Privacy policy
Last updated: 28 May 2026.
This policy describes how Virginie Derrouet collects, processes and protects your personal data when you use this website, in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and the French Informatique et Libertés law of 6 January 1978, as amended.
The site was built with a strict data minimisation mindset: no public user accounts, no newsletters, no advertising tracking, no third-party audience cookies.
1. Data controller
The data controller is Virginie Derrouet, whose professional address is 17 boulevard des Évadés de France, Espace commerciale Épicentre, 66200 Elne, France.
For any question about this policy or your data, write to us at derrouetvirginie@gmail.com.
No data protection officer (DPO) has been appointed, as the activity does not require one under article 37 of the GDPR.
2. Data we collect
We collect only the data strictly necessary for the purposes described below:
Contact form data: first name, last name, email, phone number, message - entered by you when you submit the form.
Session data: a consent cookie and, where applicable, a technical session cookie - see the "Cookies" section below.
Anonymous technical data: aggregated visit statistics without any personal identifier (see "Audience measurement").
Server logs: IP address, user-agent, requested URL, response code - kept temporarily for security and debugging.
Sensitive data: no health data is processed through this site. Anything shared during a session remains strictly confidential and is never entered on the website.
3. Purposes, legal bases and retention periods
| Processing | Legal basis (art. 6 GDPR) | Retention |
|---|---|---|
| Reply to a contact request | Pre-contractual measures at your request | 30 days after the request is archived |
| Storage of your GDPR consent choice | Legal obligation (CNIL) | 12 months (cookie), 24 months (audit log) |
| Site security and abuse prevention | Legitimate interest | 30 days (info) to 1 year (incidents) |
| Anonymous audience measurement | Legitimate interest (anonymous processing, exempt from consent) | No individual data is stored |
4. Recipients and subcontractors
Your data is never sold, rented or transferred to third parties. It is accessible to Virginie Derrouet as well as to the following technical subcontractors, which act on our instructions and are bound by confidentiality and security commitments:
Infomaniak Network SA - site hosting (Geneva, Switzerland). Switzerland benefits from an adequacy decision from the European Commission, guaranteeing a level of protection equivalent to the EU.
Agence twini - site designer, technical maintainer and host of the internal services listed below (Saint-Estève, France). It accesses site data only during occasional maintenance and keeps no copy outside of these services:
a self-hosted instance of the open-source Plausible Analytics software for cookieless, anonymous audience measurement (see "Audience measurement" below);
a self-hosted instance of Cap Antispam to protect public forms (proof of work).
These services run on the agency's infrastructure, located in the European Union. No data is sent to upstream vendors (Plausible Inc., etc.).
Resalib - external appointment-booking platform accessible via the "Book an appointment" button. When you click that button you leave this site and enter Resalib's, which has its own privacy policy.
5. Cookies set on this site
In line with the ePrivacy directive and the CNIL's recommendations, this site uses no advertising cookies and no third-party audience cookies. Only strictly necessary cookies are set:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| | Stores your GDPR consent choice (HMAC-signed). | 12 months | Necessary |
Necessary cookies are, by nature, exempt from consent (article 82 of the French Informatique et Libertés law). You may delete them at any time through your browser settings, bearing in mind that this may impair the site's behaviour.
6. Anonymous audience measurement (Plausible)
This site uses a self-hosted instance, operated by Agence twini, of the open-source Plausible Analytics software (European Union). No data is sent to the upstream vendor Plausible Inc.: statistics are computed and stored internally, on the agency's infrastructure.
Plausible follows a privacy-by-design approach:
No cookie is set.
No IP address is stored. A rotating daily hash is generated locally from your IP and user-agent and immediately discarded: it is not possible to trace an individual visitor.
The data collected is exclusively aggregated (page views, country, device type, traffic source).
No data is shared with third parties or used for advertising purposes.
This setup does not require prior consent, in line with the CNIL's recommendation on anonymous audience measurement.
7. Search referencing and Google Search Console
This site is registered with Google Search Console in order to monitor its indexing by the Google search engine. This tool analyses, on Google's side, queries made on the public search engine; it sets no cookie on this site and collects no personal data about you when you visit. The search statistics provided to Virginie Derrouet are aggregated and anonymised by Google.
8. Spam protection (Cap)
Public forms are protected by Cap, an anti-spam system based on a proof of work performed by your browser. No cookie is set, no personal data is transmitted: only a cryptographic challenge is exchanged to verify that you are a human and not a robot.
9. Your rights
Under articles 15 to 22 of the GDPR, you have the following rights over your personal data:
Access: obtain a copy of the data we hold about you.
Rectification: correct any inaccurate or incomplete data.
Erasure ("right to be forgotten"): request the deletion of your data.
Restriction of processing: temporarily freeze the use of your data.
Objection: object to processing, in particular processing based on legitimate interest.
Portability: receive your data in a structured, commonly used, machine-readable format.
Post-mortem directives: set the fate of your data after your death (article 85 of the French Informatique et Libertés law).
Withdrawal of consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
To exercise these rights, write to us at derrouetvirginie@gmail.com, specifying your request. We will reply within a maximum of one month (article 12.3 GDPR).
If, after contacting us, you consider that your rights are not respected, you may lodge a complaint with the French data protection authority (CNIL).
10. Security
We implement technical and organisational measures appropriate to the risk: end-to-end TLS encryption (HTTPS), restricted and authenticated admin access, access logging, regular backups, automatic security updates, network segmentation on the hosting side.
In the event of a data breach likely to result in a risk to your rights and freedoms, we commit to notify the CNIL within 72 hours and to inform you directly if the risk is high.
11. Changes to this policy
This policy may evolve to reflect legal, technical or organisational changes. The date of the last update is shown at the top of this page; the applicable version is the one in force at the time of your visit. Where a substantial change occurs, additional information will be provided.
12. Useful links
Legal notice: information about the site's publisher, host and design.
CNIL: French data protection authority.
Full text of the GDPR on EUR-Lex.