1. Data controller
StashMe SAS is the data processor for personal data collected via the platform, within the meaning of the General Data Protection Regulation (GDPR). The Venue (the establishment using the service) is the data controller for its own customers' data.
2. Data collected
2.1 Venue user data (staff)
- Email address
- First and last name
- Password (stored as a bcrypt hash)
- Role (Administrator or Staff)
- Last login date
2.2 Venue customer data (end users)
- Phone number (if required by the Venue)
- First and last name (if required by the Venue)
- SMS marketing consent
- Cloakroom session data (hanger numbers, deposited items, timestamps)
- Payment data (processed by SumUp/Stripe, not stored by StashMe)
2.3 Technical data
- IP address
- Browser User Agent
- Anonymized analytics data (via Umami Analytics)
3. Purposes of processing
Data is collected for:
- Providing the cloakroom management service
- Generating digital tickets and QR codes
- Processing payments via third-party providers
- Sending service-related notifications (returns, reminders)
- Sending marketing communications (only with explicit consent)
- Improving the service through anonymized statistics
- Ensuring security and preventing fraud
4. Legal basis for processing
- Performance of contract : processing necessary for providing the service
- Consent : SMS marketing communications
- Legitimate interest : security, fraud prevention, service improvement
- Legal obligation : retention of billing data
5. Data sharing
Data may be shared with:
- SumUp / Stripe : payment processing
- Brevo : sending transactional emails and invitations
- The Venue : its own customers' data as part of the service
- Competent authorities : when legally required
StashMe never sells personal data to third parties. Data is not transferred outside the European Economic Area (EEA), except in the context of services provided by the above-mentioned providers, which have adequate safeguards (standard contractual clauses).
6. Data security
- Password encryption (bcrypt, 10 rounds)
- Encrypted communications (HTTPS/TLS)
- JWT authentication tokens
- Role-based access control (RBAC)
- PostgreSQL database with encrypted connections
7. Data retention
- User accounts : retained as long as the account is active
- Cloakroom sessions : retained for the duration of the Venue's subscription
- Payment data : retained in accordance with legal obligations (10 years for accounting records)
- Password reset tokens : 1 hour
- Invitations : 7 days
8. Your rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access : obtain a copy of your personal data
- Right to rectification : correct inaccurate data
- Right to erasure : request deletion of your data
- Right to restriction : restrict the processing of your data
- Right to object : object to the processing of your data
- Right to data portability : receive your data in a structured format
- Right to withdraw consent : withdraw your consent at any time
To exercise these rights, contact us at privacy@stashme.io. We will respond within 30 days.
You can also file a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertes): www.cnil.fr.
9. Sub-processing (DPA)
StashMe acts as a data processor within the meaning of Article 28 of the GDPR. A Data Processing Agreement (DPA) is available upon request for Venues that require one.
10. Contact
For any questions regarding the protection of your data: privacy@stashme.io