Privacy Policy
1. Identity of the Data Controller
This Privacy Policy applies to personal data processed by:
Company name: Citibox France SAS — SIRET / RCS number: 853265577 — Registered office: 43, Avenue de la Grande Armée, 75116 Paris (France) — Email address: citiboxfr@citibox.com.
2. Data processed and individuals concerned
Citibox France SAS operates a network of Pick-Up/Drop-Off Points ("PUDOs"), in partnership with carriers (including Amazon Hub Counter), allowing parcel recipients to collect their shipments at partner local stores.
2.1 Managers and employees of partner stores (PUDOs) — Acting as data controller, Citibox France SAS collects: surname, first name, store company name, postal address, email address, phone number, bank details required to pay the remuneration (€0.25 per parcel handled), volume of parcels handled, opening hours, storage capacity.
2.2 Parcel recipients (end users) — As part of its activity as a pick-up point network on behalf of partner carriers (in particular Amazon Hub Counter), Citibox France SAS may process, as a data processor: parcel identifier, collection code, drop-off and pick-up timestamps, contact details transmitted by the partner carrier in case of incident.
2.3 Website visitors — Through browsing and the use of cookies, Citibox France SAS collects browsing data in accordance with its Cookie Policy.
2.4 Persons who submit the contact form (Leads) — When you submit the "Become a pickup point" form, Citibox France SAS collects: name, business name, postal address, email and phone in order to be contacted by the sales team.
3. Purposes and legal bases of processing
3.1 Management of the PUDO network (store managers) — Purpose: management of contractual relationships, payment of remuneration, incident management, operational support. Legal basis: performance of the contract (Art. 6.1.b GDPR); legal obligation (Art. 6.1.c GDPR) for accounting and tax data.
3.2 Parcel handling on behalf of partner carriers — Purpose: operational handling, traceability, incident management. Legal basis: performance of the data processing agreement (Art. 6.1.b GDPR).
3.3 Operation of the website and cookies — Purpose: ensure proper technical operation, analyse audience, improve user experience. Legal basis: legitimate interest (Art. 6.1.f GDPR) for strictly necessary cookies; consent (Art. 6.1.a GDPR) for analytics and marketing cookies.
3.4 Handling of requests and complaints — Purpose: respond to information requests, complaints, and the exercise of rights. Legal basis: legitimate interest (Art. 6.1.f GDPR) and legal obligation (Art. 6.1.c GDPR).
3.5 Handling of partnership applications (contact form) — Purpose: contact stores that have expressed an interest in joining the network, share eligibility conditions, schedule a sales call. Legal basis: legitimate interest (Art. 6.1.f GDPR) and explicit consent given via the checkbox (Art. 6.1.a GDPR).
4. Data retention period
PUDO managers' data (contractual data): duration of the contractual relationship, then 5 years from the end of the contract (statute of limitations under ordinary law, Art. 2224 of the French Civil Code).
Accounting and tax data: 10 years in accordance with the French Commercial Code.
Operational parcel traceability data: duration set by the partner carrier under the data processing agreement.
Browsing data and cookies: in accordance with the Cookie Policy (maximum 13 months as recommended by the CNIL).
Partnership-application data (Leads): 12 months from the last sales interaction, then deleted unless converted into a contractual relationship.
Incident-recovery log for the contact form (failure cases only): 30 days maximum, in a restricted-access log bucket, used solely to recover the Lead. See section 5 for details.
5. Recipients, international transfers and technical processors
Personal data processed by Citibox France SAS may be disclosed to the following categories of recipients:
— Partner carriers (including Amazon Hub Counter): for the operational management of parcels, under data processing agreements.
— Technical and IT service providers: Google Cloud Platform (hosting), Google Workspace (Apps Script + Google Sheets, storage of contact-form applications). Each processor operates under a GDPR-compliant Data Processing Addendum. Anti-bot verification of the contact form is performed in-house (no third-party processor).
— Competent authorities: insofar as disclosure is required or mandatory under applicable law (judicial authorities, tax administrations).
International data transfers: Citibox France SAS undertakes to transfer personal data to third countries only where appropriate safeguards are in place, in accordance with Articles 44 to 49 of the GDPR (adequacy decisions, European Commission standard contractual clauses, etc.).
Incident-recovery log for Lead recovery: if our submission infrastructure fails to record your contact-form request, we may temporarily store the form contents (name, email, phone, address, message) in our incident-response logs for up to 30 days, solely to manually recover the Lead. Access to these logs is strictly limited to our SRE team and audit-logged. This measure is based on legitimate interest (Art. 6.1.f GDPR) in honouring a request you initiated with us.
6. Rights of data subjects
In accordance with the GDPR and the French Data Protection Act, any person whose data is processed by Citibox France SAS has the following rights: right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20), right to object (Art. 21), right to withdraw consent at any time.
To exercise these rights, you may send your request by email to citiboxfr@citibox.com, stating the right you wish to exercise and attaching a copy of an identity document.
The response time is one (1) month from receipt of the request, which may be extended by two additional months in the case of complex or numerous requests (Art. 12 GDPR).
If you consider that your rights are not being respected, you may lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
7. Security measures
Citibox France SAS implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include in particular data encryption in transit and at rest, access control based on the principle of least privilege, and security incident management procedures.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of the persons concerned, Citibox France SAS undertakes to notify the CNIL within 72 hours in accordance with Article 33 of the GDPR.
8. Amendments to the privacy policy
Citibox France SAS reserves the right to amend this Privacy Policy at any time, in compliance with applicable regulations. Any substantial amendment will be communicated to the persons concerned through publication on the Site or by any other appropriate means of communication.