • Continuous improvement of products and services
  • Production of anonymized statistics

Legal bases:
  • Consent (voluntary form submission)
  • Legitimate interest (user experience optimization)

Recipients:
  • Authorized internal teams in charge of product analysis, quality and user experience
  • Survey, poll or form tool providers
  • Statistical analysis or data visualization providers
  • Hosting providers supporting response collection and storage
  • Competent authorities in case of legal obligation or regulatory request

Retention periods:
  • Raw responses: 12 months after collection then anonymized
  • Anonymized data: kept without identifiable limit
  • Statistical data: operational duration of analyses

Interactions on our social media pages

When you interact on our social media pages, certain personal data may be collected or viewed depending on the features used and platform settings.
Joint responsibility: For certain pages (e.g. Facebook, Instagram), we may be considered joint controllers with the platform regarding audience data collection. In this case, essential information on responsibility distribution is provided by the platform itself.

Occasions:
  • "Like", "Reactions" mentions and subscriptions
  • Comments and publications
  • Participation in integrated contests or polls
  • Private messages sent to our accounts
  • Content sharing

Collected data:
  • Public profile identifier
  • Display name
  • Public profile picture
  • Published content (comments, messages, responses)
  • Public information associated with your account (according to your settings)
  • Participation metadata (date, interaction type)

Purposes:
  • Community management
  • Public content moderation
  • Private message responses
  • Engagement and performance analysis
  • Organization of activities and contests

Legal bases:
  • Legitimate interest (moderation and community animation)
  • Contract execution or pre-contractual measures in case of contests
  • Consent when using optional social features

Recipients:
  • Authorized internal teams
  • Social media management providers
  • Social platforms operating the service

Retention periods:
  • Public interactions: visible as long as the user does not delete their content or as long as the publication remains available
  • Private messages: up to 12 months after exchange closure
  • Contest-related data: according to legal obligations

Use of our Discord server

Our Discord server constitutes the main space for exchanges and community animation. When you participate, certain personal data is visible or processed via the Discord platform.
Responsibility linked to the Discord platform: Discord remains responsible for processing carried out via its own systems and settings (visibility settings, account security, usage policy). We act as administrator on our space but do not control Discord's internal processing.
Additional internal rules: Specific moderation, administration and behavior rules for the server may apply. They are accessible directly on Discord and complement these policies.

Occasions:
  • Participation in text or voice discussions
  • Attribution of community roles or levels
  • Direct exchanges with our team
  • Participation in thematic channels or internal events

Collected data:
  • Discord identifier
  • Display name and public avatar
  • Shared text or voice content
  • Assigned roles and permissions
  • Server entry date

Purposes:
  • Community animation
  • Exchange moderation
  • Attribution of roles, privileges, or private access
  • Event animation and targeted communications

Legal bases:
  • Legitimate interest (structured community space management)
  • Consent for optional features (voice channels, events)

Recipients:
  • Moderation teams
  • Community administrators
  • Discord as platform

Retention periods:
  • Message history visible as long as the user remains on the server and does not delete their messages
  • Moderation logs: up to 12 months after the concerned event

Contacts with our Customer Support teams

When you contact our Customer Service, certain personal data is used to process your request and confirm your identity.

Occasions:
  • Support chat
  • Phone support
  • Email
  • Social media

Collected data:
  • Email address
  • First and last name
  • Username on our Platform (optional, possible cross-referencing)
  • Social media profile used for contact
  • Phone number

Purposes:
  • Processing your assistance request
  • Identity verification
  • Service quality monitoring
  • Internal analysis for support improvement

Legal bases:
  • Contract execution or pre-contractual measures (account-related assistance)
  • Legitimate interest (support management and continuous improvement)
  • Consent if contact initiated via optional channel

Recipients:
  • Authorized internal teams
  • Technical support providers

Retention periods:
  • Support history and associated exchanges: 24 months after request closure
  • Technical logs related to support: up to 12 months for diagnosis and security
  • Anonymized service improvement data: kept without identifiable limit

Personal data management in the context of recruitment

When you send us your CV or apply for a position, we collect certain personal data necessary to study your application.

Occasions:
  • Spontaneous applications
  • Applications for a published position
  • Scheduled interviews
  • Exchanges with our HR team

Collected data:
  • Last and first name
  • Email address
  • Contact details
  • Professional experience
  • Academic background
  • Skills and certifications
  • CV content and cover letter
  • Professional links (e.g. public profiles)

Purposes:
  • Application analysis
  • Interview organization
  • Skills assessment
  • Recruitment process management
  • Talent pool constitution

Legal bases:
  • Pre-contractual measures execution
  • Legitimate interest (efficient recruitment management)
  • Consent for extended retention

Recipients:
  • Internal teams in charge of recruitment
  • Managers involved in the concerned position
  • HR tool providers if used

Retention periods:
  • Unsuccessful application file: 24 months maximum after process closure, with withdrawal option upon request
  • Successful file: integrated into employee file according to legal obligations

How do we protect your personal data?

We have implemented technical and organizational security measures to ensure the security, integrity and confidentiality of all your personal data, to prevent it from being distorted, damaged or accessed by unauthorized third parties. We ensure an appropriate level of security, taking into account the state of knowledge, implementation costs and the nature, scope, context and purposes of processing as well as risks and their probability.
However, since no security measure is infallible, we cannot guarantee absolute security for your personal data.
Furthermore, it is your responsibility to ensure the confidentiality of the password and all authentication methods allowing you to access your User Account. Do not communicate this information to anyone. If you share your computer equipment, don't forget to log out before leaving a Service.

Details on data transfers outside the European Union

Transfers outside the EU

When service providers (hosting, analytics, email, support) are located or host data outside the EU/EEA, we frame transfers by:
  • European Commission Standard Contractual Clauses, supplemented by appropriate technical and organizational measures;
  • or, to the United States, the provider's adherence to the EU-US Data Privacy Framework when applicable.
Transfers only concern data strictly necessary for the purposes indicated in this Charter. We will never share, without obtaining your prior consent, your personal data with third-party companies for marketing and/or commercial purposes.

Sharing with authorities

We may be required to disclose your personal data to administrative or judicial authorities when their disclosure is necessary for the identification, arrest or prosecution of any individual likely to harm our rights, any other user or a third party. We may finally be legally required to disclose your personal data and cannot oppose this.

How long do we keep your personal data?

In any case, we will keep your personal data for a period not exceeding that necessary for the purposes for which it is processed in accordance with the uses set out in this Charter and in compliance with laws and regulations.

Personal data security

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest on hosting infrastructure
  • Role-based access management
  • MFA for sensitive internal accounts
  • Logging and alerts
  • Periodic security testing
  • Backup and restore policy

Cookies: how do we use them?

What is a cookie?

A cookie is a text file that may be stored on a terminal when consulting an online service with browsing software. A cookie file allows its issuer, during its validity period, to recognize the concerned terminal each time this terminal accesses digital content containing cookies from the same issuer.
Non-necessary cookies (non-exempt audience measurement, personalization, marketing) are only deposited after your explicit consent via our preference module. You can accept, refuse or configure by purpose, and withdraw your consent at any time from the same module, with an equivalent level of ease. Cookies have a maximum duration of 13 months. Choices are kept for a minimum of 6 months.

What are the cookies issued on our Site used for?

The cookies we issue allow us to:
  • establish statistics and volumes of attendance and use of the various elements composing our Site (sections and content visited, paths), allowing us to improve the interest and ergonomics of the Site and, where applicable, our products and services;
  • adapt the presentation of our Site to your terminal's display preferences (language used, display resolution, operating system used, etc.) during your visits to our Site, according to the hardware and visualization or reading software that your terminal includes;
  • memorize information related to a form you filled out on our Site (registration or access to your account) or to products, services or information you chose on our Site (subscribed service, shopping cart content, etc.);
  • allow you to access reserved and personal areas of our Site, such as your User Account, through identifiers or data you may have previously entrusted to us and implement security measures, for example when you are asked to reconnect to content or service after a certain period of time.
When browsing the Site, social network cookies may be generated particularly through sharing buttons that collect personal data.

How can you control the cookies used?

You can at any time configure your browsing software so that cookies are saved on your terminal or, on the contrary, that they are rejected (either systematically or according to their issuer). You can also configure your browsing software so that the acceptance or refusal of cookies is offered to you occasionally, before a cookie can be saved on your terminal.
Warning: any configuration is likely to modify your Internet browsing and your conditions of access to certain services requiring the use of cookies. We decline all responsibility regarding the consequences related to the degraded functioning of our services resulting from the impossibility of recording or consulting cookies necessary for their operation and which you would have refused or deleted. This would be the case if you tried to access our content or services that require you to identify yourself. This would also be the case when we (or our service providers) could not recognize, for technical compatibility purposes, the type of browser used by your terminal, its language and display settings or the country from which your terminal seems connected to the Internet.

How to configure your browsing software?

For cookie management and your choices, the configuration of each browser is different. It is described in your browser's help menu, which will allow you to know how to modify your wishes regarding cookies. You will find below information concerning the main browsers:
  • Internet Explorer / Edge – Internet Options > Browsing History > Settings > View Files.
  • Firefox – Tools > Options > Privacy > Show Cookies.
  • Safari – Preferences > Privacy.
  • Google Chrome – Preferences > Advanced Settings > Content Settings > Cookies.
For more information about cookies, you can visit the CNIL website.

What are your rights?

You alone have communicated to us the data in our possession, through the Site. You have rights over your personal data. In accordance with regulations on personal data protection, particularly articles 15 to 22 of the GDPR, and after having justified your identity, you have the right to request access to personal data concerning you, their rectification or erasure.
Furthermore, within the limits set by law, you also have the right to object to processing, to limit it, to decide on the post-mortem fate of your data, to withdraw your consent at any time and the right to portability of provided personal data.
You can contact our Services to exercise your rights at the following email address: contact@drawnlights.show by attaching to your request a copy of an identity document.
Furthermore, you can unsubscribe from our newsletter at any time by clicking on the unsubscribe link at the bottom of each email. You can also unsubscribe by sending a message to the following address: contact@drawnlights.show
Resources: https://www.cnil.fr/en/site-web-cookies-and-other-trackers

Profiling and personalization

We may establish segments (e.g. content preferences, engagement level) to personalize the experience. No decision producing legal or similar effects is made exclusively automatically. You can oppose this personalization in your Account settings.

Minors' access

The Service is accessible to persons aged 15 and over. If you hold parental authority and believe that a minor has communicated data to us without authorization, write to contact@drawnlights.show

Can we modify the Charter?

We reserve the right to modify the Charter at any time. You are therefore recommended to consult it regularly. In case of modification, we will publish these changes on this page and in places we deem appropriate depending on the object and importance of the changes made.
Your use of the Site after any modification means that you accept these modifications. If you do not accept certain substantial modifications made to this Charter, you must stop using the Site.

Data Protection Officer (DPO) and contact

We do not have a Data Protection Officer, however for any question concerning your personal data or if you wish to delete your Account, please contact us by email at contact@drawnlights.show. If a DPO is subsequently appointed, their contact details will be added here.

Personal data processing controller

Drawn Lights, SASU
12 promenade des pins, 92400 Courbevoie
contact@drawnlights.show

The National Commission on Informatics and Liberty ("CNIL")

You can contact CNIL directly on the CNIL website or by mail at the following address: National Commission on Informatics and Liberty (CNIL), 3 Place de Fontenoy - TSA 80715, 75334 PARIS CEDEX 07. Resources: https://www.cnil.fr/en/act