Privacy Policy

This privacy policy supplements the legal notice of the website. Its purpose is to inform users clearly, fairly and transparently of the conditions under which their personal data is collected and processed on the website published under the brands About SXM and Guide Saint-Martin.

It complies with the following texts:

• Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data ("GDPR");
• French Data Protection Act no. 78-17 of 6 January 1978 ("Loi Informatique et Libertés");
• Directive 2002/58/EC of 12 July 2002 ("ePrivacy");
• Guidelines and recommendations of the French data protection authority (CNIL).

Effective date: April 24, 2026. Last updated: April 24, 2026.

Within the meaning of article 4.7 of the GDPR, the data controller is the website publisher (see Legal notice, §1). The controller alone determines the purposes and means of the processing activities carried out.

The website has not appointed a Data Protection Officer (DPO), as this appointment is not mandatory under article 37 of the GDPR given the nature and volume of processing activities. Any request may nevertheless be sent directly to the publisher at contact@about-sxm.com.

The website carries out the processing activities listed below. No processing of so-called "sensitive" data within the meaning of article 9 of the GDPR (health, political opinions, religious beliefs, sexual orientation, etc.) is performed.

Each processing activity is based on one of the legal grounds set out in article 6.1 of the GDPR:

• Performance of a contract or pre-contractual measures (art. 6.1.b): creation and management of the user account, authentication, password reset.
• Legitimate interest (art. 6.1.f): securing the website (logs, fraud detection), service improvement, responding to email inquiries. This legitimate interest is balanced against the rights and freedoms of data subjects and does not override their interests.
• Legal obligation (art. 6.1.c): retention of certain technical logs to respond to requests from judicial authorities (art. 6-II of the French LCEN, decree no. 2011-219).
• Consent (art. 6.1.a): where applicable, for any further processing not covered by the above bases (e.g. future newsletter subscription). Consent is then freely given, specific, informed and unambiguous, and may be withdrawn at any time.

Internal access

Only the publisher has access to the data, strictly limited to what is necessary for the performance of editorial and technical duties.

Processors

In accordance with article 28 of the GDPR, certain technical service providers act as processors, under the responsibility and documented instructions of the publisher:

• Host — IONOS SARL (France, EU): hosting of the website and database.
• Transactional email provider — used for verification and password reset emails. Data transmitted is limited to the email address and technical content strictly necessary.

Each processor provides sufficient guarantees regarding the implementation of the technical and organisational measures required by the GDPR. A processing agreement compliant with article 28.3 of the GDPR governs their involvement.

Legally authorised authorities

Data may be disclosed to judicial, administrative or prosecution authorities upon duly issued legal requisition (article 6-II of the LCEN).

No commercial transfer

Your data is never transferred, rented or sold to third parties for commercial, advertising or prospecting purposes.

Data is processed and stored within the European Union (IONOS hosting – Sarreguemines, France).

No data is currently transferred to a country outside the European Economic Area (EEA). Should such a transfer become necessary in the future, it would only be carried out in the presence of:

• an adequacy decision of the European Commission (art. 45 GDPR), or
• appropriate safeguards such as standard contractual clauses (art. 46 GDPR), or
• one of the derogations set out in article 49 GDPR.

Users would be informed through an update of this policy.

In accordance with the storage limitation principle (art. 5.1.e of the GDPR), data is kept only for the period strictly necessary for the purposes pursued:

At the end of these periods, data is either securely deleted or irreversibly anonymised for statistical purposes.

The publisher implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks (art. 32 GDPR), in particular:

• Password hashing using the bcrypt algorithm (PHP password_hash function) — passwords are never stored or transmitted in clear text;
• Encrypted HTTPS connection (TLS) for all exchanges between the browser and the server;
• Single-use, time-limited tokens for email verification and password reset;
• Protection against SQL injection (prepared statements) and against CSRF and XSS attacks;
• Database compartmentalisation and strict control over administrator access;
• Regular encrypted backups enabling restoration in the event of an incident;
• Regular updates of software components and security patches.

Data breach

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, the publisher will notify the CNIL within 72 hours (art. 33 GDPR) and, if the risk is high, inform the data subjects as soon as possible (art. 34 GDPR).

In accordance with article 8 of the GDPR and article 45 of the French Data Protection Act, the direct offer of information society services to a minor is lawful only where the minor is at least 15 years old. Below this age, consent must be given jointly by the minor and the holder of parental responsibility.

The website is not specifically aimed at minors. If you are under 15, you must not create an account without the permission of a parent or guardian. If we learn that an account has been created by a minor under 15 without parental authorisation, it will be deleted without delay.

Definition

A cookie is a small text file placed by a website on a user's device (computer, tablet, smartphone) and read during subsequent visits.

Cookies currently used

The website only uses cookies strictly necessary for its operation, exempted from prior consent in accordance with article 82 of the French Data Protection Act and the CNIL recommendation of 17 September 2020:

No third-party trackers

The website currently uses no advertising, analytics or social network cookies (Google Analytics, Meta Pixel, advertising networks, etc.). No third-party tracker is placed on your device.

Should the publisher in the future implement audience measurement or advertising personalisation tools requiring consent, an information banner compliant with CNIL requirements will be displayed prior to any deposit, and your consent will be collected in a free, specific, informed and unambiguous manner (art. 7 GDPR).

Settings

You may at any time configure your browser to accept, refuse or delete cookies. The main browsers offer this feature in their settings:

• Google Chrome
• Mozilla Firefox
• Safari
• Microsoft Edge

Refusing strictly necessary cookies may prevent certain website features from operating, notably login to your account.

This privacy policy may evolve to reflect legislative, regulatory, technical or organisational changes. Any substantial change will be brought to users' attention:

• through an update of the effective date and last updated date at the top and bottom of the document;
• where applicable, through direct notification (information banner or email) if the changes significantly affect your rights.

We recommend that you check this page regularly.