Global Privacy Policy
LAST UPDATED: SEPTEMBER 10TH, 2024
1. What is the purpose of this policy?
This policy aims to give you information about how Mirakl collects and processes your personal data in connection with the activities described in Section 2 below.
References in this policy to "you" or "your" are references to individuals whose Personal Data Mirakl processes in connection with those activities. References in this policy to "Mirakl", "we", "us" or "our" are references to Mirakl SAS and the other Mirakl Affiliates (together "Mirakl's group"). Mirakl SAS is a Société par Actions Simplifiée established at 12, rue de Lübeck, 75016 Paris.
This policy should be read together with Mirakl's other privacy policies, which cover specific processing activities not addressed here. In the event of any conflict between this policy and another Mirakl privacy policy applicable to a specific processing activity, the specific policy shall prevail.
This policy does not cover cookies. For information about how Mirakl uses cookies, please refer to our Cookie Notice accessible here.
2. What is the scope of this policy?
This privacy policy ("policy") applies to the processing of personal data by Mirakl in respect of the personal data of:
its prospects and clients' employees and business contacts (including prospects contacted in the context of Mirakl's business development activities);
the visitors of Mirakl premises;
its suppliers' employees and business contacts;
the visitors of the Mirakl website (
For information about how Mirakl processes personal data in the context of recruitment, please refer to our dedicated Recruitment Privacy Policy.
For the sake of clarity, this policy does not apply to the use by Mirakl clients' employees of Mirakl's cloud services, such use being covered by the policy made accessible in the relevant Mirakl cloud service.
3. Who is the controller for the personal data processed?
A "controller" is a person or an organisation who alone or jointly determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed.
This policy is issued on behalf of Mirakl as controller. Unless we notify you otherwise, Mirakl is the controller for your personal data.
4. What personal data do we process?
"Personal data" includes any information relating to an identified or identifiable natural person. It does not include data that cannot be linked to an individual (anonymous data).
We collect, use, store and transfer different kinds of personal data about you. We have grouped together the following categories of personal data to explain how this type of information is used by us. These terms are used throughout this policy:
Category | Description and examples |
Identity Data | First name, middle names, last name |
Contact Data | Email address and telephone number |
Professional Information | Your job title, email address, phone number |
Marketing and Communication Data | Information on when you receive and read marketing communications from us, which of our events you attend and marketing and communication preferences |
Usage Data | Includes information about your use of our Website, as well as our local area networking facilities (including WiFi) and similar electronic services, such as interactions with our mobile applications, information collected progressively when you visit our Website, including your referral website, pages you visit, actions you take, information on last viewed/visited site and details of the content viewed including when and how many times the content was viewed, patterns of page visits, time details per visits (e.g. visit duration, number of visits, time spent on each page, frequency of visits), details about the path followed with special reference to the sequence of pages visited, interactions, functionalities and modules used, chat messages. |
Technical Data | Includes technical information collected when you access our websites, our electronic portals and platforms, including your internet protocol (IP) address or domain names of the devices that are used, your login data, browser type and version, uniform resource identifier (URI) address, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you are using. |
CCTV and physical security data | CCTV footage and other information relating to access of our facilities obtained through electronic means, such as swipe card records. |
5. How is personal data collected?
We use different methods to collect personal data from and about you, including through the channels set out below:
When you give us your personal data in your direct interactions with us, notably (i) by filling in forms on our website, (ii) by corresponding with us by email or post, (iii) by contacting us on social media, or (iv) by speaking to us in person or over the telephone.
When you visit our website, review the publications or newsletters we send you, or when you visit our facilities. We also collect your personal data by using cookies, server logs and other similar technologies.
When we are provided with your personal data by third-party sources, including when you provide it to them for the purpose of sharing it with us, for instance professional intermediaries or event organizers. In relation to the use of our website, we may also receive Technical Data from analytics providers such as Google.
When you navigate on our websites, review the publications or newsletters we send you, and visit our facilities.
When we collect your data for prospection purposes.
6. What are the purposes and legal basis for which we will use your personal data?
We will only process your personal data when the law allows us to, that is, when we have a legal basis for the processing. Our processing activities may, depending on the context, be subject to the following legal bases:
"Performance of a contract": where we need to perform a contract which we are about to enter into or have entered into with you as a party or to take steps at your request before entering into such a contract.
"Legal or regulatory obligation": where we need to comply with a legal or regulatory obligation that we are subject to.
"Legitimate interests": where the processing is necessary for our interests (or those of a third party), provided that your fundamental rights do not override such interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.
"Consent": where you have provided your consent to our processing of your personal data.
In relation to our clients, prospects and visitors
Purpose and/or activity | Type of data | Legal basis for processing |
To manage our commercial relationships with prospects and clients, including maintaining contact records, reaching out about our services, and managing event participation | Identity Data, Contact Data, Professional Information, Marketing and Communication Data | Legitimate interests: developing and maintaining business relationships and promoting Mirakl's services |
To manage our contractual relationship with you and deliver the agreed services | Identity Data, Contact Data, Profile Data, Usage Data, Technical Data, Professional Information, CCTV Data | Performance of a contract |
To manage and protect our business, including improving data security, troubleshooting data and systems, system maintenance and testing, data hosting, managing our offices and other facilities | Identity Data, Contact Data, Profile Data, Usage Data, Technical Data, Marketing and Communications Data, Professional Information | Legitimate interests: ensuring the efficient and secure running of our business, including through office and facilities administration, maintaining information technology services, network and data security, fraud prevention and improving or reorganising our infrastructure or the Mirakl group |
To invite you to take part in marketing or other promotional events, or client seminars or similar events, and to manage your participation in them | Identity Data, Contact Data, Profile Data, Usage Data, Technical Data, Marketing and Communications Data, Professional Information, Professional History | Legitimate interests: ensuring our client records are up-to-date, promoting our client services and visitor services, receiving feedback, improving our services and identifying ways to grow our business |
To identify services or products which might interest you, and to send you marketing or to contact you by other means to offer you our client services or visitor services | Identity Data, Contact Data, Profile Data, Usage Data, Technical Data, Marketing and Communications Data, Professional Information, Professional History | Legitimate interests: promoting our client services and visitor services, identifying ways to grow our business |
To ask you for feedback about our client services or visitor services, and to manage, review and act on the feedback we are getting | Identity Data, Contact Data, Profile Data, Marketing and Communications Data, Professional Information | Legitimate interests: reviewing how clients use, and what they think of, our client services and visitor services, improving them and identifying ways to grow our business |
In relation to Suppliers and Service Providers
Purpose and/or activity | Type of data | Legal basis for processing |
To check whether we would have a conflict of interest in appointing you as a supplier | Identity Data, Contact Data | Legal or regulatory obligation |
To take you on as a new supplier including performing background checks | Identity Data, Contact Data, Financial Data, Services Data, Professional Information | Legitimate interests: ensuring we do not deal with proceeds of criminal activities or assist in any other unlawful or fraudulent activities for example terrorism |
To manage payments, fees and charges | Identity Data, Contact Data, Financial Data, Professional Information | Performance of a contract |
Where we provide you access to our systems or our offices, we need to manage and protect our business, including improving data security, troubleshooting data and systems, system maintenance and testing, data hosting, managing our offices and other facilities | Identity Data, Contact Data, Profile Data, Usage Data, Technical Data, Professional Information | Legitimate interests: ensuring the efficient and secure running of our business, including through office and facilities administration, maintaining information technology services, network and data security |
In relation to use of our Website
Purpose and/or activity | Type of data | Legal basis for processing |
To manage and protect our business and our Website, including improving data security, troubleshooting data and systems, system maintenance and testing, data hosting and reporting | Contact Data, Identity Data, Technical Data, Usage Data | Legitimate interests: ensuring the efficient and secure running of the Website, including through maintaining information technology services, network and data security |
To deliver relevant Website content to you and measure or understand the effectiveness of the content we serve to you | Contact Data, Identity Data, Technical Data, Usage Data | Legitimate interests: providing relevant content and identifying ways to grow our business |
To use data analytics to improve our Website, our services, marketing, customer relationships and experiences | Technical Data, Usage Data | Legitimate interests: reviewing how clients use and what they think of our Website, improving our Website and identifying ways to grow our business |
In relation to CCTV and physical security
Purpose and/or activity | Type of data | Legal basis for processing |
Detection and prevention of crime; detection and prevention of safety incidents; supporting safety, security and internal investigations; supporting criminal investigations. | CCTV and physical security data | Legitimate interests: ensuring the protection of individuals and goods in Mirakl's premises |
7. How do we use personal data relating to other individuals collected from you?
On certain occasions, you may provide us with personal data of individuals who are not aware of our involvement or of our processing of their personal data. In such situations, we are likely to not have direct contact with individuals whose personal data we are processing, or it may for other reasons (for instance, to maintain confidentiality) not be appropriate for us to provide them with a privacy notice setting out how we process their personal data. Before you pass any such personal data to us, you must therefore ensure that the relevant individuals have received any requisite privacy notices and there is an applicable legal basis to pass us such personal data in connection with your use of our Website, electronic portals and platforms, or any other interaction covered by this policy.
8. Who has access to your personal data?
We may have to share your personal data with the entities and persons set out below for the purposes for which we collected the personal data, as detailed in Section 6 (Purposes and legal basis for which we will use your personal data).
Your personal data will be shared within the Mirakl Group between the Mirakl Group Entities (which are listed on our website). As an international firm, we may share your personal data between Mirakl offices and entities to ensure the efficient operation of our company and to provide the highest quality of client services.
Where required, we will (subject to applicable laws, our professional obligations and any terms of business which we may enter into with you) disclose your personal data to:
(i) any person or entity to whom we are required or requested to make such disclosure by any court of competent jurisdiction or by any governmental, taxation or other regulatory authority, law enforcement agency or similar body;
(ii) our professional advisers or consultants, including lawyers, bankers, auditors, accountants and insurers providing consultancy, legal, banking, audit, accounting or insurance services to us;
(iii) any financial institutions providing finance to us;
(iv) service providers and Mirakl's subcontractors who provide information technology and system administration services to us.
If you ask us to do so in relation to services you are providing, we may disclose your personal data to other persons or entities as instructed.
We may share your personal data with persons or entities outside of Mirakl to whom we may sell or transfer parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the part of our business that is sold, acquired or is the merged entity may use your personal data in the same way as set out in this policy.
We require any person or entity to whom we disclose personal data to respect the confidentiality and security of your personal data and to treat it in accordance with applicable laws and regulations. We do not allow such recipients of your personal data to use it for their own purposes, and we only permit them to process your personal data for specified purposes and in accordance with our instructions.
Third-party websites
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
9. Where do we transfer your personal data?
In some cases, the parties which we use to process personal data on our behalf are based outside the EEA and/or the United Kingdom, therefore their processing of your personal data may involve a transfer of such data outside the EEA and/or the United Kingdom. Similarly, in the course of our activities involving parties based outside of the EEA and/or the United Kingdom, we may be required to share relevant personal data with them. In such a case, we will only share the minimal amount of personal data necessary for the purpose of processing and, where possible, we will share the personal data in an anonymised form.
Whenever we transfer your personal data out of the EEA and/or the United Kingdom, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission (in the case of transfers out of the EEA) or the United Kingdom Government (in the case of transfers out of the United Kingdom); and/or
Where we use certain service providers, we may use specific contracts approved by the European Commission (in the case of transfers out of the EEA) and/or the United Kingdom Government (in the case of transfers out of the United Kingdom), in both cases which give personal data the same protection it has within the EEA and/or United Kingdom as applicable.
10. How do we keep your personal data safe?
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
We ensure that those who have permanent or regular access to personal data, or that are involved in the processing of personal data, or in the development of tools used to process personal data, are trained and informed of their rights and responsibilities when processing personal data.
11. How long do we keep your personal data?
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for. This includes, for example, satisfying any legal, regulatory, accounting or reporting requirements, or the establishment or defense of legal claims.
More precisely, we will comply with the following retention periods:
Data type | Retention period |
Contracts concluded with our clients and partners | 5 years from the end of the contractual relationship. Exception: 10 years for contracts concluded electronically for an amount exceeding 120€ |
Commercial correspondence (purchase orders, delivery notes, invoices, etc.) | 10 years from the end of the accounting period |
Data processed for prospecting purposes | For clients: 3 years from the end of the commercial relationship. For prospects: 3 years from the date of collection or from the last contact initiated by the prospect |
Technical data | 1 year from the date of collection |
CCTV | 1 month from the date of collection |
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
12. What are your rights?
Under certain circumstances, you might have the following rights under data protection laws over your Personal Data:
Right to be informed about how personal data is used – you have a right to be informed about how we will use and share your personal data. This explanation will be provided to you in a concise, transparent, intelligible and easily accessible format and will be written in clear and plain language.
Right to access personal data – you have a right to obtain confirmation of whether we are processing your personal data, access to your personal data and information regarding how your personal data is being used by us.
Right to restrict processing of personal data in certain circumstances – you can request the restriction of the processing during a limited period of time, in particular in order to carry out some verifications, where one of the following applies:
you contest the accuracy of your personal data, the processing of which is thus restricted for the period necessary for us to verify the accuracy of such personal data;
you object to the erasure of your personal data on the ground of the processing being unlawful and you request the restriction of their use;
we no longer need your personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims;
you have objected to the processing, which is thus restricted pending the verification of whether our compelling legitimate grounds may override your interests, rights and freedoms.
Right to object to processing of personal data in certain circumstances, including where personal data is used for marketing purposes – you have a right to object to processing being carried out by us if (a) we are processing personal data based on legitimate interests or for the performance of a task in the public interest (including profiling), (b) if we are using personal data for direct marketing purposes, or (c) if information is being processed for statistical purposes.
Right to data portability – in certain circumstances you can request to receive a copy of your personal data in a commonly used electronic format. This right only applies to personal data that you have provided to us (for example by completing a form or providing information through a website). The right to data portability only applies if the processing is based on your consent or if the personal data must be processed for the performance of a contract and the processing is carried out by automated means (i.e. electronically).
Right to have personal data erased in certain circumstances – you can request the deletion of your personal data (or right to be forgotten), where one of the following legal grounds applies:
you object to the processing of your personal data and there are no overriding legitimate reasons justifying the continued processing of your personal data;
you object to marketing activities;
you decide to withdraw your consent on which the processing is based;
your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the use that is made of your data does not comply with the applicable legal or regulatory provisions.
If you are based in France, you can define either general or specific guidelines regarding your personal data in the event of your death (for example, their deletion or transmission to any person of your choice). You may revoke your instructions at any time.
If you are based in the USA, you additionally have:
the right to request us to restrict the use of your sensitive personal information such as social security number, religious beliefs etc. by limiting its use and disclosure for specific business purposes;
the right to opt out of the sale of your personal information to third parties. Note that we are not selling your personal information nor planning to sell it;
the right to know, which is materialized by the existence of this policy.
Under certain circumstances, we may ask you for specific information to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.
If you have any questions or wish to exercise your rights, you may fill in this form or directly contact us by sending an email to privacy@mirakl.com.
If needed, you may also lodge a complaint with your national data protection authority. This right may be exercised at any time and free of charge, excluding any postal fees or expenses related to legal representation or assistance should you choose to engage third-party assistance for the procedure.
If you have any concerns or would like to make a complaint about our processing of your personal data, please contact us at privacy@mirakl.com or complete this form.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). We may also contact you to ask you for further information in relation to your request to speed up our response.
In many jurisdictions, including but not limited to in the European Union, you have recourse with your nation's data protection authority. In France, you can contact the CNIL, 3 place du Fontenoy.
Please note that we may update this policy from time to time. We therefore encourage you to review this policy regularly to stay informed of any changes. The current version of the policy is available on our website.