We attach great importance to the protection and confidentiality of your personal data, which we take seriously and trust.

The data privacy policy specifically demonstrates our commitment to ensuring compliance with applicable data protection rules and, in particular, those of the General Data Protection Regulation ("GDPR").

In particular, the privacy policy aims to inform you about how and why we process your data in connection with the services we provide.

The policy applies to you, if you are over 15 years old, wherever you live, whether you are a customer, a potential customer ("prospect"), or simply a visitor to the www.xsior.com website.

If you are under 15 years of age, you are not authorized to use our services without the prior consent of your parent or legal guardian. If you believe that we may be holding information about one of your children under the age of 15 without your consent, you can ask us to delete it at contact@xsior.com.

However, this policy only applies to data processing carried out by us and not to data processing carried out by our customers using our tool's functionalities. If you would like information about the data processed by our customers using these functions, please contact them directly.

Within the framework of the services offered, we are necessarily led to process your personal data for the following reasons and on the following grounds:

• So that you can browse our website and benefit from our services (e.g. create an online account, pay for our online services, use our tools, carry out commercial prospecting, etc.) and to respond to your requests (e.g. requests for information, complaints, etc.) on the basis of our general terms and conditions of sale, our general terms and conditions of use, and our legitimate interest in providing you with the best possible service.
• To keep you informed of our latest promotional offers and events by email, and by telephone, based on our legitimate interest in retaining our customers or contacting you.
• So that you can follow us on social networks and share your opinions on the basis of the general terms of use of the platform used (e.g. Facebook, LinkedIn...) and our legitimate interest in having a dedicated page on social networks.
• To enable you to subscribe to and receive our newsletter, which will inform you of any news concerning our services on the basis of your consent.
• To guarantee and reinforce the security and quality of our day-to-day services (e.g. statistics, data security, etc.) on the basis of our legal obligations, our general terms and conditions of sale and our legitimate interest in ensuring the proper functioning of our services.
• Finally, we may also install "Cookies" on your terminal. For more information on the use of "Cookies", please consult our "Cookies Policy".

We undertake to process your data only for the purposes described above and we guarantee that none of your data will ever be sold to a partner or a third party.

On the other hand, when you voluntarily publish content on the pages we publish on social networks or on our website, you acknowledge that you are entirely responsible for any personal information you may transmit, whatever the nature and origin of the information provided.

We have summarized the categories of personal data we collect directly from you or via databases of potential customers, as well as their respective retention periods.

If you would like to receive further details about our retention periods, please contact us at: contact@xsior.com

• Professional identification data and contact details (e.g. surname, first name, professional e-mail address, business address, etc.) are kept for the entire duration of service provision, plus the legal statute of limitations, which is generally 5 years. A user's account is automatically deleted if inactive for more than 3 years.
• When there is confusion between the name of your structure and your personal name (e.g.: auto-entrepreneur, VSE, etc.), economic and financial data (e.g.: bank account number, verification code, etc.) retained for the time required to complete the transaction and manage invoicing and payments, plus the statutory limitation periods, which are generally 5 to 10 years.
• Data for sales and marketing canvassing and newsletter subscription purposes (e.g. e-mail address, etc.) kept for a maximum of 3 years from the last contact we had with you.
• Connection data (e.g. logs, IP address, etc.) stored for 1 year.

Once the retention periods summarized above have expired, we delete all your personal data to guarantee your privacy for years to come.

The deletion of your personal data is irreversible and we will no longer be able to communicate them to you after this period. At most, we can only keep anonymous data for statistical purposes.

Please also note that in the event of litigation, we are obliged to retain all data concerning you for the duration of the case, even after the expiry of the retention periods described above.

The applicable data protection regulations grant you specific rights which you can exercise, at any time and free of charge, to control the use we make of your data.

• Right to access and copy your personal data, provided this request does not conflict with business secrecy, confidentiality or the secrecy of correspondence.
• Right to rectify personal data that is incorrect, outdated or incomplete.
• The right to object to the processing of your personal data for commercial prospecting purposes.
• The right to request the deletion ("right to be forgotten") of personal data that is not essential to the proper functioning of our services.
• The right to limit the use of your personal data, which allows you to photograph the use of your data in the event of a dispute over the legitimacy of processing.
• The right to data portability, which enables you to recover part of your personal data so that it can be easily stored or transmitted from one information system to another.
• The right to give instructions on what to do with your data in the event of your death, either through you, a trusted third party or a beneficiary.

For a request to be taken into account, it must be sent directly by you to contact@xsior.com. Any request not made in this way cannot be processed.

Requests may not be made by anyone other than yourself. Only in this case may we ask you to provide proof of identity if there is any doubt about the identity of the person making the request.

We will respond to your request as quickly as possible, within three months of receipt, if the request is technically complex or if we receive many requests at the same time.

Please note that we may at any time refuse to respond to any excessive or unfounded request, particularly in view of its repetitive nature.

We will only disclose your data to persons who are duly authorized to use it for the purpose of providing our services. This may include our staff in charge of service implementation, accounting, marketing or even the security of our premises. In the case of candidates, this also includes the HR department and staff looking for a new member.

We may also share your data with public authorities, external consultants and practitioners, and service providers to ensure the smooth operation of our services (e.g. information systems security, etc.).

We implement all the technical and organizational means required to guarantee the security of your data on a day-to-day basis and, in particular, to combat any risk of unauthorized destruction, loss, alteration or disclosure of your data.

For example, our teams' passwords are complex and frequently changed. What's more, your data is backed up by regularly renewed backups, and encrypted to guarantee enhanced security on a daily basis.

Unless strictly necessary and on an exceptional basis, we never transfer your data outside the European Union, and your data is always hosted on European soil. Furthermore, we do our utmost to recruit only service providers who host your data within the European Union.

Should our service providers nevertheless transfer your personal data outside the European Union, we scrupulously ensure that they implement appropriate guarantees to ensure the confidentiality and protection of your data.

Our Data Protection Officer ("DPO") is always available to explain in more detail how we process your data and to answer any questions you may have on the subject at contact@xsior.com.

You may at any time contact the French data protection supervisory authority (the "Commission Nationale de l'Informatique et des Libertés" or "CNIL") at the following address: CNIL Complaints Department, 3 place de Fontenoy - TSA 80751, 75334 Paris Cedex 07 or by telephone at 01.53.73.22.22.

We may modify our privacy policy at any time in order to adapt it to new legal requirements and to new processing operations that we may implement in the future. You will of course be informed of any changes to this policy.

Published on 01/09/2023