Confidentiality Policy

This privacy policy (hereinafter referred to as the “Privacy Policy”) defines the legal framework for collection, use and processing by D.H. COMPANY (hereinafter referred to as the” Society ”) personal data, i.e. any information that is directly or indirectly identifying, (hereinafter” Personal data ”) concerning the following persons concerned (hereinafter referred to as” Person (s) Concerned ”):
- The Company's contact persons at customers benefiting from the services offered by the SaaS software solution “FULLWHERE” (hereinafter referred to as “” Solution ”) proposed by the Company (hereinafter referred to as the” Customers ”);
- The Customer's staff who use the Solution in the context of their professional activity (hereinafter referred to as “” Users ”);
- People visiting the website, https://www.fullwhere.com/ (hereinafter referred to as the” Site ”), (hereinafter referred to as” Visitors ”).

Under the Privacy Policy, D.H. COMPANY simplified joint stock company, whose head office is located at 111 boulevard de la Millière 13011 Marseille, registered with the Marseille Trade and Companies Register under number 889.362.398, is the person responsible for processing Personal Data concerning Customers, Users, Visitors, and its own employees.

Through the Solution, the Company's Customers have access to the following Services (hereinafter referred to as “” Services ”):
- Centralization of the interactions of their own customers (hereinafter referred to as “” End Customers ”);
- Tools for communicating with End Customers and for responding to interactions with End Customers;
- Implementation of satisfaction surveys;
- Collaboration and support of the Customer's internal teams in the context of managing the interactions of End Customers.

The Company acts as a subcontractor for the processing of Personal Data concerning End Customers, under documented instructions from the Customer detailed in the framework of a subcontracting contract in accordance with the RGPD.

As data controller, the Company maintains total control over the Personal Data and determines the purpose, nature, purposes, means and duration of the processing of the Personal Data collected.

The Company undertakes to comply with the applicable regulations on Personal Data and in particular the obligations arising from European Regulation no. 2016/679 on the protection of personal data (hereinafter referred to as the “” RGPD ”).

The Company collects Personal Data only in accordance with the terms of this Privacy Policy and any legal and reasonable instructions given by the Data Subject at any time.

ARTICLE 1: DATA COLLECTION
1.1 Throughout the duration of the use of the Solution and/or the Site, the Company is likely to collect Personal Data relating to the Persons Concerned.

When creating an account on the Solution, the User accepts the processing of his Personal Data within the limit of processing strictly necessary for the proper functioning of the Solution.

1.2 Personal Data relating to Data Subjects are communicated directly by the Data Subjects (in particular when they provide their information via the Site or enter into a commercial relationship with the Company).

Personal Data may also be created by the Company as part of the provision of Services.

The following Personal Data is collected:

ARTICLE 2: USE OF PERSONAL DATA COLLECTED (PURPOSES OF PROCESSING)
The Company uses, stores and processes Personal Data, for the following purposes and on the following legal bases (or legal basis for processing):

Finally, the Company grants itself the right to review, browse or analyze Personal Data, including communications exchanged between the Company and the Persons Concerned through the Solution, the Site or not, to comply with its legal obligations and in particular for the purposes of fraud prevention, risk assessment, compliance with regulations and investigation.

ARTICLE 3: PRESERVATION OF PERSONAL DATA
Personal Data is kept only for the time necessary to achieve the purpose for which the Company holds this Personal Data, in order to meet the needs of the Persons Concerned or to fulfill its legal obligations.

To establish the retention period of Personal Data, the Company applies the following criteria:

At the expiration of the periods or the end of the use of the Services by the Data Subject, the Personal Data will be destroyed or the Company will proceed with their anonymization.

However, the Company may keep certain Personal Data collected on separate storage spaces in order to justify, where appropriate, the perfect execution of its contractual or legal obligations. The Personal Data thus retained will be limited to what is strictly necessary.

ARTICLE 4: SHARING AND DISCLOSURE OF PERSONAL DATA
4.1 The Company may disclose Personal Data to administrative and judicial authorities, or to authorized third parties, or to authorized third parties, if required or permitted by law, or if such disclosure is reasonably considered necessary: (i) to comply with the legal obligations of the Company, (ii) in order to comply with the legal process and to follow up on claims presented against the Company, (iii) to respond to verified requests in the context of a judicial investigation or an alleged illegal activity or suspected or any other activity that may expose the Company to legal liability.

4.2 Subject to the authorization of the Data Subject, the Company has the right to subcontract all or part of the execution of the Services in compliance with the legal provisions in force.

Any subcontractor will be authorized to process, on behalf of the Company, for the sole purpose of the proper performance of the Services, within the limits of the contractual conditions signed between the Company and the subcontractor, and not being able to derogate from the conditions of this Privacy Policy.

The Company declares:▪ Have submitted in writing any instructions concerning the processing of Personal Data by the subcontractor;
▪ Ensure, in advance and throughout the duration of the treatment, compliance with the obligations provided for by the European regulation on the protection of Personal Data on the part of the subcontractor;
▪ Supervise the treatment, including carrying out audits and inspections with the subcontractor.

The Company undertakes that the subcontractor:
▪ Processes Personal Data only for the sole purpose (s) that is/are the subject of the subcontracting;
▪ Processes Personal Data in accordance with the instructions of the Company;
▪ Guarantees the confidentiality of the Personal Data processed;
▪ Has undergone the necessary training in the protection of Personal Data of a personal nature;
▪ Take into account, with regard to its tools, products, applications or services, the principles of Personal Data protection by design and the protection of Personal Data by default;
▪ Inform the Company immediately if it considers that an instruction constitutes a violation of the European regulation on the protection of Personal Data or any other provision of Union law or the law of the Member States relating to the protection of Personal Data.

Personal Data may also be transmitted to commercial partners who allow the Company to properly perform the Services, their management, processing and payment under the contractual conditions signed between the partner and the Company, which cannot derogate from the conditions of this Privacy Policy.

Only with the express agreement of the Data Subject, the Company may be required to reuse Personal Data or transmit them to partner companies for the purposes, in particular, of sending commercial information by email.

The Company declares that it receives from the subcontractor all the documentation necessary to demonstrate compliance with the obligations and to enable audits, including inspections, to be carried out by the Company or another auditor appointed by the subcontractor, and to contribute to these audits.

The Company remains solely responsible to the Persons Concerned for the provision of services entrusted to a Personal Data subcontractor.

4.3 The Company uses the services of the company Airtable acting as a host of Personal Data. Airtable servers are hosted in the United States by AWS servers (US-East-1).

Under Decree No. 2021-1362 of October 20, 2021 on the conservation of data allowing the identification of any person who contributed to the creation of online content, taken pursuant to II of article 6 of Law No. 2004-575 of June 21, 2004, the Data Subject is informed that the host provider is informed that the host provider is obliged to keep:
▪ Information relating to the civil identity of the Data Subject (in particular the name, first name, date and place of birth, postal addresses, email addresses, telephone number) until the expiration of a period of five (5) years from the end of validity of the user's contract;

▪ Other information provided by the Data Subject when subscribing to a contract or creating an account (identifier used, pseudonyms used, data intended to allow the user to verify his password or to modify it, if necessary through a double user identification system, in their latest updated version, until the expiry of a period of one (1) year from the end of validity the contract of the Data Subject or the closure of his account;

▪ Payment information (type, reference, amount, amount, date, time and place of the transaction) until the expiration of a period of one (1) year from the end of validity of the User's contract or the closure of his account;

▪ Technical data making it possible to identify the source of the connection or those relating to the terminal equipment used (connection identifier, types of protocols used to connect to the service and to transfer content) until the expiration of a period of one (1) year from the date of connection or use of the terminal equipment;

▪ Traffic and location data (identifier assigned, nature of the operation, date and time of the operation, identifier used by the author of the operation) for a period of one (1) year in the event of an injunction from the Prime Minister. This has been the case since October 10, 2023, and therefore until October 10, 2024, pursuant to Decree No. 2023-933 of October 10, 2023, issuing an injunction in view of the serious and current threat against national security to retain certain categories of connection data for a period of one year for a period of one year.

4.5 Data TransferIn this context, the Company will not transfer Personal Data to third parties established outside the European Union that do not offer an adequate level of protection with regard to legal requirements for the protection of Personal Data.

ARTICLE 5: SAFETY
The processing of Personal Data is carried out by means of operations of collection, recording, organization, organization, organization, storage, storage, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, interconnection, blocking, blocking, blocking, communication, communication, communication, deletion and destruction of Personal Data.

The Company ensures that Personal Data is secured in an adequate and appropriate manner and has taken the necessary precautions to preserve the security and confidentiality of Personal Data and in particular to prevent them from being distorted, damaged or communicated to unauthorized persons.

Personal Data is protected in a manner that minimizes the risk of destruction, loss (including accidental loss), unauthorized access/use, or use that is incompatible with the original purpose of collection.

The Company will implement all the technical and organizational measures necessary to respect the protection of Personal Data, to combat unauthorized processing.

The Company has put in place measures to protect the security of Personal Data in accordance with its Personal Data security policy, accessible at any time on request from the relevant department of the Company, which can be reached at this address: confidentialite@fullwhere.com

When the Company notes a violation of rights in the context of the processing of Personal Data, this violation will be notified to the CNIL within a period that cannot be longer than seventy-two (72) hours after becoming aware of it.

Any violation relating to the processing of Personal Data will be notified by the Company to the Data Subject concerned in case of a high risk for them as affected persons.

ARTICLE 6: RIGHTS OF THE PERSONS CONCERNED
In all cases, the Persons Concerned benefit, if the limitations provided for by law do not apply, the following rights:
▪ Right of access: (a) obtain confirmation of the existence or not of a processing (understood as any operation on Personal Data) of their Personal Data by the Company, even if they are not yet registered, and may request the Company and make this Personal Data available to them in intelligible form, and (b) obtain an indication and, where appropriate, a copy of the following information: the origin and category of the Personal Data; the logic applied in the case of processing carried out using automated instruments; the purposes and methods of processing; the identification data of the owner and the data controllers; the recipients or categories of recipients to whom the Personal Data may be communicated or who may become aware of it, in particular if they are recipients located in third countries or international organizations; if possible, the duration of storage of Personal Data or the criteria used to determine this duration; the existence of an automated decision-making process and, if this is the case, the logic used, its importance and the intended consequences for the person concerned; the existence of adequate guarantees in the event of transfer of Personal Data to a third country or an international organization.

▪ Right to correction: obtain, without undue delay, the updating and correction of inaccurate Personal Data or, when the User has an interest, the integration of incomplete Personal Data.

▪ Right to change: revoke the consents given at any time, easily, without hindrance, using, if possible, the same channels that were used to give them.

▪ Right to erasure (or right to be forgotten): obtain, without undue delay, the erasure, transformation into anonymous form or the blocking of Personal Data when: (a) this Personal Data has been processed unlawfully; (b) are no longer necessary for the purposes for which they were collected or subsequently processed; (c) the consent on which the treatment is based has been withdrawn by the User and that there is no other legal basis for the treatment; (d) the User objects to the treatment and that there is no overriding legitimate reason on the part of the Company to continue the treatment; (e) Personal Data must be deleted to comply with a legal obligation; (f) Personal Data was collected as part of the offer of an information society service to minors.
The Company may refuse deletion insofar as processing is necessary: (a) to the exercise of the right to freedom of expression and information; (b) compliance with a legal obligation, the performance of a task in the public interest or the exercise of public authority; (c) for reasons of public health interest; (d) for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes; (e) to the establishment, exercise or defense of legal claims.

▪ Right of limitation: obtain the limitation of treatment in case of: (a) to contest the accuracy of the Personal Data (right of correction) and for the time of verification by the Company; (b) unlawful processing by the Company in place of their deletion; (c) the exercise of one of its legal rights by the Company; (d) verification of the predominance of the legitimate reasons of the Company over those of the person concerned (in particular in the context of the exercise of the right of opposition).

▪ Right of portability: to receive, if the processing is carried out by automatic means, without hindrance and in a structured, commonly used and legible format, to receive their Personal Data, in order to transmit them to another Data Controller (which may be a competitor of the Company) or, if technically possible, to obtain a direct transmission by the Company to another Data Controller. The right to portability is limited to Personal Data provided by the User concerned to the Company (information directly transmitted by the User and in particular via contact forms, and information obtained by observing the User's activity (example: purchase history)) and applies on the basis of the prior consent of said User.

▪ Right to object: to oppose, at any time, in whole or in part, for legitimate reasons relating to their particular situation, to the processing of Personal Data concerning them.

▪ Right to file a complaint with the authority in charge of data protection (in France it is the CNIL whose site is accessible here: https://www.cnil.fr/fr). In this case, if necessary, the Company will inform the third parties to whom the Personal Data is communicated of the possible exercise of the rights of the person concerned, except in specific cases (for example, when this realization proves impossible or involves a clearly disproportionate use of the means in relation to the protected right).

▪ Right to formulate instructions concerning the fate of your Personal Data after your death, you can modify or revoke these instructions at any time;

▪ Right to withdraw consent: when the processing is based on the legal basis of consent, the Data Subject has the right to withdraw their consent at any time and at no cost.

The exercise of his rights by the Data Subject is free of charge, except when the Company is in a position to justify the payment by the applicant of reasonable costs having regard to the nature of the request. These rights must be exercised with the Company by electronic means at confidentialite@fullwhere.com or by post at the address 111 bd de la Millière, 13011 Marseille.

These rights must be exercised by indicating their identity or by using a means that allows the Company to identify the Data Subject, as well as the subject of the request.

The Company shall respond to the Data Subject within one (1) month, from the date of receipt of the request. However, in the event that the request is particularly complex, this period may extend up to three (3) months from receipt of the request. In this case, the Data Subject will be informed, within one (1) month, of the extension of the deadline, as well as of the reasons justifying such an extension.

In the event that the request is incomplete or lacks clarity, the Company may ask the Data Subject for additional information. In case of doubt about the identity of the applicant, the Company may require the Data Subject to justify his identity.

If the Data Subject considers, after having contacted the Company, that his rights are not respected, he may file a complaint online (using the following address confidentialite@fullwhere.com) or by post (at the address 111 bd de la Millière, 13011 Marseille, 13011 Marseille), or file a complaint with the Personal Data Protection Authority (in France it is the CNIL whose site is accessible here: https://www.cnil.fr/fr).

ARTICLE 7: CONTACT OF THE DATA PROTECTION OFFICER
The Personal Data Protection Officer can be reached at confidentialite@fullwhere.com.