PRIVACY POLICY

SUPAFRIENDS

THE PURPOSE OF THIS PRIVACY POLICY IS TO PROVIDE THE USER WITH COMPLETE INFORMATION ON THE COLLECTION AND PROCESSING OF THEIR PERSONAL DATA BY THE COMPANY (AS DEFINED IN THE GENERAL TERMS AND CONDITIONS OF SALE) IN THE CONTEXT OF PROVIDING THE COMPANY'S SERVICES FROM THE INTERNET PLATFORM ACCESSIBLE AT HTTPS://WWW.SUPAFRIENDS.COM/ (HEREINAFTER THE "PLATFORM") TO THE USER.

THE DEFINITIONS PROVIDED IN THE GENERAL TERMS OF SERVICE AND USE ARE APPLICABLE TO THIS PERSONAL DATA CHARTER.

As part of its activities, the Company offers an entertainment service based on the use of artificial intelligence models from its Platform.

To ensure the realization of this service, the Company is required to collect and process personal data relating to Users (hereinafter "Personal Data").

Concerned about protecting the User's privacy and processing their personal data, the Company undertakes, as the Data Controller, to comply with the provisions of Regulation (EU) No. 2016/679 of April 27, 2016, ensuring the highest level of protection of its Users' personal data.

This Privacy Policy thus allows the User to benefit from complete transparency regarding the processing of their personal data by the Company.

  1. WHO COLLECTS USERS' PERSONAL DATA?

The Data Controller who collects personal data and implements data processing is the Company, as identified in the GTCU.

  2. WHAT PERSONAL DATA IS COLLECTED BY THE COMPANY?

The Company ensures that it only collects personal data that is strictly necessary in view of the purpose for which it is processed.

The different categories of personal data that the Company typically processes as part of its service and in accordance with its regulatory obligations are grouped under the following categories:

  • Personal identification data: such as first name, last name and date of birth, as well as data transmitted by third-party services when the User uses their Google, Discord, Facebook or other identifiers to subscribe and connect to the Services, and in accordance with the privacy policy of each third-party service. The list of Personal Data collected on this occasion is in any case mentioned to the User prior to their connection via third-party services;

  • User Data: during the User's use of the Services, the Company collects and processes any personal data included in the User Data.

And in general, any personal data spontaneously communicated by the User during their interactions with the Company.

These personal data are collected directly from the User.

The Company also collects and processes other data indirectly, such as IP (Internet Protocol) address, connection and navigation data, email addresses and phone numbers used to contact customer service, and the User's order history.

Finally, the Company may process data obtained from third-party organizations to meet its regulatory obligations.

The Company only collects and processes data that is essential for the provision of Services or compliance with its legal obligations.

Users are informed that payments made on the Platform are managed by a payment service provider (as mentioned at the time of payment) approved as an electronic money institution by the French Commission de Surveillance du Secteur Financier (CSSF). The payment service provider processes personal data for which it is responsible, as described in its privacy policy accessible from its website.

Consequently, the Company informs its Users that it does not process data relating to the means of payment used for payments made on the Platform.

  3. WHAT ARE THE PURPOSES OF COLLECTING USERS' PERSONAL DATA?

The Company is only authorized to use its Users' personal data if it has a valid legal basis and must ensure that it has one or more of the following legal bases:

  • The execution of the contract

  • The execution of a legal obligation

  • The legitimate interest of the Data Controller

  • When the User has given their consent.

The Company collects and records personal data of Clients for the following purposes and according to the following legal bases:

  1. Purpose: Execution of the contract

    Legal basis: Management of the commercial relationship with the User.

    Retention period: Duration of the commercial relationship then archiving for 5 years

  2. Purpose: Execution of the contract and Consent

    Legal basis: Provision of the Platform, products and services offered on the Platform

    Retention period: 3 years from the last activity on the Platform

  3. Purpose: Execution of the contract

    Legal basis: Management of communications and follow-up of exchanges with Users

    Retention period: 3 years from each communication

  4. Purpose: Execution of the contract

    Legal basis: Creation of a User Account

    Retention period: 3 years from the last connection to the User Account

  5. Purpose: Execution of the contract

    Legal basis: Customer service

    Retention period: 3 years from each solicitation, question and complaint

  6. Purpose: Legitimate interest of the Company

    Legal basis: Fraud prevention

    Retention period: 5 years from the closure of the fraud file

  7. Purpose: Legitimate interest of the Company

    Legal basis: Constitution of a file of customers and prospects

    Retention period: 3 years from the User's last contact with the Company

  8. Purpose: Legitimate interest of the Company

    Legal basis: Commercial prospecting, realization of commercial animations and advertising campaigns for identical and similar products and services.

    Retention period: 3 years from the User's last contact with the Company

  9. Purpose: Consent

    Legal basis: Sending newsletters, solicitations and promotional messages

    Retention period: Until consent is withdrawn or 3 years from the User's last contact with the Company

The Company undertakes not to process User Data, and the Personal Data they may contain, to train, improve or develop artificial intelligence models (LLM) via the SUPAFRIENDS Platform, without the explicit consent of the User.

The Company does not sell Personal Data and does not share Personal Data for cross-context behavioral advertising purposes, nor does it process sensitive Personal Data for the purpose of inferring characteristics about a User.

The Company may aggregate or anonymize Personal Data so that it can no longer identify the User, and use this data to analyze the effectiveness of the Services, improve functionalities, conduct research or other similar objectives. In addition, the Company may analyze the general behavior of Users and share aggregated data, such as general statistics, with third parties, or publish them.

  4. ARE CLIENTS' DATA TRANSFERRED TO THIRD PARTIES BY THE DATA CONTROLLER?

The personal data collected are only processed by the Company, except in the following cases:

  1. Partners and Service Providers

To meet its operational needs and provide certain Services, the Company may share the User's Personal Data with various service providers, such as hosts, customer service providers, cloud solutions, emailing tools, web analysis services, as well as other technology providers.

The Company guarantees the User that these partners will collect, process, access or store Personal Data only to fulfill their obligations to the Company, in accordance with its directives.

  1. Communication to Rights Holders and commercial partners

The Company may communicate personal data to Rights Holders, commercial partners and subcontractors of the Company (hosts, mailing sending tools, site security tools, form managers, audience measurement tools, document sharing tools, navigation tracking tools on our sites, customer service and assistance tools, advertising targeting tools on social networks and the Internet), in strict compliance with the purposes defined above. The Company's subcontractors are bound by an obligation of confidentiality and security, as well as other obligations listed by the applicable regulations.

  1. Communication to the payment service provider:

The Company may communicate personal data to the Payment Service Provider in charge of managing financial transactions carried out through the Platform. The User's Personal Data are then collected and processed by the payment service provider in its capacity as data controller according to the terms and conditions that govern its general terms of use as well as its privacy policy.

  1. Communication to authorities:

The Company may, in compliance with applicable regulations, provide personal data in France or abroad (i) if required by law or if the Company believes in good faith that such action is necessary to comply with a legal obligation, (ii) to protect and defend its rights or property, (iii) in case of detected violation, at its sole discretion, of the GTCU or applicable legislation, (iv) to prevent or detect fraud or any illegal activity, (v) to ensure the security of its Services, employees, Users or the public, or (vi) for the purpose of establishing, safeguarding or defending a legal right, in the context of administrative or criminal investigations or in the context of legal disputes of any nature.

This data may also be transmitted to third parties in the context of:

  • The fight against fraud and the recovery of unpaid debts;

  • The performance of maintenance and technical development operations of the Platform, internal applications and the Company's information system;

  • The collection of customer reviews;

  • The dispatch of the newsletter.

The Company may also share personal data, with the prior and express authorization of the User, in case of sale, transfer or merger of the Company or part of it, or if the Company acquires or merges with another company.

If such a transaction takes place, the Company will ensure that the other party complies with data protection legislation.

  5. WHAT ARE THE RIGHTS OF USERS REGARDING THEIR PERSONAL DATA?

In application of articles 14 to 22 of Regulation 2016/679 of April 27, 2016, and subject to applicable exceptions, any natural person using the service has the right to exercise the following rights:

  • A right to information (which refers to the provision of clear and easily accessible information to the User);

  • A right of access;

  • A right of rectification;

  • A right to object to and erase the processing of their data;

  • A right to object to profiling;

  • A right to limit processing (which means that the Company cannot, beyond a certain time, continue to process and use the User's personal data);

  • A right to data portability (which refers to the User's right to receive the personal data they have provided to the Company, in a structured, commonly used and machine-readable format, and to transmit this data to another data controller, without hindrance from the Company);

  • A right of deletion.

Finally, when the Company detects a personal data breach likely to result in a high risk to the rights and freedoms of the User, the User will be informed of this breach as soon as possible.

These rights can be exercised with the Company that collected the personal data by email at the following address: [email protected].

In accordance with current regulations, any request must be signed and accompanied by a photocopy of an identity document bearing the signature of the applicant and specifying the address to which the reply should be sent.

A response will then be sent to the User within two (2) months following receipt of the request.

  6. WHAT HAPPENS TO THE USER'S DATA AFTER THEIR DEATH?

The User can send instructions to the Company regarding the retention, deletion and communication of their personal data after their death in accordance with article 40-1 of law 78-17 of January 6, 1978. The User can formulate their advance directives at the following address: [email protected] or on the customer support chat.

  7. IS USER DATA SENT OUTSIDE THE EUROPEAN UNION?

For the purposes defined above, the Company strives to minimize the transmission of the User's Personal Data to companies located in countries outside the European Union.

However, given the high technicality of the Services offered by the Company, the Company is obliged to use certain service providers, subcontractors of the Company, established outside the European Union, to whom the Personal Data of Users are likely to be transmitted for the proper provision of the Services.

In this context, in the event of transfer of personal data concerning the User to service companies located outside the European Union, the Company guarantees the User that it only uses companies that have undertaken to ensure a sufficient and appropriate level of data protection [in particular through standard contractual clauses (SCC) or binding corporate rules (BCR)].

  8. WHAT SECURITY MEASURES DOES THE COMPANY TAKE TO PROTECT CLIENTS' PERSONAL DATA?
    1. Internal measures of the Company

As a data controller, the Company takes all useful precautions to preserve the security and confidentiality of data and, in particular, to prevent it from being distorted or damaged, or accessed by unauthorized third parties, by securing the computer system against external access to Clients' personal data.

In addition, when it uses subcontractors, the Company ensures that they comply with the rules related to data protection.

  1. Relations with subcontractors

When it uses subcontractors likely to process the User's personal data, the Company ensures that they provide sufficient guarantees regarding compliance with the rules related to data protection, and at least the same guarantees as those of the Company, by concluding a contract to this effect with said subcontractors.

  9. DOES THE COMPANY USE COOKIES, TAGS AND TRACKERS?

When the User uses the Company's Services, the Company automatically receives and records certain types of information, such as the settings of the Internet browser used, the content of the cart, or identifiers that allow the User to connect.

Cookies and trackers strictly necessary for the provision of a service expressly requested by the User do not require their prior consent. Thus, for example, the following trackers do not require Users' consent:

  • "session identifier" cookies, for the duration of a session, or persistent cookies limited to a few hours in some cases;

  • authentication and consent cookies;

  • persistent cookies for customizing the user interface (language or presentation choice).

Any other cookie requires prior information and the express and prior consent of the User, for example:

  • cookies related to advertising operations;

  • social network cookies generated by social network sharing buttons when they collect personal data without the consent of the persons concerned;

  • certain audience measurement cookies.

Upon the User's entry to the Platform, an information message appears to warn them of the use of cookies.

Consent is collected by the appearance of a banner visible on the Platform allowing the User to choose the cookies that will be deposited on their terminal, with the exception of cookies necessary for the provision of Services.

"Cookies" and other unique identifiers are thus used to obtain this information when the User's browser or device accesses the Platform.

  1. What is a Cookie?

The term cookie encompasses several technologies that allow tracking of the internet user's navigation and actions. These technologies are numerous and constantly evolving. They notably include cookies, tags, pixels and JavaScript code.

A cookie is a small text file recorded by your computer, tablet or smartphone browser that stores user data to facilitate navigation and enable certain functionalities.

  1. For what reasons are cookies, tags and trackers used?

Cookies are used by the Company to memorize the User's preferences, to optimize and improve the User's use of the Platform by providing content that is more precisely adapted to their needs.

  1. The Cookies that the Company issues on the Platform allow:
  • To identify the User during their connection to the Platform;

  • To determine the parameters of the User's Internet browser, such as the type of browser used and the plug-ins installed there;

  • To establish statistics and volumes of attendance and use of the various elements composing our services (using audience measurement cookies);

  • To adapt the presentation of the Platform according to the terminal used;

  • To adapt the presentation of the Platform according to the affinities of each User;

  • To optimize the services offered on the Platform;

  • To communicate with the User in a targeted manner.

Only the issuer of a cookie is likely to read or modify information contained therein.

Some cookies are installed until the User's browser is closed, others are kept for longer.

  1. Browser software settings

The User can configure the browser software so that cookies are stored in their terminal or, on the contrary, that they are rejected, either systematically or according to their issuer.

The User can also configure their browser software so that the acceptance or rejection of cookies is offered on a case-by-case basis, before a cookie is likely to be recorded in their terminal.

  1. How to exercise this choice, depending on the browser used?

For cookie management, the configuration of each browser is different.

The "help" section of the toolbar of most browsers indicates how to refuse new "cookies" or get a message that signals their reception, or how to disable all "cookies".

The cookies that the Company issues are used for the purposes described above, subject to the User's choices, which result from the settings of their browser software used during their visit to the Platform and their agreement by clicking on the "ok" button of the banner concerning cookies.

Several possibilities are offered to the User to manage cookies. Any cookie setting chosen by the User is likely to affect their Internet navigation and their conditions of access to certain services requiring the use of cookies.

The User can choose at any time to express and modify their wishes regarding cookies, directly from the settings of their Internet browser.

As each procedure is different, the User is invited to refer to the documentation for their browser, accessible from its publisher's website.

  10. THE COMPANY'S DATA PROTECTION OFFICER

The Company has appointed a data protection officer who can be contacted by email at the following address: [email protected] or on the customer support chat.

  11. UPDATE OF THE PERSONAL DATA POLICY

The Company may update this policy occasionally.

In case of significant changes, the Company will notify the User by email or any other means.