1. Data Controller
SAS Jalimani (trading as JLMN), SIREN 833 142 631, with its registered office in Normandy, France, processes personal data through the QronoPlay service (qronoplay.fr).
Contact: [email protected]
Designated DPO: [email protected]
2. Purposes and Legal Bases
| Purpose | Legal basis | Retention |
|---|---|---|
| Account creation, subscription management | Performance of the contract (art. 6(1)(b) GDPR) | Contract term + 3 years |
| Management of game entries | Performance of the contract (art. 6(1)(b)) — CNIL recommendation IS001 | 6 months after prize delivery for winners; deletion as soon as the final draw is held for non-winners |
| Fraud prevention, security | Legitimate interest (art. 6(1)(f)) | 12 months (logs) |
| B2B prospecting on generic business email addresses | Legitimate interest (art. 6(1)(f)) | 3 years after last contact |
| Newsletter sending | Consent (art. 6(1)(a)) | Until unsubscription |
| Accounting and tax obligations | Legal obligation (art. 6(1)(c)) | 10 years |
3. Recipients of the Data
Data is accessible to internal departments of SAS Jalimani and to our contractually bound processors:
- OVH SAS (server hosting, France) — 2 rue Kellermann, 59100 Roubaix
- Resend, Inc. (transactional email delivery) — United States
- Mollie B.V. (payment processing) — Keizersgracht 313, 1016 EE Amsterdam, Netherlands
- Stripe Payments Europe (payment processing) — 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
4. Subprocessor List (art. 28 GDPR)
In accordance with Article 28 of the GDPR, the following is our exhaustive list of subprocessors. We commit to giving notice of any change 30 days before it takes effect.
| Subprocessor | Service | Country | Data processed | Safeguards |
|---|---|---|---|---|
| OVH SAS | Hosting | France 🇫🇷 | All data (database + storage) | EU hosting — Roubaix / Strasbourg |
| Mollie B.V. | Payment | Netherlands 🇳🇱 | Email + payment data | DPA + strict GDPR compliance |
| Resend Inc. | Transactional email | USA 🇺🇸 ⚠️ | Email + name + email content | SCCs + TIA (Standard Contractual Clauses 2021 + Transfer Impact Assessment) |
| Sentry.io | Error monitoring | USA 🇺🇸 ⚠️ | Stack traces (anonymised) | SCCs + TIA + IP scrubbing configuration |
| Cloudflare Inc. | CDN + WAF | USA 🇺🇸 ⚠️ | IP + HTTP headers | SCCs + TIA + optional EU data residency |
| Trustpilot A/S | Customer reviews | Denmark 🇩🇰 | Email + reviews | Strict EU GDPR compliance |
| Google LLC (reCAPTCHA) | Anti-bot | USA 🇺🇸 ⚠️ | IP + behaviour | SCCs + TIA (hCaptcha alternative under consideration) |
⚠️ US-based subprocessors are subject to specific safeguards described in section 5 below.
5. Transfers Outside the EU
Data is hosted exclusively in France (OVH Roubaix). For US-based subprocessors marked ⚠️, we apply the Standard Contractual Clauses (SCCs 2021) approved by the European Commission, accompanied by a Transfer Impact Assessment in compliance with the Schrems II ruling (C-311/18). These measures ensure a level of protection equivalent to that required by the GDPR.
6. Your Rights
In accordance with the GDPR and the French Data Protection Act, you have the following rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to define post-mortem directives.
To exercise them: [email protected] or by post to SAS Jalimani, Normandy, France.
Response time: 1 month (extended by 2 months for complex requests).
Complaint to the CNIL: www.cnil.fr
To withdraw your consent for partner marketing, use the “Unsubscribe” link included in every email received, or contact the DPO.
7. Cookies
The website uses strictly necessary cookies (sessions, security) without prior consent. Third-party cookies (analytics, marketing) are placed only after explicit consent via the tarteaucitron consent manager. No advertising cookies. Maximum lifetime: 13 months.
8. Security
TLS encryption in transit, encrypted database at rest, daily backups, MFA for admin access, and environment isolation.
9. B2B Customers — Processor Role (art. 28 GDPR)
When you use QronoPlay to collect and process the personal data of your own players, QronoPlay acts as a processor and you are the data controller. A standard Data Processing Agreement compliant with article 28 GDPR is available at qronoplay.fr/dpa.
10. Changes
This policy may evolve. Active accounts will be notified by email of any substantial change 30 days before it takes effect.