Privacy Policy
Privacy Policy
This Privacy Policy describes how SARL Le Trabet processes personal
data collected through letrabet.com, in accordance with the General
Data Protection Regulation (Regulation (EU) 2016/679, “GDPR” /
“RGPD”) and French Loi Informatique et Libertés.
Versions in other languages. The French version of this policy is
the legal-binding version under French law. Other language versions are
provided for the convenience of international readers; in case of any
discrepancy, the French version prevails.
1. Data controller
The data controller (responsable du traitement) is:
| Field | Value |
|---|---|
| Legal entity | SARL Le Trabet |
| Represented by | Claudia Löhner, Gérante |
| Registered office | Le Trabet, 11170 Moussoulens, France |
| Phone | +33 7 82 75 20 06 |
| cl*****@******et.com |
Full legal identity (SIREN, RCS, TVA, etc.) is given in the
Legal Notice.
For any question regarding personal data, including the exercise of the
rights described in §6 below, contact Claudia Löhner directly using the
email address above.
2. What personal data we collect and why
We process personal data only for the specific purposes listed below.
We do not sell, rent, or trade personal data to third parties. We do
not use personal data for advertising profiling.
2.1 Booking enquiries via the contact form
| Data collected | Name, email address, subject, message content |
| Purpose | Respond to your enquiry and, where applicable, prepare a booking agreement |
| Legal basis | GDPR Art. 6(1)(b) — pre-contractual measures taken at your request |
| Recipients | SARL Le Trabet (Claudia Löhner). The message is delivered by email through our hosting and email provider, Gandi SAS (see §3). |
| Retention | Until the enquiry is resolved, then archived for up to three years to honour follow-up communication. Booking-related correspondence may be retained longer to comply with French commercial-record obligations. |
2.2 Guest reviews on /reviews/
When you submit a review through the Leave-a-Review form, we collect:
| Data collected | Name (or chosen display name), email address, review title, review text, gîte name, approximate date of stay. Optionally a photograph, if you upload one. |
| Purpose | Publish your review on the public /reviews/ page to help future guests; verify that the review is genuine before publishing. |
| Legal basis | GDPR Art. 6(1)(a) — your explicit consent given by submitting the form. |
| What is displayed publicly | Name, review title, review text, gîte, approximate date of stay, photograph (if uploaded). Your email address is never displayed publicly; it is used only to verify the review and contact you if we have a question. |
| Retention | Indefinite while the review remains published, unless you ask us to remove it (see §6). |
2.3 Cookies and similar technologies
A separate Cookie Policy describes each cookie set
by this website, including its purpose, duration, and consent
mechanism. By default no non-essential cookie is set before your
consent is given through the consent banner.
2.4 Server logs
Our hosting provider (Gandi SAS) maintains technical server logs in
the ordinary course of operating the website:
| Data collected | IP address, user-agent, requested URL, timestamp, HTTP response code |
| Purpose | Security monitoring, abuse prevention, technical debugging |
| Legal basis | GDPR Art. 6(1)(f) — legitimate interest of SARL Le Trabet in operating a secure and functional website |
| Retention | Up to 12 months (Gandi’s default retention; CNIL-recommended maximum for security logs) |
We do not consult, export, or analyse these logs for marketing or
profiling purposes.
3. Third parties involved in processing
Some operations require us to share personal data with service
providers (“sous-traitants” under GDPR Art. 28) acting on our written
instructions. We have selected providers that offer GDPR-compliant
processing terms.
| Provider | Role | Country | Data shared | Legal safeguard |
|---|---|---|---|---|
| GANDI SAS | Hosting, DNS, email transport | France (EU) | Everything stored on or transmitted through the website | EU establishment; processor contract (DPA) integral to Gandi’s standard terms |
| Cloudflare, Inc. | CDN and security layer in front of the site | United States (Anycast network with EU edge nodes) | Network metadata: IP address, user-agent, request headers | Cloudflare’s EU Standard Contractual Clauses (SCC), EU–US Data Privacy Framework certification |
| CleanTalk | Anti-spam filtering of form submissions | EU servers (per provider’s own documentation) | Form submission content, submitter IP, at the moment of submission | Provider DPA; data deleted from CleanTalk after 7 days per their retention policy |
| Google LLC (Google Maps, Google Fonts when used) | Maps rendering in the sidebar; web fonts | United States (with EU caching) | IP address, user-agent, referrer at the moment the resource loads | SCC for the United States transfer; we are working to self-host the affected resources to remove this transfer |
We use no analytics services (no Google Analytics, no
tracking pixels, no Facebook pixel, no Meta pixel) and no
marketing-automation platform on this website.
4. International transfers
Personal data we process is primarily stored within the European
Union, on Gandi infrastructure. Limited transfers to the United States
occur where Cloudflare and Google resources are involved (see §3). All
such transfers are protected by the EU Standard Contractual Clauses
(SCC) and, where applicable, the EU–US Data Privacy Framework
adequacy decision.
5. Data retention
| Data category | Retention period |
|---|---|
| Contact-form enquiry | Until resolved + up to 3 years archived |
| Booking-related correspondence | Up to 10 years (French commercial-record obligation) |
| Guest review (published) | Indefinite while consent stands; immediately on erasure request |
| Server logs | Up to 12 months |
| Cookie consent state | Up to 12 months, then re-prompted |
| Backups containing the above | Per backup cycle (rotational); on full erasure, the next backup cycle replaces the backup containing your data |
6. Your rights
Under GDPR Articles 15 to 22 and the French Loi Informatique et
Libertés, you have the following rights regarding personal data we
process:
| Right | What it means |
|---|---|
| Access (Art. 15) | Obtain confirmation that we process your data and a copy of that data |
| Rectification (Art. 16) | Have inaccurate data corrected |
| Erasure (Art. 17, “right to be forgotten”) | Have your data deleted, subject to legal-retention obligations |
| Restriction (Art. 18) | Have processing restricted in certain circumstances |
| Portability (Art. 20) | Receive a structured, machine-readable copy of data you provided |
| Object (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Withdraw any consent you previously gave; this does not affect prior processing |
| Define instructions on the fate of your data after death | French Loi Informatique et Libertés Art. 85 |
To exercise any of these rights, contact us by email at
cl*****@******et.com. We will respond within one month of receipt.
We may ask for proof of identity if there is reasonable doubt about
who is making the request.
If you believe your data has been processed in violation of the GDPR
or French data-protection law, you have the right to lodge a complaint
with the French supervisory authority:
Commission Nationale de l’Informatique et des Libertés (CNIL)
3 place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
https://www.cnil.fr/
7. Children
This website is not directed at children under 15 (the French age of
digital consent). We do not knowingly collect personal data from
children. If you believe a child has provided personal data through
this website, please contact us so we can delete it.
8. Security
We rely on Gandi’s infrastructure security (encryption in transit via
HTTPS, encryption at rest, access controls), supplemented by
WordPress-side hardening (admin two-factor authentication where
available, IP-based admin protections, anti-spam filtering). No system
can guarantee absolute security; we report personal-data breaches as
required by GDPR Art. 33–34.
9. Changes to this policy
We may update this Privacy Policy from time to time to reflect
changes in our processing or in legal requirements. The current
version date is shown below. Material changes will be notified through
a prominent notice on the website.
Last updated: 2026-05-29.