Privacy Policy

Last updated: {{6 March 2026}}

1. Who We Are and How to Contact Us

This Privacy Policy explains how Manor & Maker SAS ("we", "us", "the Operator") collects, uses, and protects personal data in connection with the operation of the AtelierBound platform (the "Platform"). AtelierBound is a listing directory and enquiry platform for retreats and workshops in art, craft, writing, and culinary disciplines.

The data controller for the purposes of the General Data Protection Regulation (GDPR) is:

Manor & Maker SAS SIREN 985 232 529 Dordogne, France info@atelierbound.com

If you have any questions about how your personal data is handled, or wish to exercise your rights under the GDPR, please contact us at the address above.

2. Who This Policy Applies To

This Privacy Policy applies to:

  • Guests — individuals who create an account on the Platform to browse listings and contact hosts
  • Hosts — retreat and workshop providers who create an account and pay a subscription to list on the Platform
  • Visitors — individuals who browse the Platform without creating an account (see Section 7 for how visitor browsing is measured)

References to "you" throughout this Policy apply to any of the above categories as relevant.

3. What Personal Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Name
  • Email address
  • Account type (guest or host)
  • Password (stored in hashed form; we do not have access to your plain-text password)
  • Profile details you choose to provide (optional)

3.2 Host Listing Data

When a host creates a listing, we collect the information provided in the listing, which may include:

  • Business or trading name, contact details, and location
  • Retreat or workshop descriptions, pricing, and images
  • Billing name and address, for the purpose of issuing subscription invoices

3.3 Invoicing Data (Hosts Only)

AtelierBound does not process payments on-platform. Hosts are invoiced directly by Manor & Maker SAS for their listing fees. No payment card data is collected or stored by the Operator or the Platform. Payment is made by the host in response to an invoice issued by the Operator, using the host's preferred payment method outside of the Platform. The Operator retains invoice records, including billing name, address, and transaction amounts, in accordance with French accounting law.

3.4 Communications Data

When you use the Platform's on-platform messaging system, we hold records of messages sent between guests and hosts. These records are held within the Platform's infrastructure (provided by Sharetribe Oy, as described in Section 6) and are not used for any purpose other than facilitating your use of the messaging feature.

3.5 Pre-Launch Sign-Up Data

Prior to the Platform's public launch, we offer a guest sign-up option for individuals who wish to be notified when the Platform goes live. For this purpose, we collect only an email address and consent to notification. No other data is collected at this stage.

3.6 Usage Data

We use Plausible Analytics, a cookieless and privacy-first analytics service operated by Plausible Analytics OÜ (Estonia), to collect aggregate information about how visitors use the Platform. Plausible does not use cookies, does not collect any personally identifiable information, and does not track users across websites. Data is collected at an aggregate level only: page views, referrer sources, and device type.

3.7 Data We Do Not Collect

We do not collect or process payment card data or banking information from hosts or guests. Host subscription fees are settled via direct invoice outside the Platform. Payments between guests and hosts for retreat bookings take place entirely off-platform, directly between guest and host. The Operator is not involved in or privy to those transactions.

4. Lawful Basis for Processing

We process personal data on the following lawful bases under Article 6 of the GDPR:

Account creation and management Lawful basis: Contract (Art. 6(1)(b)). Data: account data. Retention: duration of account plus 2 years.

On-platform messaging Lawful basis: Contract (Art. 6(1)(b)). Data: communications data. Retention: duration of account plus 12 months.

Subscription invoicing Lawful basis: Legal obligation (Art. 6(1)(c)). Data: host billing name, address, and invoice records. Retention: 10 years (French accounting law, Code de commerce article L123-22).

Transactional emails (account confirmation, listing live notification, renewal reminders) Lawful basis: Contract (Art. 6(1)(b)). Data: email address and name. Retention: duration of account plus 12 months.

Platform automations via Zapier (where applicable) Lawful basis: Contract (Art. 6(1)(b)) or Legitimate interest (Art. 6(1)(f)), depending on the specific automation. Data: limited to the data necessary for each automation workflow, which may include account data and email address. Retention: as per the underlying processing purpose. We will update this Policy as specific automations are deployed.

Pre-launch notification sign-up Lawful basis: Consent (Art. 6(1)(a)). Data: email address. Retention: until notified or until consent is withdrawn, whichever is earlier.

Aggregate usage analytics Lawful basis: Legitimate interest (Art. 6(1)(f)). Data: no personal data collected by Plausible. Retention: aggregate data only.

Advertising and conversion tracking via Meta Pixel and Google Ads tags (forthcoming) Lawful basis: Consent (Art. 6(1)(a)). Data: browsing behaviour data collected by Meta and Google via their respective tracking technologies, activated only after visitor consent is given via the Tarteaucitron consent tool. Retention: as per Meta's and Google's own data retention policies, which govern data processed under their independent controller status. This entry will be updated when advertising is live.

Where we rely on your consent, you have the right to withdraw it at any time by contacting us at info@atelierbound.com or by using the unsubscribe link in any email we send. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

5. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

  • To create and maintain your account on the Platform
  • To enable you to create and manage listings (hosts) or to browse and make enquiries (guests)
  • To facilitate on-platform messaging between guests and hosts
  • To issue subscription invoices to hosts and maintain records of those transactions in accordance with our legal obligations
  • To send you transactional communications, including account confirmation, listing approval notifications, enquiry confirmations, and subscription renewal reminders
  • To send pre-launch notifications to users who have signed up to be informed of the Platform's launch (with consent, and solely for that purpose)
  • To automate operational workflows via Zapier where this improves the reliability or speed of the service
  • To monitor and improve the Platform's performance using aggregate, anonymised usage data
  • To comply with our legal obligations under applicable French and EU law

We do not use your personal data for automated decision-making or profiling. We do not sell your personal data to any third party.

6. Third-Party Processors and Service Providers

We use the following third-party service providers to operate the Platform. Where a provider is based outside the European Economic Area, the legal mechanism for the international transfer of personal data is noted. See Section 8 for further detail on international transfers.

Sharetribe Oy — Finland (EU) Role: Platform infrastructure. Processes account data, listing data, and messaging data. Hosted on EU servers. Operates as a data processor under a data processing agreement.

Brevo (Sendinblue) — France (EU) Role: Transactional email. Processes email addresses and names to send account and listing notifications. No marketing use. Operates under a data processing agreement.

Plausible Analytics OÜ — Estonia (EU) Role: Web analytics. Collects no personal data. Cookieless and aggregated analytics only.

Infomaniak Network SA — Switzerland Role: Business email hosting for the Operator's internal correspondence only. Switzerland holds an adequacy decision from the European Commission; no additional safeguards are required for this transfer.

Tarteaucitron — France (EU) Role: Cookie consent management (forthcoming). Tarteaucitron is being deployed to manage visitor consent for non-essential cookies prior to the introduction of advertising cookies on the Platform. Tarteaucitron itself collects no personal data; it manages user consent preferences locally in the browser. This Policy will be updated when Tarteaucitron is live.

Meta Platforms Ireland Ltd — Ireland (EU), with infrastructure in the United States (forthcoming) Role: Advertising and conversion tracking via the Meta Pixel. When deployed, the Meta Pixel will only be activated following explicit visitor consent via the Tarteaucitron consent tool. The Meta Pixel may collect browsing behaviour data for the purpose of measuring advertising performance and enabling interest-based advertising on Meta platforms (Facebook and Instagram). Meta Platforms Ireland Ltd operates as an independent data controller for the data it collects via the Pixel. For further information, see Meta's Privacy Policy at https://www.facebook.com/privacy/policy. Transfer mechanism: Standard Contractual Clauses (EU–US) for any data processed on US infrastructure.

Google Ireland Ltd — Ireland (EU), with infrastructure in the United States (forthcoming) Role: Advertising and conversion tracking via Google Ads tags. When deployed, Google Ads tracking will only be activated following explicit visitor consent via the Tarteaucitron consent tool. Google Ads tags may collect browsing behaviour data for the purpose of measuring advertising performance and enabling interest-based advertising on Google platforms. Google Ireland Ltd operates as an independent data controller for the data it collects via its tags. For further information, see Google's Privacy Policy at https://policies.google.com/privacy. Transfer mechanism: Standard Contractual Clauses (EU–US) for any data processed on US infrastructure.

Wix.com Ltd — Israel (with infrastructure in the United States) Role: Domain registration and DNS management. Wix holds the domain registration record for atelierbound.com and manages DNS routing. In the course of providing this service, Wix may process limited technical data, including IP addresses. Wix is subject to Israeli data protection law; Israel holds an adequacy decision from the European Commission. Wix's infrastructure providers in the United States are covered by Standard Contractual Clauses. Transfer mechanism: adequacy decision (Israel) and Standard Contractual Clauses (US infrastructure).

Zapier, Inc. — United States Role: Workflow automation between Platform services. Zapier may process account data and email addresses as part of automated operational workflows (for example, triggering a welcome email sequence when a new host account is created). We limit the data passed through Zapier to the minimum necessary for each workflow. Zapier does not use this data for any purpose beyond executing the automation. Transfer mechanism: Standard Contractual Clauses (EU–US), as published in Zapier's Data Processing Agreement.

7. Cookies

AtelierBound currently uses a minimal cookie footprint. Our analytics provider, Plausible Analytics, is cookieless: it collects no personally identifiable information and sets no cookies on your device.

Cookies currently set by the Platform include:

  • Session cookies — strictly necessary, used to keep you logged in during a session. Deleted when you close your browser. No consent is required for strictly necessary cookies.
  • Preference cookies — may be used to remember your language or display preferences. These are functional and do not require consent.
  • Wix technical cookies — Wix may set cookies in connection with DNS and infrastructure operations. These are technical and functional in nature.

Forthcoming: advertising cookies and consent management

We intend to introduce paid advertising on Google and Meta platforms in the near term. Before any advertising tags or tracking pixels are deployed, we will install Tarteaucitron, a French open-source consent management tool, to manage visitor consent. Advertising cookies will only be set on your device after you have actively given consent via the consent banner displayed on your first visit to the Platform. The default state will be no consent; no advertising cookie will fire until you choose to accept.

When advertising cookies are active, the following categories will apply:

  • Advertising and conversion tracking cookies (Meta Pixel) — used to measure the performance of advertising campaigns on Facebook and Instagram, and to enable interest-based advertising. Active only with consent.
  • Advertising and conversion tracking cookies (Google Ads) — used to measure the performance of advertising campaigns on Google platforms. Active only with consent.

You will be able to accept or decline each category independently, and to update your preferences at any time via the cookie settings link in the Platform's footer. This section will be updated when the consent tool and advertising tags are live.

The Platform does not currently use advertising cookies, tracking pixels, or cookies associated with third-party advertising networks.

8. International Transfers of Personal Data

Some of the service providers we use are based outside the European Economic Area (EEA), or process data using infrastructure located outside the EEA. This means that personal data may be transferred to countries that do not have the same level of data protection law as EU member states.

Where such transfers occur, we ensure that appropriate safeguards are in place, as required by Chapter V of the GDPR. The safeguards we rely on are as follows:

Adequacy decision — transfers to Switzerland (Infomaniak) and Israel (Wix) are made on the basis of adequacy decisions granted by the European Commission, which recognise those countries as providing an essentially equivalent level of data protection.

Standard Contractual Clauses (SCCs) — transfers to the United States (Zapier, Wix's US infrastructure, and forthcoming Meta and Google advertising infrastructure) are made on the basis of the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914). Each of these providers has published SCCs or a Data Processing Agreement incorporating SCCs as part of their compliance documentation.

You may request a copy of the relevant safeguards by contacting us at info@atelierbound.com.

9. Data Retention

We retain personal data for no longer than is necessary for the purposes for which it was collected, and in accordance with our legal obligations:

  • Account data — retained for the duration of your account, plus two years following account closure or last activity
  • On-platform messages — retained for the duration of the relevant accounts, plus 12 months following account closure
  • Host invoicing and billing data — retained for 10 years in compliance with French accounting law (Code de commerce, article L123-22)
  • Pre-launch sign-up email addresses — retained until the notification has been sent, or until consent is withdrawn, whichever is earlier
  • Analytics data — no personal data is collected or retained by Plausible
  • Zapier automation logs — retained for the minimum period required by Zapier's standard log retention, currently 30 days, after which logs are deleted automatically

When data is no longer required, it is deleted or anonymised. Where deletion is not technically immediate, data is marked as inactive and not accessible to Platform users or third parties.

10. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access (Article 15) — you may request a copy of the personal data we hold about you
  • Right to rectification (Article 16) — you may request that inaccurate or incomplete data be corrected
  • Right to erasure (Article 17) — in certain circumstances, you may request that your personal data be deleted
  • Right to restriction of processing (Article 18) — in certain circumstances, you may request that we restrict the processing of your data
  • Right to data portability (Article 20) — where processing is based on your consent or a contract, you may request your data in a structured, machine-readable format
  • Right to object (Article 21) — you may object to processing based on legitimate interest at any time
  • Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at info@atelierbound.com. We will respond within one month. In complex cases, we may extend this period by a further two months, but we will inform you of any extension within the first month.

You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection supervisory authority, at www.cnil.fr, or with the supervisory authority in your country of residence if you are located in another EU member state.

11. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These measures include:

  • Password hashing — user passwords are stored in hashed form and are never held in plain text
  • HTTPS encryption — all data transmitted between your device and the Platform is encrypted in transit using TLS
  • Access controls — access to personal data is restricted to those with a legitimate operational need
  • No payment data storage — the Operator does not collect or store payment card data at any point; host subscription fees are settled via direct invoice

No method of data transmission or storage is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with Articles 33 and 34 of the GDPR.

12. Children's Data

AtelierBound is not directed at children under the age of 18 and we do not knowingly collect personal data from children. If we become aware that data has been submitted by a person under 18 without appropriate consent, we will delete that data promptly. If you believe we have inadvertently collected data about a child, please contact us at info@atelierbound.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data processing activities, or the Platform's features. Where changes are material, we will notify you by email or by a prominent notice on the Platform before the changes take effect. The date at the top of this Policy indicates when it was last updated.

Continued use of the Platform after notification of changes constitutes acceptance of the updated Policy.

14. Contact and Supervisory Authority

For any privacy-related queries, requests, or complaints, please contact:

Manor & Maker SAS Trading as AtelierBound SIREN 985 232 529 Dordogne, France info@atelierbound.com

You also have the right to submit a complaint directly to the CNIL:

Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 www.cnil.fr