Data privacy

For KRESUS TECHNOLOGIES, the protection of Users' personal data is of utmost importance. KRESUS TECHNOLOGIES is committed to implementing appropriate measures to ensure the protection, confidentiality, and security of Users' personal data, in accordance with the applicable European regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), as well as French regulations, including national laws implementing the GDPR.

This privacy policy (the "Policy") aims to inform and enlighten Users about the purposes of the collection and processing of their personal data by KRESUS TECHNOLOGIES, acting as the data controller. Therefore, Users are encouraged to read this Policy carefully, print it, and keep a copy. By using the Solution, the User accepts all provisions included in this Policy regarding the collection and processing of their data for the purposes detailed below. Users provide their personal data in digital format when using the Solution.

‍

1. Categories of Personal Data Collected

No sensitive data is collected or processed by KRESUS TECHNOLOGIES. The User data that KRESUS TECHNOLOGIES may collect and process may include (without limitation) the following:

a) Identity: title, last name, first name, company name, address, telephone number (landline and/or mobile), fax number, email addresses, internal processing code allowing customer identification (this internal processing code cannot be a national identification number, bank card number, or identity document number). A copy of an identity document may be kept as proof of the exercise of a right of access, rectification, or objection, or to comply with a legal obligation.

b) Payment details: billing email address, billing address, postal or bank account details, check number, bank card number, card expiration date, CVV code (the latter is not stored in compliance with applicable regulations).

c) Transaction data: transaction number, details of purchases, subscriptions, goods, or services subscribed.

d) Family, economic, and financial situation: marital status, household size, number and age of children, profession, business sector, socio-professional category, presence of pets.

e) Data related to commercial relationship tracking: requests for documentation, trial requests, purchased products, subscribed services or subscriptions, quantity, amount, frequency, delivery address, purchase and service history, product returns, source of sale (seller, representative, partner, affiliate), customer service and support interactions, customer and prospect exchanges and comments, individuals responsible for customer relations.

f) Invoice payment details: payment methods, discounts granted, receipts, balances, and unpaid amounts not leading to exclusion from a right, service, or contract subject to authorization by the Commission as per Article 25-I-4° of the amended Law of January 6, 1978.

g) Data necessary for loyalty, prospecting, study, survey, product testing, and promotional actions, where selection is based solely on the analysis of the data listed above.

h) Data related to contests, lotteries, and promotional activities: participation date, responses to contests, and nature of prizes awarded.

i) Data related to user contributions in the form of product, service, or content reviews, including their username.

j) Data collected through actions referenced in Article 32-II of the amended Law of January 6, 1978.

‍

2. Principles Applicable to the Collection and Processing of Personal Data

Legal Basis for the Collection and Processing of Personal DataUsers' personal data is processed by KRESUS TECHNOLOGIES under the following circumstances:

• Obtaining free, specific, informed, and unambiguous consent from the User (or their legal representative in the case of minors or incapacity) for the processing of their personal data;
• Collection of personal data necessary to fulfill the User's request;
• Compliance with legal and/or regulatory obligations imposed on KRESUS TECHNOLOGIES (such as fraud and corruption prevention);
• Protection of KRESUS TECHNOLOGIES' legitimate interests (such as securing its IT network).

User Navigation Data Applicable to Personal Data Collection and ProcessingDuring the use of the Solution or related services, certain data is collected automatically, such as IP address, browser software references, browsing data (date, time, viewed content, search terms, etc.), and operating system references.

Among the technologies used to collect Users' personal data to improve service quality and better meet their expectations, KRESUS TECHNOLOGIES may use cookies and trackers, as well as "php" sessions or equivalents, which store data using a unique session identifier. These sessions retain such data during Users' navigation. The collected navigation data is deleted when the session is closed by the User or, if applicable, within a maximum of 13 months from their collection.

Purposes of Collecting and Processing Personal DataUsers can use the Solution without necessarily providing personal data to KRESUS TECHNOLOGIES. However, KRESUS TECHNOLOGIES collects and processes Users' data for the following purposes:

1. To execute the mission entrusted by the User, a customer of KRESUS TECHNOLOGIES, as part of the fulfillment of the offer.
2. To improve the Solution and/or KRESUS TECHNOLOGIES' commercial offers, including surveys, studies, and outreach efforts.
3. For billing purposes and communication with the Payment Intermediary (as defined in the Solution's general terms of use) for Subscription payments.
4. To send newsletters, informational or commercial alerts, and KRESUS TECHNOLOGIES news to interested Users.
5. To respond to inquiries via online contact forms.
6. To process job applications (personal data collected: name, first name, email, phone number, CV, and cover letter if attached).
7. To publish on the Solution and/or social networks and/or other communication channels Users' comments and/or reviews regarding the Solution and/or KRESUS TECHNOLOGIES.
8. For any measure or project aimed at enhancing Users' interests or improving customer relationships and experiences.
9. To comply with applicable regulatory requirements.

Duration of retention of personal data. The duration of retention of Users' personal data depends on the purpose concerned. In this context, Users' personal data is kept for the time necessary to complete their request. In the absence of any achievement, personal data is deleted within the time limits recommended by the National Commission. Informatique et Libertés (CNIL), after a period of three years from their collection on the Solution, subject to:

- legal possibilities and obligations regarding archiving,

- obligations to retain certain data, for evidentiary purposes, and/or to anonymize them. The personal data of the User, customer of KRESUS TECHNOLOGIES, collected and processed, for the purposes of executing the offers, are kept for the duration necessary for the management of the contractual relationship.

By way of derogation, the personal data required to establish proof of a right or a contract are archived in accordance with legal provisions (5 or 10 years after the end of the commercial relationship depending on the case).

‍

3. Recipients of the personal data collected

The personal information collected is intended exclusively for KRESUS TECHNOLOGIES and will not be transferred or exchanged to third parties, other than for the purposes referred to in article 2 above, for the User who is a customer of KRESUS TECHNOLOGIES. As such, the billing data of the User who is a customer of KRESUS TECHNOLOGIES will be transmitted to the Payment Intermediary, for the purposes of payment of Subscriptions taken out or renewed by the latter. Only authorized personnel of the group and service providers of KRESUS TECHNOLOGIES may have access to the personal data collected and be required to process them, without prejudice to their possible transmission to the bodies responsible for a control or inspection mission in accordance with the legislation. and/or the regulations in force or for the purposes of responding to a judicial or administrative decision. Subject to their complete anonymization, KRESUS TECHNOLOGIES is entitled, in compliance with the textual provisions in force, to use the personal data of Users, in particular for statistical purposes, measurement, transfer and/or exchange to third parties.

‍

4. Transfer of personal data

The personal data of Users collected is hosted in France. As part of its use of affiliates or service providers located outside the European Union, KRESUS TECHNOLOGIES undertakes to verify that appropriate measures have been put in place so that Users' personal data benefits from an adequate level of protection.

‍

5. Protective measures put in place by KRESUS TECHNOLOGIES

KRESUS TECHNOLOGIES collects and processes Users’ personal data, in compliance with current regulations. When the disclosure of a User's personal data to third parties is necessary and authorized, KRESUS TECHNOLOGIES ensures that these third parties guarantee said personal data the same level of protection as that put in place by KRESUS TECHNOLOGIES. In this context, KRESUS TECHNOLOGIES asks each of its contractual partners for confirmation of compliance with the applicable regulations. KRESUS TECHNOLOGIES puts in place technical and organizational measures to ensure that the retention of Users' personal data is secure and for the period necessary for the exercise of the purposes pursued.

KRESUS TECHNOLOGIES draws Users' attention to the fact that no transmission or storage technology is completely infallible.

Also, in the event of a proven breach of Users' personal data, likely to create a high risk for the rights and freedoms of the latter, KRESUS TECHNOLOGIES will inform the competent supervisory authority of this violation in accordance with the terms provided for by the regulations in force. Users must exercise caution to prevent any unauthorized access to their personal data and in particular to their computer and digital terminals (computer, smartphone, tablet in particular).

‍

6. User Rights

In accordance with current regulations, Users have the following rights, subject to legal and regulatory limitations: Right to information on the collection and processing of personal data. KRESUS TECHNOLOGIES undertakes to make its best efforts to ensure that the information communicated to Users is accessible, precise and transparent on the conditions of collection and processing of their personal data. Right of access / right to erasure (“right to be forgotten”) / right of rectification / right of opposition / right to limitation of processing Any User may, at any time, access personal information concerning them held by KRESUS TECHNOLOGIES. He has the right to receive a copy in electronic form (for any additional copy, KRESUS TECHNOLOGIES will be entitled to require payment of fees based on the administrative costs incurred). Each User has the right to request the deletion and/or rectification of his personal data concerning him when it is erroneous or obsolete. KRESUS TECHNOLOGIES may retain certain personal data when required to do so by law or for legitimate reasons. Users may object at any time for legitimate reasons:

- the use of their personal data for direct marketing purposes, or

- the reuse of their personal data for processing other than those listed in article 2 above, except in the event of execution, by KRESUS TECHNOLOGIES, of one of its legal and/or regulatory obligations. Users have the right to request that the processing carried out on their personal data be limited to what is strictly necessary.

This right is applicable only:

- if the User concerned contests the accuracy of their personal data;

- if the User concerned justifies that the processing of their personal data is unlawful and requests a limitation of their use rather than erasure;

- if KRESUS TECHNOLOGIES no longer needs the personal data of the User concerned and these are still necessary for said User for the establishment, exercise or defense of legal rights;

- if the User concerned objects to the processing of their personal data based on the legitimate interest of the data controller, by justifying a superior legitimate interest.

Right to complain to a supervisory authority; Any User, who considers that the efforts made by KRESUS TECHNOLOGIES to preserve the protection of their personal data do not guarantee respect for their rights, has the possibility of lodging a complaint with the competent supervisory authority (CNIL or any other authority mentioned on the list available from the European Commission). Right to the portability of their personal data; Users benefit from a right to portability of their personal data, authorizing them to obtain from KRESUS TECHNOLOGIES said personal data concerning them, in a structured, commonly used and readable format. Users can in this context request that their personal data be transmitted to another data controller. Right to decide the fate of personal data following death Users also have the right to organize the fate of their personal data after their death by adopting general or specific directives that KRESUS TECHNOLOGIES undertakes to respect. In the absence of such directives, KRESUS TECHNOLOGIES recognizes the possibility for heirs to exercise certain rights, in particular the right of access if it is necessary for the settlement of the deceased's estate and the right of opposition. Exercise, by Users, of their rights To better respond to Users' requests, KRESUS TECHNOLOGIES has spontaneously appointed a delegate for the protection of their personal data ("DPO").

Also, in order to exercise their rights, any User can contact the designated DPO, using the following contact details: KRESUS TECHNOLOGIES 2O BOULEVARD EUGENE DERUELLE 69432 LYON CEDEX 3 (FRANCE) direction@kresus.eu To help them exercise their rights, KRESUS TECHNOLOGIES informs Users that the CNIL has established and made available to them, on its website accessible at the address www.cnil.fr, sample letters. Before processing the Users' request(s), KRESUS TECHNOLOGIES will be entitled to verify their identity, by asking them for any useful supporting documents. The DPO will respond to the requests of each User as soon as possible and in any event one (1) month from the justification, by the User in request, of his identity. In the event of complexity of the requests and/or their number, this period may be extended by two (2) additional months, KRESUS TECHNOLOGIES undertaking in any case to inform the User concerned of the extension and the reasons for the postponement.

‍

7. Modification of the Charter

KRESUS TECHNOLOGIES reserves the right to make, at any time, modifications to the Charter, in order to comply with legislative and regulatory developments and/or to improve its policy of processing and protection of personal data. In the event of modification, a new version will be updated and put online with the Last update date. Any new version of the Charter must be subject to prior acceptance by Users.

‍

‍