Preamble.
Restaurant La Panthère, operated by the company BAVI SASU, attaches fundamental importance to respecting your privacy and protecting the personal data you entrust to us. The purpose of this privacy policy is to inform you, in full transparency, about the data processing carried out in connection with the use of the website restaurantlapanthere.com and our services.
This policy applies to all data collected via: the website, the online booking module, the contact form, newsletter sign-up, the blog comment system, as well as any interactions by email or telephone.
It is drafted in accordance with the General Data Protection Regulation (GDPR — EU 2016/679), which came into force on 25 May 2018, and the French Act No. 78-17 of 6 January 1978 as amended, known as "Informatique et Libertés".
Data controller.
The controller responsible for processing the personal data collected on the website is:
- Company
- BAVI SASU
- Represented by
- MANOTHARAN Jeyapiratha, Chair
- Registered office
- 11 Rue de la Paix, 67300 Schiltigheim, France
- SIRET
- 838 271 252 00028
- Data protection contact
- contact@restaurantlapanthere.com
- Telephone
- 03 88 83 50 34
No Data Protection Officer (DPO) has been appointed, as such appointment is not mandatory given the nature of our activity (Article 37 of the GDPR). Any question relating to your personal data may be addressed directly to contact@restaurantlapanthere.com.
Data collected.
We collect only the data strictly necessary for the purposes described below. The exact scope varies according to your interaction with the website:
Online booking
When you make a booking through our booking module, we collect: surname, first name, email address, telephone number, requested date and time, number of guests, as well as any special requests you may have (allergies, special occasion, table preference, etc.). No payment information is collected at this stage — payment is made on site.
Contact form
When you write to us via the contact form: name, email address, subject, message, and any additional information you choose to share spontaneously.
Newsletter
When you sign up for our newsletter: email address only (the first name is optional). No other data is required.
Blog comments
When you post a comment on an article: pseudonym or name, email address (not published, used for moderation), connection IP address (retained for abuse prevention and spam protection), and the content of your comment.
Technical browsing data
When you simply visit the website, certain technical data is collected automatically by our hosting provider and our audience-measurement tools: IP address, browser type and version, operating system, pages viewed, visit duration, referring site, device type. The details can be found in our cookie policy.
Purposes and legal bases.
Each processing of your data is based on a precise legal basis within the meaning of Article 6 of the GDPR:
- Booking
- Performance of a contract (preparation and confirmation of your table) — Art. 6(1)(b) GDPR
- Contact
- Legitimate interest of the restaurant in responding to enquiries from its guests — Art. 6(1)(f) GDPR
- Newsletter
- Explicit consent, revocable at any time — Art. 6(1)(a) GDPR
- Blog comments
- Legitimate interest in fostering an editorial community + legal moderation obligation (LCEN Art. 6) — Art. 6(1)(f) and (c) GDPR
- Audience measurement
- Consent (except measurement cookies exempted under CNIL ruling) — Art. 6(1)(a) GDPR
- Website security
- Legitimate interest in preventing attacks and abuse — Art. 6(1)(f) GDPR
- Accounting and tax obligations
- Legal obligation (French Commercial Code, Tax Procedures Code) — Art. 6(1)(c) GDPR
Retention periods.
Your data is retained only for as long as strictly necessary for the purpose pursued, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR):
- Honoured booking
- 3 years from the last visit (customer prospecting)
- Cancelled booking
- 13 months maximum
- Contact message
- 3 years after the last interaction
- Newsletter sign-up
- Until consent is withdrawn, and at most 3 years after the last interaction (click, open)
- Blog comment
- Lifetime of the article + 3 years after the article is deleted
- Connection logs (security)
- 12 months maximum (CNIL recommendation)
- Accounting data (invoiced bookings)
- 10 years (obligation under French Commercial Code Art. L.123-22)
- Analytics cookies
- 13 months maximum (CNIL recommendation)
- Cookie consent
- 6 months (CNIL recommendation)
At the end of these periods, your data is either irreversibly anonymised (for retention for statistical purposes only) or permanently deleted from our systems.
Data recipients.
Your personal data is accessible only to authorised persons within the restaurant, within the limits of their duties, and to our technical processors acting strictly on our instructions and bound by contract (Art. 28 GDPR).
Internal recipients
The front-of-house team (booking management), management (commercial and accounting follow-up), and the editorial team (blog moderation).
Technical processors
- Website hosting
- Cloudflare, Inc. (United States) via Cloudflare Pages
- Booking module
- Darkin Production — Digital agency (France)
- Sending of transactional emails and newsletter
- Brevo (Sendinblue SAS) — to be confirmed depending on the tool selected
- Audience measurement
- Microsoft Clarity (Microsoft Corporation, United States)
- Maintenance and development
- Darkin Production — Digital agency (France)
Your data is never sold, rented or exchanged for commercial purposes with third parties. It is disclosed to public authorities only upon judicial request or express legal obligation.
Transfers outside the European Union.
As some of our technical processors are established in the United States (Cloudflare, Microsoft), using their services involves a technical transfer of your data outside the European Economic Area.
Safeguards in place. These transfers are governed by the standard contractual clauses adopted by the European Commission (Decision EU 2021/914 of 4 June 2021), and where applicable by the Data Privacy Framework EU–US for certified processors. These mechanisms ensure a level of data protection equivalent to that required by the GDPR.
The privacy policies and compliance commitments of our main processors are publicly accessible: Cloudflare Trust Hub, Microsoft Privacy.
Data security.
In accordance with Article 32 of the GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
— Encryption of communications: the entire website is served over HTTPS via a TLS certificate (end-to-end encryption between your browser and our servers);
— Secure hosting on the Cloudflare Pages infrastructure, with protection against denial-of-service attacks (DDoS) and a web application firewall;
— Restricted access to data through strong credentials and two-factor authentication for administrator accounts;
— Regular backups of the website content and logging of access;
— Awareness training of the team on data protection and GDPR best practices;
— Notification procedure to the CNIL in the event of a data breach within the legal time limit of 72 hours.
Your rights.
In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights over your personal data at any time:
- Right of access
- Obtain confirmation that your data is being processed and receive a copy of it
- Right to rectification
- Correct any inaccurate or incomplete data
- Right to erasure
- Request the deletion of your data ("right to be forgotten"), subject to our legal obligations
- Right to object
- Object to processing based on legitimate interest, in particular for direct marketing
- Right to restriction
- Request the temporary suspension of processing in the event of a dispute
- Right to data portability
- Retrieve your data in a structured, commonly used format
- Right to withdraw consent
- At any time, without affecting the lawfulness of processing carried out beforehand
- Right regarding post-mortem fate
- Set instructions on what happens to your data after your death (French Digital Republic Act)
Frequently asked questions.
To help you understand this policy, here are the answers to the most common questions about the processing of your data. If your question is not covered here, contact us at contact@restaurantlapanthere.com.
Does Restaurant La Panthère sell or rent my data to third parties?
No, never. Your data is neither sold, rented nor exchanged for commercial purposes. It is used solely to manage your relationship with the restaurant: confirming your booking, replying to your messages, or sending you the newsletter if you are subscribed.
Only our technical processors (hosting provider, email-sending tool) have access to it, strictly within the limits of their service and under contracts compliant with Article 28 of the GDPR.
How long is my booking data retained?
Three years from your last visit if the booking was honoured. Thirteen months maximum if the booking was cancelled.
Accounting data linked to an invoice is retained for ten years, as required by the French Commercial Code (Article L.123-22). Full details can be found in the Retention periods section above.
How can I permanently delete my data?
Simply send an email to contact@restaurantlapanthere.com requesting the deletion of your data. Where possible, specify the name and email used when making your booking or signing up.
We process your request within one month maximum, in accordance with the GDPR. To verify your identity and prevent a third party from making a request on your behalf, we may ask you for a copy of an identity document — it will be destroyed immediately after verification.
Will I receive advertising if I subscribe to the newsletter?
Our newsletter contains only information relating to the restaurant: new dishes, events, special offers, blog articles. No third-party advertising, no resale of your email address.
You can unsubscribe at any time via the unsubscribe link at the bottom of every email, or by writing to us directly.
Can my blog comment be deleted at my request?
Yes, at any time. Send your request to contact@restaurantlapanthere.com, specifying the article concerned and the pseudonym used. We will carry out the deletion as soon as possible.
Why might my data be transferred through the United States?
Our website is hosted on Cloudflare Pages and we use Microsoft Clarity to measure audience figures in an anonymised way — both services are operated by US companies.
These transfers are governed by the standard contractual clauses adopted by the European Commission (Decision EU 2021/914) and, where applicable, by the Data Privacy Framework EU–US, ensuring a level of protection equivalent to the GDPR.
Does the website use advertising or tracking cookies?
No. We use no advertising cookies, no Meta pixel, no retargeting.
The only non-essential cookies are anonymised audience-measurement cookies (Microsoft Clarity), placed solely with your explicit consent via the cookie banner. You can withdraw this consent at any time from our cookie page.
What happens if I decline cookies?
No impact on your experience: you can browse the website, book a table, read the blog and use all features normally.
Only the audience-measurement cookies will not be placed, which simply deprives us of anonymised visitor statistics. It in no way degrades your browsing.
How to exercise your rights.
To exercise any of these rights, you can contact us in one of the following ways:
— By email: contact@restaurantlapanthere.com
— By post: Restaurant La Panthère — 11 Rue de la Paix, 67300 Schiltigheim
To safeguard the confidentiality of your data, we may ask you to prove your identity (copy of an official identity document). This document will be destroyed immediately after verification.
We undertake to respond to your request within a period of one month from receipt, in accordance with Article 12 of the GDPR. This period may be extended by a further two months in the case of a complex request or a high volume, in which case you will be informed within the initial month.
Lodging a complaint with the CNIL.
If, after contacting us, you consider that your rights have not been respected, you have the option of lodging a complaint with the French supervisory authority:
- Authority
- Commission Nationale de l'Informatique et des Libertés (CNIL)
- Address
- 3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
- Telephone
- 01 53 73 22 22
- Website
- www.cnil.fr/fr/plaintes
Protection of minors.
The website restaurantlapanthere.com is not specifically aimed at minors and does not knowingly collect data from persons under the age of 15. In France, the minimum age to consent on one's own to the processing of one's personal data is set by law at 15 years (Art. 45 of the French Data Protection Act).
If you are under 15, the consent of one of your parents or legal guardians is mandatory before any newsletter sign-up or publication of a comment. Should we discover that a minor under 15 has provided us with data without parental consent, we will delete it without delay. To report such a situation: contact@restaurantlapanthere.com.
Cookies and trackers.
The use of cookies and other trackers on the website is the subject of a dedicated policy, accessible at any time via the cookie policy link. You can manage your cookie preferences via our consent manager, also accessible at the bottom of every page.
Changes to this policy.
This privacy policy may evolve to reflect regulatory, case-law, technical or organisational developments. The last-updated date, shown at the top of the page, allows you to check the version in force.
Any substantial change (new processing purpose, new major processor, significant change to a retention period) will be the subject of prior notice, by means of an information banner on the website and, where applicable, by email to newsletter subscribers. We encourage you to consult this page regularly.