Privacy Policy
Shabestan — Our commitment to protecting your personal data
Last updated: May 5, 2026
This Privacy Policy describes how [Company Name — e.g. SHABESTAN SARL] (hereinafter “Shabestan”, “we” or “the Restaurant”) collects, uses and protects the personal data of visitors and users of the website accessible at https://shabestan.webflow.io/ (hereinafter the “Site”).
True to the art of hospitality that inspires our house, we give the privacy of your information the same care as the experience we offer you at our tables. The purpose of this document is to inform you, transparently, of the processing carried out on your personal data, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) and amended French Law no. 78-17 of 6 January 1978, known as the “French Data Protection Act”.
1. Data Controller
The controller of personal data collected through the Site is:
- Company name: [Company name]
- Legal form and share capital: [Legal form — e.g. SARL with €X share capital]
- Registered office: [Full registered address]
- RCS / SIRET number: [Registration number]
- Intra-EU VAT number: [VAT number]
- Email: [address@shabestan.fr]
- Phone: [Phone number]
- Legal representative: [Name and title of the legal representative]
2. Data Protection Officer (DPO)
For any question relating to the processing of your personal data or to exercise your rights, you can contact our data protection contact:
- Name of the DPO or contact: [Name and surname — if applicable]
- Postal address: [DPO’s postal address]
- Email: [dpo@shabestan.fr]
While the appointment of a Data Protection Officer is not mandatory for our activity, an internal contact remains at your disposal to handle any request relating to your data.
3. Personal data collected
When you browse the Site and deal with the Restaurant, we may collect the following categories of data:
3.1 Data you provide directly
- Identification data: last name, first name, title.
- Contact details: email address, phone number, postal address where applicable.
- Booking data: date and time of visit, number of guests, special requests (allergies, special occasion, table preferences).
- Data relating to your enquiries and messages sent via the contact form.
- Any private hire or private event data: type of event, indicative budget, specific requirements.
- Data relating to your newsletter subscription (where applicable).
3.2 Data collected automatically
- Connection and browsing data: IP address, browser type and version, operating system, pages viewed, visit duration, referral source.
- Data relating to cookies and trackers (see Article 8 below).
No “sensitive” data (origin, political opinions, health, etc.) is knowingly collected by the Site. If you spontaneously share information about your dietary restrictions or allergies during a booking, it is processed solely for your safety and comfort, with your express consent, and is deleted at the end of the service.
4. Purposes and legal bases of processing
Your data is processed for the following specific, explicit and legitimate purposes:
- Managing table bookings and private hire enquiries — legal basis: performance of pre-contractual or contractual measures (Article 6.1.b of the GDPR).
- Responding to enquiries submitted via the contact form or by email — legal basis: legitimate interest (Article 6.1.f of the GDPR).
- Sending our newsletter and marketing communications — legal basis: consent of the data subject (Article 6.1.a of the GDPR).
- Improving the Site, audience statistics and performance analysis — legal basis: consent for non-essential cookies, legitimate interest for anonymised statistics.
- Compliance with our legal and regulatory obligations (accounting, anti-fraud, record-keeping) — legal basis: legal obligation (Article 6.1.c of the GDPR).
- Site security and prevention of malicious acts — legal basis: legitimate interest.
5. Recipients of your data
Access to your personal data is strictly limited to authorised personnel within [Company name] and, where applicable, to subcontractor service providers acting on our behalf. These recipients include in particular:
- Authorised Restaurant staff: reservations team, management, sales and events department.
- Our online booking provider: [Provider name — e.g. SevenRooms, TheFork, etc.].
- Our hosting and Site development provider: Webflow, Inc.
- Our email and newsletter provider: [Provider name — e.g. Mailchimp, Brevo].
- Our audience analytics tools: [Provider name — e.g. Google Analytics, Plausible].
- Competent administrative or judicial authorities, where required by law.
All our subcontractors are carefully selected and provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures within the meaning of Article 28 of the GDPR. A Data Processing Agreement (DPA) governs their involvement.
6. Data transfers outside the European Union
Some of our technical providers (notably Webflow, Google or other marketing tools) may process your data outside the European Economic Area. In such cases, we ensure that these transfers are covered by appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR, including:
- An adequacy decision by the European Commission, where applicable;
- Standard contractual clauses adopted by the European Commission;
- Or any other safeguard provided for by the GDPR.
You can obtain a copy of these safeguards by sending a request using the contact details given in Article 13 of this policy.
7. Data retention periods
We retain your personal data only for as long as necessary for the purposes for which it was collected, in compliance with applicable legal retention periods:
- Reservation data: 3 years from the last visit, for customer relationship purposes.
- Prospect data (contact form, quote request): 3 years from the last contact from you.
- Newsletter subscriber data: until consent is withdrawn, and at most 3 years after the last engagement.
- Accounting data and invoices: 10 years, in accordance with the legal obligations of the French Commercial Code.
- Connection data and technical logs: 12 months maximum, in accordance with applicable regulations.
- Cookies: 13 months maximum, in line with CNIL recommendations.
At the end of these periods, your data is irreversibly deleted or anonymised.
8. Cookies and trackers
The Site uses cookies and other trackers to ensure its proper operation, measure its audience and, where applicable, offer you tailored content. A cookie is a small file placed on your device during your browsing.
8.1 Categories of cookies used
- Strictly necessary cookies: essential to the operation of the Site, they do not require your consent (security, remembering your cookie preferences, session management).
- Audience measurement cookies: these allow us to analyse Site traffic and improve its usability. These cookies require your consent, except when configured to respect CNIL exemptions.
- Personalisation and social sharing cookies: these enrich the user experience, particularly through the integration of third-party content (Instagram, YouTube, Google Maps). These cookies require your prior consent.
- Marketing or advertising cookies: used, where applicable, to send targeted communications. They require your express consent.
8.2 Managing your consent
On your first visit to the Site, an information banner allows you to accept, decline or customise the placement of cookies. You can change your preferences at any time via the “Manage my cookies” link accessible in the Site’s footer.
You can also configure your browser to block or delete cookies. However, blocking strictly necessary cookies may cause parts of the Site to malfunction.
9. Data security
We implement appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of your personal data, including:
- Encryption of communications via the HTTPS protocol;
- Limiting access to authorised personnel only, bound by a duty of confidentiality;
- Rigorous selection of providers offering high technical guarantees;
- Regular backups and security incident management procedures.
Despite these measures, no transmission over the Internet can be guaranteed entirely secure. We undertake to notify you, and the CNIL where applicable, of any data breach likely to result in a high risk to your rights and freedoms, under the conditions provided for by the GDPR.
10. Your rights
In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:
- Right of access: obtain confirmation that your data is being processed and receive a copy.
- Right to rectification: request the correction of inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): request the deletion of your data under the conditions provided for by law.
- Right to restriction of processing: request the temporary suspension of certain processing.
- Right to object: object, on grounds relating to your particular situation, to processing based on legitimate interest, as well as to any commercial prospecting.
- Right to data portability: receive, in a structured and commonly used format, the data you have provided to us.
- Right to withdraw consent: withdraw your consent at any time, where processing is based on it.
- Right to define post-mortem directives: define directives regarding the fate of your data after your death.
To exercise these rights, you can send your request by email to [address@shabestan.fr] or by post to the address mentioned in Article 1, attaching proof of identity in case of reasonable doubt about your identity. A reply will be provided within one month of receiving your request.
11. Complaint to the supervisory authority
If, after contacting us, you believe that your rights are not being respected, you can lodge a complaint with the French data protection authority (CNIL):
- Postal address: 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07.
- Phone: 01 53 73 22 22.
- Website: www.cnil.fr.
12. Changes to this policy
This Privacy Policy may evolve to reflect legal, regulatory, judicial or technical changes. Any substantial change will be brought to your attention by a visible notice on the Site or, where applicable, by individual notification. We invite you to regularly consult the current version, whose date is indicated at the top of this document.
13. Contact
For any question relating to this Privacy Policy or the processing of your personal data, you can contact us:
- By email: contact@shabestan.paris
- By post: [Full Restaurant address]
- By phone: [Phone number]
Shabestan thanks you for the trust you place in us. It is in this same spirit of hospitality, discretion and respect that we take care of your data as we take care of our guests.