Privacy Policy
TRUE TRIBE is committed to protecting the privacy and personal data of its clients, visitors, and users. This Privacy Policy explains what personal data we collect, how we use it, the legal bases for processing, and the rights you have under applicable data protection law.
This Privacy Policy is issued in accordance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), the French Data Protection Act (Loi Informatique et Libertés, as amended), and all other applicable data protection legislation.
01 Data controller and contact
The data controller responsible for the processing of your personal data is:
SUNBERG SAS, operating under the brand TRUE TRIBE
Registered office: 5, rue Étienne Marcel, 75001 Paris, France
Trade register: RCS Paris 339 350 431 00047
Primary email (data protection requests and general enquiries): contact@truetribe.paris
Client services (orders, returns, exchanges, after-sales): relations@truetribe.paris
Postal address: 5, rue Étienne Marcel, 75001 Paris, France
For all questions relating to the processing of your personal data, or to exercise your rights, please contact us at contact@truetribe.paris. Data protection requests sent to this address are routed to the relevant team for handling within statutory deadlines.
02 Personal data we collect
We collect the following categories of personal data, depending on your interaction with our Site and services:
2.1 Information you provide directly
Identity data: first name, last name, title, date of birth (where provided).
Contact data: postal address, email address, telephone number.
Account data: username, password (stored in encrypted form via Shopify), account preferences.
Order and transaction data: products ordered, order history, billing and delivery addresses, invoices.
Payment data: payment method selected, last four digits of card, billing details. Full card details are processed exclusively by certified payment service providers (Shopify Payments, PayPal) and are not stored by TRUE TRIBE.
Communication data: messages exchanged with our Client Services team, return and exchange requests, product enquiries.
Marketing preferences: newsletter subscription status, communication preferences (including the 15% first-purchase discount opt-in).
Recruitment data: where you apply for a position with TRUE TRIBE, your CV, cover letter, professional history, and related information.
2.2 Information collected automatically
Technical data: IP address, browser type and version, device type, operating system, language settings.
Usage data: pages visited, time spent on pages, navigation paths, click data, referral source.
Cookie data: information collected via cookies and similar technologies (see our Cookie Policy).
2.3 Information from third parties
Social media data, where you choose to interact with our content or accounts via Instagram, YouTube, TikTok, LinkedIn, or Spotify.
Payment confirmation data from payment service providers.
Delivery status data from shipping carriers.
03 Purposes of processing and legal bases
We process your personal data only where we have a valid legal basis under the GDPR. The following table summarises the main purposes for which we process your data, and the corresponding legal basis:
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Order processing and fulfilment | Identity, contact, order, payment data | Performance of a contract (GDPR Art. 6(1)(b)) |
| Invoicing and accounting | Identity, contact, order, payment data | Legal obligation (GDPR Art. 6(1)(c)) |
| Customer service and after-sales support | Identity, contact, order, communication data | Performance of a contract (GDPR Art. 6(1)(b)) |
| Account management | Account, identity, contact data | Performance of a contract (GDPR Art. 6(1)(b)) |
| Marketing communications (newsletter, 15% offer) | Contact data, marketing preferences | Consent (GDPR Art. 6(1)(a)) |
| Personalisation and product recommendations | Usage, order data | Consent where based on cookies or similar tracking technologies (GDPR Art. 6(1)(a)); legitimate interest where based on non-intrusive first-party purchase history or account preferences (GDPR Art. 6(1)(f)) |
| Fraud detection and prevention | Order, payment, technical data | Legitimate interest (GDPR Art. 6(1)(f)) |
| Site improvement and analytics | Technical, usage data | Consent (cookies) or legitimate interest |
| Recruitment and job applications | Recruitment data | Pre-contractual measures (GDPR Art. 6(1)(b)) or consent |
| Compliance with legal obligations | Various | Legal obligation (GDPR Art. 6(1)(c)) |
| Defence of legal claims | Various | Legitimate interest (GDPR Art. 6(1)(f)) |
04 Recipients of your data
Your personal data may be shared with the following categories of recipients, strictly for the purposes described in this Privacy Policy:
Internal teams: TRUE TRIBE employees authorised to process your data for the purposes set out above.
E-commerce platform: Shopify International Limited (Ireland) and Shopify Inc. (Canada), which provide the platform infrastructure on which the Site operates, acting as data processor under Article 28 GDPR.
Infrastructure and hosting: OVH SAS (France), providing hosting and infrastructure services.
Payment service providers: Shopify Payments (powered by Stripe) and PayPal, which handle transaction processing.
Shipping carriers: DHL and FedEx, and other international carriers used to deliver orders worldwide.
Customs and duty management providers: services used to support the Delivered Duty Paid (DDP) shipping offer, where applicable.
IT and analytics providers: Google (Analytics), and other providers of email, CRM, and customer service tools.
Marketing service providers: email marketing and advertising platforms used for the newsletter and promotional campaigns, subject to your consent where required.
Social media platforms: Meta (Instagram, Facebook), TikTok, YouTube (Google), LinkedIn, Spotify, where you interact with TRUE TRIBE content on these channels.
Professional advisers: accountants, auditors, and legal advisers, where necessary.
Public authorities: tax, customs, judicial, or regulatory authorities, where required by law.
All third-party processors act on our behalf under data processing agreements that comply with Article 28 of the GDPR.
We do not sell your personal data to third parties.
05 International data transfers
TRUE TRIBE operates on the Shopify platform, which stores and processes customer data on servers that may be located outside the European Economic Area (EEA), including in Canada and the United States. Infrastructure services are also provided by OVH SAS with servers based in France. Other service providers (such as Google, Meta, and certain marketing tools) may process data outside the EEA.
Where personal data is transferred outside the EEA, we rely on appropriate safeguards under the GDPR, including:
Adequacy decisions of the European Commission (for example, the EU-US Data Privacy Framework, where applicable to specific providers);
Standard Contractual Clauses (SCCs) approved by the European Commission;
Binding Corporate Rules, where applicable;
Other safeguards permitted under Articles 46 to 49 of the GDPR.
You may request information on the specific safeguards applied to transfers of your data by contacting us at contact@truetribe.paris.
06 Data retention periods
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with applicable law:
| Category of data | Retention period |
|---|---|
| Order and transactional data | 10 years from the date of the transaction (French commercial and accounting law) |
| Customer account data | Duration of the account, plus 3 years from last activity |
| Marketing data (consent-based) | Until withdrawal of consent, or 3 years from last contact |
| Cookies and analytics data | As set out in the Cookie Policy (generally up to 13 months) |
| Customer service communications | 5 years from the last interaction |
| Payment card data (last 4 digits, expiry) | Up to 15 months for fraud prevention purposes |
| Recruitment data (unsuccessful applicants) | 2 years after the last contact, unless the candidate consents to a longer period |
| Recruitment data (successful applicants) | Transferred to the employee personnel file |
| Data necessary for legal claims | Duration of the relevant limitation period (generally 5 years) |
Once the applicable retention period expires, your data is securely deleted or anonymised.
07 Your rights
Under the GDPR, you have the following rights in relation to your personal data:
Right of access (Article 15): You may request a copy of the personal data we hold about you, together with information about how it is processed.
Right to rectification (Article 16): You may request that we correct inaccurate or incomplete data.
Right to erasure (Article 17): You may request that we delete your data, subject to applicable legal retention obligations.
Right to restriction of processing (Article 18): You may request that we limit the processing of your data in certain circumstances.
Right to data portability (Article 20): You may request to receive your data in a structured, commonly used, and machine-readable format.
Right to object (Article 21): You may object to processing based on legitimate interests, or to processing for direct marketing purposes.
Right to withdraw consent (Article 7): Where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of prior processing.
Right not to be subject to automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal effects. TRUE TRIBE does not currently engage in such automated decision-making.
Right to give post-mortem instructions: You may set instructions for the management of your data after your death, in accordance with the French Data Protection Act.
To exercise any of these rights, please contact us at contact@truetribe.paris. To verify your identity, we may request a copy of an identity document. We will respond within one month of receipt of your request, which may be extended by up to two further months for complex requests, in which case we will notify you within the first month.
You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority:
CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Telephone: +33 (0)1 53 73 22 22
Website: www.cnil.fr
08 Marketing communications and unsubscribe
Where we send you marketing communications (such as our newsletter or the 15% first-purchase offer), we do so only with your prior consent or, where permitted by law, on the basis of a pre-existing customer relationship for similar products.
Every marketing email we send includes a one-click unsubscribe link. Unsubscribing is immediate and free of charge. You may also withdraw consent or update your marketing preferences at any time by:
Clicking the unsubscribe link at the bottom of any marketing email;
Updating your preferences in your customer account;
Contacting us at contact@truetribe.paris.
Once you unsubscribe, we will remove you from all marketing correspondence promptly. We may still send you transactional and service messages relating to your orders, as these are necessary for the performance of our contract with you.
09 Security of your data
TRUE TRIBE implements appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
Encryption of data in transit (TLS/SSL) and at rest where appropriate;
Access controls and authentication for systems containing personal data;
Secure payment processing via PCI-DSS compliant providers (Shopify Payments, PayPal);
Regular security reviews, monitoring, and staff training;
Data minimisation: we collect only the data necessary for the purposes described;
Reliance on the Shopify platform's enterprise-grade security infrastructure (Level 1 PCI-DSS compliant) and OVH's certified hosting infrastructure.
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you and the CNIL in accordance with Articles 33 and 34 of the GDPR.
10 Cookies
Our Site uses cookies and similar technologies to ensure the proper functioning of the Site, to analyse traffic, and, where you have consented, for marketing purposes. For full details, please refer to our Cookie Policy, available on the Site.
11 Children's data
The Site is not directed at children under the age of 15 (the age of digital consent in France). We do not knowingly collect personal data from children under this age. If you believe we have inadvertently collected data from a child, please contact us at contact@truetribe.paris and we will take steps to delete it.
12 Changes to this privacy policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or services. The most current version is always available on the Site. The version number and effective date are indicated at the top of this document. Material changes will be communicated to you by email or via a prominent notice on the Site.
13 Contact
For any questions about this Privacy Policy or how we process your personal data, or to exercise your rights, please contact us at:
Primary email (data protection and general enquiries): contact@truetribe.paris
Client services (orders, returns, after-sales): relations@truetribe.paris
Postal address: SUNBERG SAS / TRUE TRIBE, 5 rue Étienne Marcel, 75001 Paris, France
TRUE TRIBE · SUNBERG SAS