CHARTER FOR THE PROTECTION OF DATA OF A PERSONAL NATURE RISING STONE attaches great importance to the protection of and respect for the private life and personal data («Personal Data») of the users of its web site (hereinafter, the «Site»). RISING STONE undertakes to employ adequate means to protect the confidentiality and security of Personal Data in accordance with the regulations in force in France and in the European Union, in particular the Règlement Général sur la Protection des Données Personnelles (General regulation for the protection of Personal Data) UE 2016/679 of 27 April 2016 and the rules under national law created for its application. In this charter (the «Charter»), users are advised of the practices and processing inherent in the collection and use of the Personal Data by RISING STONE as the organisation responsible for processing. Accordingly, RISING STONE invites users to read this document carefully to acquaint themselves with and to understand the processing relating to Personal Data. It is specified that in browsing on the Site, users accept this Charter as well as the general conditions of use.________________________________________ Article 1. Personal Data collected Users are required to supply their Personal Data in digital format when using the Site. 1.1 Principles applicable to the collection of Personal Data In general, users may browse on the Site without necessarily being required to provide RISING STONE with their Personal Data. RISING STONE only collects the Personal Data necessary for the processes it carries out («privacy by design») and guarantees a high level of protection («privacy by default»). In this respect, the processes requiring the collection of data are as follows: • Replying to requests for information (contact forms for requests for information and/or additional photographs of a property); • Taking part in polls aimed at improving the relationship with and experience of RISING STONE’s clients; • Sending information letters («newsletters»), informative or marketing e-mail alerts; • Job applications. In such cases, the personal information collected from users is the minimum: (i) Surname(s), (ii) Forename(s), (iii) E-mail address, (iv) Telephone number, (v) Postal address, (vi) Country. These Personal Data are then retained for the time necessary for the fulfilment of the user’s request. Should the request not be materially fulfilled, they are deleted within the timescale recommended by the CNIL, i.e. at the end of three years from their collection by the Site, subject to the options and legal obligations covering archival storage, conservation obligations relating to certain data and /or anonymity. 1.2 Users’ browsing information During the use of the Site or certain services related to the Site, certain data is gathered automatically such as: (i) IP address, (ii) reference of the browsing software used, (iii) browsing data (date, time, content viewed, search words used, etc.), (iv) reference of the operating system. Amongst the technologies used to gather this information, RISING STONE may have recourse to «php» sessions which store the data of each user by using a unique session identifier. These php sessions retain the data in their memory only for the time of the users’ browsing session. Accordingly, the data collected during browsing are deleted when the user’s browser closes or, where applicable, within a maximum of thirteen months of their collection. ________________________________________ Article 2. Legal basis for the collection and processing of personal data Personal Data are processed by RISING STONE in the circumstances permitted by the regulations in force and under the following conditions: • Free, specific, informed and unambiguous consent is obtained from Users (it is specified that for minors under the age of 18, consent must be given by their legal guardian); • The Personal Data collected is necessary for the fulfilment of the user’s request or enquiry. • Respect for the legal and/or reglementary obligations incumbent on RISING STONE (such as combatting fraud and corruption). • Protection of the legitimate interests of RISING STONE (such as the protection and security of its IT network). ________________________________________ Article 3. Recipients of the personal data collected Only authorised staff members of the group and service providers of RISING STONE may have access to the Personal Data collected and process them without prejudice to any transmission to the organisations responsible for inspections in accordance with the legislation and / or the regulations in force or in order to comply with a judicial or administrative decision. Authorised staff are required not to divulge this information. RISING STONE undertakes not to sell the Personal Data collected to a third party.________________________________________ Article 4. Transfer of personal data The Personal Data collected from users of the Site are retained exclusively in France and are not transferred outside the European Union. Should they have recourse to affiliated organisations and service providers located outside the European Union, RISING STONE undertakes to ensure that the appropriate measures have been put in place to protect users’ Personal Data adequately.________________________________________ Article 5. Data security RISING STONE collects and processes users’ Personal Data with the greatest confidentiality and in compliance with the applicable laws. Users are protected against unauthorised access, modification, divulgence and destruction of their Personal Data. When it is necessary and permitted to divulge Personal Data to third parties, RISING STONE ensures that the third parties guarantee that the Personal Data concerned have the same level of protection in place as that provided by RISING STONE, and requires contractual guarantees that the Personal Data will be processed exclusively for the purposes accepted by the users, with the required confidentiality and security (notably by means of clauses such as that of the European Commission, internal company regulations (« BCR ») or the data protection screen established between the European Union and the United States of America). RISING STONE has put in place technical and organisational measures to ensure that the Personal Data are securely protected throughout the time necessary for the aims to be achieved. Users’ attention is drawn to the fact that no transmission or storage technology is infallible. Additionally, in the event of a known breach of the Personal Data likely to cause a high risk to the users’ rights and freedoms, RISING STONE will inform the appropriate inspection authority of this violation by the means provided for by the applicable regulations. It is up to users to take sensible precautions against any unauthorised access to their Personal Data and notably to their IT and digital devices (computer, smartphone and tablet in particular). ________________________________________ Article 6. Links to other web sites The Site may occasionally contain links to the sites of partners or third party companies which have their own data protection charters. RISING STONE has no control over the content of these sites and cannot be held responsible for the use made of information collected when users click on these links. Accordingly, RISING STONE asks users to acquaint themselves with the data protection policies operated by the editors of these sites before entering any personal details.________________________________________ Article 7. Users’ rights Users are reminded that they have the following rights subject to the limitations provided for by the legislation in force : 7.1. Right of information about the processing of Personal Data RISING STONE undertakes to make every effort to provide concise, transparent and accessible information about the way in which users’ Personal Date are processed. 7.2. Right of access to Personal Data Every user may access their Personal Data processed by RISING STONE and has the right to receive a copy in electronic form (for every additional copy, RISING STONE will be entitled to seek payment of its expenses based on the administrative costs involved). 7.3. Right to delete (« droit à l’oubli ») and correct Personal Data Every user has the right to request that the Personal Data concerning them is deleted and / or corrected when they are incorrect or out of date. It is specified that RISING STONE will be able to retain certain Personal Data when the law so requires or for a legitimate reason. 7.4. Right to object Users may, at any time, object for legitimate reasons to: • The use of their Personal Data for direct marketing purposes or • The reuse of their Personal Data for processing other than that to which they have consented except in the case of RISING STONE in meeting one of its legal obligations. 7.5. Right to limit the processing of Personal Data Users have the right to request that the processing of their Personal Data is limited to what is necessary. This right only applies: • If the user contests the accuracy of their Personal Data; • If the user is able to establish that the processing of their Personal Data is illicit and requests a limitation of their use rather than their deletion; • If RISING STONE no longer needs the user’s Personal Data but they are still necessary for the user to record, exercise or defend their legal rights; • If the user objects to the processing based on the legitimate interests of the processor, during the process of checking if the legitimate reasons for which the processor is acting prevail over those of the user. 7.6. Right to complain to an inspection authority If a user considers that the efforts made by RISING STONE to preserve the confidentiality of their Personal Data do not guarantee their rights, they may submit a complaint to the appropriate inspection authority (CNIL or any other authority on the list available from the European Commission). 7.7. Right to the portability of Personal Data Users have the right of data portability, permitting them to obtain their Personal Data from RISING STONE in a currently used structured format which can be read by IT devices and to request that these Personal Data are sent to another processor. 7.8. Right to decide what happens to Personal Data after death Users also have the right to arrange what happens to their Personal Data after their death by adopting general or specific directives which RISING STONE undertakes to respect. In the absence of any such directives, RISING STONE recognises that the beneficiaries may exercise certain rights, in particular the right of access where it is necessary for the execution of the deceased’s estate and the right of objection. 7.9. How to exercise rights To exercise their rights, users are requested to contact the Délégué à la Protection des Données Personnelles (personal data protection delegate) at RISING STONE in the way outlined in article 10. It is specified that to assist users in the exercise of their rights, model letters are available to them on the CNIL web site (www.cnil.fr). Before processing users’ requests, RISING STONE may check their identity by requesting proof of identity. The Délégué à la Protection des Données Personnelles will respond to their request as quickly as possible and in any event within 1 (one) month of the proof of identity being provided. Where necessary, this timescale may be extended by 2 (two) additional months in the light of the complexity and number of requests, in which case RISING STONE undertakes to notify users of the extension and the reasons for it. ________________________________________ Article 8. Alteration to the Personal Data Protection Charter RISING STONE reserves the right to amend this Personal Data Protection Charter at any time to comply with changes in the law and regulations and / or to improve its processing and Personal Data Protection policy. In the event of an alteration, a new, updated version will be put on line with the date of the «latest update ».________________________________________ Article 9. Applicable law and appropriate court This charter is subject to French law, including the provisions applicable to the rules of international privacy law. If an amicable solution is not reached, the courts within the jurisdiction of the appeal court in Chambéry notwithstanding the number of defendants and /or recourse in warranty has the authority to take cognizance of any dispute relating to the use of the site and/or the validity, execution and interpretation of these General Conditions of Use.________________________________________ Article 10. Contact For any question relating to this Charter for the purposes of correcting, adding to or updating data, users are requested to contact RISING STONE : • By sending an e-mail to the Délégué à la Protection des Données at this address firstname.lastname@example.org ; • Or by completing the on-line contact form on www.rising-stone.com ; • Or by sending a letter to the following address: RISING STONE – For the attention of the Délégué à la Protection des Données, Mme Alexia Dantigny – 200, RUE DES JEUX OLYMPIQUES – 73550 MERIBEL LES ALLUES, FRANCE.