Effective date: 29.08.2025
1. Controller and contact details
The personal data controller is MISRULE SAS, 36 RUE DU LOUVRE, 75001 Paris, France, TVA: FR43937998417, SIRET: 937 998 417 00011. Contact for privacy matters/DPO: privacy@misrule-sas.com
2. Data categories and sources
- We process: identification, contact, and address data; account data; Order data (including payment identifiers); logistics data (tracking numbers, statuses); declarations and consents (age, acceptances); technical logs (IP, device identifiers, timestamps); data from cookies/SDK; marketing preferences.
- Data is obtained directly from the Customer, from payment systems, from Carriers, and from the Customer's device (cookies/SDK).
3. Purposes and legal bases for processing
- Performance of a contract (registration, handling purchases, payments, deliveries, returns, complaints) – Art. 6(1)(b) GDPR.
- Fulfillment of legal obligations (accounting, tax settlements, OSS procedure and archiving of proof of place of consumption, product safety, responses to authorities) – Art. 6(1)(c) GDPR.
- Age verification, fraud prevention, pursuing claims – Art. 6(1)(c) and (f) GDPR.
- Communication regarding public law obligations in destination countries (e.g., reminders about recipient formalities) as part of order processing and the duty to inform – Art. 6(1)(b) and (c) GDPR.
- Own marketing, analytics, and personalization – based on consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)), as applicable, in compliance with ePrivacy; always with the right to object.
- Maintenance and security of the Service (logs, fraud prevention, testing) – Art. 6(1)(f) GDPR.
4. Data recipients
- Data may be transferred to: payment providers, logistics operators and Carriers, hosting and IT service providers, CRM/CS systems, accounting office, law firms, providers of marketing and analytical tools, and competent public authorities when required by law (including fiscal/customs).
5. Transfers outside the EEA
- If selected providers are based outside the EEA, we ensure legal bases for the transfer (EU Standard Contractual Clauses) and adequate security measures; a copy can be obtained by contacting us.
6. Retention periods
- Account data and purchase history – for the period of using the Account, and then for the time resulting from accounting regulations and the statute of limitations for claims.
- Tax data and evidence for OSS purposes – in accordance with regulations (as a rule, 10 years from the end of the tax year).
- Marketing data – until consent is withdrawn/objection is raised or for a period of inactivity indicated in our retention policy.
- Age verification data – to the minimum extent and time necessary; if we exceptionally process a copy of a document, we store it for a short term and in a limited form (unnecessary fields masked).
7. Rights of data subjects
You have the right to access, rectification, erasure, restriction, and portability, the right to object (including to marketing and profiling), and the right to withdraw consent (without affecting the lawfulness of processing before withdrawal). A complaint can be lodged with the CNIL or with the authority competent for your place of habitual residence.
8. Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal effects. We may use profiling for analytics and offer personalization; you have the right to object at any time.
9. Cookies and similar technologies
- The Service uses cookies and similar technologies (e.g., local storage) for the purposes of: ensuring functionality, traffic analytics, and marketing.
- We use a consent mechanism (banner) that allows you to choose categories: Necessary, Analytical, Marketing; settings can be changed in the footer.
- Data from cookies may be linked to your account after logging in – solely based on consent.
10. Security and breach reporting
We apply adequate technical and organizational measures (encryption, access control, pseudonymization, security tests). We report data breaches in accordance with the GDPR; in case of high risk, we inform the affected individuals.
11. Minors
The Service is not intended for persons under 18 years of age and does not knowingly collect their data.
12. Policy changes and contact
We reserve the right to change the Policy; we will announce significant changes on the Service and, where possible, by e-mail.
For data protection matters, please contact: privacy@misrule-sas.com; correspondence address: 36 RUE DU LOUVRE, 75001 Paris, France.