COOKIE POLICY

1. Data Controller

The Controller of personal data collected through the website www.justbob.shop (hereinafter the “Site”) via cookies and similar technologies is:

ESPACE ECOMMERCE FRANCE SARL

• Legal form: Société à Responsabilité Limitée (SARL) under French law
• Registered office: 16 rue Cuvier, 69006 Lyon (France)
• EU VAT number: FR62920502598
• SIREN: 920 502 598
• SIRET: 920 502 598 00013
• NAF/APE code: 47.91A
• Share capital: 2,000.00 EUR
• Email: info@justbob.shop
• Telephone: +44 2030514261 (Monday to Friday, 10:00 to 17:00 CET, excluding public holidays)
• Website: www.justbob.shop

This Cookie Policy complements the Privacy Policy of the Site, to which reference is made for the general aspects of the processing of personal data, including the rights of the data subject and the security measures applied.

For any question relating to this Cookie Policy or to the processing of data collected through the Site, the user may contact the Controller at info@justbob.shop.

2. What is a cookie

Cookies are small text files that a website stores on the user’s terminal device (computer, tablet, smartphone) during the visit. They allow, among other things, the storage of user preferences, the facilitation of navigation and the proper functioning of the services provided.

Cookies do not damage the user’s device and cannot access other data stored on it that are not strictly related to the website that installed them.

In addition to cookies, the Site may use similar technologies such as the local storage of the browser (local storage, session storage) and pixel tags. This Cookie Policy applies to all such technologies, to the extent that they are used to track the user or to operate the Site.

From a legal standpoint, cookies are classified according to the criteria followed by European supervisory authorities as follows:

• Strictly necessary technical cookies: their sole purpose is the transmission of a communication over an electronic communications network or the operation of the service explicitly requested by the user; they are exempt from the prior consent requirement under Article 5(3) of the ePrivacy Directive 2002/58/EC and the corresponding national transpositions.
• Analytics cookies: their purpose is the creation of aggregated statistics on the use of the website, without individual profiling. If they are configured in a non-minimising way, they require consent; if, on the other hand, they are configured with minimising technical measures and their purpose is exclusively technical, they may fall within the consent exemption.
• Profiling, marketing, advertising cookies: they always require prior, express and informed consent. The Site does NOT use cookies of this type.

3. Applicable legal framework

This Cookie Policy has been drawn up in accordance with the following normative sources:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation, GDPR), in particular Articles 4(11) (definition of consent), 5 (principles of processing), 6 (lawfulness of processing), 7 (conditions of consent), 13 (information obligations), 32 (security of processing), 56 (lead supervisory authority) and 77 (right to lodge a complaint).
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (ePrivacy Directive), as amended by Directive 2009/136/EC, in particular Article 5(3) on the storage of and access to information on the user’s terminal equipment, and the corresponding national transpositions in each Member State of the European Union and the European Economic Area.
• Guidelines of the European Data Protection Board (EDPB), in particular Guidelines 05/2020 of 4 May 2020 on consent under the GDPR and Guidelines 03/2022 of 14 March 2022 on deceptive design patterns.
• Guidelines and positions of the Commission nationale de l’informatique et des libertés (CNIL), as the lead supervisory authority of the Controller, on cookies and tracking technologies, in their current version (available at www.cnil.fr).
• Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequacy of the level of protection of personal data under the EU-US Data Privacy Framework, the validity of which was confirmed by the General Court of the European Union with judgment T-553/23 Latombe of 3 September 2025.
• Judgment CJEU C-673/17 “Planet49” of 1 October 2019 and subsequent case-law of the Court of Justice of the EU on cookie consent.

In accordance with Article 5(3) of the ePrivacy Directive, the storage of information on the user’s terminal equipment or the access to information already stored is permitted only where the user has given his consent on the basis of clear and comprehensive information. Two cases are exempted from this rule:

1. the storage or access serves exclusively the transmission of a communication over an electronic communications network;
2. the storage or access is strictly necessary to enable the provider of an information society service explicitly requested by the user to provide such service.

4. Cookies used on the Site

4.1 General classification

All cookies used on the Site are strictly necessary technical cookies, classified as described in Section 2.

Since they are exclusively technical cookies necessary for the provision of the service requested by the user, these cookies are exempt from the prior consent requirement under Article 5(3) of the ePrivacy Directive 2002/58/EC and the corresponding national transpositions. The deactivation of these cookies may affect the proper functioning of the Site, in particular as regards basket management, the completion of the order process and the receipt of transactional communications relating to orders.

The Site does NOT use profiling cookies, marketing cookies, remarketing cookies, social media cookies, third-party advertising cookies, behavioural advertising cookies. There is no cross-site or cross-device tracking; no individual user profiles are created for advertising purposes; no data is shared with advertising networks.

4.2 Cookies used in detail

Below is the detail of each cookie used on the Site, grouped by technical function.

A) Basket management and e-commerce session (WooCommerce)

These cookies are essential for the operation of the basket and the order process within the WooCommerce environment.

B) CMS function, session management and age gate (WordPress)

These cookies are required for the operation of the content management system (WordPress), the management of the server session and the age gate preference, adopted in accordance with JustBob’s commercial policy that reserves access to the Site to adult users only, in compliance with national legislation on the protection of minors.

C) Technical monitoring of Site performance (Google Analytics 4)

The Site uses Google Analytics 4 as a tool for the technical monitoring of Site performance. The Site’s GA4 property is identified by the code G-234X8ZMV9W.

Google Analytics 4 is configured in technical mode, with the following measures: anonymisation of the IP address (IP-Masking active, IP address truncated before processing); the data collected is not used for advertising purposes (Google Signals deactivated, no sharing with Google Ads / Display & Video 360, no connectors to marketing or remarketing tools); the data is not cross-referenced with other Google services for profiling purposes (personalisation and advertising features deactivated in the GA4 property settings, no BigQuery export); maximum retention period: 14 months; exclusive purpose: technical monitoring of Site operation.

In detail, the technical configuration of the GA4 property includes the following operational measures:

• Anonymisation of the IP address: the IP-Masking function is active; the IP address is truncated before each processing by Google (truncation of the last octet of the IPv4 address); the Site operator does not store full IP addresses.
• No use of data for advertising purposes: the Google Signals function is deactivated in the GA4 property settings; no sharing of data with Google advertising products (Google Ads, Display & Video 360) is active; no connectors to marketing, remarketing or third-party advertising platforms are installed.
• No linking with other Google services for profiling purposes: the personalisation and advertising features are deactivated in the GA4 property settings; no BigQuery export is active; no integration with other products of the Google advertising ecosystem is configured.
• Maximum retention period: 14 months from the user’s last activity (lowest selectable value in GA4 for the retention of user identifiers and event-level data).
• Exclusive purpose: technical monitoring of Site operation (performance, loading times, execution errors, service availability, most visited pages in aggregated form).

The data collected consists exclusively of aggregated statistics on navigation (number of visits, most visited pages, average loading times, possible technical errors, device type and operating system). No names, email addresses, telephone numbers, payment data or other personal identification data are collected; no individual profiles are created; no cross-site or cross-device tracking takes place.

On the basis of the minimising configuration described above and the exclusively technical purpose, the Controller takes the view that the processing complies with the principles of data minimisation and security set out in Article 5 of the GDPR and falls within the scope of the strict necessity exemption under Article 5(3) of the ePrivacy Directive.

The user who nevertheless wishes to object to the technical measurement via Google Analytics may:

• install the official Google opt-out browser add-on at https://tools.google.com/dlpage/gaoptout;
• block or delete the relevant cookies through the browser settings (see Section 5).

Google Privacy Policy: https://policies.google.com/privacy

Google Analytics Terms of Service: https://marketingplatform.google.com/about/analytics/terms/

D) Management of transactional communications (Brevo)

The Site uses Brevo (formerly Sendinblue) exclusively for the management of transactional communications relating to user orders: order confirmations, shipping updates, delivery notifications, technical communications relating to the order flow. These cookies are required to link the user’s navigation session to his order and to ensure the proper delivery of the communication.

• No marketing purposes: Brevo is not used for sending advertising, unsolicited newsletters, commercial communications not related to orders, recovery of abandoned baskets or other advertising purposes.
• No profiling: there is no tracking of navigation behaviours for advertising or profiling purposes; no behaviour-based audience segments are built.
• Data within the European Economic Area: the main Brevo servers are located in the European Union (data centre in France); the data processed via these cookies is not transferred outside the EEA.

Brevo Privacy Policy: https://www.brevo.com/legal/privacypolicy/

5. Cookie management

Although the cookies used on the Site are strictly necessary for its operation, the user may at any time configure his browser to block or delete cookies. It is noted that the deactivation of these cookies may affect the proper functioning of the Site, in particular the basket, the order process and the receipt of transactional communications.

5.1 Instructions for the main browsers

Below are the instructions for cookie management in the most used browsers, with reference to the official support pages in English:

• Google Chrome: Settings, Privacy and security, Cookies and other site data. https://support.google.com/chrome/answer/95647?hl=en
• Mozilla Firefox: Settings, Privacy & Security, Cookies and Site Data. https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
• Apple Safari: Preferences, Privacy, Cookies and Website Data. https://support.apple.com/en-gb/guide/safari/sfri11471/mac
• Microsoft Edge: Settings, Cookies and Site Permissions, Cookies and Site Data. https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
• Opera: Settings, Advanced, Privacy and Security, Cookies. https://help.opera.com/en/latest/web-preferences/#cookies

For browsers not listed above, the user may consult the “Help”, “Support” or “Settings” sections of his browser.

5.2 Google Analytics opt-out

If the user wishes to specifically deactivate the technical measurement via Google Analytics on all websites that use it, he may install the official Google opt-out browser add-on:

https://tools.google.com/dlpage/gaoptout

This add-on, available for the main desktop browsers, prevents the Google Analytics JavaScript (gtag.js, analytics.js, ga.js) from sharing information about the use of the Site with Google. It must be installed once and remains active in the user’s browser until any deinstallation.

5.3 Blocking cookies at the system or browser level

The user may also resort to the privacy tools available in the operating system or to third-party browser extensions (for example anti-tracking tools, content blocker extensions, private mode, “Do Not Track” or “Global Privacy Control” features). In such cases, the proper functioning of the Site may be affected, in particular as regards the retention of products in the basket during navigation, the completion of the order process and the receipt of transactional communications. The Controller cannot guarantee the full usability of the Site in case of extended blocking of technical cookies as well.

5.4 Deletion of already installed cookies

In addition to configuring the browser to block cookies in the future, the user may at any time delete the cookies already installed by the Site on his device, using the navigation history and site data management functions provided by the browser. In this way, all previously installed cookies (including those concerning the user’s age verification and the cookie notice already shown) will be deleted, and the user will be shown the corresponding information again upon subsequent visits.

6. International data transfers

Some of the technical providers used by the Site may process data outside the European Economic Area (EEA). In such cases, the Controller ensures the application of appropriate safeguards in accordance with Chapter V of the GDPR.

6.1 Google LLC (Google Analytics 4)

Google LLC, provider of the Google Analytics 4 technical monitoring service, is established in the United States of America (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google LLC has joined the EU-US Data Privacy Framework (DPF), established by Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, which finds the adequate level of protection of personal data by DPF-certified American providers. The validity of the EU-US Data Privacy Framework was confirmed by the General Court of the European Union with judgment T-553/23 Latombe of 3 September 2025.

The transfer to Google LLC is therefore based on an adequacy decision within the meaning of Article 45 GDPR and does not require additional measures (such as standard contractual clauses or Transfer Impact Assessments). The DPF certification of Google LLC can be consulted publicly at https://www.dataprivacyframework.gov.

As an additional safeguard, the technical GA4 configuration applied on the Site provides for the anonymisation of the IP address (IP-Masking), so that the data actually transmitted to Google LLC does not allow the identification of the user.

6.2 Brevo SAS

Brevo SAS, provider of the transactional communication service, has its corporate seat in France (7 rue de Madrid, 75008 Paris, RCS Paris 498 019 298) and its main production servers are located in the European Union (data centre in France). The data processed via Brevo is not transferred outside the EEA.

6.3 Planetel S.p.A.

Planetel S.p.A., provider of the Site’s hosting services, is an Italian company with registered office at Via Mattei 10, 24060 Brusaporto (BG), Italy. The servers are located within the European Union. The data is not transferred outside the EEA.

6.4 Available redress mechanisms

DPF-certified providers are subject to the redress mechanism established by the Data Privacy Framework, which provides for the possibility for Union citizens to lodge complaints directly with the American provider and, in second instance, with the DPF supervisory authority at the US Department of Commerce, as well as access to an independent redress mechanism (Data Protection Review Court) for complaints concerning data access by US intelligence services or security agencies. These safeguards were assessed by the European Commission as adequate when adopting Implementing Decision 2023/1795.

6.5 Supplementary information

For additional information on the safeguards applied to international data transfers, the DPF certification of Google LLC, the data processing agreements concluded with the providers (Data Processing Addendum) or the technical and organisational measures adopted, the user may contact the Controller at info@justbob.shop.

7. Retention period

The duration of each cookie is indicated in the tables of Section 4. In summary, the table below summarises the retention periods by functional category.

The aggregated data collected via Google Analytics 4 is retained on Google’s servers for a maximum of 14 months from the user’s last activity, in accordance with the Data Retention parameter configured by the Controller in the GA4 property. After the expiry of this period, data at the user identifier and event level is automatically deleted from Google’s systems. The aggregated data in standard reports (not attributable to individual user identifiers) may, on the other hand, be retained for longer periods for purposes of historical comparability, without in any way allowing the identification of the user.

No cookie used on the Site has a duration longer than 14 months. The Controller regularly reviews the proportionality of the retention periods in relation to the pursued purpose, in accordance with the storage limitation principle set out in Article 5(1)(e) of the GDPR and with the recommendations of the EDPB and the CNIL.

8. Data subject rights

In relation to the data processed through the Site, including data relating to cookies, the user may exercise the following rights recognised by Regulation (EU) 2016/679 (GDPR):

• Right of access (Article 15 GDPR): to obtain confirmation as to whether or not personal data is being processed and, if so, access to such data and to the information required by law.
• Right of rectification (Article 16 GDPR): to obtain rectification of inaccurate personal data and completion of incomplete data.
• Right of erasure (“Right to be Forgotten”) (Article 17 GDPR): to obtain erasure of his personal data in the cases provided for by law.
• Right to restriction of processing (Article 18 GDPR): to obtain restriction of processing in the cases provided for.
• Right to data portability (Article 20 GDPR): to receive the personal data provided in a structured, commonly used and machine-readable format and to transmit such data to another controller.
• Right to object (Article 21 GDPR): to object at any time to the processing of his personal data on grounds relating to his particular situation.
• Right to withdraw consent at any time (Article 7(3) GDPR): if the processing is based on consent, the user may withdraw his consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of the previously given consent before withdrawal.

To exercise his rights, the user may contact the Controller at the following address: info@justbob.shop.

The Controller provides the user with information on the actions taken on the request without delay and in any event within one month of receipt of the request. This period may be extended by two months where necessary, taking into account the complexity and number of requests; in such case, the Controller informs the user within one month of receipt of the request of the extension and the reasons for the delay, in accordance with Article 12(3) of the GDPR.

The exercise of rights is free of charge. Only in cases of manifestly unfounded or excessive requests, in particular where they are repetitive, the Controller may charge a reasonable fee to cover the costs incurred or refuse to comply with the request, in accordance with Article 12(5) of the GDPR.

Considering the nature and scope of the data processed via cookies and in the absence of the conditions of Article 37(1) of the GDPR, the Controller is not required to designate a Data Protection Officer (DPO).

9. Right to lodge a complaint with the supervisory authority

If the user considers that the processing of his personal data infringes the GDPR, the ePrivacy Directive or other applicable provisions, he has the right to lodge a complaint with a supervisory authority, in accordance with Article 77 of the GDPR, in the manner indicated below.

9.1 Lead Supervisory Authority

In accordance with Article 56 GDPR, the lead supervisory authority of the Controller is the Commission nationale de l’informatique et des libertés (CNIL) in France, in view of the Controller’s main establishment in Lyon.

CNIL contact details:

• Registered office: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 (France)
• Telephone: +33 (0)1 53 73 22 22
• Website: www.cnil.fr
• Online complaint: www.cnil.fr/fr/plaintes

9.2 National supervisory authority of the user’s habitual residence

The user, as a person established in a Member State of the European Union or the European Economic Area, retains the right under Article 77 of the GDPR to lodge a complaint with the supervisory authority of his country of habitual residence, of his place of work or of the place of the alleged infringement. The complete and updated list of national supervisory authorities of the European Union is available on the website of the European Data Protection Board:

• www.edpb.europa.eu/about-edpb/about-edpb/members_en

The one-stop-shop mechanism set out in Articles 56 and 60 of the GDPR does not deprive the user of the possibility of approaching the national authority of his habitual residence.

9.3 Effective judicial remedy

In addition to the complaint to a supervisory authority, the user is also entitled to an effective judicial remedy:

• against the supervisory authority, in accordance with Article 78 GDPR, before the competent national courts;
• against the Controller or the data processor, in accordance with Article 79 GDPR, before the competent courts at the user’s habitual residence or place of work, in accordance with Regulation (EU) 1215/2012 (“Brussels I bis”), Articles 17 to 19.

The user is also entitled to claim compensation for any material or non-material damage suffered as a result of unlawful processing, in accordance with Article 82 GDPR. The complaint to the supervisory authority and the judicial remedy may be exercised alternatively or cumulatively.

10. Updates and supplementary information

The Controller reserves the right to amend this Cookie Policy at any time, in order to adapt it to legislative developments, case-law developments, decisions of the supervisory authorities, technological developments or changes in the tools used by the Site.

Any material amendment will be communicated through a notice published on the Site with reasonable notice prior to the entry into force of the new provisions. In the event of the introduction of new cookies requiring user consent or of a change in the purposes of processing requiring new consent, the Controller will invite the user to give his new consent in accordance with the applicable rules.

It is recommended to consult this Cookie Policy regularly, by checking the “Last updated” date indicated above, which provides the time of the last amendment.

For all supplementary information on personal data processed through the Site, including processing purposes, legal bases, recipients, retention periods and rights of the data subject, reference is made to the Privacy Policy of the Site, which complements this Cookie Policy.

For any question, request or communication relating to this Cookie Policy, the user may contact the Controller at the following address:

ESPACE ECOMMERCE FRANCE SARL

• Postal address: 16 rue Cuvier, 69006 Lyon (France)
• Email: info@justbob.shop
• Telephone: +44 2030514261 (Monday to Friday, 10:00 to 17:00 CET, excluding public holidays)
• Website: www.justbob.shop

Last updated: 30 April 2026