Personal data and cookies

Legal bases

Version No. 001 dated 06/11/2025

Department responsible for publication: Hexa-GO

1. Who processes your personal data?

Hexa-GO (hereinafter “we” or “the Company”) places the protection of your personal data at the heart of its priorities.

This Privacy Policy sets out the principles and guidelines for the protection of your Personal Data and aims to inform you about:

  • The Personal Data we collect and why we collect it,
  • How your Personal Data is processed,
  • Your rights regarding your Personal Data.

We are committed to complying with applicable personal data regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), as well as all applicable national regulations (“the Regulation”).

2. What personal data is processed by our services?

We commit to collecting only the data that is strictly necessary for the direct or indirect provision of the subscribed services when these require the processing of personal data of our clients (or our clients’ customers). When optional data is requested, we will clearly inform you which Personal Data is required and which is voluntarily provided by you.

The Company mainly processes Personal Data collected directly from you, such as:

  • Identification data: title, last name, first name, postal address, email address, phone number. For business clients: the above + company name, VAT number.
  • Connection data: logs, browsing data, etc.
3. Why do we process your personal data?

We commit to processing your personal data for specific, explicit, and legitimate purposes, and not to process it in a manner incompatible with those purposes.

Legal bases:

Each processing activity carried out by the Company, as Data Controller, is based on at least one of the legal bases defined by the Regulation:

  • Performance of a contract to which the data subject is a party, or pre-contractual measures taken at their request,
  • Compliance with legal and regulatory obligations applicable to the Company,
  • Protection of vital interests of the data subject or another natural person,
  • Performance of a task carried out in the public interest,
  • Legitimate interests pursued by the Company, provided that the interests, freedoms, and fundamental rights of the data subject are respected,
  • And/or the consent of the data subject for one or more specific purposes.

Purposes:

We process your Personal Data for the following purposes, based on the legal grounds detailed in the table below:

  • Managing the commercial relationship between clients and Hexa-GO
  • Allowing clients and visitors to contact customer support
  • Managing clients’ address books
  • Allowing clients to submit claims
  • Providing clients access to their secure account
  • Allowing clients to track the receipt of their parcels
  • Allowing clients to request parcel consolidation
  • Allowing clients to request a parcel photo verification
  • Allowing clients to subscribe to a Premium plan
  • Allowing clients to request and track parcel shipments
  • Conducting statistics and satisfaction surveys
  • Carrying out commercial prospecting
  • Sending newsletters and/or automated emails (subject to prior consent)
  • Complying with international regulations regarding embargoes and economic/financial sanctions targeting terrorism, fraud, money laundering, arms and drug trafficking
  • Managing rights requests
4. How long is your personal data stored?

The retention period of your personal data depends on the subscribed products and services and the processing carried out by the Company. We commit not to retain your Personal Data longer than necessary to provide those services, in accordance with your contract.

Some of your Personal Data may be retained for longer periods in compliance with legal or regulatory obligations, or to respond to requests from authorities or authorized third parties.

When Personal Data is used for several purposes and subject to different retention periods, the longest retention period applies.

After these periods, we delete your Personal Data in accordance with our internal policy or anonymize it for statistical purposes.

5. How is your Personal Data protected?

In accordance with applicable regulations, we commit to implementing all appropriate technical and organizational measures to ensure a level of security adapted and proportionate to the risks. These measures (e.g., segmentation, anonymization, encryption, restricted access) aim to guarantee the confidentiality, integrity, availability, and resilience of your Personal Data.

The Company ensures that data protection is integrated “by design” into new products and services.

As the data controller, we notify the competent authority—the CNIL—of any personal data breach without undue delay, and where feasible within 72 hours after becoming aware of it. Any breach likely to result in a high risk to your rights and freedoms will also be notified to you without delay.

6. With whom is your Personal Data shared?

Your Personal Data is collected directly from you and used only for purposes that have been communicated to you.

It may be shared with:

  • Subsidiaries of the Company and internal departments responsible for providing the subscribed services (Customer Service, Commercial Department, etc.)
  • Subcontractors, partners, or service providers acting on your behalf or ours
  • Commercial partners (after informing you and allowing you to consent via a checkbox)
  • Authorized administrative or judicial authorities or other authorized third parties (lawyers, auditors, etc.) to comply with legal obligations

Some Personal Data may be collected indirectly from:

– Clients (information about subscribers, beneficiaries, contacts, recipients), necessary for providing subscribed services

– Third parties such as anti-fraud organizations, data providers, international organizations (World Customs Organization), members of the Universal Postal Union

In case of indirect collection, the Company commits to informing individuals as required under Article 14 of the GDPR.

Some services may be used by minors. In such cases, minors must obtain consent from their parents or legal representatives.

7. Is your Personal Data transferred outside the European Union?

We process all Personal Data within the European Union.

However, for certain specific services, we may use subcontractors, partners, or subsidiaries located outside the EU. In such cases, Personal Data is transferred strictly as needed to perform their tasks.

We commit to implementing all appropriate safeguards required by applicable regulations to secure such transfers.

8. What are your rights and how can you exercise them?

When we collect your Personal Data, you receive clear and transparent information on how your data is processed and how you can exercise your rights. You may exercise these rights under the conditions defined by the Regulation.

Your rights include:

  • The right to access your Personal Data, including requesting information about:
    • the categories of data processed,
    • the purposes of the processing,
    • the recipients or categories of recipients of your data,
  • when possible, the data retention period, or where not possible, the criteria used to determine it;
  • The right to have inaccurate or incomplete Personal Data corrected;
  • The right to object at any time to the processing of your Personal Data;
  • The right to be forgotten (erasure of your Personal Data);
  • The right to request restriction of processing;
  • The right to request your Data in a structured, commonly used, machine-readable format to transmit it to another controller (data portability);
  • The right to define instructions regarding the handling of your Personal Data after your death;
  • The right to withdraw your consent at any time (for processing based on consent), including for commercial prospecting.

Any request must include your first name, last name, and the address to which you wish to receive the response. Proof of identity may be required.

You may exercise your rights:

– By email: contact@hexa-go.com

– By post: 33 boulevard Tisseron, 13014 Marseille, France

The Company commits to responding as soon as possible and within legal deadlines.

If you believe, after contacting us, that your rights are not respected, you may lodge a complaint with the CNIL:

CNIL – 3 place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07

Or by phone: 01 53 73 22 22

You are informed of the “Bloctel” telephone marketing opt-out list: https://conso.bloctel.fr

9. How to contact our Data Protection Officer (DPO)?

Hexa-GO has appointed a Data Protection Officer (DPO) registered with the CNIL.

You may contact the DPO at:

Data Protection Officer

Juliette Pairé, admin@hexa-go.com, 04 12 33 30 31

Glossary

“Personal Data”: Any information relating to an identified or identifiable natural person.

“Recipient”: Any service, company, or organization that receives and can access your Personal Data.

“The Company”: The legal entity responsible for drafting this Policy.

“Privacy Policy / Personal Data Protection Policy”: This document outlining the measures implemented for processing and managing your Personal Data.

“Data Controller”: The Company responsible for processing your Personal Data.

“Processing”: Any operation or set of operations performed on Personal Data.

“Personal Data Breach”: Any breach resulting in accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access.

“Processor”: Any natural or legal person, public authority, service, or organization processing personal data on behalf of the data controller.

Cookies Policy

Scope

Hexa-GO, hereinafter “we” or “the Company,” publisher of the Passerelle Colissimo website(s), hereinafter “the Site,” processes your personal data as the data controller throughout your navigation on the Site.

The Site uses cookies, trackers, and other similar technologies, set and/or read by us or by third parties during your visit. For simplicity, all these technologies are referred to as “Cookies” hereinafter.

This policy aims to inform you about the operation and use of Cookies on the Site. It covers all services associated with the Site as well as its subdomains. This policy complements the Company’s Privacy Policy.

What is a Cookie?

The term “Cookies” is used broadly and covers all trackers set and/or read, for example, during the visit of a website or a mobile application, or during or prior to the activation of a chatbot. For convenience, we use the term “Cookies” to cover all technologies that read or write data on the user’s device. A Cookie or tracker is set by your web browser (e.g., Internet Explorer, Firefox, Safari, or Google Chrome) on a dedicated space of your device’s hard drive, by the Site’s server, or by a mobile application you visit.

The information stored can be sent back to our servers or to the servers of the relevant third parties during a subsequent visit.

Types of Cookies Used on the Site

  • Technical and essential Cookies

These Cookies are necessary for the proper functioning of the Site and to take into account your preferences as a user. Their collection does not require your consent. Functional Cookies facilitate navigation on the Site. They ensure the security and performance of the Site, enabling basic functions such as page navigation and access to secure areas. The Site cannot function properly without these Cookies. They are strictly necessary and cannot be disabled without risking access to the Site or certain services. We use these Cookies based on our legitimate interest. They expire automatically when you leave our Site.

  • Analytics Cookies subject to your consent

Analytics Cookies used on the Site allow us to measure audience and track navigation. These Cookies require your consent.

With your consent, certain analytics Cookies provide additional statistics about Site usage to improve your browsing experience.

With your consent, we also use analytics and personalization Cookies to analyze customer journeys (online and offline), personalize website and mobile app content in real time, and tailor emails and other communications based on your browsing and profile.

Some Cookies may have purposes beyond simple audience measurement for our exclusive use. These Cookies may allow overall tracking of your browsing across different applications or websites.

  • Analytics Cookies exempt from consent

Some analytics Cookies on the Site are exempt from consent, in accordance with Article 82 of the French Data Protection Act and Article 5 of CNIL Deliberation No. 2020-091 of September 17, 2020.

These Cookies are strictly limited to audience measurement for the exclusive benefit of the Company. They only produce anonymous statistical data and do not allow tracking across multiple applications or websites, nor do they allow data to be combined with other processing or shared with third parties.

These Cookies help us understand how users interact with the Site or mobile applications and to improve the design and usefulness of our services. Analytics Cookies are used based on our legitimate interest to analyze pages visited and generate anonymous statistics.

You can object to analytics Cookies exempt from consent at any time, as described in Article 5 of CNIL Deliberation No. 2020-091 (see section “How to manage your consent?” below).

  • Advertising Cookies

Advertising Cookies, with your consent, are used to track users’ navigation on the Site and mobile applications, to display ads that are relevant and interesting to the user. These Cookies may be used to:

  • Display personalized advertising based on your profile and browsing,
  • Measure ad audience,
  • Show targeted ads based on pages you visited on our Site or mobile apps,
  • Personalize editorial content based on your browsing,
  • Display in real-time content adapted to your interests inferred from recent browsing across one or more sites,
  • Enable playback of external multimedia content (e.g., videos hosted by third-party providers),
  • Allow sharing content on social networks. Even if you do not use the share button during your visit, the social network providing this button may identify you through it by setting or reading Cookies and track your navigation on our Site. This requires only that your account on the relevant social network is active on your device during this browsing session.
  • Third-party Cookies

These Cookies are set by third-party advertisers (ad networks or advertisers). The issuance and use of Cookies by third parties are subject to their privacy policies. We inform you about the purpose of Cookies we are aware of and the means available to manage your choices, including opting out. For more information about third-party Cookies, please read their privacy policies. See below for a list of third parties using Cookies on the Site: Passerelle Colissimo.

Which Cookies Are Used on the Site?

Below is a list of Cookies that may be set on your device depending on your choices. This list indicates the publisher, the Cookie name, its duration, and its purpose.

Unless otherwise stated, personal data collected via these Cookies will only be processed by the Company for up to XXXX (XX) months after collection.

For Cookies requiring your consent, your choices will be stored for six (6) months. After this period, you will be asked again to express your preferences.

  • Internal Cookies set directly on the Site domain:
Cookie Publisher Cookie Name Duration Purpose
Hexa-Go PHPSESSID Session duration Technical
REMEMBERME 7 days Functional
Axeptio axeptio_all_vendors 12 months Functional
axeptio_authorized_vendors 12 months Functional
axeptio_cookies 12 months Functional
Google _gid 12 months Analytics
_ga_<ID> 13 months Analytics
_gcl_au 13 mois Publicitaire
_gcl_aw 13 mois Publicitaire
Stripe __stripe_mid 12 months Functional

How Can You Manage Your Consent?

On your first visit, a popup informs you about Cookies.

  • Clicking “Accept All” allows us to set all Cookies that require your consent on your device.
  • Clicking “Reject All” prevents us from setting Cookies that require your consent on your device.
  • Clicking “Manage My Preferences” allows us, after your selection, to set and use the Cookies or categories you chose, as described in this policy.

You can disable Cookies on your device, but the Site may not function properly.

You can manage your Cookie preferences at any time via the management module by clicking here.

How Can You Exercise Your Rights?

To exercise your rights, you can contact us at:

  • contact@hexa-go.com
  • 33 boulevard Tisseron, 13014 Marseille, France

Regarding the Company’s data protection policy, you may also contact our Data Protection Officer, Juliette Pairé, at admin@hexa-go.com or 33 boulevard Tisseron, 13014 Marseille, France.

If you encounter difficulties managing your personal data, you have the right to file a complaint with the French Data Protection Authority (CNIL).

Glossary

  • Data Controller:

Any operation or set of operations on personal data (regardless of the method used, whether automated or not), including collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, transmission, dissemination, or any other form of making data available, combination or interconnection, limitation, as well as blocking, erasure, or destruction.

  • Personal Data:

Any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or one or more elements specific to them (such as name, first name, identification number, email, IP address, voice, photograph, location data, etc.).

  • Legitimate Interest:

One of the legal bases provided by data protection regulations. Processing based on this legal basis is necessary to pursue legitimate interests of the entity processing the data or a third party, while strictly respecting the rights and interests of the data subjects.