PRIVACY AND PERSONAL DATA PROTECTION POLICY FOR THE TAPILOU WEBSITE

Access to and use of the website www.tapilou.com (hereinafter referred to as the “Site”) may require you to provide a certain amount of personal data (hereinafter referred to as “Personal Data”) concerning you.

In order to maintain your trust, we, the TAPILOU company, invite you to read our policy on this matter, which describes the data collected, the use made of it, and the rights you have with regard to it.

1. DEFINITIONS

“Client” means the client user of the Site.

“Customer Account” means the account that you have created as a Customer and user and which is accessible using your Identifiers.

“Geolocation Data” means data that identifies your location in a reasonably specific manner, such as using latitude and longitude coordinates obtained through GPS, Wi-Fi or mobile triangulation.

“Personal Data” means any information relating to an identified or identifiable natural person; an “identifiable natural person” is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

“Identifiers” means your email address and password.

“Data Protection Act” means Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms (amended by Law No. 2018-493 of June 20, 2018).

“Product(s)” means the play mat(s) for babies and toddlers sold by the Company on the Site.

“EU Regulation 2016/679” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Services” means all the functionalities made available to you through the use of the Site.

“Site” means the TAPILOU website which is intended exclusively for you as a user and non-professional customer (individual) and accessible at the URL www.tapilou.com.

“Terminal” means the smartphone, tablet or any other hardware with an operating system compatible with the Site and from which you access the Content and Services.

2. WHO COLLECTS YOUR DATA?

The website www.tapilou.com is published by the company TAPILOU, a simplified joint-stock company with a capital of 1,000 euros, registered in the Marseille trade and companies register under number 882 014 095, whose registered office is located at 58 montée de saint menet, 13011 Marseille – FRANCE, represented by Mrs. Déborah Goldberg, in her capacity as president.

As part of the use of the Site, we collect and process a certain amount of Personal Data concerning you.

We are therefore responsible for processing within the meaning of the Data Protection Act and EU Regulation 2016/679.

3. WHAT PERSONAL DATA DO WE COLLECT?

We only collect, via the Site, your Personal Data which is strictly necessary for the proper execution of the services offered, namely:

  • The creation of a Customer Account;
  • Payment for your orders;
  • Delivery of your orders;
  • Archiving your orders and issuing invoices;
  • Sending a newsletter;
  • Contact via the contact form.

You agree to provide complete and accurate information to enable the proper performance of the Site's Services.

3.1 Data collected as part of the creation and management of your Customer Account

The Personal Data we collect to create your account are: your first name, last name, email address and password.

This data is collected to allow you to create a Customer Account and have access to the Services.

3.2 Data collected as part of the payment for the Products

We collect the data strictly necessary to complete the payment of your order, namely, depending on the payment method chosen:

  • the card number, expiry date and visual cryptogram in the case of payment by bank card via the STRIPE payment solution;
  • PAYPAL account email address and password in case of payment via your PAYPAL payment solution;
  • the name of the banking institution, the IBAN and the BIC of the banking institution in the event of payment in three installments via the ALMA split payment solution.

IT IS STRONGLY RECOMMENDED TO READ THE PRIVACY POLICIES OF OUR PAYMENT SOLUTION PROVIDERS BEFORE ANY ORDER VALIDATION [1].

We guarantee to take all appropriate organizational and technical measures to preserve the security, integrity, and confidentiality of your banking data against any unauthorized access, use, misappropriation, communication, or modification by using secure payment systems that comply with the state of the art and applicable regulations. This data is encrypted using a reputable "strong" algorithm.

3.3 Data collected as part of the management of your orders

The Personal Data that we collect for the management of your orders are: your last name, your first name, your email address, your delivery address, your telephone number, your billing address, and possibly the first and last name of the person to whom you wish to offer a Product or a gift card.

This data is collected to enable us to manage your order and deliver the Products to the person concerned.

3.4 Data collected through the contact form

Through the contact form, we collect data relating to your first name, last name, email address as well as the subject and content of the message you wish to send us.

The contact form allows you to contact us to learn more about our products, make a comment about them, or ask us a general information question. Data is collected so that we can contact you in return to respond to your message.

3.5 Data collected as part of the Newsletter

The Personal Data we collect to subscribe you to our Newsletter is limited to your email address.

This allows us to send you our Newsletter.

3.6 Geolocation data

We also collect your geolocation data if you authorize us to receive it by activating access to geolocation data through the settings of your smartphone, tablet or any other device with an operating system compatible with the Site.

4. WHY DO WE COLLECT YOUR DATA?

We collect your data:

  • To operate the Site and provide the Services, in particular to authenticate your access to your Customer Account and make payment for your order and deliver the Product(s) to you;
  • To manage our business needs, such as tracking, analyzing, and improving the performance and functionality of the Site. For example, we analyze your behavior and conduct research on how you use the Site;
  • To protect the Site and you against fraud by verifying your identity, and helping to detect and prevent fraud and abuse of use of the Site;
  • To comply with our obligations and enforce our terms and conditions of use of the Site and to comply with all applicable laws and regulations.
  • For statistical processing and to improve our services. These processes are completely anonymized and therefore not covered by the aforementioned Regulation 2016/679.

5. WHAT JUSTIFIES THIS COLLECTION?

The data will be collected and processed in a fair and lawful manner, and will be used to provide the services offered on the Site.

In the context of the orders you place on the Site, the legal basis for the collection and processing is the execution of the sales contract concluded between TAPILOU and the Customer.

Regarding other processing, we only collect your Personal Data to the extent that you have expressly given your consent.

You may withdraw your consent at any time by sending a request to this effect to the following contact details:

  • By email: contact@tapilou.com
  • Or by post: TAPILOU 58 montée de saint menet, 13011 Marseille – FRANCE

The withdrawal of your consent only applies to the future and does not affect the lawfulness of processing carried out prior to the withdrawal of your consent.

6. WOULD YOU LIKE TO RECEIVE OUR NEWSLETTER AND/OR OUR COMMERCIAL OFFERS?

You can consent or object to the use of your email address when you provide your data, so that we can send you our newsletter or commercial offers electronically.

You can object to this prospecting at any time via the link provided for this purpose in all the emails you receive.

7. WHO DO WE SHARE YOUR DATA WITH?

TAPILOU is the sole recipient of all data collected and processed. Only duly authorized TAPILOU personnel may access it.

Our service providers responsible for delivering your Products also have access to only the data necessary for the proper performance of their delivery service, namely: your surname, first name, email address, telephone number and your delivery address.

Our payment solution providers also have access to only the data necessary for the proper performance of their service as specified in article 3.2 hereof.

Finally, our subcontracted IT service providers may possibly have access to the data during their maintenance operations, but may under no circumstances carry out any other data processing operation, such as modification or use of the data.

Your personal information will never be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than what is necessary to fulfill a request from you.

No data is transferred outside the European Union or to a country that does not ensure a sufficient and appropriate level of data protection in accordance with European Union regulations on Personal Data.

Anonymized data, however, may be provided to other parties for marketing, advertising, or other uses.

8. WHO ARE OUR SUBCONTRACTORS?

As part of the data processing carried out, we use the company SHOPIFY, a company incorporated under Canadian law, whose premises are located at 151 O'Connor Street - Ottawa, Ontario K2P 2L8 - Canada, which provides:

  • the hosting of all Personal Data processed on the Site and
  • maintenance of the Site.

We guarantee that our subcontractors host the data within the European Union or in a country ensuring a sufficient and appropriate level of data protection and provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of EU Regulation 2016/679 and the Data Protection Act.

In any event, any subcontracting carried out is carried out in strict compliance with this document. Consequently, we guarantee that our subcontractors do not under any circumstances exceed the processing methods defined in this document.

The subcontractor may itself be authorized to subcontract all or part of its operations subject to strict compliance with the provisions of Article 28 of EU Regulation 2016/679 and this document.

However, as data controllers, we remain your sole point of contact.

9. WHAT ARE YOUR RIGHTS?

In accordance with current regulations, you have rights over your Personal Data.

To exercise these rights, you must write to us specifying the subject of your request and provide proof of receipt of your request.

Any request for information about your rights or any request to exercise one of your rights should be sent to the following contact details:

  • by email: contact@tapilou.com
  • or by post: TAPILOU, 58 montée de saint menet, 13011 Marseille – FRANCE

Any request to exercise your rights will be accompanied by a copy of your identity document in order to avoid any fraud and/or illicit access to your data.

However, some personal information may be exempt from such requests in certain circumstances, for example if it infringes the rights and freedoms of others. If an exception applies, we will let you know when responding to your request.

9.1 Rights of access, opposition, limitation, erasure and rectification of data

In accordance with current regulations, you have the right:

  • to access any of your Personal Data that we hold about you;
  • to update any of your Personal Data that is not up to date or incorrect;
  • to restrict how we process your Personal Data;
  • to ask us to provide you with a copy of any of the Personal Data we hold about you;
  • to object to the use of your Personal Data;
  • to oppose the use of your Personal Data for prospecting purposes.

9.2 Right to data portability

You have the right to the portability of your data, which must be returned to you by us in a structured, commonly used and machine-readable format, if you wish.

You can only exercise this right to portability with respect to data that you have actively and consciously declared or that you have generated through your activity, in particular in the context of using the contact form, to the exclusion of any other data that is calculated, derived or inferred from the data that you have provided.

Furthermore, only data processed automatically and collected on the basis of your consent or the performance of a contract are affected by this right.

We reserve the right not to comply with your request to the extent that the data concerned by your request does not meet the above-mentioned conditions.

For all data not meeting the above criteria, you can only exercise the rights mentioned in the previous clause.

We will not prevent the transfer of data covered by the right to portability to another data controller, either through you or directly where this is technically possible. If the direct transfer of data to another data controller is not technically possible, we will inform you and offer you an alternative solution.

We are not responsible for the processing you carry out on data resulting from the right to portability once you have retrieved it. We are also not responsible for the processing carried out by the company that retrieved your data following a request you have made to this effect.

9.3 Right to formulate advance directives

In accordance with current regulations, you can formulate advance directives on the use of your data after your death (for example: retention, deletion, disclosure).

You may change or withdraw your instructions at any time.

9.4 Right to lodge a complaint with the CNIL

You are informed of your right to contact the CNIL in the event of non-compliance with legal and regulatory provisions on our part in the management of your Personal Data.

To do this, you can contact the CNIL using the following link: https://www.cnil.fr/fr/plaintes

Notwithstanding the above, as data controller, we remain your sole point of contact.

10. HOW LONG DO WE KEEP YOUR DATA?

10.1 We keep your Personal Data in an identifiable format only for the period strictly necessary to manage our commercial relationship and to comply with our legal and/or regulatory obligations.

To the extent that you are a Customer and hold a Customer Account, some of the data collected about you is kept for a period of five (5) years following the year in progress at the time of the end of the contract between us (deletion of the Customer Account) in intermediate archives [2] in order to be able to respond to you in the event of a dispute.

10.2 The data collected from the contact form is kept for the duration necessary for us to respond to you and, possibly, for the duration of successive exchanges that may be established between you and us. We subsequently archive this data for a period not exceeding one (1) year from its collection or from the last message you sent to us.

10.3 The banking data collected on the Site as part of the payment for the Products are kept until the last payment due date. The banking data are then kept in intermediate archives [3] for thirteen (13) months following the debit date or fifteen (15) months in the case of deferred debit payment cards, and may only be used in the event of a dispute over the transaction by the Customer, for evidentiary purposes, in accordance with Article L.133-24 of the Monetary and Financial Code.

10.4 In the event that you have not objected to commercial prospecting, the Personal Data concerning you will be kept for a period of three (3) years from their collection or from the last contact from you (for example, a request for documentation or a click on a hyperlink contained in an email constitutes a contact from you. However, opening an email cannot be considered as a contact from you). At the end of this period of three (3) years, we may contact you to find out if you wish to continue receiving commercial solicitations. In the absence of a positive and explicit response from you, the data will be deleted.

10.5 In the event of exercising the right of access or rectification, data relating to identity documents are kept for the period provided for in Article 9 of the Code of Criminal Procedure, i.e. one (1) year.

In the event of exercising the right to object, data relating to identity documents may be archived for the limitation period provided for in Article 8 of the Code of Criminal Procedure, i.e. three (3) years.

In the event of exercising the right to object to receiving commercial prospecting, the data necessary to take into account the exercise of your right, such as your email address, are kept for three (3) years from the exercise of your right and cannot be used for any other purpose.

10.6 Furthermore, we may retain anonymous or anonymised data using an irreversible process for an unlimited period for statistical processing purposes. Given the anonymous nature of this data, it is not considered personal data within the meaning of EU Regulation 2016/679.

11. HOW DO WE USE COOKIES AND TRACKING TECHNOLOGIES?

Browsing the Site may result in the installation of cookies on your Terminal.

11.1 Why use cookies?

A cookie is a small file, which does not allow your personal identification, but which nevertheless records information relating to the navigation of a Terminal on a website.

These cookies improve access to our website and identify repeat visitors. In addition, our cookies enhance your experience by tracking and targeting your interests.

The cookies used on the Site are placed by us or by third parties.

We place cookies on the Site that are strictly essential for browsing the Site, cookies whose sole purpose is to enable or facilitate electronic communication, and audience measurement cookies whose purpose is limited to measuring the audience of the content viewed in order to enable an evaluation of the published content and the ergonomics of the Site.

Google Analytics and Hotjar cookies intended for audience measurement are placed by third parties.

We automatically receive and record information from your Device and browser, including your IP address, software and hardware, and the page you request.

Collecting your IP address is essential to allow you to communicate on the Internet, but does not provide more precise information than the city, and the IP address is anonymized once geolocation is done.

Cookies used in addition to cookies strictly necessary for browsing the Site are used for the following purposes:

  • Audience measurement: these cookies allow us to establish visitor statistics;
  • Social buttons: these cookies allow you to share the content of the Site on social networks;
  • Tracking and advertising spaces: these cookies allow promotional content to be placed in advertising spaces and offer targeted advertising based on your interests.

Cookies that are not strictly necessary can be disabled by following the instructions given in the “How to configure cookies?” section below.

11.2 What are your rights?

Cookies that are strictly necessary for the provision of a service on the Site expressly requested by you do not require your consent.

However, cookies that are not strictly necessary for browsing the Site require your consent. Until you have given your consent, these cookies cannot be stored or read on your Device. You will be informed of this by the appearance of a banner.

You can withdraw your consent to the storage or reading of certain cookies on your Terminal at any time.

The validity period of this consent is thirteen (13) months. At the end of this period, your consent will be collected again.

Cookies are stored for a maximum period of thirteen (13) months on your Terminal. Beyond this period, cookies are permanently deleted from said terminals. This period is not extended under any circumstances in the event of a new visit to the Site.

The data collected via cookies is not combined with any other data processing.

You have the option to object to cookies through an opposition mechanism by sending a request to this effect to the following address: contact@tapilou.com.

If you exercise such a right, no data concerning you will be collected.

You are informed that refusing to install a cookie may make it impossible to access certain services on the Site.

11.3 How to configure cookies?

In order to refuse the installation of cookies that are not essential for browsing the Site, you can configure your internet browser settings as follows:

  • In Firefox: "Firefox/Preferences" tab. Click on "Privacy" and choose "Never" under "Accept third-party cookies". You can also choose to only keep cookies until Firefox is closed;
  • In Google Chrome: "More" tab. Click "Settings" then "Advanced settings". In the "Privacy and security" section, click "Content settings", then click "Cookies" and disable "Allow sites to save/read cookie data". You can also choose to enable it;
  • In Safari: "Safari/Preferences" tab. Click on "Privacy" and choose "Always block" under "Cookies and website data". At the end of your browsing, you can also click on "Delete all website data". You can also choose to activate the "do not track" function;
  • In Edge: "Internet Options" tab, then "privacy", where you can configure the internet zone and limit cookie access by choosing the "High" confidentiality option which blocks cookies with insufficient confidentiality policies as well as cookies which record information without users’ consent;
  • In Opera: "Preferences" tab. Click on "Advanced" then click on "Cookies". You can choose to accept all cookies, only those from the site you are visiting, or never accept cookies.

Please note, however, that your consent is processed using a cookie. Therefore, if you delete all cookies stored on your device through your internet browser, we will be unable to know that you have chosen this option.

Please note: if you systematically refuse the installation of all cookies on your Terminal, including those strictly necessary for browsing, via the “block all cookies” options, your browsing on the Site may be limited, and access to certain services may be impossible.

For more information, you can consult the CNIL website via the following link:

https://www.cnil.fr/fr/cookies-les-outil-pour-les-maitriser .

12. HOW TO CONTACT US?

You can contact us if you have any general questions or concerns about this Privacy Policy or how we process your Personal Data at contact@tapilou.com or via the contact form.

13. MODIFICATION OF THIS PRIVACY POLICY

We may update this privacy policy at any time if our practices change, including changes to the Site's features.

If our privacy policy changes, we will necessarily update the "updated date" of this policy. We will not fail to inform you of any substantial changes relating to the processing of your data by placing a visible notice on the Site.

[1] Hypertext links:

https://stripe.com/fr/privacy

https://getalma.eu/legal/data

https://www.paypal.com/fr/webapps/mpp/ua/privacy-full

[2] Intermediate archiving means data which is still of administrative interest to the services concerned (in the event of litigation, for example), and whose retention periods are set by legal limitation rules.