Privacy Policy

Effective date: 29.08.2025

1. Controller and contact details

The controller of personal data is MISRULE SAS, 36 RUE DU LOUVRE, 75001 Paris, France, TVA: FR43937998417, SIRET: 937 998 417 00011. Contact for privacy matters/DPO: privacy@misrule-sas.com</span >.

2. Data categories and sources

  1. We process: identification, contact, and address data; account data; Order data (including payment identifiers); logistic data (tracking numbers, statuses); declarations and consents (age, acceptances); technical logs (IP, device identifiers, timestamps); data from cookies/SDK; marketing preferences.
  2. Data is obtained directly from the Customer, from payment systems, from Carriers, and from the Customer's device (cookies/SDK).

3. Purposes and legal bases for processing

  1. Performance of a contract (registration, purchase processing, payments, deliveries, returns, complaints) – Art. 6(1)(b) GDPR.
  2. Fulfillment of legal obligations (accounting, tax settlements, OSS procedure and archiving of consumption location evidence, product safety, responses to authorities) – Art. 6(1)(c) GDPR.
  3. Age verification, fraud prevention, exercising claims – Art. 6(1)(c) and (f) GDPR.
  4. Communication regarding public law obligations in destination countries (e.g., reminders about recipient formalities) as part of order processing and information duty – Art. 6(1)(b) and (c) GDPR.
  5. Own marketing, analytics, and personalization – respectively consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)) respecting ePrivacy; always with the right to object.
  6. Maintenance and security of the Service (logs, fraud prevention, testing) – Art. 6(1)(f) GDPR.

4. Data recipients

  1. Data may be transferred to: payment providers, logistic operators and Carriers, hosting and IT service providers, CRM/CS systems, accounting office, law firms, providers of marketing-analytical tools, and competent public authorities when required by law (including fiscal/customs).

5. Transfers outside the EEA

  1. If selected providers are based outside the EEA, we ensure legal bases for the transfer (EU Standard Contractual Clauses) and adequate security measures; a copy can be obtained by contacting us.

6. Retention periods

  1. Account and purchase history data – for the period of using the Account, and then for the time resulting from accounting regulations and the statute of limitations for claims.
  2. Tax data and evidence for OSS purposes – in accordance with regulations (as a rule, 10 years from the end of the tax year).
  3. Marketing data – until consent is withdrawn/objection is raised or for a period of inactivity indicated in our retention policy.
  4. Age verification data – to the minimum extent and time necessary; if we exceptionally process a copy of a document, we store it for a short term and in a limited form (unnecessary fields masked).

7. Rights of data subjects

You have the rights: of access, rectification, erasure, restriction, portability, objection (including to marketing and profiling), withdrawal of consent (without affecting the lawfulness of processing before withdrawal). A complaint can be lodged with the CNIL or with the authority competent for the place of habitual residence.

8. Automated data and profiling

We do not make decisions producing legal effects based solely on automated processing. We may use profiling for analytics and offer personalization; you have the right to object at any time.

9. Cookies and similar technologies

  1. The Service uses cookies and similar technologies (e.g., local storage) for the purposes of: ensuring functionality, traffic analytics, and marketing.
  2. We use a consent mechanism (banner) allowing you to choose categories: Necessary, Analytical, Marketing; settings can be changed in the footer.
  3. Data from cookies may be combined with the account after logging in – solely based on consents.

10. Security and breach reporting

We apply adequate technical and organizational measures (encryption, access control, pseudonymization, security testing). We report data protection breaches in accordance with the GDPR; in case of high risk, we inform the affected individuals.

11. Minors

The Service is not intended for persons under 18 years of age and does not knowingly collect their data.

12. Policy changes and contact

We reserve the right to change the Policy; we will inform about significant changes on the Service and – where possible – by e-mail.

In matters of data protection, contact: privacy@misrule-sas.com</span >; correspondence address: 36 RUE DU LOUVRE, 75001 Paris, France.

Doctorvape Logo
warning Do not enter if you are not of legal age.

By entering this site, I certify that I am of legal age according to the laws of my country to access products containing nicotine.