BEFORE CLICKING ON THE ICON "I HAVE READ AND AGREE WITH THE PRIVACY STATEMENT", YOU MUST READ IT CAREFULLY AND IN ITS ENTIRETY. OUR PRIVACY STATEMENT IS AN APPENDIX TO THE TERMS OF SERVICE (‘TOS’) AND THEREFORE HAS A CONTRACTUAL VALUE. IF THERE IS A CONTRADICTION BETWEEN THE TOS AND THIS POLICY, THE TOS WILL PREVAIL, WHICH THE USER ACKNOWLEDGES AND ACCEPTS.

WE RESERVE THE RIGHT TO MODIFY THIS STATEMENT, TO DELETE AND/OR MODIFY CERTAIN CLAUSES OR ADD NEW ONES. THESE MODIFICATIONS CAN BE MADE AT OUR DISCRETION (I) EITHER BY MEANS OF NOTIFICATION IN THE APPLICATION AND/OR THE USER SPACE, PROVIDED THAT THE USER IS INFORMED BEFOREHAND WITHIN A REASONABLE TIME LIMIT; (II) OR AFTER THE USER'S EXPRESS ACCEPTANCE OF THE MODIFIED VERSION OF THE STATEMENT USING A CHECKBOX OR A BUTTON TO BE VALIDATED IN THE APPLICATION OR USER SPACE.

OUR PRIVACY STATEMENT IS PART OF OUR APPROACH TO TRANSPARENCY IN RELATION TO THE USER CONCERNING THE WAY IT MANAGES THE LATTER'S PERSONAL DATA.
* * *
IF THE USER HAS ANY QUESTIONS CONCERNING THIS PRIVACY STATEMENT, THEY CAN SEND THEIR QUESTION BY E-MAIL TO INFO@BLUECURSEUR.COM

CONTENTS

1. General

Article 1. Definitions

Article 2. What is the purpose of the Privacy Statement?

II. Personal data processed by us

Article 3. What is personal data?

Article 4. Personal data is collected for the creation of the User Account and the use of the Services; how is it processed?

Article 5. Personal data is collected to enable the User to manage their bookings; how is it processed?

Article 6. Data (especially geolocation data) is collected for advertising and market research purposes; how is it processed?

Article 7. What technical and organizational measures are in place to protect personal data?

Article 8. How long is your data stored?

Article 9. What rights do Users have regarding the personal data collected and processed by us, in its capacity as data controller?

1. General

Article 1. Definitions

For the sake of consistency, the definitions set forth in the article entitled "Definitions" of the TOS apply to this Privacy Statement.

Article 2. What is the purpose of the Privacy Statement?

The purpose of this Privacy Statement is to provide the User with information on how we manages its personal data. The purpose of this Privacy Statement is to provide the User with clear information on how we, as the data controller and developer, handles personal data.

The following articles describe the type of data collected and processed by us; the categories of data recipients according to their use; the technical and organisational measures set up to protect the data; Users' rights. Please note that our teams have designed the Application to be GDPR compliant By Design.

II. Personal data processed

Article 3. What is personal data?

According to the most common definition, personal data is any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them.

Article 4. Personal data is collected for the creation of the User Account and the use of the Services; how is it processed?

"Account Data" means the following data: title, surname, first name, postcode, e-mail, password. Account Data is collected to enable the User to create a User Account, access and use the Services, the Website, and the Application. The User can then manage the bookings they benefit from, thanks to the Application's Features. The User's actions performed through the Application (e.g. creating a User Account, adding a booking) are saved in order to allow data restoration, for example in the event of the loss, theft or change of the User's Mobile Device.

In addition to Account Data, we use information collected automatically from the device.

This data may also be used in an aggregated and anonymous manner for market research conducted by us.

The recipients of this data are: (i) our relevant departments and our employees (in particular: IT, sales/marketing departments) and (ii) the service providers who assist us in operating and/or exploiting the Website and the Application, and in particular the departments and employees of AWS, the company that hosts the Website and the Application.

The User may access their Account Data and modify it at any time, in the section corresponding to their profile in the Application or their User Space. The User may delete all of their Account Data in the Website's Profile section.

Article 5. What technical and organisational measures are in place to protect personal data?

As the data controller, we work towards and is committed to making the security of collected data a priority. In particular, it applies the following methods to guarantee the protection of its databases.
Technical measures:

• Software security (Information System (IS) protected against external physical and digital intrusions and internal malicious acts);
• Use and regular updating of antivirus software and installation of a firewall;
• Logging connection events: all connections are recorded in log files that are logged and stored;
• Protection against SQL injections. In addition, the data sent by Users is secured and verified before insertion, and cannot be injected directly into the content of our SQL queries;
• All transactions involving our databases are encrypted with the latest SSL encryption methods.

Organizational measures:

• Employee confidentiality agreement;
• Our employees are made aware of the security measures (obligation for each employee to turn off their computer or to set up a password-protected screen saver in case of absence even for a few seconds, setting up individual passwords specific to each employee in order to protect access to computer equipment, etc.);
• Protection of access to our premises;
• Physical security (data center protected against intrusion and break-ins);
• Access to the server is restricted to authorized persons only;
• Only our IT & data development teams can have access to the IS;
• Only our sales, marketing and IT teams have individual access to the Application's back office, with a personal login and password.

Article 6. How long do we keep data?

Personal data collected by ErSusaGo is kept for the duration of the legal contractual relationship.

We do not store geolocation data.

Article 7. What rights do Users have regarding the personal data collected and processed by us, in its capacity as data controller?

If we are the data controller, the User has the following rights with regard to the data collected and processed by us:

• Right of access to their personal data collected through the Application,
• Right to modify it,
• Right to delete it,
• Right to object to its use on legitimate grounds,
• Right to oppose its processing by withdrawing their consent, accessible in the "Data Settings" and "My Authorizations" sections of the User's "Profile",
• Right to benefit from the portability of their data, requested by e-mail,
• Right to lodge a complaint with the supervisory authorities.

The articles above present certain means available to the User through the Application and their Mobile Device, to access, modify, and delete certain data or oppose its collection.

The User may exercise their rights at any time by sending an e-mail with a copy of their ID to the Data Protection Officer (DPO): info@bluecurseur.com