1 - What are the key concepts of the General Data Protection Regulation (GDPR)?

In addition to the notions already defined in the general terms and conditions, the following terms are added, the meaning of which is defined by the "General Data Protection Regulation" (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC:

Personal Data: any information that allows, in any form whatsoever, the identification of the natural persons to whom it applies. An identifiable individual is one who can be identified by reference to a name, an identification number or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Data subjects: persons who can be identified, directly or indirectly, within the framework of the Company's activities (commercial activity, marketing, customer relations, etc.), i.e. all Users, Customers and Prospects of Skyloud.

Data controller: organization that - alone or jointly with others - determines the "why" and the "how" of data processing, i.e. its purpose (objectives pursued) and its means (conditions of implementation, in particular on the technical, material and organizational level).

Subcontractor: an organization that processes data on behalf of and at the direction of another organization, the Data Controller.

Processing of Personal Data: any operation applied to data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction

2 - Who is the Data Controller of your Personal Data?

The Company Skyloud determines the purposes and means of processing your Personal Data. Within the framework of the edition of the Site and the management of the Accounts, the Company therefore acts as the Data Controller within the meaning of Article 4 of the RGPD.

‍3 - What are the categories of Personal Data concerned?

Identification data: first and last name; e-mail address; password; telephone number; profession; company (name, company name or SIRET).

Connection data: country of connection; IP address; log; User ID, etc.

Web data: cookies and browsing data; reviews and comments left on multiple channels, such as our websites or social networks.

Financial data: data relating to the credit card of the Person concerned within the framework of the payment of the subscription carried out via a service provider.

Banking Data: data relating to the Data Subject's bank account in the context of the bank synchronization carried out through a service provider.

4 - What are the purposes associated with the processing of Personal Data?

5 - Who are the recipients of your Personal Data?

Access to Personal Data is strictly controlled. The Company ensures that the data is only accessible to authorized internal or external recipients.

Internal recipients:

• Authorized personnel from the marketing, sales, customer relations, administrative and technical departments as well as their line managers.
• The authorized personnel of the departments in charge of the audit (auditor, department in charge of the internal audit procedures, etc.).

External recipients:

• The Company's partners and subcontractors and, more specifically, their personnel authorized to access only the data necessary for the implementation of their services.
• Agencies, judicial and ministerial officers, within the framework of their debt collection mission.
• The recipients of your Personal Data within the Company are subject to a specific confidentiality obligation. The Company decides which recipient is entitled to receive data internally.

The clearance policy is updated regularly and takes into account the arrival and departure of Company employees with access to data. If an employee becomes aware that he or she has access to data to which he or she should not have access, he or she is required to notify the appropriate department immediately. All accesses concerning the processing of Personal Data of Data Subjects are subject to a traceability measure.

In addition, your Personal Data may be transmitted to third-party service providers who are required to use it only for the purposes for which the Company has entrusted it to them, including :

• For the implementation of the bank synchronization, the Company is in relation with a financial company with which it has signed a specific partnership agreement.
• When the Company uses subcontractors and independent contractors to assist in the provision of a number of services, such as customer messaging platforms, advertising, statistics, data management and hosting, and payment services, the Company may use these contractors to provide services to the Company. These service providers have limited access to Data Subjects' data for the strict purpose of providing these services.
• When the Person concerned publishes, in the free comment areas (blog, Facebook page, etc.), information accessible to the public.
• When the Data Subject authorizes a third party's website to access his/her data.

In this context, the Company ensures that the security of your Data is preserved through strict control:

• In the event that Personal Information is transferred within the European Union, the Company ensures that such third party service providers adhere to the principles of the "General Data Protection Regulation" (GDPR).
• In the event that personal information is transferred outside the European Union, the Company ensures that the third country concerned has a level of protection deemed adequate by European regulations (e.g. in the case of a transfer of data to the United States, checking the adherence of the third party service provider to the "Privacy Shield" principles).
• Your Personal Data may also be communicated to any authority legally entitled to know it. In particular, the Company may transmit data to follow up on claims made against it and to comply with administrative and judicial procedures. In this case, the Company is not responsible for the conditions under which the personnel of these authorities have access to and use your data.

6 - How long do you keep your Personal Data?

The Company retains your data for a certain period of time in order to provide you with its services or assistance. The Company may also retain some of your information if necessary, even after you have closed your account or it no longer needs it to provide its services to you. Your Personal Information will not be transferred, rented or exchanged to third parties. The length of time the Company retains your Personal Information is determined by the Company in accordance with legal and contractual requirements and, if not, according to its needs:

Retention periods for each category of Personal Data

User and Customer data (identification data, web data, customer relationship management): The data relating to Users and Customers are kept for the entire duration of the opening of the Account and up to 90 days thereafter. This duration can be increased by 3 years for animation and prospecting purposes and by 5 years for archiving purposes as of the deletion of the Account or unsubscription.

Prospect data (identification and web data): Prospect data is kept for a maximum of 3 years from the date of collection or last contact from the Prospect.

Technical data (connection data and cookies): Connection data (IP addresses and logs of the Persons concerned) are kept for a period of one year from the last connection or last use of Skyloud. Cookies can be kept for a period of 13 months from the last manifestation of consent.

Financial data (payment methods): The financial transactions relating to the payment of subscription fees via the site are entrusted to a payment service provider who ensures the hosting, the smooth running and the security. The recipient of your Personal Data relating to your credit card numbers, it collects and stores them in our name and on our behalf during the execution of the payment operations. We never have access to your payment data.

Banking data (connection data, account synchronization and historical data): The collection of banking transactions is outsourced to a banking synchronization provider who ensures the hosting, the smooth running and the security. They collect and store login and bank transaction data on our behalf for the duration of your use of Skyloud. We never have access to the identification data of the banking interface.

The data used to establish proof of a right or a contract (customer data, etc.) or kept to comply with a legal obligation (invoicing data, etc.), are subject to an intermediate archiving policy for a period not exceeding the time required for the purposes for which they are kept, in accordance with the provisions in force.

After the set time limits, the data is either deleted or kept after being anonymized, in particular for statistical purposes. Data Subjects are reminded that the deletion or anonymization of data stored in its systems are irreversible operations and that the Company is not, thereafter, able to restore them.

‍7 - What security measures are applied on your Personal Data:

As a Data Controller, the Company is committed to aligning its practices to comply with European regulations and guarantee a level of security appropriate to the risk (Article 32 §1 of the GDPR).

The organizational security measures taken by the Company in the context of its processing of Personal Data include, but are not limited to, the following measures:

• All staff are trained and regularly informed of developments in data security and personal data protection;
• In order to protect the confidentiality of Personal Data, employment contracts signed by staff members include a clause obliging them to recognize their duty to protect the confidentiality of all data to which they have access in the course of their duties;
• Only authorized personnel may have access to Personal Data, provided such access is necessary. Measures to prevent access to Personal Information by unauthorized persons are in place;
• A method of accessing Personal Data has been developed internally so that an appropriate level of authorization is required;
• No Personal Data is resold by the Company, even anonymously and for any purpose.

The technical security measures taken by the Company in connection with its processing of Personal Data include, but are not limited to, the following measures:

• Passwords and usernames are requested before accessing any electronic environment in which Personal Data is stored and an access log is kept;
• Any electronic media and software on which Personal Data is stored is regularly updated and protected against malware and unauthorized access;
• Appropriate security measures (e.g. firewalls etc.) are implemented at the interface between the environments accessible to third parties and the company's storage areas, as well as measures to combat virtual attacks that threaten data security (IDS/IPS etc.);
• The transmission of Personal Data is always done through encrypted communication services (email, FTP, file sharing, HTTPS security mode);
• The environment (servers, etc.) where Personal Data is stored on behalf of the Data Controller is physically protected and access to it must be controlled and limited to authorized personnel;
• Personal Data can be anonymized or deleted using appropriate methods. The deletion of Personal Data stored in an electronic environment has the effect of making it impossible to retrieve the data.

8 - What are your rights regarding your Personal Data and how to exercise them?

In order to allow a regular update of the personal data collected by the Company, this one will be able to solicit the Persons concerned who will have for obligation to satisfy the requests of the Company. In accordance with the regulations applicable to personal data, the Persons concerned have the following rights:

Right of access (Article 15 of the RGPD): they can exercise their right of access, to know the Personal Data concerning them.

Right of rectification (Article 16 of the RGPD): if the Personal Data held by the Company are inaccurate, they can request the update of the information; The persons concerned are informed that the Company will not proceed to any so-called "comfort" modification, these being possible from the "Profile" tab in the "Settings" section of the Skyloud account. Only substantial modifications to the civil status, identity, profession and contact details of the person concerned will be made.

Right of deletion (Article 5 of the GDPR concerning the "purging" of data and Article 17 of the GDPR concerning the deletion of data or "right to be forgotten"): Data Subjects may request the deletion (in whole or in part) of their Personal Data, in accordance with applicable data protection regulations.

Right to limit processing (Article 18 of the GDPR): Data Subjects may request the Company to limit the processing of their Personal Data in accordance with the assumptions set forth in the GDPR.

Right to object to data processing (Article 21 of the GDPR): data subjects may object to their data being processed in accordance with the assumptions set forth in the GDPR.

Right to portability (Article 20 of the GDPR): they can claim that the Company hands over the Personal Data they have provided to them for transmission to a new entity, within the strict framework of the applicable data protection regulations.

You can exercise one or more of these rights by contacting us via the dedicated module. This one-month period may be extended by two months if the complexity of the request and/or the number of requests require it. In order to protect us from any risk of data leakage or identity theft, some requests will need to be accompanied by a photocopy of a signed, valid identity document.

‍9 - How to contact our Data Protection Officer?

A Data Protection Officer is available for any questions or requests for further clarification relating to Skyloud's Privacy Policy. You can contact him via the dedicated module.

For any other more general information on the protection of Personal Data, you can consult the website of the National Commission for Information and Liberties (CNIL) at the following address: www.cnil.fr

‍10 - Under what conditions does our Privacy Policy apply?

Continued browsing of Skyloud's sites constitutes unreserved acceptance of the provisions of this Privacy Policy. The version currently online - effective May 25, 2020 - is the only version that is enforceable during the entire time you use the site and until a new version replaces it.

Our policy on Personal Data (in terms of confidentiality and cookies) may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations of the CNIL (the French Data Protection Authority) or practices. Any new version of this Policy will be brought to the attention of the Persons concerned by any means defined by the Company, including electronically (e.g. distribution by e-mail or online).