Privacy policy

At Boostermark, accessible at boostermark.fr, we place the utmost importance on protecting your personal data. This privacy policy describes how we collect, use, store, and protect your information.

Last updated: 01/12/2026

1. Data Controller

  • Controller: Sadeg Yanis — Sole proprietor
  • Trade name: Symplyweb
  • SIRET: 990 263 790 00018
  • Address: 200 RUE de la Croix Nivert, 75015 Paris, France
  • Email: [email protected]

2. Data Collected

2.1. Registration and Profile Data

When creating your account, we collect:

  • Username
  • Email address
  • Password (stored in encrypted form)
  • User roles (buyer, seller, etc.)
  • Account creation date

2.2. Seller Profile Data

If you create a seller profile, we also collect:

  • Full name or business name
  • Business description
  • Logo and banner (optional)
  • Stripe Connect identifier
  • Account verification status

2.3. Transaction Data

When placing an order, we collect:

  • Payment information (processed by Stripe)
  • Transaction amount
  • Transaction date and time
  • Order status
  • Order details (offer, bundle, quantity)
  • Messages exchanged between buyer and seller

2.4. Navigation Data

We automatically collect:

  • IP address
  • Browser type and operating system
  • Pages visited and visit duration
  • Cookies (see dedicated section)

2.5. Dispute Data

In case of a dispute, we retain:

  • Dispute description
  • Exchanges and evidence provided
  • Administrative decisions

2.6. Social Media Data (Optional)

If you connect your social media accounts to your seller profile, we collect:

  • Account identifiers (Instagram, TikTok, Twitch, YouTube)
  • Public statistics (follower count, average views, engagement rate, posts per month)
  • OAuth access tokens (stored securely and encrypted)
  • Last synchronization date

This data is used to display statistics on your public seller profile and is automatically synchronized every 24 hours. You can disconnect your accounts at any time from your seller dashboard.

2.7. Uploaded Files

When using the platform, we store:

  • User avatars
  • Seller profile logos and banners
  • Offer media (photos, videos)
  • Files attached to conversations (buyer instructions, delivery files)

Security: All uploaded files are automatically analyzed by our security system before being stored. If malicious content is detected, the file is immediately deleted and the incident is logged in our security logs.

2.8. Reviews and Ratings

After a transaction, you can leave a review including:

  • Rating (1 to 5 stars)
  • Text comment (optional)
  • Publication date
  • Review status (public, hidden, approved, pending moderation)

Reviews are publicly visible on seller profiles after moderation.

2.9. Business Buyer Tax Data

If you are a business buyer (company, corporation), we collect:

  • Business name or legal name
  • Registered office address
  • Intra-Community VAT number (for businesses established in the European Union)
  • SIREN/SIRET number (for French businesses)
  • Legal structure (SARL, SAS, sole trader, etc.)
  • VAT number validation status (valid, invalid, pending)
  • Date and time of VAT number validation via VIES system

ℹ️ VIES Validation (VAT Information Exchange System): Intra-Community VAT numbers of business buyers are automatically validated in real-time via the European VIES system (managed by the European Commission). This validation is necessary to apply the VAT reverse charge mechanism in accordance with Article 283-2 of the French General Tax Code.

Purpose of collection: This data is used exclusively to:

  • Apply the correct VAT rate on your purchases (French VAT, reverse charge, or export)
  • Generate invoices compliant with French and European legal obligations
  • Comply with tax and customs traceability obligations (Article L. 123-22 of the French Commercial Code)

2.10. Accounting and Tax Documents

For sellers, we generate and retain:

  • Commission invoices (format: FC-YEAR-NUMBER, e.g., FC-2025-0001)
  • Payment receipts
  • Monthly sales statements
  • Accounting journals for export

These documents are generated in compliance with Article 286 of the French General Tax Code (CGI) and French legal obligations regarding invoicing.

3. Processing Purposes

Your data is used for:

  • Account management: Creation, authentication, and management of your account
  • Transaction execution: Processing orders and payments
  • Communication: Messaging between buyers and sellers, notifications
  • Security: Fraud prevention, user protection
  • Dispute management: Resolution of disputes between users
  • Legal compliance: Compliance with tax and legal obligations
  • Tax validation: Validation of intra-Community VAT numbers via the European VIES system to apply the appropriate tax regime (reverse charge, export, French VAT) in compliance with European and French regulations
  • Service improvement: Statistical analysis and platform improvement

4. Legal Basis for Processing

We process your data on the following legal bases:

  • Contract execution: For the provision of marketplace services
  • Legal obligation: For tax compliance and fraud prevention
  • Legitimate interest: For platform security and service improvement
  • Consent: For non-essential cookies and marketing communications

5. Data Sharing

Your data may be shared with:

5.1. Service Providers

  • Stripe: Payment processing and seller account management
  • Hostinger: Website hosting and data storage
  • Scaleway (France): Public media storage (photos, videos) with CDN for fast delivery
  • Email services: Sending notifications and communications
  • Social media APIs: Retrieval of public statistics
    • Meta/Facebook (Instagram): Graph API for Instagram statistics
    • TikTok: Official API for TikTok statistics
    • Twitch: Twitch API for streaming statistics
    • YouTube/Google: YouTube Data API v3 for YouTube statistics

5.2. Other Users

Some information is publicly visible:

  • Username
  • Seller profile (name, description, offers)
  • Ratings and reviews (if applicable)

5.3. Authorities

We may be required to disclose your data to competent authorities in the context of legal obligations or judicial proceedings.

6. Retention Period

  • Account data: Until deletion of your account + 3 years (tax obligations)
  • Transaction data: 10 years (accounting obligations)
  • Dispute data: 5 years from resolution
  • Connection logs: Maximum 12 months
  • Cookies: According to their nature (see cookies section)
  • Uploaded files: Until account deletion + 3 years (legal obligations)
  • Offer media: While offer is active + 3 years after deletion
  • Reviews and ratings: Seller profile lifetime + 3 years after deletion
  • Billing documents: 10 years (French accounting and tax obligations)
  • VIES validation records: 10 years from validation date (legal tax and customs traceability obligation - Article L. 123-22 of the French Commercial Code)
  • OAuth social media tokens: Until account disconnection or seller profile deletion

ℹ️ Important note on tax data: VIES validation records (date, time, validation result, validated VAT number) are retained for 10 years in accordance with French and European legal obligations regarding tax and customs traceability. This retention is necessary to justify the application of the appropriate tax regime in case of tax audit.

7. Cookies

7.1. What is a Cookie?

A cookie is a small text file stored on your device when you visit our site. Cookies allow us to recognize your device and personalize your experience.

7.2. Types of Cookies Used

Essential Cookies (mandatory)

  • Symfony Session (PHPSESSID): Maintains your login session (duration: session)
  • CSRF Token: Protection against CSRF attacks (duration: session)
  • Consent cookie: Records your cookie preferences (duration: 13 months)

Functional Cookies (can be disabled)

  • User preferences: Language, currency, display settings (duration: 12 months)
  • Shopping cart: Cart preservation between sessions (duration: 30 days)

Third-party Cookies

  • Stripe: Secure payment processing (duration: according to Stripe)

7.3. Cookie Management

You can manage your cookie preferences at any time by clicking the "Manage Cookies" link at the bottom of the page or through your browser settings.

Please note that disabling certain cookies may affect the site's functionality.

8. Your Rights

In accordance with GDPR, you have the following rights:

  • Right of access: Obtain a copy of your personal data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your data
  • Right to restriction: Limit the processing of your data
  • Right to portability: Receive your data in a structured format
  • Right to object: Object to the processing of your data
  • Right to withdraw consent: Withdraw your consent at any time

To exercise your rights, contact us at: [email protected]

You also have the right to lodge a complaint with the CNIL (www.cnil.fr).

Important Note on Account Deletion

Account deletion is only possible if you have no pending orders (statuses: awaiting instructions, awaiting seller response, accepted, delivered, disputed).

After deleting your account:

  • Your personal identification data is deleted immediately
  • Completed transaction data is anonymized (dissociated from your identity) but retained for 10 years to comply with our legal accounting and tax obligations
  • Billing documents are archived anonymously for 10 years
  • Your public reviews remain visible but are anonymized (displayed as "Deleted User")

9. Security

We implement appropriate technical and organizational measures to protect your data against loss, misuse, unauthorized access, disclosure, alteration, or destruction.

  • Password encryption
  • Secure HTTPS connection
  • Secure hosting in the European Union (Hostinger)
  • Limited access to personal data
  • Regular backups
  • Protection against CSRF and XSS attacks
  • Automatic analysis of uploaded files by our security system
  • Rate limiting: Limit on requests per IP (DDoS and abuse protection)
  • Automatic detection and blocking of suspicious behavior
  • Mathematical captcha: Brute force protection on login (activated after 3 failed attempts)

10. International Transfers

Your data is primarily hosted and processed in France and the European Union, which offer an adequate level of protection according to the European Commission.

10.1. Hosting and Storage

  • Hostinger (European Union): Main website hosting and database
  • Scaleway (France): Media and public file storage

10.2. Tax Validation Within the EU (VIES)

European Commission - VIES System (VAT Information Exchange System)

If you are a business buyer established in the European Union and provide an intra-Community VAT number, we transfer your VAT number to the European Commission's VIES system for real-time validation.

Transferred data:

  • Intra-Community VAT number
  • Company name (for matching verification - optional)

Legal basis for transfer: Legal obligation (Article 283-2 of the French General Tax Code and VAT Directive 2006/112/EC). The VIES system is managed by the European Commission and data remains within the European Union.

Data protection: The VIES system complies with GDPR and European data protection regulations. For more information: https://ec.europa.eu/taxation_customs/vies/

10.3. Service Providers Outside EU/EEA

Stripe Inc. (United States)

Payment data is processed by Stripe Inc., located in the United States. These transfers are governed by:

  • The EU-US Data Privacy Framework (adopted in July 2023)
  • Standard Contractual Clauses approved by the European Commission
  • Appropriate technical and organizational safeguards (encryption, access controls)

For more information: https://stripe.com/privacy

Social Media APIs (Optional)

If you connect your social media accounts, some data may transit through:

  • Meta/Facebook (United States): For Instagram - EU-US Data Privacy Framework and standard contractual clauses
  • TikTok (Singapore/United States): Standard contractual clauses
  • Amazon Web Services (United States): For Twitch - EU-US Data Privacy Framework
  • Google (United States): For YouTube - EU-US Data Privacy Framework

These transfers are limited to public statistics necessary for displaying your profile.

11. Policy Changes

We reserve the right to modify this privacy policy at any time. Any changes will be posted on this page with an updated date.

We encourage you to regularly consult this page to stay informed of our practices regarding data protection.

12. Contact

For any questions regarding this privacy policy or the processing of your data, you can contact us:

  • By email: [email protected]
  • By mail: Symplyweb, 200 RUE de la Croix Nivert, 75015 Paris, France