PRIVACY
1.PREAMBLE
Alimpex, a simplified joint-stock company with a share capital of 31,200.00 euros, having its registered office at 3 rue du traducteur – 68126 BENNWIHR GARE, registered with the Trade and Companies Register of Colmar under number 333211480, whose intra-community VAT number is FR79333211480, in its capacity as data controller, attaches great importance to the protection and respect of privacy. It undertakes to its customers and users of the nomad Solution (hereinafter the “nomad Solution”), the nomad Mobile Application (hereinafter the “nomad Mobile Application”), and the SaaS services (hereinafter the “SaaS Services”), to respect the principles of personal data protection in accordance with the General Data Protection Regulation (“GDPR”) and French law no. 78-17 of 6 January 1978 relating to information technology, files and freedoms as amended.
This privacy policy (hereinafter “Privacy Policy”) applies to the processing of personal data carried out by Alimpex in the course of its business and aims to inform its customers and users of the Solution, the Nomad Mobile Application, or the SaaS Services about the practices regarding the collection, use, and sharing of information that customers and users provide when using the services and applications offered by Alimpex.
By downloading and using the Mobile Application, creating a user account on the Web Application, and subscribing to services offered by Alimpex, customers and users acknowledge and, where applicable, accept the processing of their personal data by Alimpex in accordance with applicable law and the provisions of this Privacy Policy.
2.LEGAL FRAMEWORK
The Data Controller declares that it processes Personal Data in accordance with the GDPR and French law no. 78-17 of 6 January 1978 relating to information technology, files and freedoms as amended.
3.DATA CONTROLLER
The Data Controller is Mr. Jérôme Sciacchitano, Manager.
Address: 3 rue du traducteur – 68126 Bennwihr Gare
Email: [email protected]
Telephone: +33 6 32 31 04 36
4.PERSONAL DATA COLLECTED, PURPOSES AND BASIS OF COLLECTION
This Privacy Policy applies to Personal Data that the Data Controller may collect from Data Subjects, particularly from the following resources:
- User Account creation form
- Profile personalization settings
- Mobile Application, etc.
As part of our business activities and your access to our services, we may collect and process the following Personal Data:
Purpose of processing: Customer relationship management (processing, management and monitoring of the contractual relationship, creation of user accounts, invoicing, accounting, debt collection)
Personal data collected:
- Civil status (surname, first name)
- Professional contact details (telephone number, postal address, email address)
Legal basis(es):
- Performance of pre-contractual and contractual obligations
- Compliance with legal and regulatory obligations
Purpose of processing: Management of sample identification (mobile device identity, location, voice recordings)
Personal data collected:
- Civil status (user's surname, first name*)
- Personal contact information* (telephone number, IP address, personal email address)
- Professional contact information*: company name and address, GPS location of the sample, professional address, professional telephone number, IP address, professional email address
- Nature of production
- Company equipment
- Images: images of the production environment (potentially including images of the person present)
- Voice: voice recordings, free-form user comments
Legal basis(es):
- Performance of pre-contractual and contractual obligations
- Compliance with legal or regulatory obligations
Purpose of processing: Customer information (sending newsletters and promotional offers)
Personal data collected:
- Email address
Legal basis(es):
- Legitimate interest pursued by the Data Controller (developing its business)
- Consent (beyond three (3) post-contractual years)
Purpose of processing: Information for prospective non-customers (sending newsletters and promotional offers)
Personal data collected:
- Email address
Legal basis(es):
- Consent of the Data Subject
Purpose of processing: GDPR Request Management
Personal data collected:
- Last Name
- First Name
- Telephone Number
- Email Address
- Copy of National Identity Card
Legal basis(es):
- Compliance with legal or regulatory obligations
*: If the Customer has chosen to associate the mobile number with their telephone number, the User's name, the User's professional or personal email address.
To enable the Data Controller to fulfill its obligation to ensure the accuracy and updating of Personal Data, Data Subjects undertake to inform the Data Controller of any changes to their Personal Data.
If the Data Controller wishes to process Personal Data for a purpose other than that mentioned above, and for which the Data Subject has been informed and/or given consent, the Data Controller undertakes to provide the Data Subject with all relevant information regarding this new purpose and any other relevant information beforehand.
5.RETENTION PERIOD FOR PERSONAL DATA
PURPOSES
Customer Relationship Management: The duration of the contractual relationship plus six (6) years from the end of the contractual relationship.
Direct Debit Identification Management: The duration of the contractual relationship plus six (6) years from the end of the contractual relationship.
Regarding IP addresses, 90 days unless they are located at the Customer's address.
Prospect Information: Three (3) years after the end of the contractual relationship.
Beyond three (3) years after the end of the contractual relationship, the data will be retained, with the Data Subject's consent, for a further three (3) years from the date of the Data Subject's express consent or the date of withdrawal of consent.
Prospect Information: Three (3) years from the date of consent given by the Data Subject or the date of withdrawal of consent.
GDPR request management: Personal data will be kept for as long as necessary for the Data Controller to fulfill its legal and regulatory obligations, without prejudice to retention obligations or limitation periods.
6.STORAGE OF PERSONAL DATA
All personal data collected and processed is stored on servers located within the European Union, in compliance with applicable regulations.
7.RECIPIENTS OF PERSONAL DATA
The Data is never made available or transferred to third parties pursuing their own commercial purposes.
The Data Controller ensures that access to Personal Data is strictly limited to the Data Controller's employees and agents authorized to process it by virtue of their duties and in accordance with the purposes of the processing.
The information collected may be communicated, strictly to the extent necessary, to third parties contractually bound to the Data Controller (partners, service providers, or subcontractors) for the performance of outsourced tasks, without requiring the Data Subject's consent.
This Privacy Policy forms the basis of the requirements that the Data Controller will require to be met in terms of data protection and security.
The Data Controller will require its carefully selected data processors, all located within the European Union, to process data exclusively for the tasks entrusted to them and in accordance with applicable law.
Potential recipients:
- Platform hosting provider
- Platform and web application development provider;
- Marketing provider.
Any recipients of the data are located entirely in France or, failing that, within a member state of the European Union.
It is specified that, in the course of performing their services, third parties have only limited access to the data and are obligated to use it in accordance with the provisions of applicable legislation regarding the protection of personal data.
Except as stated above, the Data Controller undertakes not to sell, rent, transfer, or grant access to the data to third parties without the prior consent of the Clients, unless legally required to do so for a legitimate reason (legal obligation, combating fraud or abuse, exercising the right to defend oneself, etc.).
8.TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The Data Controller does not intend to transfer personal data to a third country or international organization.
9.RIGHTS OF INDIVIDUALS
The data subject has the following rights:
- Right of access (Article 15 of the GDPR): In all cases.
- Right to rectification (Article 16 of the GDPR): In all cases.
- Right to erasure (Article 17 of the GDPR): Only for processing not justified by compliance with a legal obligation, the performance of a task carried out in the public interest, for archiving purposes, or necessary for the establishment, exercise or defence of legal claims.
- Right to restriction of processing (Article 18 of the GDPR): In all cases.
- Right to object to processing (Article 21 of the GDPR): Only for processing whose legal basis is not the performance of the contract or the exercise of a legal obligation.
- Right to data portability (Article 20 of the GDPR): Only for processing based on consent, the performance of a contract, or if the processing is carried out by automated means.
- Right to lodge a complaint with the CNIL: In all cases.
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal: Only when the processing is based on the data subject's consent to the processing of their personal data for one or more specific purposes.
Data subjects may exercise all the rights mentioned above by sending a formal request to the Data Controller, accompanied by a copy of proof of identity, to the following address:
- Email: [email protected]
- Post: Alimpex, 3 rue du Transformateur, 68126 BENNWIHR GARE
Data subjects also have the right to lodge a complaint with the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), via its website (www.cnil.fr) or by mail (3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07).
Finally, if a data subject believes that a GDPR violation has occurred, they may appoint an association or body listed in Article 43 ter, IV of the French Data Protection Act of 1978 to seek redress against the data controller or processor before a civil or administrative court or before the CNIL.
10.AUTOMATED DECISION MAKING AND PROFILING
Unless otherwise stated in the specific provisions, no profiling within the meaning of Article 22 of the GDPR will be carried out and more generally no automated decisions will be made on the basis of Personal Data.
