Privacy and Personal Data Policy

OUR POLICY ON THE PROCESSING OF PERSONAL DATA INTENDED FOR PROFESSIONALS

Version applicable as of 03/12/2018

Contents

1. WHAT IS THE PURPOSE OF THIS POLICY AND WHO IS IT FOR?
2. WHAT IS NUMVISION’S ROLE IN THE PROCESSING OF YOUR USERS’ PERSONAL DATA?
3. WHAT PERSONAL DATA DOES NUMVISION PROCESS VIA OUR SOLUTIONS?
4. HOW DOES NUMVISION PROCESS PERSONAL DATA ON BEHALF OF ITS CLIENTS?
5. WHO CAN ACCESS AND PROCESS YOUR USERS’ PERSONAL DATA?
6. WHAT DATA DOES NUMVISION PROCESS ON YOUR BEHALF?
7. HOW LONG DOES NUMVISION KEEP YOUR USERS’ PERSONAL DATA FOR?
8. WHERE IS YOUR USERS’ PERSONAL DATA PROCESSED?
9. WHAT SECURITY MEASURES DOES NUMVISION TAKE?
10. WHAT STEPS MUST BE TAKEN TO RESPECT THE RIGHTS OF USERS AS DATA SUBJECTS?
11. WHAT HAPPENS IN THE EVENT OF A PERSONAL DATA BREACH?
12. OTHER INFORMATION

1. What is the purpose of this Policy and who is it for?

NUMVISION, an SAS (simplified joint stock company) with a capital of 88,414 euros, with registered office at Chemin de la Farlède, Zone des Playes, 83500 La Seyne-sur-Mer, listed in the Toulon Corporate Registry under number 510 202 393 00052, is a publisher of software solutions (hereinafter called the “Solutions”).

NUMVISION is a Visiativ Group company. The Visiativ Group refers to the company Visiativ SA (Lyon Corporate Registry n° 395 008 246), companies in which Visiativ SA holds a participating interest, which are under its direct or indirect control, or which control it, within the meaning of Articles L 233-1 et seq. of the French Code of Commercial Law.

The Solutions are marketed either directly by NUMVISION, or indirectly through approved third-party resellers. This Policy is intended to inform our existing and future business Clients, wishing to use the Solutions for the purposes of their own professional activity and make them available to their users (natural persons such as employees, customers, etc., hereinafter called the “Users”), about the way in which we (NUMVISION and its approved resellers) process Users’ personal data passing through our Solutions (hereinafter called the “Personal Data”).

We are committed to ensuring full compliance with the EU General Data Protection Regulation n°2016/679 of 27 April 2016, which came into force on 25 May 2018, and French Data Protection Act n°78-17 as amended by Act n° 2018-493 of 20 June 2018 (referred to hereinafter as the “Data Protection Regulations”).

This Policy is published here for information only. It is not exhaustive, and may include other provisions concerning the technical aspects of our Solutions and security measures taken, which may vary depending on the Solution or service concerned.

To find out more and obtain the related documentation, please write to: privacy@visiativ.com. We will reply as quickly as possible.

Should you choose to subscribe to any of our services or Solutions, you will be required to sign a contractual agreement stipulating the obligations of each party, pursuant to Data Protection Regulations.

2. What is NUMVISION’s role in the processing of your users’ personal data?

Within the meaning defined by Data Protection Regulations, professional Clients using our Solutions are considered to be the “Data Controllers” responsible for processing their Users’ Personal Data. As the “Data Processor” acting on your behalf, we undertake to act solely as instructed by you.

As Data Controller, you are bound by certain obligations, particularly as regards transparency for your Users, and are required to obtain their consent should you believe it to be necessary. You must also allow them to exercise their statutory rights, including the right to object, withdraw consent, and restrict processing. Where possible, depending on its Solutions and the means available, NUMVISION will assist you in complying with your obligations, according to the terms and conditions of your agreement with NUMVISION or its approved resellers.

To this end, Clients using the Solutions are permitted to reproduce and make adaptations to this Policy, although this will in no way affect your legal obligations as Data Controller.

Please note that this Policy is not intended to replace any other information that Users are entitled to expect from the Data Controller. It is your responsibility to ensure that Users are provided with the necessary information.

3. What Personal Data does NUMVISION process via our Solutions?

This depends on you and the service contracted. In principle, we have no direct access to Users’ Personal Data (with the exception of basic details needed for User registration, specifically last name and first name, telephone number [not required], email address) passing through our Solutions. In order to meet our respective obligations, we will ask you to collect all Personal Data which may potentially pass through our Solutions. We will make every effort to adapt our security and organizational measures for the Personal Data as necessary, depending on the Solutions available.

In particular, we must be expressly notified of any Personal Data considered to be “sensitive”. We reserve the right to refuse to process such data on your behalf.

If, whether now or in the future, the Solutions include discussion areas such as blogs, communities or help forums, the Client must ensure that his Users are aware that any information they give in these areas may be read, collected and used by any other persons with access.

4. How does NUMVISION process Personal Data on behalf of its Clients?

In the course of supplying the Solutions, and subject to the options subscribed, NUMVISION may carry out the following data processing operations: potential access to Personal Data for the purposes of registration, maintenance of Solutions or on-site installation; hosting of Solutions; display, copying, retrieval, storage, restoration, and deletion of Data; transmission of Personal Data between internal departments, or to NUMVISION Group companies or partners bound by privacy obligations and only where necessary in order to provide the services.

In all cases, NUMVISION will only process Personal Data where strictly necessary in order to carry out the tasks requested by you.

5. Who can access and process your Users’ Personal Data?

5.1. NUMVISION Group approved resellers

NUMVISION may use partner companies to market its Solutions and perform certain services (such as on-site installation at the Client’s premises, or level 1 support). In this case, NUMVISION will ensure that these approved resellers, as “Data Processors” processing your Personal Data, comply with Data Protection regulations and this Policy, insofar as they have access to Personal Data in the course of their services, as defined in your agreement with them.

5.2. Approved third party providers

To provide you with an optimal service, we allow expressly approved third parties to access certain Personal Data directly or indirectly. We have taken care to establish partnerships with several selected providers, whose services and solutions complete, facilitate and improve our own services or are necessary for their provision.

These providers include: server co-location and hosting providers; communications networks operators and content delivery networks; IT and data security service providers; billing and payment service providers; domain name registrars; fraud detection and prevention service providers; web analytics, email distribution, session recording and remote access, and performance metrics service providers; content providers; legal and financial advisors.

5.3. VISIATIV Group entities

Other Visiativ Group companies may have access to Personal Data, solely for the requirements of the services.

5.4. Administrative and judicial authorities

To comply with statutory obligations, NUMVISION may be forced to disclose certain Personal Data to administrative or judicial authorities, notwithstanding professional secrecy restrictions.

In this case, we will take all necessary precautions when sending Personal Data, and notably ensure that there are due legal grounds for their disclosure.

6. What data does NUMVISION process on your behalf?

NUMVISION (and its approved resellers) process only Personal Data strictly necessary in order to provide the services ordered, in accordance with your instructions and our contractual agreements. All other use is prohibited without your express prior consent.

In all cases, NUMVISION will expressly refrain from renting or reselling your Users’ Personal Data.

7. How long does NUMVISION keep your Users’ Personal Data for?

NUMVISION undertakes to use your Users’ Personal Data only for the duration of our contractual relationship and, if required by the services ordered, for a longer period to be agreed between us.

After this retention period, and except where statutory obligations require otherwise, NUMVISION will destroy or return your Users’ Personal Data, based on the services ordered, in accordance with our agreements.

8. Where is your Users’ Personal Data processed?

Personal Data is processed on secure servers located in France or the European Union, depending on the chosen reseller.

NUMVISION provides full technical details of the hosting arrangements for its Solutions upon request.

If recipients of Personal Data identified in point 5 above are located outside the European Union, NUMVISION will ensure that data processing carried out by them is monitored by means of at least one of the compliance tools mentioned above (except if the recipients are administrative or judicial authorities, or any other public or private body authorized to receive Personal Data, and with which NUMVISION does not have a contractual relationship).

9. What security measures does NUMVISION take?

9.1. General points

NUMVISION has introduced measures to guarantee that your Users’ Personal Data is processed securely. These measures include: physical security of premises; organizational security; authorization process for access to computer systems processing Data; logical security: password policy, protection of sensitive computer environments by up-to-date antivirus software for Windows operating environments; deployment of checks and internal self-assessment procedures to maintain security levels.

Please contact us if you require more details about available security measures.

Naturally, in order for these measures and precautions to be effective in guaranteeing security, the Personal Data you provide must be completely free of any viruses, worms, Trojan horses and other malware which could damage our information systems and infringe the rights of Users.

9.2. The Cloud

NUMVISION is a software publisher and markets its software either through partner resellers, or directly to clients. Its hosting partners are Orange and Aquaray, whose data centers are located in France. NUMVISION reserves the right to change Partner at any time without notice.

Clients who have purchased SaaS Solutions may write to NUMVISION requesting documentation on hosting.

10. What steps must be taken to respect the rights of Users as Data Subjects?

As the Data Controller in direct contact with your Users, you are responsible for: clearly informing Users about the way data is processed via the Solutions, the broad lines of which are described in this Policy, subject to specific features dependent on the service ordered and the Solution concerned; obtaining consent from Users if necessary; answering requests from Users about their rights and ensuring they are able to exercise their rights.

In general, the standard versions of our Solutions do not include a policy on personal data processing intended for Users, nor do they include arrangements for managing consent or handling Users’ requests to exercise their rights, under your own responsibility.

We will consider any specific request on these issues, in order to assist you in complying with your own obligations where possible.

11. What happens in the event of a Personal Data breach?

NUMVISION undertakes to inform you promptly of any Personal Data breach that comes to our attention, and vice versa.

NUMVISION will provide you with all of the information in our possession, to enable you to comply with your obligation to inform and remedy the situation with the competent supervisory authority and the persons concerned.

12. Other information

Where our services include links to other websites or services, NUMVISION accepts no liability for the privacy and data protection policies of such websites or services.

This Policy does not apply to third party websites and related services. Consequently, you are invited to read the applicable third party privacy statements.

Finally, NUMVISION reserves the right to amend this Policy if it deems necessary. You are invited to refer to it occasionally to identify any changes of which you have not already been informed by NUMVISION.