PRIVACY POLICY

PREAMBLE

The purpose of this privacy policy (the “Policy”) is to provide clear and transparent information on how BAAL-r / SAS AGAM (“BAAL-r”, “we”) collects and processes your personal data (“Personal Data”) when you use the baalr.com website (the “Site”).

BAAL-r carries out this processing in accordance with the regulations in force, and in particular:
– Regulation (EU) 2016/679 of 27 April 2016 (GDPR),
– and Law No. 78-17 of January 6, 1978, as amended (Information Technology and Freedoms, “LIL”).

This Policy may be updated to reflect legislative and regulatory developments, changes to our practices or any improvement to our services. In the event of a substantial modification, BAAL-r will inform the persons concerned by any appropriate means (information banner on the Site, email, time-stamped update of the Policy, etc.).


ARTICLE 1 – DEFINITIONS

For the purposes of this Policy, the terms below have the following meanings:

  • “Order” : operation by which a User purchases one or more Products on the BAAL-r Site.

  • “Account” : personal space created (or activated) by the User following a first Order, associated with their identification information and the history of their Orders.

  • “Personal data” : any information relating to an identified or identifiable natural person within the meaning of Art. 4.1 GDPR (e.g. surname, first name, email, address, pseudonymised payment data, identifiers, browsing data, etc.).

  • “Data Subjects” / “You” : any natural person whose Data is processed by BAAL-r within the framework of the Site and the Services.

  • “Products” : clothing and underwear offered for sale by BAAL-r on the Site.

  • “Data controller” : the legal entity which determines the purposes and means of the Processing (here, SAS AGAM – BAAL-r ).

  • “Services” : all the functionalities made available via the Site (navigation, account, placing/tracking Orders, after-sales service, reviews, marketing, etc.).

  • “Subcontractor” : any entity processing Data on behalf of the Controller, on the latter’s instructions (e.g. Shopify host/e-commerce platform, PSP, logistician).

  • “Processing” / “Process” : any operation carried out on Data (collection, recording, organization, storage, extraction, consultation, use, communication, interconnection, limitation, erasure, destruction) – art. 4.2 GDPR.

  • “User” : any natural person who accesses the Site and uses its Services, acting as a consumer.


ARTICLE 2 – IDENTITY OF THE DATA CONTROLLER & CONTACTS

2.1 Data controller

Your Personal Data is collected and processed by SAS AGAM (BAAL-r), which determines the purposes and means of the Processing (art. 4.7 GDPR).
Address : Savignac, 12410 Salles-Curan, France
SIREN : 915 000 889 – SIRET : 915 000 889 00013 – VAT : FR67915000889

2.2 “Privacy” / GDPR contact point

BAAL-r has not appointed a DPO within the meaning of Art. 37 GDPR. For any questions or to exercise rights (see Art. 11):

  • Email : contact@baalr.com

  • Mail : BAAL-r / SAS AGAM – RGPD, Savignac, 12410 Salles-Curan, France

We acknowledge receipt and respond within one (1) month, extendable by two (2) months depending on the complexity and number of requests (art. 12 GDPR). You will be informed in the event of an extension.

2.3 Identity verification

As part of the exercise of your rights, BAAL-r may ask you for proof of identity when necessary to prevent unauthorized access (art. 12.6 GDPR). A copy of this proof is kept for a maximum of one (1) year (see Art. 8).

2.4 Complaints to the supervisory authority

Without prejudice to any other recourse, you have the right to lodge a complaint with the competent authority (in France: CNIL, www.cnil.fr) if you believe that the Processing of your Data constitutes a violation of applicable regulations.


ARTICLE 3 – CONTEXT OF THE PROCESSING

BAAL-r collects and processes Data about you when you use the Services. This Data may be provided by you, generated automatically during navigation, or come from authorized third parties.

3.1 Origin of the data

  • Data you provide : Account creation/management, Order, contact forms, after-sales service/return requests, submission of reviews, participation in games/surveys, newsletter registration, exercise of GDPR rights.

  • Data collected automatically : technical and browsing data (IP, cookies/tracers, logs, pages viewed, device, OS, browser), audience measurement.

  • Data received from third parties :
    PSP (e.g. bank card, PayPal/Klarna if offered): payment confirmations, statuses, anti-fraud;
    Logistics/transport : delivery/tracking information;
    Review & emailing tools : management of product reviews and campaigns (if consent is given);
    Social networks : if you interact with our accounts/sharing buttons (depending on your settings).

3.2 Collection times

Navigation; creation/use of Account; placing/tracking Order; payment; contacting customer service; newsletter subscription; submitting reviews; games/surveys; exercising rights.

3.3 Mandatory nature

Some Data is required to provide the Services (e.g. delivery, invoicing, payment). Otherwise, we may not be able to fulfill the Order or respond to your request. Mandatory fields are indicated at the time of collection.

3.4 Minors

The Services are intended for adults (18+). If we are informed of the collection of Data from a minor, we delete this Data as soon as possible, unless valid parental consent is required.

3.5 Accuracy and Update

You agree to provide accurate and up-to-date information, and to notify us of any changes (e.g. address).


ARTICLE 4 – PURPOSES AND LEGAL BASES

We only collect strictly necessary data. Each purpose is based on a legal basis provided for by the GDPR. Consent can be withdrawn at any time (see Art. 11).

  1. Contacts / complaints / after-sales service : receipt/processing of requests, history – legitimate interest / execution of the contract / consent if required.

  2. Order Management : placing/executing the contract, preparing/shipping, tracking, returns/credits/refunds – contract execution .

  3. Accounts : creation, authentication, history – contract execution ; options not required – consent .

  4. Payment : processing via PSP , 3-D Secure/SCA, anti-fraud, accounting – contract execution / legal obligations .

  5. Prospecting / newsletters : sending offers/news, subscription management, performance measurement – consent (opt-in) or legitimate interest for customers (simple opt-out).

  6. Product reviews : collection/publication/moderation – consent ; moderation – legitimate interest .

  7. Security / administration / analytics : IT security, maintenance, audience measurement, non-intrusive A/B tests – legitimate interest ; non-essential cookies – consent .

  8. GDPR/LIL rights : management of requests (access, rectification, erasure, opposition, etc.) – legal obligation .

  9. Legal obligations : conservation, litigation, responses to authorities, taxation/accounting – legal obligation / legitimate interest (legal defense).

  10. Transparency of legitimate interest : balancing available on request (see Art. 2).


ARTICLE 5 – DATA COLLECTED

5.1 Identification & contact details

Title, last name, first name; email; telephone; billing/delivery addresses; Account (username, hashed password), preferences, history.

5.2 Order data & business relationship

Order references, contents, amounts, discounts; delivery method and status; returns/credit notes/refunds; after-sales service exchanges and timestamps.

5.3 Payment data (via PSP)

Payment method used; transaction status, references, timestamp; anti-fraud signals (IP/session).
BAAL-r does not store the full card number (PAN) or CVV; this data is processed only by the compliant PSP (e.g. PCI-DSS). Transaction identifiers may be stored for evidence and anti-fraud purposes (see Art. 8).

5.4 Prospecting & subscriptions

Email, preferences, open/click metrics, unsubscribes.

5.5 Product Reviews & Content Provided

Pseudonym/name, email (not published), review text, possible photo; “verified buyer”; moderation elements.

5.6 Technical data & navigation (cookies/tracers)

IP, device/OS, browser, language; logs (page views, paths, time, referrer, UTM); cookies/identifiers. See Art. 9 for categories, durations and choices.

5.7 Data from third parties

PSP, logistics, emailing/notifications, social networks (depending on your settings).

5.8 Data not collected (minimization)

No intentional collection of special categories of data (Art. 9 GDPR: health, political opinions, religious beliefs, etc.). Please do not send us any medical information; limit customer service messages to what is necessary.


ARTICLE 6 – DETAILS ON PAYMENT SERVICES

6.1 PSP (Payment Service Provider)

Payment is redirected to a PSP (e.g., credit card, PayPal/Klarna if offered). The PSP applies its own terms/policies.

6.2 Data exchanged

Amount, currency, order references; basic identity (name, email), sometimes addresses; technical security elements (IP, session) for anti-fraud. No retention by BAAL-r of PAN/CVV.

6.3 Fight against fraud / AML-CFT

The PSP carries out its own controls (KYC, risk scoring, AML-CFT obligations) under its responsibility.

6.4 Status as controller / subcontractor

For collection: contract execution basis (BAAL-r as controller; PSP as subcontractor or independent controller depending on the flow). For AML-CFT/accounting: independent controller (PSP).

6.5 DSP2 / Strong Authentication (SCA)

The PSP may require strong authentication (3-D Secure). Lack of SCA may prevent completion.

6.6 Incidents and disputes

In case of refusal/chargeback/suspicion of fraud: suspension/cancellation possible; requests for additional information. Basis: performance of the contract / legitimate interest (security).

6.7 Conservation

Supporting documents/transactions: 13 months (15 months for deferred debit cards) for proof purposes; accounting documents 10 years (see Art. 8).


ARTICLE 7 – RECIPIENTS OF THE DATA

7.1 Internal recipients (BAAL-r / SAS AGAM)

Customer Service/After-Sales Service; Logistics; Accounting/Finance; Marketing/CRM; IT/Security. Least privilege access and appropriate logging.

7.2 Subcontractors (art. 28 GDPR)

  • Hosting & e-commerce platform: Shopify (site, database, backups);

  • PSP (payments, SCA, anti-fraud);

  • Transport/Logistics (preparation, delivery, returns);

  • Support/ticketing; emailing & marketing automation; review collection/moderation; analytics & A/B testing; application security; archiving & backups; accountants/auditors; legal advice.
    Each subcontractor is bound by a contract imposing confidentiality, security and compliance with our instructions.

7.3 Independent controllers

PSP (for own obligations), social networks (if interaction), external review platforms (if you publish with them).

7.4 Authorities and bodies

Communication limited to what is necessary to meet legal obligations (judicial, administrative, tax, CNIL, mediators, ODR).

7.5 Reorganization operations

In the event of a merger/sale/restructuring, supervised transmission (confidentiality/security/subsequent information if required).

7.6 Cookies & third-party trackers

See Art. 9 (audience measurement, marketing, social).

7.7 Aggregated/Anonymized Data

Possible production of non-identifying statistics.


ARTICLE 8 – RETENTION PERIODS

BAAL-r keeps your Data for the time necessary for the purposes, then deletes or anonymizes it, or archives it with restricted access (proof). Excerpts:

| Purpose | Data (examples) | Duration |
|---|---|---|
| Contacts / After-sales service | identity, message, supporting documents | Processing time + up to 3 years after last contact |
| Orders | details, deliveries, returns | Execution + 5 years (contractual proof) |
| Invoicing / accounting | invoices, accounting entries | 10 years (legal obligation) |
| Payments (PSP) | transaction ref., tokens | 13 months (15 months deferred debit) – proof |
| Customer account | identifiers, history | 3 years after last access/interaction |
| Prospecting | email, preferences, metrics | Until withdrawal of consent / 3 years after last contact |
| Product reviews | content, metrics | Until consent is withdrawn; moderation rejected: 1 year |
| Security / logs | technical logs | 6–12 months (major incidents: up to 5 years) |
| Cookies | identifiers | Cookies ≤13 months; associated measurements ≤25 months |
| GDPR rights | request file | Duration of processing + 6 years (proof); ID copy ≤1 year |
| Disputes | documents / exchanges | During the procedure + limitation period (≈ 5 years in civil law) |

Technical backups: limited rolling retention (≈ 30–90 days), very restricted access.


ARTICLE 9 – COOKIES AND OTHER TRACKERS

9.1 What is a cookie/tracker?

Small file/identifier placed on your device (or equivalent mechanism: LocalStorage, pixels, SDK, etc.). It allows us to remember your choices, secure the session, measure the audience or adapt our content/offers.

9.2 Who places them?

  • BAAL-r : “first-party” cookies necessary for operation.

  • Third parties : audience measurement, advertising, social networks, emailing, A/B testing (their policies apply).

9.3 Legal basis

  • Necessary : placed without consent (legitimate interest in providing a functional and secure site).

  • Non-essential (targeted advertising/retargeting, advanced personalization, non-exempt audience measurement, social): only with your consent (banner). Opt out at any time.

9.4 Categories & indicative durations

  • Necessary/technical (session, shopping cart, security) – without consent – session to 12 months;

  • Exempt audience measurement (CNIL conditions) – without consent – cookies ≤13 months, measurements ≤25 months;

  • Advanced measurement / personalization / marketing / social – with consent – 3 to 13 months (cookies) / ≤25 months (measurements).

9.5 Possible tools

Analytics/performance; non-intrusive A/B testing; advertising pixels; emailing; social integrations. Some may involve transfers outside the EU (see Art. 10).

9.6 Your choices

On arrival: consent banner (accept all, refuse all, configure).
At any time: “Configure my cookies” link in the footer.
Browsers/mobile: possible settings (total blocking may degrade certain functions).

9.7 Do Not Track (DNT)

Supported when using compatible tools; also use our preference manager.

9.8 Transparency & Updates

The list of categories and purposes is kept up to date in the consent manager. This section may change.


ARTICLE 10 – DATA TRANSFERS OUTSIDE THE EU/EEA

10.1 Principle

We prefer to process data within the EU/EEA. However, some providers (e.g., Shopify, CDN, email, analytics, support, PSP) may involve transfers or access from third countries.

10.2 Legal framework

  • Commission adequacy decisions ;

  • Standard Contractual Clauses (SCC) (EU 2021/914), with additional measures if necessary;

  • BCR when available;

  • Exceptions to Art. 49 GDPR only in exceptional circumstances (explicit consent, contractual necessity, legal defense).

10.3 Additional measures (post-Schrems II)

Transfer Impact Assessments (TIAs), strong encryption in transit/at rest, pseudonymization/minimization, access control, logging, enhanced contractual obligations (confidentiality, notification, deletion/return).

10.4 Transparency

Additional information (guarantees, categories of recipients) is available on request at contact@baalr.com. Some information may be withheld for security or business-secrecy reasons.


ARTICLE 11 – YOUR RIGHTS

In accordance with the GDPR/LIL, you have the following rights:

  • Access (art. 15), rectification (16), erasure (17), limitation (18);

  • Opposition (21), in particular to prospecting (unsubscribe link in each email);

  • Portability (20) for data provided, automated processing based on consent/contract;

  • Withdrawal of consent (7) at any time;

  • Automated decision : no decision producing legal effects taken exclusively in an automated manner without human intervention;

  • Post-mortem instructions (art. 85 LIL).

Exercise your rights : contact@baalr.com (specify the right exercised, the scope and a reply address).
Deadlines : 1 month (extendable by 2 months). Proof of identity possible (see Art. 2.3).
Manifestly unfounded/excessive requests: BAAL-r may refuse or demand reasonable fees (reasons provided).
Complaint : CNIL (www.cnil.fr).


ARTICLE 12 – SECURITY OF PERSONAL DATA

BAAL-r implements appropriate technical and organizational measures (art. 32 GDPR):

12.1 Governance & responsibilities

Security policy; privacy by design/by default principles; minimization; confidentiality commitments; awareness/training of authorized personnel.

12.2 Access control & authentication

Principle of least privilege; logging; MFA for sensitive accounts; strong passwords (hashed storage).

12.3 Encryption & Key Management

Up-to-date TLS in transit; encryption at rest according to service provider capabilities; controlled key management.

12.4 Secure Development & Patches

Best practices (e.g. OWASP), vulnerability management and prioritized patches.

12.5 Logging, Monitoring & Detection

Sensitive access/action logs; monitoring of abnormal events; alerts.

12.6 Physical security & hosting

Recognized providers (including Shopify), physical access controls, redundancies, environmental protections.

12.7 Backups, PCA/PRA

Periodic backups; restoration tests; limited retentions (see Art. 8).

12.8 Subcontracting chain

Contracts art. 28 GDPR (confidentiality, security, assistance, incident notification, deletion/restitution, audits).

12.9 Payment Data

Processing via compliant PSP (e.g. PCI-DSS). BAAL-r does not store PAN/CVV.

12.10 Testing, auditing & improvement

Vulnerability scans; key service provider audits; continuous improvement plan.

12.11 Incidents & Violation Notification

Internal procedure; CNIL notification ≤72 hours in the event of risk (art. 33); information of individuals if high risk (art. 34).

12.12 User Responsibilities

Unique/strong password; do not share your login details; log out on shared workstations; keep your systems up to date; report any suspicious activity.

12.13 Limits

Since no system is invulnerable, BAAL-r undertakes to take due care to prevent and deal with any incident in accordance with regulations.

12.14 Security Contact

contact@baalr.com (subject: “Security – Potential Incident”).


ARTICLE 13 – THIRD-PARTY LINKS / SERVICES & SOCIAL NETWORKS

13.1 Outgoing links & embedded content

The Site may contain links/embeds to third-party services (carriers, reviews, social networks, PSPs). By interacting, you leave our environment or authorize third-party trackers (see Art. 9). These third parties act under their own responsibility.

13.2 Social Plugins, Pixels and SDKs

“Share” buttons, advertising pixels:

  • Legitimate interest for strictly necessary measures;

  • Consent for marketing/retargeting and non-essential features.
    Withdrawal at any time via the cookie manager.

13.3 Social messaging & after-sales service consolidation

If you contact us via social media, your messages are processed by BAAL-r to respond (legitimate interest/contract performance) and by the platform according to its policy. For sensitive information, please use contact@baalr.com.

13.4 Social Login (SSO)

If proposed: transmission of profile data with your agreement, revocable; deletion of the BAAL-r Account does not entail that of the third-party account.

13.5 Advertising & Custom Audiences

Subject to your consent, possible use of advertising pixels/"audiences" (hashed emails); opt-out at any time (unsubscribe link / cookie manager / platform settings).

13.6 Official Pages & Limited Co-Liability

For certain pages (e.g. “Insights”), the platform remains responsible for the trackers; BAAL-r only receives aggregated statistics. Exercise of rights possible with the platform and/or BAAL-r.

13.7 Competitions, sponsorship, influence

Regulations specifying data and responsibilities; transfers outside the EU possible (see Art. 10).

13.8 Marketing Traceability & UTM

Attribution measurements (UTM) – legitimate interest / consent if marketing tags enabled.


ARTICLE 14 – POLICY CHANGES & EFFECTIVE DATE

14.1 Principle of evolution

BAAL-r may modify the Policy to take into account:
– legal/regulatory developments (GDPR, LIL, CNIL lines, DSP2, etc.),
– organizational changes (providers/tools),
– technical developments (Site/Services),
– the extension of the purposes/categories of Data.

14.2 Nature of modifications & information

  • Substantial : prior information by appropriate means; consent obtained if required (e.g. new non-essential cookies).

  • Non-substantial : effective upon publication.

14.3 Effective Date

Unless otherwise stated, the Policy is effective upon publication; for processing requiring consent, changes apply after obtaining consent.

14.4 Continued Use

Use of the Site after it comes into force constitutes acceptance of the updated version, without prejudice to your rights (opposition, withdrawal of consent, see Art. 11).

14.5 Access to previous versions

Upon request, BAAL-r can provide a summary of material changes that have occurred (some information may be withheld for security or business-secrecy reasons).

14.6 Version, Effective Date & Contact

Version : 1.0 – Effective date : 16/10/2025
Contact (questions / rights): contact@baalr.com

14.7 Linguistic prevalence

Where the Policy is translated, the French version shall prevail in the event of any discrepancy in interpretation.


Useful contact details (reminder)

BAAL-r / SAS AGAM – Savignac, 12410 Salles-Curan, France
GDPR contact : contact@baalr.com