Personal Data Protection

Last updated: September 12, 2025

The protection of our customers’ personal data is at the heart of our concerns.

This document applies to the data we collect online on our websites and mobile applications, through our Reservation Center, as well as the data we collect offline in MMV establishments or during events.

We wish to provide you with all the necessary information to help you understand how your data is used:

Who is responsible for the use of your data?
With whom is your data shared?
When is your personal data collected?
What data do we collect?
How do we use your data and how long do we keep it?
Are there specific measures for children?
Where is your personal data stored?
How is your data secured?
What rights do you have regarding your data?

Any questions? Contact us!

Who is responsible for the use of your data?

When you book and/or access our services, your personal data is processed by MMV, a simplified joint-stock company with capital of €4.44 million, registered with the Antibes Trade and Companies Register under number 411 926 892 –
51 Avenue France d'Outremer – BP39 – 06701 Saint Laurent du Var Cedex – France.

With whom is your data shared?

Your data may be shared with recipients outside MMV:

Technical service providers whose intervention is necessary for the processing mentioned below (IT providers, payment providers, etc.), in order to process your orders and improve our services, strictly within the limits of our instructions.

Your data is hosted by the following providers:

- Septeo

- Selligent

- Moneweb

- LoungeUp

Trusted partners (identified on our website) who offer related products and services on our website or through our Reservation Center. For example, if you purchase products or services provided by third parties on our websites such as Assurinco, Skiset, or companies providing ski lift passes.
Commercial partners As part of certain communications, we may offer you the opportunity to receive offers or news from our partners, without your personal data being shared with them. Your explicit consent (opt-in) only authorises us to send you, on our behalf, communications relating to these partners. The list of relevant partners can be found below. It includes entities belonging to the Compagnie des Alpes group, to which our establishment is affiliated. This list may change over time. You may withdraw your consent at any time, in accordance with the terms set out in this policy.

Futuroscope (Société du Parc du Futuroscope)
Parc Astérix (Grévin et Compagnie)
Walibi Rhône-Alpes (Avenir Land)

Walibi Holland
Walibi Belgium & Aqualibi Belgium (Belpark)
Bellewaerde Park & Bellewaerde Aquapark (Belpark)
Grévin Paris (Musée Grévin)
France Miniature

Family Park
Chaplin’s World (By Grévin)
Belantis (Event Park)
Urban Soccer
Urban Padel
MMV
Travelski (Travel Factory)

Yoonly (Djay)
Mountain Collection (Mountain Collection Immobilier)
Terrésens
Evolution 2 (CDA Evolution 2)
ADS Domaine de Montagne Les Arcs / Peisey-Vallandry (ADS)

Domaine de La Plagne (Société d’Aménagement de la Plagne)
Tignes Domaine Skiable (Société des Téléphériques de la Grande Motte)
Val d’Isère Téléphérique (Société des Téléphériques de Val d’Isère)
Domaine Skiable des Menuires – Saint Martin (Société des Téléphériques de la Vallée des Belleville)

Méribel Alpina
Serre Chevalier Vallée (SCV Domaine Skiable)
Grand Massif Domain (GMDS) – Flaine, Morillon, Samoëns, Sixt-Fer-à-Cheval

Pralognan Mountain Resort

However, MMV is not responsible for how these third parties use your personal data when such use is permitted for their own purposes. We invite you to consult the privacy policies of the third-party companies from whom you have purchased additional services (insurance, ski lifts, etc.).
Only if you expressly consent, your data may also be shared with our partners so that you can receive promotional offers and special deals by email (for example tourism offices). The list of partners will be provided when your consent is requested.
Where required by law, your data may be shared with national or local authorities in the context of investigations or legal obligations.

When is your personal data collected?

We may collect your personal data in different situations:

Online

On our website or mobile application when you:

- book stays

- subscribe to newsletters

- log in to your account

- use our digital services

In our establishments

When you use our facilities alone or with family members:

- reception check-in

- activity registration

- use of public Wi-Fi

- video surveillance

During interactions with you

When you:

- open or reply to newsletters

- participate in satisfaction surveys or competitions

- contact customer service to make a complaint

- contact us via email, telephone, online chat, or social media

Through our partners

When you access our services via an intermediary (for example travel agencies or partner distributors).

What data do we collect?

We only collect the data strictly necessary for its intended use.

Depending on your activity on our website, in our establishments, or when booking a stay through our Reservation Center, we may collect:

- Information necessary to create your customer account (last name, first name, email address, date of birth, postal address, phone number)

- Postal address

- Phone number

- Date of birth

- Passport or identity card for bookings in our establishments

If necessary, and depending on the product purchased, the names and email addresses of relatives for groups or family bookings

Browsing data on our website and mobile application (see our cookie policy for more details)

How do we use your data and how long do we keep it?

Once the retention periods listed below have expired, we delete the data from our systems or anonymize it so that you can no longer be identified.

Processing	Legal basis	Data retention period
Customer account	Contract performance	While your customer account is active and up to 2 years after the last login.
Processing of stay bookings (accommodation, ski passes, ski equipment rental, etc.)	Contract performance	For online purchases: 5 years from the purchase date if the order amount is less than €120; 10 years if the amount is €120 or more (and 5 years for transactions at reception desks). Bank card data is kept 13 months after the last debit for dispute evidence (15 months for deferred debit cards). The security code is not stored beyond the transaction.
Stay in establishments (room access, VIP services)	Contract performance	For the duration of your stay.
Stay in establishments – police registration form retention	Legal obligation	6 months.
Personalization of welcome services in establishments	Legitimate interest (managing our activities and providing requested services)	For the duration of your stay.
Satisfaction surveys	Legitimate interest	For the time necessary to achieve the survey objective, then anonymized.
Competitions / prize draws	Execution of the game	6 months after the end of the competition.
Sending newsletters / marketing campaigns by email or SMS	Consent or legitimate interest (if you are a professional client or have purchased a product on our website or mobile application)	Until consent is withdrawn or according to marketing communication rules.
Abandoned cart reminders	Consent to cookies (provided the user has not opted out of marketing emails)	1 day after order validation.
Processing complaints and after-sales service	Contract performance	5 years after the complaint has been resolved.
Statistical analysis	Legitimate interest	For the time necessary to achieve the statistical objective, then anonymized.
Navigation personalization / profiling	Consent	13 months.
Use of public Wi-Fi provided in establishments	Legal obligation	1 year (technical connection data retention).
Recording customer service phone calls	Legitimate interest	Calls are recorded randomly and kept for 6 months.
Services in the mobile application	Contract performance	For the duration of the use of the mobile application (data stored only on the user’s device).
Video surveillance	Legitimate interest	30 days after image recording.
Image rights authorization	Contract performance	5 years after the end of the authorization period.
Exercise of GDPR rights	Legal obligation	10 years after the request is closed (identity documents deleted once verification is completed).
Dispute management	Legitimate interest	Until all legal remedies have been exhausted.
Job applications	Legitimate interest	2 years after data collection for unsuccessful applications.

Are there specific measures for children?

Although family activities are central to our services, we do not carry out data processing specifically directed at children.

If a person under 15 years old uses our services, we recommend that they do so accompanied by an adult. Parental or legal guardian consent may be requested when their personal data is collected.

Where is your data stored?

All personal data is stored exclusively on servers located within the European Union.

However, even though the data is hosted in the EU, it may be accessible from third countries when we use technical service providers such as AWS, Microsoft, or Google, which are based in the United States.

These accesses are considered data transfers but are necessary for the proper functioning and maintenance of the IT tools they provide.

We ensure that such providers protect your data in accordance with European regulations. Contracts are systematically signed with them, and transfers are governed by Standard Contractual Clauses (SCCs) issued by the European Commission when the destination country does not provide equivalent protection to the GDPR.

Additional technical or legal safeguards may also be implemented.

How is your data secured?

The security of your personal data is a priority.

To preserve confidentiality and protect against unlawful or accidental destruction, loss, alteration, unauthorized disclosure, or access, MMV implements appropriate technical and organizational measures and requires the same level of protection from its subcontractors.

These measures are adapted according to the sensitivity of the data and the level of risk.

MMV has procedures to detect, analyze, and track security incidents or suspected personal data breaches and can block access to data at any time.

Access authorization procedures are also implemented to ensure that access to data is strictly limited.

If you believe you have discovered a vulnerability, you may report it through the vulnerability disclosure form mentioned on our website.

What rights do you have regarding your data?

You have several rights regarding your personal data:

Right to object: stop receiving marketing communications, object to profiling decisions, or withdraw consent.
Right to rectification: update inaccurate data (for example after moving or changing email address).
Right of access: obtain a readable copy of all personal data concerning you.
Right to erasure: request deletion of your account and personal data (except for legally required accounting or legal records).
Right to restriction: temporarily block the use of your data in case of disputes.
Right to data portability: receive certain data so that you can reuse or transfer it elsewhere.

Our contact details are provided below to exercise these rights.

Any questions? Contact us!

Do you have a question? Would you like to stop receiving our newsletters or delete your account?

We have appointed a Data Protection Officer (DPO) responsible for answering your questions and ensuring the protection of your personal data.

You may contact them:

By completing the dedicated form (your request will be processed within one month)

By email: dpo@mmv.fr

By post:
Compagnie des Alpes
Data Protection Department
52 Boulevard Haussmann
75009 Paris – France

If there is serious doubt about your identity, you may be asked to provide proof of identity solely to ensure that we are responding to the correct person.

If you consider our response insufficient despite our efforts, you may contact the French data protection authority (CNIL):
https://www.cnil.fr/fr