Personal Data Protection Policy – CKL Course

Last updated: February 25, 2026

METHODE CKL (hereinafter « CKL », « we » or « us »), as data controller, is committed to complying with the General Data Protection Regulation (GDPR – EU 2016/679) and the French Data Protection Act (law no. 78-17 of 6 January 1978, as amended). This policy explains how we collect, use, share, and protect your data within the CKL program.

  1. Data collected

We collect the following categories of data:

Category Examples Legal basis
Identify Name, surname, email, age, height, initial weight Performance of the contract (Art. 6-1.b GDPR)
Health/Well-being (optional) Weight loss goals, eating habits, physical activity, declared medical history Explicit consent (Art. 6-1.a + 9-2.a GDPR)
Payment Bank details (via Stripe), invoice history Performance of the contract + legal obligation (art. 6-1.b/c)
Technique IP address, device identifiers, platform access logs Legitimate interest (security, maintenance – art. 6-1.f)
Communications Coach/user messages, feedback Contract execution (art. 6-1.b)

Minors (<16 years old) require written parental consent.

  1. Purposes of the processing

Your data is used solely for:

  • Provide and personalize the journey (content, menus, coaching).
  • Manage subscriptions, payments and cancellations.
  • Improve the service (anonymous statistics).
  • Comply with legal obligations (invoicing, litigation).
  • Communicate (newsletters, support – unsubscribe possible).

No data is processed for commercial prospecting without prior consent.

  1. Shelf life
  • Contract details: Subscription duration + 5 years (tax/accounting obligations).
  • Health data: 1 year post-termination (or withdrawal of consent).
  • Logs techniques : 1 an.
  • Payment data: Deleted after 13 months (via PCI-DSS provider).

Data deleted or anonymized upon expiry.

  1. Data Recipients
  • CKL Team (limited access).
  • Secure technical service providers:
Role Localisation
Stripe/PayPal Payments EU/USA (standard contractual clauses)
Amazon Web Services Platform hosting United State
Zoom/Google Meet video appointment EU/USA (clauses GDPR)
Google Workspace Administrative emails UE
  • No transfer to third-party commercial entities. In the event of a legal audit, transmission to the authorities.
  1. Transfers outside the EU

For Stripe/Zoom (USA): Standard Contractual Clauses (SCCs) + GDPR-compliant Privacy Shield. Your data remains encrypted.

  1. Data Security
  • Encryption (HTTPS, AES-256).
  • Restricted access (2FA for coaches).
  • Daily encrypted backups.
  • Annual security audit.
  • CNIL/user notification within <72 hours if high-risk breach.
  1. Your GDPR rights

Practice them for free viacontact@parcours-ckl.fr(Attach proof of identity):

  • Access: Get a copy of your data.
  • RectificationCorrect the inaccuracies.
  • OppositionRefuse treatment (except for legitimate reasons).
  • Limitation: Temporarily suspend use.
  • Portability: Receive data in open format.
  • Suppression(« right to be forgotten »): Outside of legal obligations.
  • Withdrawal of consent: At any time (without retroactivity).

Response within 1 month (extendable to 2 months if complex). CNIL complaint:www.cnil.fr.

  1. Cookies and trackers
  • Essential cookies (navigation, security): 13 months max.
  • Analytics cookies (anonymized Google Analytics): Consent via banner.
  • Manage them via your browser or our banner.
  1. Data Controller

METHODE CKL

LOT 3 186 CHEMIN FABRY

83000 TOULON