Privacy notice
Privacidad
Last updated: 04/05/2026
This privacy notice explains how Montandor Andorra S.L.U. ("Montandor", "we") collects, uses, retains and protects your personal data when you visit boutique.montandor.fr, place an order, or interact with your dedicated concierge via the boutique chat. It is drafted in compliance with Andorran data-protection law (Llei Qualificada de Protecció de Dades, LQPD), the EU GDPR (EU 2016/679) where the visitor is located within the European Union, and French, Spanish, Portuguese, Italian, German and Swiss data-protection rules where they apply.
1. Data controller
Montandor Andorra S.L.U., registered office at Avinguda Carlemany 67, AD700 Escaldes-Engordany, Principality of Andorra. For any privacy enquiry or to exercise your rights, email info@montandor.com or use the boutique chat selecting the "Privacy" category. We respond within the time limits set by applicable law and in any case within thirty (30) days.
2. Data we collect
We collect four categories of data, strictly limited to what is necessary to fulfil your order and manage the commercial relationship:
- Account and order data: full name, company name (if any), billing and shipping addresses, email, phone, order IDs, purchase history. This data is necessary to form and perform the sales contract.
- Payment data: we never store full card numbers. Payment is processed by our PCI-DSS Level 1 certified provider. We retain only the transaction token, the last four digits of the card, the network (Visa, Mastercard, Amex), expiry date and payment status, for accounting and anti-fraud purposes.
- Delivery data: shipping address, door code, delivery instructions, carrier tracking number (Chronopost, Colissimo). Shared only with our carrier and 3PL logistics provider for delivery execution.
- Technical connection data: IP address, user agent, approximate country, page viewed, timestamp. Feeds our access logs for security, fraud prevention and technical diagnostics.
We do not collect any sensitive data within the meaning of GDPR Article 9 (ethnic origin, political opinions, religion, health, sexual orientation, trade-union membership, biometric or genetic data).
3. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Process your order, payment, delivery, return | Performance of the sales contract |
| Customer service, order tracking, answering questions | Contract performance / legitimate interest |
| Invoicing, accounting, taxation | Legal obligation (10 years) |
| Security, fraud prevention, logging | Legitimate interest |
| Aggregated anonymous audience measurement | Legitimate interest (service improvement) |
| Newsletter, marketing communication (where applicable) | Consent (explicit opt-in, withdrawable at any time) |
4. Retention periods
- Order and invoicing data: duration of the commercial relationship plus ten (10) years, in line with Andorran and French accounting obligations.
- Payment data: thirteen (13) months for the transaction token and anti-fraud elements, in line with CNIL guidance and PCI-DSS requirements.
- Inactive customer account: three (3) years after last login, then deletion or anonymisation (subject to residual accounting obligations).
- Technical access logs: twelve (12) months, then automatic deletion.
- Aggregated audience measurement: thirteen (13) rolling months.
- Newsletter: until you unsubscribe, instantly via the link in every message.
5. Recipients and processors
Data collected is processed by our internal team and by a limited number of technical processors strictly necessary to execute your order:
- Infrastructure hosting: Microsoft Azure, West Europe region. Data stored within the EU.
- Payment: PCI-DSS Level 1 certified payment service provider (EU).
- Logistics and shipping: 3PL logistics provider in France (Grisolles warehouse, 82170) and carriers (Chronopost, Colissimo) for last-mile delivery.
- Transactional email: Mailgun (EU), to deliver acknowledgements, invoices and shipping notifications.
- Microsoft 365 services: internal professional email, calendars, documentation. Montandor tenant.
Each processor is bound by a Data Processing Agreement (DPA) covering the required contractual, organisational and technical safeguards. The current list is available on request at info@montandor.com.
6. International transfers
Data collected is stored and processed within the European Economic Area (Microsoft Azure West Europe, French logistics warehouse). A transfer to the Principality of Andorra may take place for internal administrative operations — Andorra benefits from a European Commission adequacy decision (2010/625/EU), guaranteeing a level of protection considered equivalent. No transfer to a third country without an adequacy decision occurs without standard contractual clauses or equivalent safeguards.
7. Security
We implement reasonable technical and organisational measures to protect your data: end-to-end TLS 1.3 encryption, tokenised payment (PCI-DSS Level 1), strict access control to internal systems, access logging, multi-factor authentication for admin accounts, daily encrypted backups, separation of production and test environments, periodic security audits. In the event of a breach likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours and, where the risk is high, inform you directly.
8. Automated decisions and profiling
No decision producing legal effects or significantly affecting visitors is made by fully automated processing. We apply automated anti-fraud rules to payment transactions (address verification, suspicious-behaviour detection); any blocking or cancellation decision can be contested by emailing info@montandor.com and triggers a human review by a member of our team.
9. Your rights
Under the GDPR and Andorran LQPD, you have the following rights regarding the data concerning you:
- Right of access to your data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten") under the conditions set by law.
- Right to restriction of processing.
- Right to portability of your data to another controller.
- Right to object to processing based on legitimate interest.
- Right to withdraw consent at any time for processing based on consent (e.g. newsletter).
- Right to set post-mortem directives.
- Right to lodge a complaint with the Andorran Data Protection Agency (APDA), the French CNIL or your local EU supervisory authority.
To exercise your rights, email info@montandor.com or use the boutique chat selecting "Privacy". Reasonable proof of identity may be requested to prevent impersonation.
10. Changes to this notice
This notice may evolve. The last-updated date is shown at the top of the page. Substantial changes (change of controller, change of purposes, addition of a new major processor) will be highlighted via a dedicated information banner for thirty (30) days.