Data protection . GDPR
Privacy policy.
Last updated: 12 mai 2026. Compliant with Regulation (EU) 2016/679 (GDPR) and French Law No. 78-17 of 6 January 1978 as amended.
English translation of the binding French privacy policy. In case of discrepancy, the French version prevails.
GTA GO TO AGENCY takes the protection of your private life and personal data seriously. This policy explains clearly and transparently what data we collect, why, for how long, with whom we share it, and how you can exercise your rights.
1. Data controller
- Identity
- GTA GO TO AGENCY
- Registered office
- À COMPLÉTER — N°, rue, 21000 Dijon
- SIREN
- 944 980 762
- GDPR contact
- rgpd@dijon-conciergerie.com
2. Purposes, legal bases, retention periods
We process your personal data only for the purposes described below, each based on an identified legal ground under article 6 of the GDPR. No further processing is carried out for a subsequent purpose incompatible with those declared below.
Free estimate request (owner form)
- Legal basis
- Pre-contractual measure taken at the request of the data subject (GDPR art. 6.1.b)
- Data
- First name, surname, e-mail, telephone, property address, property type, surface area, current letting situation
- Retention
- 3 years from the last effective contact, then 5-year intermediate archive if a mandate is signed
- Recipients
- Dijon Conciergerie sales team . partner LMNP accountant (on explicit consent)
Performance of the letting management mandate
- Legal basis
- Performance of a contract (GDPR art. 6.1.b) and legal obligation (GDPR art. 6.1.c)
- Data
- Full identity, bank details, owner supporting documents, DPE, property photos, guest booking data, LMNP tax data
- Retention
- Duration of the mandate plus 10 years (accounting and tax obligations, art. L. 123-22 of the French Commercial Code)
- Recipients
- Management team . OTA platforms (Airbnb, Booking, Abritel) . partner accountant . tax authorities on summons
Le Meur Law compliance service (299 € offer)
- Legal basis
- Performance of a contract (GDPR art. 6.1.b)
- Data
- Identity, property address, DPE, current town hall number, LMNP status, tax supporting documents
- Retention
- 10 years (accounting and tax obligations tied to invoicing)
- Recipients
- Compliance team . Declaloc portal (French Ministry of the Economy) . Dijon town hall . Atout France if classification is requested
Referral programme (notaries, financial advisers, accountants)
- Legal basis
- Performance of a contract (GDPR art. 6.1.b)
- Data
- Referrer identity, bank details, SIRET, sector, referrer code, leads transmitted
- Retention
- Duration of the agreement plus 5 years after the last commission paid
- Recipients
- Partnerships team . tax authorities (DAS-2 declaration of commissions paid)
Anonymous audience measurement on the website
- Legal basis
- Legitimate interest (GDPR art. 6.1.f) . cookie-less analysis via Plausible Analytics
- Data
- URL visited, country, traffic source, device type. No nominal data, no fingerprinting
- Retention
- 12 months in aggregated form
- Recipients
- Marketing team . Plausible Analytics (Germany, EU)
Sending commercial communications (newsletter)
- Legal basis
- Free, specific and informed consent (GDPR art. 6.1.a) . opt-in
- Data
- E-mail, first name, town (Dijon or nearby)
- Retention
- Until consent is withdrawn, or 3 years after the last effective click
- Recipients
- Marketing team . sending provider (Resend/SendGrid)
Response to GDPR requests (access, objection, etc.)
- Legal basis
- Legal obligation (GDPR art. 6.1.c and articles 12 to 22 of the GDPR)
- Data
- Requester identity, identity proof, request content
- Retention
- 5 years after closing the request (proof of response in case of CNIL audit)
- Recipients
- DPO or internal compliance officer only
3. Sub-processors and technical partners
Under article 28 of the GDPR, we use sub-processors offering sufficient guarantees on data protection. Each sub-processor is bound by a Data Processing Agreement imposing compliance with the GDPR.
| Sub-processor | Role | Country |
|---|---|---|
| Hetzner Online GmbH | Hébergement | Allemagne (UE) |
| Plausible Analytics (auto-hébergé) | Analyse audience sans cookie | Allemagne (UE) |
| Documenso (auto-hébergé) | Signature électronique conventions partenaires | Allemagne (UE) |
| Amazon Web Services (SES) | Envoi e-mails transactionnels | Irlande (UE) |
| Anthropic, PBC | Modèle de langage (rédaction rapports et e-mails) | USA (clauses contractuelles types) |
| Airbnb Ireland UC | Référence éditoriale (marque tierce) | Irlande (UE) |
| Booking.com B.V. | Référence éditoriale (marque tierce) | Pays-Bas (UE) |
4. Data transfers outside the European Union
Some technical operations may involve a transfer of data to the United States (Vercel hosting, transactional e-mail). These transfers are governed by the Standard Contractual Clauses approved by the European Commission (Decision 2021/914 of 4 June 2021), under article 46 of the GDPR.
Vercel Inc. is also certified under the EU-U.S. Data Privacy Framework (DPF) in force since 10 July 2023, which is a complementary guarantee of adequate protection recognised by the European Commission.
5. Data security
Under article 32 of the GDPR, we put in place appropriate technical and organisational measures to ensure a level of security suited to the risk:
- Systematic TLS 1.3 encryption of communications (HTTPS)
- AES-256 encryption at rest for sensitive data (bank details, supporting documents)
- bcrypt hashing of user passwords
- Access limited to strictly authorised staff (least-privilege principle)
- Two-factor authentication on every administrator account
- Daily encrypted backups with 30-day rotation
- Annual penetration tests by an independent provider
- Documented breach notification procedure within 72 hours (GDPR art. 33)
6. Your data rights
Under articles 15 to 22 of the GDPR, you have the following rights at all times:
- Right of access: confirmation whether your data is processed and a copy thereof (art. 15)
- Right of rectification: have inaccurate or incomplete data corrected (art. 16)
- Right of erasure (right to be forgotten): have your data deleted under the conditions set out in (art. 17)
- Right to restriction: temporarily suspend a processing operation (art. 18)
- Right to portability: receive your data in a structured, machine-readable format (art. 20)
- Right to object: object to processing based on legitimate interest or to direct marketing (art. 21)
- Right to withdraw consent: withdraw at any time your consent where processing relies on it (art. 7.3)
- Right to set post-mortem directives on the fate of your data (article 85 of the French Data Protection Act)
To exercise your rights, write to rgpd@dijon-conciergerie.com attaching a copy of an ID document. Reply within 1 month maximum (extendable by 2 months for a complex request, you will be informed).
7. Complaint to the CNIL
If, after contacting us, you consider that your rights have not been respected, you may file a complaint with the French data protection authority (CNIL): 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, by telephone on +33 (0)1 53 73 22 22, or online at cnil.fr/fr/plaintes.
8. Cookies and trackers
The site dijon-conciergerie.com uses no advertising cookies and no third-party trackers requiring prior consent. Audience measurement is provided by Plausible Analytics (hosted in Germany, EU), a privacy-friendly solution recognised by the CNIL as exempt from consent.
Plausible uses no persistent cookie, does not follow any visitor across sites, does not build a user profile and does not fingerprint. All data collected is anonymised and aggregated.
A strictly necessary cookie (6-month lifetime) may be placed to remember your display preference for our cookie information banner. It is the only technical cookie placed by this site and does not require consent (article 82 of the French Data Protection Act).
9. No automated decision-making
GTA GO TO AGENCY carries out no fully automated decision-making (within the meaning of GDPR article 22) producing legal effects or significantly affecting data subjects. Our pricing estimates are systematically reviewed and validated by a human before being sent.
10. Protection of minors
The site and services of GTA GO TO AGENCY are not addressed to minors under 15 (the digital consent age in France under the law of 7 July 2020). We knowingly collect no data concerning minors. If you find out that your child has sent us personal data without parental authorisation, please contact us for immediate deletion.
11. Changes to this policy
This policy may be amended, in particular to reflect changes in regulation, our services or our sub-processors. Any substantial change will be notified by e-mail (if you are a client) and flagged on the site. The last update date is shown at the top of this page.