PRIVACY POLICY AND PERSONAL DATA PROTECTION
In accordance with Regulation (EU) 2016/679 (GDPR)
| Website | https://www.vipoc.org |
|---|---|
| Data Controller | Vitiligo International Patient Organizations Committee – VIPOC |
| Registered Office | 10 rue Lacuée, 75012 Paris, France |
| Publication Director | Jean-Marie Meurant |
| DPO Contact | dpo@vipoc.care |
| Last Updated | 20 March 2026 |
1. Introduction
The Vitiligo International Patient Organizations Committee (“VIPOC”) is committed to protecting the privacy of users of its website https://www.vipoc.org and its services.
This privacy policy describes how VIPOC collects, uses, stores and protects your personal data, in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), French Law No. 78-17 of 6 January 1978 as amended (Data Protection Act) and Directive 2002/58/EC (ePrivacy Directive).
For any questions regarding this policy, you can contact our Data Protection Officer (DPO) at: dpo@vipoc.care.
2. Data Controller
The data controller for personal data collected on this website is:
Legal name: Vitiligo International Patient Organizations Committee – VIPOC
Registered office: 10 rue Lacuée, 75012 Paris, France
Legal representative: Jean-Marie Meurant, Publication Director
Contact email: contact@vipoc.org
Data Protection Officer: dpo@vipoc.care
3. Personal Data Collected
We collect different categories of personal data depending on the services you use:
3.1. Data provided directly by you
- Identification data: surname, first name, postal address, email address, phone number
- Account data: username, password (encrypted)
- Payment data: billing information (where applicable)
- Content of comments and messages sent through contact forms
3.2. Data collected automatically
- Browsing data: IP address, browser type and version, operating system, pages visited, date and time of visit
- Cookies and tracking technologies (see section 8)
3.3. Collection methods
Data is collected through forms on the website, by email, by telephone or in person.
4. Purposes and Legal Bases of Processing
In accordance with Article 6 of the GDPR, each data processing operation is based on a legal basis. Details are as follows:
| Purpose | Legal Basis (Art. 6 GDPR) | Retention Period |
|---|---|---|
| User account management | Performance of a contract (Art. 6.1.b) | Duration of registration + 3 years after closure |
| Responding to contact requests | Legitimate interest (Art. 6.1.f) | 3 years from last contact |
| Sending newsletters and communications | Consent (Art. 6.1.a) | Until withdrawal of consent |
| Payment management and invoicing | Legal obligation (Art. 6.1.c) | 10 years (Art. L.123-22 French Commercial Code) |
| Audience measurement and statistics | Consent (Art. 6.1.a) or CNIL exemption where cookies are anonymised | 25 months maximum |
| Spam detection (Akismet) | Legitimate interest (Art. 6.1.f) | Duration necessary for moderation |
| Information about VIPOC services | Legitimate interest (Art. 6.1.f) | Duration of relationship + 3 years |
5. Recipients and Processors
Your personal data may be shared with the following recipients, acting as processors in accordance with Article 28 of the GDPR:
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| OVH SAS | Website and data hosting | France (Roubaix) | EU servers – GDPR compliant |
| Simboti Tech | Website development and maintenance | South Africa | Standard Contractual Clauses (Art. 46.2.c GDPR) |
| Automattic (Akismet) | Anti-spam filter for comments | United States | Data Privacy Framework (DPF) or Standard Contractual Clauses |
| Automattic (Gravatar) | Avatar display | United States | Data Privacy Framework (DPF) or Standard Contractual Clauses |
Apart from these processors, your personal data is never transmitted, sold or rented to third parties.
6. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA). In such cases, data transfers are governed by the following safeguards, in accordance with Articles 44 to 49 of the GDPR:
- Simboti Tech (South Africa): Standard Contractual Clauses approved by the European Commission (Implementing Decision 2021/914).
- Automattic Inc. (United States): EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses.
You can obtain a copy of the safeguards in place by contacting our DPO at dpo@vipoc.care.
7. Your Rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Right of access (Art. 15) | Obtain confirmation that your data is being processed and receive a copy. |
| Right to rectification (Art. 16) | Request the correction of inaccurate or incomplete data. |
| Right to erasure (Art. 17) | Request the deletion of your data under the conditions set out in the GDPR. |
| Right to restriction (Art. 18) | Request the restriction of processing of your data. |
| Right to portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Right to object (Art. 21) | Object to processing based on legitimate interest or direct marketing. |
| Withdrawal of consent (Art. 7.3) | Withdraw your consent at any time, without affecting the lawfulness of prior processing. |
| Post-mortem directives | Define directives regarding the fate of your data after your death (French law). |
To exercise your rights, please send your request together with a copy of a photo ID to: dpo@vipoc.care. We undertake to respond within one month of receiving your request.
If you are not satisfied with our response, you may lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr.
⚠ Note: CNIL sanctions may reach up to 4% of global annual turnover or €20M (Art. 83 GDPR).
8. Cookies and Tracking Technologies
8.1. What is a cookie?
A cookie is a small text file placed on your device (computer, tablet, smartphone) when you visit a website. It allows the site to remember certain information about your visit.
8.2. Cookies used on this website
| Cookie | Type | Purpose | Duration | Legal Basis |
|---|---|---|---|---|
| WordPress session | Strictly necessary | Authentication | Session / 2 weeks | Exempt from consent |
| Screen preferences | Functional | Display preferences | 1 year | Consent |
| Comments | Functional | Form pre-fill | 1 year | Consent |
| Audience measurement | Analytics | Traffic statistics | 25 months max. | Consent (or CNIL exemption) |
8.3. Managing your cookie preferences
On your first visit, a consent banner allows you to accept, refuse or configure non-essential cookies. You can change your preferences at any time by clicking the “Manage my cookies” link available in the page footer.
You can also configure your browser to block cookies. Please note that refusing certain cookies may limit access to some features of the website.
9. Embedded Content and Third-Party Websites
Articles on this website may include embedded content (videos, images, articles) from other websites. This embedded content behaves in the same way as if you were visiting those third-party websites directly: they may collect data, place cookies and use tracking tools.
VIPOC is not responsible for the data processing carried out by these third-party websites. We encourage you to review their respective privacy policies.
10. Data Security
VIPOC implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:
- Firewalls and antivirus software
- Encryption of sensitive data (SSL/TLS)
- Access controls and authorisation management
- Regular backups
- Hosting on dedicated servers in France (OVH)
We also recommend that you keep your login credentials confidential and report any suspicious use of your account.
11. Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, VIPOC undertakes to:
- Notify the CNIL within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
- Inform the affected individuals without undue delay if the breach is likely to result in a high risk, in accordance with Article 34 of the GDPR.
12. Data Protection Impact Assessment
DPIA Status: Completed
As an association potentially processing data revealing the health status of its members (patients with vitiligo), VIPOC has carried out a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR. This assessment was conducted in coordination with the Data Protection Officer and has enabled the identification and implementation of the measures necessary to mitigate the risks associated with the processing of our members’ personal data.
13. Website Host
Legal name: OVH SAS
Address: 2 rue Kellermann, 59100 Roubaix, France
Phone: 1007
Website: www.ovh.com
14. Changes to This Policy
VIPOC reserves the right to modify this privacy policy at any time. In the event of a substantial change, registered users will be informed by email or by a notice visible on the website. The date of last update is indicated at the top of this document.
Date of last update: 20 March 2026
15. Contact
For any questions regarding this policy or to exercise your rights, you can contact us:
By email: dpo@vipoc.care
By post: VIPOC – Data Protection Officer, 10 rue Lacuée, 75012 Paris, France
You also have the right to lodge a complaint with the CNIL:
Website: www.cnil.fr
Address: CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07




