This privacy policy (hereinafter referred to as the “Privacy Policy“) sets out the legal framework for the collection, use and processing by TREMAU (hereinafter referred to as the “Company“) of personal data relating to persons browsing or using the services offered by the Company (hereinafter referred to as the “Users“) on the “Tremau” platform accessible at https://tremau.com/ (hereinafter referred to as the “Platform“) designed, developed and operated by the Company.

Under the terms of the Privacy Policy, the person responsible for processing personal data (the data controller) is TREMAU, a simplified joint stock company whose registered office is located at 10 RUE PHILIBERT DELORME, 75017 Paris, registered in the Paris Trade and Companies Register under number 903 710 176.

As the data controller, the Company retains full control over the Personal Data and determines the object, nature, purposes, means and duration of the processing of the Personal Data collected.

The information of the Personal Data collected under the Privacy Policy is mandatory and necessary for the processing and provision of the services offered by the Company (hereinafter referred to as the “Services“). Failure to provide this information will prevent the proper functioning and provision of the Services offered.

The Company undertakes to comply with the applicable regulations on the protection of personal data and in particular the obligations arising from the European Regulation No. 2016/679 on the protection of personal data (hereinafter referred to as the “GDPR“).

The Company collects Personal Data only in accordance with the terms of this Privacy Policy and any reasonable and legal instructions given by the User at any time.

ARTICLE 1: DATA COLLECTION

1.1 Throughout the use of the Platform and/or the Services, the Company is likely to collect personal data (hereinafter referred to as “Personal Data“) relating to the Users, i.e. any information, allowing the User to be identified directly or indirectly.

At the time of the first order or the transmission of a contact form on the Platform, the User expressly consents to the processing of his Personal Data within the limits of a processing strictly necessary for the proper functioning of the Platform and the Services.

1.2 Personal Data relating to Users are communicated directly by Users or indirectly when the Company collects them from third parties in accordance with the conditions required by the applicable regulations (commercial partners for example). Personal Data may also be created by the Company in the course of providing the Services.

This includes Personal Data relating to the identity of the User and in particular: surname, first name, e-mail address, telephone number, address and postal code, photograph.

1.3 The Company (including its technical service providers) is also likely to collect indirectly and automatically:

• Data relating to the User’s activity,
• Data relating to the User’s browsing, in particular the anonymized IP address, the browser used, the browsing time, the operating system used, the language and the pages viewed,
• Data relating to the use of the Platform by the User, including traffic data, number of notifications, number of visits, number of data updates, number of launches of the Platform and any other data or communication resources that the User uses when accessing the Platform.

ARTICLE 2 : USE OF PERSONAL DATA COLLECTED (PROCESSING PURPOSES)

The Company uses, stores and processes Personal Data for the following purposes and legal bases:

Purpose	Legal Basis
Access to the Platform and Services	The processing is necessary for the execution of the contract concluded between the User and the Company
Contact request (contact form)	The processing is necessary for the execution of the contract concluded between the User and the Company
Processing of User’s requests	The processing is necessary for the execution of the contract concluded between the User and the Company
Provision of the Services	The processing is necessary for the execution of the contract concluded between the User and the Company
Publication of content on the Platform (comment form, publication of articles)	The processing is necessary for the performance of the contract concluded between the User and the Company for the legitimate interests pursued by the Company
Processing of comments (moderation, spam detection)	The processing is necessary for the performance of the contract concluded between the User and the Company for the legitimate interests pursued by the Company
Fulfilling the legal obligations of the data controller	The processing is necessary for the Company to comply with its legal obligations
Response to possible questions/complaints from Users – Assistance	The processing is necessary for the purposes of the legitimate interests pursued by the Company
Management of requests for access, portability, deletion, rectification and opposition rights	The processing is necessary for the execution of the contract concluded between the User and the Company
Management of disputes, unpaid bills, litigation	The processing is necessary for the execution of the contract concluded between the User and the Company
Development, improvement of the Platform, creation of an environment of trust	The processing is necessary for the purposes of the legitimate interests pursued by the Company
Commercial communications relating to the Company’s services and products, similar to those already used by the User	The processing is necessary for the purposes of the legitimate interests pursued by the Company as it is in line with the reasonable expectations of the data subjects
Marketing purposes (communications and/or newsletters about the Company’s activities, initiatives and commercial offers, carrying out market research and surveys to measure the quality of the services offered)	The processing is carried out on the basis of the Users’ consent
Audience measurement / Statistics	The processing is necessary for the purposes of the legitimate interests pursued by the Company

The Company may make automated decisions about the User using the Personal Data and the Company and perform profiling processing through specific technologies such as Artificial Intelligence.

Finally, the Company grants itself the right to review, scan or analyze Personal Data, including communications exchanged between the Company and Users through the Platform or otherwise, to comply with its legal obligations and in particular for fraud prevention, risk assessment, regulatory compliance and investigation purposes.

ARTICLE 3 : DATA RETENTION

Personal Data is retained only as long as necessary to fulfill the purpose for which the Company holds such data, to meet the needs of Users or to fulfill its legal obligations.

To establish the duration of the retention of Personal Data, the Company applies the following criteria:

Type of processing	Duration of storage
Access and use of the Platform by the User – Provision of Services	Retention until the end of a period of 5 years from the end of the Services or inactivity and within the limits of legal requirements
Fulfillment of legal obligations / legitimate interests	Retention for the duration of the legal prescription concerned (2, 5 or 10 years)
Marketing	Retention up to 3 years after collection or last contact with the User
User’s request (Contact, assistance, exercise of rights)	Retention for as long as necessary to process this request
Cookies	Retention for the duration of a session and for any period defined in accordance with applicable regulations

At the end of the periods or the end of the use of the Services by the User, the Personal Data will be destroyed or the Company will proceed to their anonymization. 

However, the Company may keep certain Personal Data collected on separate storage spaces in order to justify, if necessary, the perfect execution of its contractual or legal obligations. The data thus stored will be limited to what is strictly necessary.

ARTICLE 4: SHARING AND DISCLOSURE OF PERSONAL DATA

The Company states:

• To have delivered in writing any instructions regarding the processing of Personal Data by the processor,
• To ensure, in advance and throughout the processing, that the obligations set out in the European Regulation on the protection of Personal Data are complied with by the processor,
• Supervise the processing, including carrying out audits and inspections of the processor.

The Company undertakes that the processor:

• Processes Personal Data only for the sole purpose(s) for which it is being subcontracted,
• Processes the Personal Data in accordance with the Company’s instructions,
• Guarantees the confidentiality of the Personal Data processed,
• Has undergone the necessary training in the protection of Personal Data,
• Takes into account, with regard to its tools, products, applications or services, the principles of protection of Personal Data by design and protection of Personal Data by default,
• Informs the Company immediately if it considers that an instruction constitutes a violation of the European Regulation on the protection of Personal Data or of any other provision of the law of the Union or of the Member States relating to the protection of Personal Data.

Personal Data may also be transmitted to business partners that allow the Company to properly perform the Services, their management, processing and payment under the contractual conditions signed between the partner and the Company that cannot derogate from the conditions of this Privacy Policy.

Only with the express consent of the User, the Company may reuse the Personal Data or transmit them to partner companies for the purpose of sending commercial information by e-mail.

The Company declares that it will receive from the subcontractor all the documentation necessary to demonstrate compliance with the obligations and to allow audits, including inspections, to be carried out by the Company or another auditor that it has appointed, and to contribute to these audits.

The Company remains solely responsible to Users for the provision of the Services entrusted to a Personal Data processor.

4.3 The Company uses the services of the company (o) acting as host of the Personal Data. The servers are located in (o).

Pursuant to Decree No. 2011-219 of February 25, 2011 on the retention and communication of data identifying any person who has contributed to the creation of content posted online, the User is informed that the host of the Platform is obliged to retain for a period of one year from the day of the creation of content, for each operation contributing to the creation of a content:

• The identifier of the connection at the origin of the communication,
• The identifier assigned by the information system to the content that is the object of the operation,
• The types of protocols used for the connection to the service and for the transfer of content,
• The nature of the operation,
• The date and time of the operation,
• The identifier used by the author of the operation when he/she has provided it.

In the event of termination of the contract, the host must also retain for one year from the date of termination of the contract the information provided at the time of the subscription of a contract (order) by the User or at the time of the creation of a customer space, namely:

• At the time of the creation of the customer space: the identifier of this connection,
• The first and last name or the company name,
• The associated postal addresses,
• The pseudonyms used,
• The e-mail addresses or account addresses associated,
• Telephone numbers,
• The password as well as the data allowing to verify or modify it, in their last updated version.

Finally, the Platform host must, when the contract subscription (order) is paying, keep for one year from the date of issue of the invoice or payment operation, for each invoice or payment operation, the following information relating to the payment:

• The type of payment used,
• The payment reference,
• The amount,
• The date and time of the transaction.

ARTICLE 5:  SECURITY

The processing of Personal Data is carried out, both on paper and in electronic form, by means of collection, recording, organization, conservation, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data.

The Company ensures that the Personal Data is adequately and appropriately secured and has taken the necessary precautions to preserve the security and confidentiality of the data and in particular to prevent it from being distorted, damaged or communicated to unauthorized persons.

Personal Data is protected in such a way as to minimize the risk of destruction, loss (including accidental loss), unauthorized access/use or use incompatible with the original purpose of collection.

The Company will implement all technical and organizational measures necessary to respect the protection of personal data, to combat unauthorized processing

The Company has implemented measures to protect the security of Personal Data in accordance with its data security policy, which is available at any time upon request from the Company’s human resources department.

When the Company becomes aware of a breach of rights in the processing of Personal Data, such breach will be notified to the CNIL within a period of no more than seventy-two (72) hours after becoming aware of it.

Any violation relating to the processing of Personal Data will be notified by e-mail, within one (1) month, by the Company to the User concerned.

ARTICLE 6:  DATA SUBJECTS’ RIGHTS

In any case, Users benefit as a data subject, if the limitations provided by law do not apply, from the following rights:

• Right of access: (a) Users may obtain confirmation of the existence or otherwise of their Personal Data, even if not yet registered, and that such data is made available to them in an intelligible form; (b) to obtain an indication and, where appropriate, a copy of the origin and category of the Personal Data; the logic applied in the event of processing carried out with the aid of electronic instruments; the purposes and modalities of processing; the identification data of the holder and of the data controllers; the subjects or categories of subjects to whom the Personal Data may be communicated or who may become aware of it, especially if they are recipients located in third countries or international organizations; if possible, the duration of data storage or the criteria used to determine such duration; the existence of an automated decision-making process and, if so, the logic used, its importance and the foreseen consequences for the data subject; the existence of adequate guarantees in case of transfer of data to a third country or an international organization.
• Right of rectification: to obtain, without undue delay, the updating and rectification of inaccurate data or, where you have an interest, the integration of incomplete data.
• Right of modify options consent: to revoke at any time, easily, without hindrance, the consents given, using, if possible, the same channels as those used to give them.
• Right to erasure: obtain the erasure, transformation into anonymous form or blocking of data: (a) processed unlawfully; (b) no longer necessary for the purposes for which they were collected or subsequently processed; (c) if the consent on which the processing is based is revoked and there is no other legal basis; (d) in the event of opposition to the processing and if there is no overriding legitimate reason for continuing the processing; (e) in the event of compliance with a legal obligation; (f) in the case of data concerning minors.

The Data Controller may refuse erasure only in the event of: a) the exercise of the right to freedom of expression and information; b) compliance with a legal obligation, the performance of a task in the public interest or the exercise of public authority; c) reasons of public health interest; d) archiving in the public interest, scientific or historical research or statistical purposes; e) the exercise of a legal right.

• Right of limitation: to obtain the limitation of the processing in case of: (a) contesting the accuracy of the personal data; (b) unlawful processing by the Controller to prevent their erasure; (c) exercising a right of the Controller in court; (d) verification of the predominance of the legitimate grounds of the Controller over those of the data subject.
• Right to portability: To receive, if the processing is carried out by automatic means, without hindrance and in a structured, commonly used and readable format, the personal data of the data subject, in order to transmit them to another Controller or, if technically possible, to obtain direct transmission by the Controller to another Controller. The right to portability is limited to the data provided by the User concerned and applies on the basis of the prior consent of said User. Upon request, the Company undertakes to transmit within 30 days, and in an open and readable format, any document of collection of Personal Data to the User in order to implement the right to portability. The costs related to the recovery of the data are at the expense of the User making the request.
• Right of opposition: to oppose, in whole or in part, for legitimate reasons relating to the particular situation of the person concerned, the processing of personal data concerning him/her.
• Right to file a complaint with the data protection authority: In this case, if necessary, the Data Controller will inform third parties to whom the personal data are communicated of the possible exercise of the data subject’s rights, except in specific cases (for example, when this proves impossible or involves a manifestly disproportionate use of means in relation to the protected right).

These rights must be exercised with the Company, if necessary with its Data Protection Officer (DPO) by electronic means at (o) or by post at (o).

These rights must be exercised by indicating the name, surname, home address, e-mail address, telephone number of the User, as well as the subject of the request.

In accordance with the regulations in force, all requests must be signed and accompanied by a photocopy of an identity document bearing the User’s signature, if requested by the Company.

If you believe, after having contacted us, that your rights with regard to data processing and liberties are not being respected, you can send a complaint online to the CNIL or by post.

ARTICLE 7 : COOKIES 

The Company also informs Users that cookies and other tracers record certain information that is stored in the memory of their hard disk.

The Company undertakes to comply with the applicable regulations on the protection of personal data and cookies, in particular the obligations arising from the GDPR, Directive 2002/58/EC of July 12, 2002, known as the ePrivacy Directive, and the deliberation of the CNIL n°2020-091 of September 17, 2020.

These tools allow to make the Platform work properly, to offer a better user experience, to understand how the Platform works, to analyze where it needs to be improved and how it can speed up future interactions of Users with the Platform.

Some cookies are essential for the User to enjoy all the features of the Platform and do not collect confidential information about Users.

Some third-party cookies are used for non-essential purposes such as understanding how the Platform works and how the User interacts with the Platform, generating audience statistics, providing personalized advertisements, offering products based on those already selected during previous visits.

The cookies present on the Platform are in particular:

• Statistical cookies that store information such as the number of visitors to the Platform, the pages of the Platform that have been visited, the IP address and all information relating to the use of the Platform,
• Advertising cookies that use information to personalize the advertisements displayed on the Platform,
• Functional cookies that enable certain features of the Platform, whether essential or not, including preference cookies that store Users’ browsing preference settings.

An alert message, in the form of a banner, asks each person visiting the Platform (on the home page or on another page of the Platform), if they wish to accept cookies. On this occasion, the User is informed of the precise purposes of the cookies used and of the possibility of opposing them and changing the cookie settings.

The deposit of cookies will not be carried out if the User does not express, by a clear act of acceptance or refusal, his will and the continuation of his navigation does not constitute an agreement to the deposit of cookies on his terminal.

The User may at any time choose to deactivate cookies and other tracers. The User’s browser can be configured to notify the User of cookies that are deposited on the User’s terminal and to ask the User to accept them or not.

The configuration of each browser is different. It is described in the browser’s help menu, which will allow the User to know how to modify his wishes regarding cookies.

» Firefox: https://support.mozilla.org/fr/kb/cookies-informations-sites-enregistrent

• Click on the menu button and select “Options”.
• Select the “Privacy” panel.
• Set the “Retention Rules” menu to “Use custom settings for history”.
• Uncheck the “Accept Cookies” box.
• Any changes you make will be automatically saved.

» Internet Explorer : https://support.microsoft.com/en-us/products/windows?os=windows-7

• Click on the Tools button, then on “Internet Options”.
• Click on the “Privacy” tab, then under “Settings”, move the slider up to block all cookies or down to allow all cookies, then click OK.

» Google Chrome: https://support.google.com/chrome/answer/95647?hl=fr

• Select the Chrome menu icon.
• Select “Settings”.
• At the bottom of the page, select “Show Advanced Settings”.
• In the “Privacy” section, select “Content Settings”.
• Select “Block all sites from storing data.”
• Select OK.

» Safari: https://www.apple.com/legal/privacy/fr-ww/cookies/

• Click on “Settings” > “Safari” > “Privacy” > “Cookies and Website Data

The Company uses the following cookies on its Platform: (o)