Article 1 - Data Controller
The data controller for personal data collected via WhatsApp Business is:
Kréaïa – Handcrafted Jewelry
Email : contact@kreaia.mu
WhatsApp Business Number: +230 58553372
Article 2 - Applicable Legal Framework
This policy complies with the following regulations:
Data Protection Act 2017 (Republic of Mauritius) – As Kréaïa is established in Mauritius, this legislation constitutes the primary legal framework.
Regulation (EU) 2016/679 (GDPR) – Applicable when Kréaïa processes data of individuals located in the European Union.
Article 3 - Personal Data Collected
In the context of communications via WhatsApp Business, Kréaïa may collect the following categories of data:
3.1 Identification Data
Mobile phone number, first and last name (as displayed on the WhatsApp profile), profile picture (if visible).
3.2 Communication Data
Content of exchanged messages (texts, images, documents, voice messages), timestamps of communications, read and delivery receipts.
3.3 Transactional Data
Order-related information (product references, delivery addresses, customization preferences), commercial interaction history.
Article 4 – Purposes and Legal Bases for Processing
The collected data is processed for the following purposes:
4.1 Customer Relationship Management and Order Fulfillment
Purpose: Responding to inquiries, processing and tracking orders, managing deliveries, after-sales service.
Legal basis: Performance of a contract (Article 6.1.b of the GDPR) or pre-contractual measures at the request of the data subject.
4.2 Customer Support and After-Sales Service
Purpose: Handling complaints, managing returns and exchanges, technical assistance.
Legal basis: Performance of a contract (Article 6.1.b of the GDPR).
4.3 Commercial Prospecting
Purpose: Sending information about new products, promotions, and Kréaïa events.
Legal basis: Prior consent of the data subject (Article 6.1.a of the GDPR). This consent may be withdrawn at any time.
4.4 Service Improvement
Purpose: Analysis of communications to improve customer service quality.
Legal basis: Legitimate interest of Kréaïa (Article 6.1.f of the GDPR) in improving its services.
Article 5 – Data Recipients
Data collected via WhatsApp may be shared with the following recipients:
5.1 Meta Platforms (WhatsApp)
As the operator of the WhatsApp Business API platform, Meta Platforms Ireland Limited (for the EU) and Meta Platforms Inc. (United States) have access to communication metadata. Messages are end-to-end encrypted and are not accessible to Meta.
5.2 Technical Subcontractors
Commercial Management Platform (CRM/ERP): Odoo, hosted in France. Data is integrated for order tracking and customer relationship management.
Workflow Automation: n8n, hosted in France. Used for automating certain processes (notifications, data synchronization). Azure OpenAI hosted in France.
Article 6 – Data Transfers Outside Mauritius and the EU
The use of WhatsApp Business API involves data transfers to the United States (Meta Platforms Inc.).
These transfers are governed by the EU-US Data Privacy Framework, an adequacy decision adopted by the European Commission on July 10, 2023.
Warning: This legal framework could be challenged by a ruling from the Court of Justice of the European Union, as was the case with its predecessors (Safe Harbor, Privacy Shield). Kréaïa commits to adapting its practices in the event of changes to the legal framework.
Processing carried out via Odoo, Azure OpenAI and n8n remains located in France and is not subject to any transfer outside the European Economic Area.
Article 7 – Data Retention Period
Personal data collected via WhatsApp is retained for a period of twelve (12) months from the last communication.
At the end of this period, data is deleted from our systems, with the exception of data required for compliance with legal obligations (accounting, taxation) or for the establishment, exercise, or defense of legal claims.
Data stored in Odoo, Azure OpenAI and n8n is subject to the same retention period.
Article 8 – Rights of Data Subjects
In accordance with applicable regulations, you have the following rights regarding your personal data:
- Right of access: obtain confirmation that data concerning you is being processed and receive a copy.
- Right to rectification: have inaccurate data corrected or incomplete data completed.
- Right to erasure: request the deletion of your data under the conditions provided by regulations.
- Right to restriction: request the suspension of processing of your data in certain circumstances.
- Right to data portability: receive your data in a structured, commonly used format.
- Right to object: object to the processing of your data on legitimate grounds, or at any time for commercial prospecting.
- Right to withdraw consent: when processing is based on your consent, you may withdraw it at any time.
To exercise these rights, submit your request via our contact form or by WhatsApp message to the number indicated in Article 1.
You also have the right to lodge a complaint with the competent supervisory authority: the Data Protection Office of Mauritius (for Mauritius residents) or the CNIL (for EU residents).
Article 9 – Data Security
Kréaïa implements appropriate technical and organizational measures to protect your personal data:
- End-to-end encryption of communications via WhatsApp.
- Hosting of Odoo, Azure OpenAI and n8n data in France, subject to European security standards.
- Data access restricted to authorized personnel only.
- Data backup and recovery procedures.
Article 10 – Policy Amendments
Kréaïa reserves the right to modify this policy at any time. In the event of a substantial modification, users will be notified via WhatsApp. The current version is available upon request.