Moneco's Personal Data Protection Policy

Effective as of December 15, 2023

1. Purpose

We may ask you to provide us with personal data about yourself in the following cases:

• When you register for our newsletter or submit a spontaneous application;
• When you comment in the Comment section of our Blog;
• When you register on our Destination France tool;
• When you subscribe to an offer from the Welcome Pack with one of our partners: Luko; Smart Garant; Livin France; SFR.
• When you use the Moneco Application (hereinafter referred to as the "Application") to register and access the services offered in the Application and enable you to use them optimally;
• When you contact our teams via chat in the Application, social networks, or our emails.

The purpose of this Policy is to inform you about the means we implement to process your personal data, in strict compliance with your rights.

We inform you that in processing your personal data, we comply with the Law No. 78-17 of January 6, 1978 on Information Technology, Files and Freedoms, in its current version (hereinafter the "Information Technology and Freedoms Act"), as well as the Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").

2. Definitions

The following definitions are those derived from the GDPR and the Information Technology and Freedoms Act:

PERSONAL DATA or DATA - Personal data is any information relating to an identified or identifiable natural person. This person can be identified directly (e.g., name and surname) or indirectly (e.g., by a telephone number or license plate number, an identifier such as social security number, a postal or email address, as well as voice or image), by means of a single piece of data or by the combination of several pieces of data (e.g., a woman living at a certain address, born on a certain day, and a member of a certain association).

RECIPIENT - The natural or legal person, public authority, service, or any other body authorized to receive communication of data recorded in a file or processing by virtue of its functions.

FILE - A file is a data processing operation that is organized in a stable and structured set of data. The data in a file is accessible according to specific criteria.

DATA CONTROLLER - The Data Controller is the legal entity (company, municipality, etc.) or natural person who determines the purposes and means of a processing, i.e., the objective and the way to achieve it. In practice and in general, it is the legal entity embodied by its legal representative.

PROCESSOR - The Processor is the natural or legal person (company or public organization) who processes data on behalf of another organization ("the Data Controller") as part of a service or provision.

PROCESSING - Processing of personal data is an operation or set of operations involving personal data, regardless of the method used (collection, recording, organization, storage, adaptation, alteration, extraction, consultation, use, communication by transmission or dissemination, or any other form of provision, reconciliation). Processing of personal data is not necessarily computerized: paper files are also affected and must be protected under the same conditions. Processing of data must have a specific objective and purpose prior to the collection and use of the data.

3. Who is Responsible for Processing Personal Data?

The entity that collects and processes your personal data is the company Moneco France, a simplified joint-stock company registered with the Paris Trade and Companies Register under number 915 343 768, with its registered office at 99 Avenue Achille Peretti 92200 Neuilly-sur-Seine (referred to herein as "Moneco" or "We").

A dedicated contact person for data protection can be contacted at the following address: privacy@moneco.app.

Whenever Moneco has determined the purposes of processing your personal data as well as the means of processing used, it will be qualified as the Data Controller and will assume all the obligations imposed by the Regulations. We act as the Data Controller for the processing of your data collected during the following events:

• Your visit to our website;
• Your subscription to our newsletter;
• Your submission of a spontaneous application;
• Your registration on our Destination France tool;
• Your download and registration on the Moneco Application as a Limited User, as defined in our General Terms of Use.

For the account and payment card management services offered in the Application, we act as the Processor for the company Xpollens, which is the Data Controller for your data in this context. The privacy policy of Xpollens can be consulted at the following link: https://www.xpollens.com/en/data-protection/

We are also Processor for the following partners, which are the Data Controllers for the data they collect for the services offered:

• Home insurance offer: Luko; Smart Garant
• Online guarantee offer: Smart Garant;
• Student housing solutions offer with: Livin France;
• Prepaid SIM card offer: SFR.

4. How are your personal data collected?

4.1 Personal data you provide to us directly

These are the personal data that you provide to us directly by responding to our collection forms, including those available online on our website or application, or during the following actions:

• Newsletter registration: your email and/or phone number
• Commenting on the blog: your name or username, your email, and any other information you wish to bring to our attention
• Submitting a spontaneous application: your email, contact details, and any other information you wish to bring to our attention
• Spontaneous communication with our teams via Chat in the Application, our ticketing tool, by email, or by mail: your contact details and any other information you wish to bring to our attention
• Registration on Destination France: your email and/or phone number;
• Subscribing to our SFR offer: your name and surname, date of birth, email address, and postal address
• Registering on the Moneco Application: your email, name and surname, phone number, date of birth, mobile PIN code

The data collected by Moneco is either mandatory or optional. The mandatory nature is identified within each form by an asterisk for each of the relevant fields. When data is collected orally, we will specify whether the information is mandatory or optional. All the data that you spontaneously provide to us are, by definition, optional.

In the context of the payment services offered by Xpollens, we collect the following personal data:

• Identification data: name, first names, postal address, email, telephone number, tax identifiers
• Authentication data when accessing the Application or exercising your access or rectification rights: photographs and information on identity documents that you provide for this purpose
• Data relating to your means of payment: bank details, IBAN, account-card and payment card details opened via the Application
• Data relating to your transactions in the Application: dates and times of transactions
• Data relating to invoices and contracts generated via the Application: history of your use of our services
• Data relating to your connection to the Application: IP address, number of connections, their duration, and history
• Data from recordings of exchanges between you and our customer service: including the content of the exchanges, their dates.

4.2 Personal data we collect automatically

We collect certain personal data from you automatically.

When you visit the website or register on the Application, data is automatically recorded through your browsing traces on our website, either:

• Indirectly through third-party cookies,
• Directly through server event logs (log files) by persons responsible for managing the website or application (either within Moneco or as an IT service provider).

This concerns your browsing data.

When the collection of this browsing data is mandatory, it is collected to ensure the availability of the website or application, improve them, and maintain a secure environment.

When the collection is optional, your consent is obtained in advance for the browsing data used to measure the audience of our website, the performance of our campaigns, optimize lead management, analyze your behavior as an internet user, and/or to increase the interactivity of our website or application and offer you targeted advertising. Please refer to our Cookie Policy.

This may include:

• Data relating to your connection to the website or application: for example, your IP address, the website address you visit, your search engine and its settings, the date and time of the connection, how you navigate on the website or application, and any other usage tracking data.
• Data relating to the equipment you use to access the website or application: depending on the equipment you use and the activated settings, the following data may be collected: the type of equipment (mobile phone, tablet, PC, MAC, etc.) and the operating system you use, as well as their settings.

5. For what purpose and how long do we use your personal data?

5.1 Purposes of Processing your Personal Data

We process your personal data for one or more of the following purposes:

• Manage your access to certain services available on the website or in the Application and their use, including account and payment card management services carried out on behalf of Xpollens via the Application and services offered by our partners Luko, SFR, Smart Garant, and Livin France via our website;
• Carry out operations related to customer management regarding contracts, orders, deliveries, invoices, and follow-up of the customer relationship;
• Establish a file of registered members, users, customers, and prospects;
• Send newsletters, solicitations, and promotional messages. If you do not wish to receive them, you have the option to express your refusal during the collection of your data;
• Personalize responses to your information requests;
• Compile commercial and traffic statistics for our services;
• Manage defaults and any disputes regarding the use of our products and services;
• Comply with our legal and regulatory obligations;
• Offer tailored offers and services;
• Improve our services.

5.2 Legal basis for the Processing of your Personal Data

The Processing of your Data is based on the following legal grounds:

• The performance of a contract to which you are a party or pre-contractual measures concerning you;
• Compliance with a legal obligation, including our reporting obligations:
  • In the context of the fight against money laundering and the financing of terrorism,
  • Under the systematic communication of information (COSI) to TRACFIN.
• Your explicit consent to the Processing of your Data for one or more specific purposes, including the use of cookies. Your consent can be revoked at any time.
• Our legitimate interest in using your Data, including:
  • Responding to your information requests on the website or the Application and the services we offer,
  • Verifying your identity as part of a customer knowledge process (KYC),
  • Sending newsletters, solicitations, and promotional messages when you are already a user of our products and services,
  • Tracking your requests to exercise your rights,
  • Defending or asserting our rights in the event of a dispute,
  • Improving our services,
  • Offering you tailored offers and services.

5.3 Retention period for your Personal Data

5.3.1 Data related to customer and prospect management

Your personal data will not be kept beyond the period necessary for the management of our commercial relationship with you. However, data necessary to establish proof of a right or contract, which must be kept for legal reasons, will be kept for the duration provided by the applicable law. Data concerning customers registered on the Application may be kept for a period of 5 (five) years from the end of the commercial relationship, in particular to comply with our legal obligations. Exceptionally, in the event of a refusal of registration by a customer on the Application or abandonment by that customer of that registration, this data may be kept for a period of 1 (one) year from the date of notification of this refusal or abandonment. Personal data concerning a prospect, who is not a customer, may be kept for a period of 3 (three) years from their collection or the last contact from the prospect. At the end of this 3-year period, we may contact you again to find out if you wish to continue receiving commercial solicitations.

5.3.2 Requests to exercise your rights

The information necessary for the management of your requests to exercise your rights under the GDPR will be kept for 2 (two) years from the request. However, in the event of the exercise of the right of access, rectification, or opposition, the data relating to identity documents produced for this purpose will be kept only for the time necessary to verify your identity. In the event of legal proceedings, personal data concerning you will be kept in order to allow Moneco to defend its interests.

5.3.3 Documents related to customer knowledge (KYC)

The Data relating to the Know Your Customer (KYC) documents that we collect at the time of your registration, in our capacity as agent of the electronic money institution Xpollens, to check that a business relationship can be established with you are kept:

• In the event that Xpollens refuses to open a payment account: for a period of 1 (one) year from the date of submission of the Know Your Customer (KYC) documents;
• If a payment account is opened or a payment card is issued by Xpollens: for a period of 5 (five) years from the closure of your payment account.

5.3.4 Management of opposition lists for prospecting

The information allowing us to take into account your right to object is kept for a minimum of 3 (three) years from the exercise of the right to object.

5.3.5 Recording of our exchanges

Recordings of our exchanges by email or via the Chat in the Application are kept for a period of 6 (six) months. The analysis documents of the content of the exchanges are kept for a period of one year.

5.3.6 Management of the Website and Mobile Application

The data allowing the technical administration of the Website and/or the Application (maintenance, hosting), their security, the improvement of the user experience or the production of audience and usage statistics of the services are kept for a maximum of 13 (thirteen) months.

For more information on cookies, including the different types of cookies and how to configure them, please refer to our Moneco Cookie Policy.

5.3.7 Data transmitted as part of a spontaneous application

If you have submitted a spontaneous application on the Website and it has not been accepted, we will contact you to ask if you want us to keep your personal data in order to offer you another position in the future or if you want us to destroy it. In any case, your personal data will be automatically destroyed 2 years after your last contact with Moneco.

6. Who are your personal data intended for?

6.1 Within Moneco

Whether individually or in aggregate form, your personal data is processed by Moneco employees.

In any case, only the data strictly necessary for the performance of the intended processing is transmitted to the only employees authorized to have access to it by virtue of their functions. All persons likely to have access to your personal data are contractually bound by an obligation of confidentiality.

In the specific case, only the following have access to your personal data:

• The legal representatives of Moneco;
• The Moneco personnel responsible for the management of the Website and the Application;
• The Moneco sales manager and the personnel responsible for Moneco Customer Service;
• Moneco members responsible for technical operations related to the exercise of individuals' rights.

6.2 Transfers outside Moneco

Several categories of third parties mentioned below may have access to your personal data. Only the personal data strictly necessary for the purpose(s) pursued by the envisaged processing is transmitted to them.

The following may have access to your personal data:

• Control services (including statutory auditors);
• Our subcontractors (email service providers, office tools, CRM tools, analytical data visualization tools, cookie consent management tools, mailing and SMS/notification sending tools, audience measurement and analysis service providers, online conversational bots, online advertising tools, remote identity verification tools, affiliate partnership tracking tools, customer billing service providers, card payment collection service providers, electronic signature tools, ticketing and internal issue tracking tools, hosting service providers);
• The following partners:
  • The company Xpollens, with whom you contract for account and payment card management services,
  • Advertising platforms to present personalized ads based on your interests when you browse them.

Public bodies (including tax and social organizations) may also be recipients of your personal data, at their request in the context of information requests or to comply with our legal obligations, judicial and auxiliary authorities in the context of judicial proceedings, ministerial officers and organizations responsible for debt collection.

For the account and payment card management services offered in the Application, we act as a subcontractor of Xpollens, which is the Data Controller of your Data in this context.

Moneco undertakes not to transmit your personal data to third parties unless:

• You have given your prior consent for the sharing of your personal data with third parties,
• The sharing of your personal data with said third party is necessary for the provision of the requested products or services,
• A competent judicial or administrative authority requires Moneco to communicate such personal data.

6.3 Transfers outside the European Union

No personal data related to your payment services, collected for Xpollens via the Application, is transferred to a partner located outside the European Union.

As part of the tools we use to provide our services on the Website or the Application, some of your data may be subject to transfers outside the European Union, particularly to the United States, by our subcontractors.

The transfer of your data in this context is secured using the following tools:

• Either this data is transferred to a country recognized by the European Commission as providing an adequate level of protection;
• Or the data is transferred to a country that does not offer adequate protection but whose transfer is permitted under applicable regulations, in particular because it is regulated by the European Commission's standard contractual clauses, which the French Data Protection Authority (CNIL) has previously recognized as ensuring an adequate level of protection of privacy and fundamental rights of individuals.

6.4 Transfer of your personal data

Your personal data will not be transferred, rented, or exchanged for the benefit of third parties.

7. Use of your personal data by third-party platforms

The Moneco Website (including the Blog, Destination France, and the Welcome Pack) as well as the Moneco Application may contain links to other websites. Similarly, other websites may refer to or contain a link to our Website or Application. We have no control over these other domains and websites. We invite our users to read the privacy policies of each website and application with which they may interact. We do not endorse, verify, or approve, nor are we responsible for the privacy practices or content of such websites or applications. If you visit the other relevant websites or applications, you do so at your own risk and you are subject to their privacy policy.

7.1 Social media plugins

Our Website uses plug-ins provided by third-party companies (e.g., Facebook, X, LinkedIn, Google, etc.). If you interact using the plug-ins by clicking on the icons available on our pages, some of your personal data, including technical and browsing data, will be transmitted and stored on a server operated by the third-party company that operates the corresponding social network of the icon you clicked on. This data will then be processed by this third-party company in accordance with its terms and the settings of your account opened within this social network. Your data may be hosted outside the European Union, including in the United States.

If you do not want a third-party company operating a social network to link the personal data collected through the Website to your user account opened within the relevant social network, you must log out of that social network before visiting the Website.

In any case, the use of these plug-ins is managed by the third-party companies that publish social networks and is exclusively governed by the terms binding you to the social network of which you are a member. We invite you to familiarize yourself with the terms applied by these third-party companies that publish social networks.

7.2 Google services

Our Website and Application use several features offered by Google. As such, some of your personal data, including your browsing data, may be transferred to this company, whose servers may be located outside the European Union, including in the United States. The use made of your personal data by Google is subject to the terms of use issued by Google. We advise you to read them carefully in order to fully exercise your rights in this regard. The services concerned include YouTube, Google Ads, and Google Maps.

8. Hosting of your personal data

The security of your data is our priority. We inform you that we take all necessary precautions, organizational and technical measures appropriate to preserve the security, integrity, and confidentiality of your personal data, and in particular to prevent it from being distorted, damaged, or accessed by unauthorized third parties. We also use secure payment systems that comply with the state of the art and applicable regulations.

8.1 Hosting of Data collected on our Website

Your Data collected on our Website is stored and stored for the entire duration of its storage on the servers of Vercel Inc., whose registered office is located at 340 S Lemon Ave #4133 Walnut, CA 91789 and can be contacted by email at the following address: privacy@vercel.com. Their European DPO can be contacted via this form or by writing to EDPO, Avenue Huart Hamoir 71, 1030 Brussels, Belgium.

8.2 Hosting of Data collected on our Application

Your Data collected on our Application is stored and stored for the entire duration of its storage on the servers of Amazon Internet Services (AWS), whose registered office is located at Tour Carpe Diem, 31 Pl. des Corolles, 92400 Courbevoie. We use servers in the AWS Europe (Paris) region spread between La Courneuve, Vitry-sur-Seine, and Paris-Saclay. Their compliance can be contacted via this form.

9. What are your rights regarding your personal data?

9.1 Right of access

You have the right to obtain confirmation from Moneco as to whether or not personal data concerning you is being processed. If the data is being processed, you have the right to access this data and the following information:

1. The purposes of the processing;
2. The categories of personal data concerned;
3. The recipients or categories of recipients to whom the data has been or will be disclosed;
4. The envisaged duration of the data retention, if possible, or if not possible, the criteria used to determine this duration;
5. The right to request Moneco to rectify or erase your data, restrict its processing, or object to the processing;
6. The right to lodge a complaint with the CNIL;
7. If the personal data is not collected directly from you, any available information about the source;
8. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for you.

Finally, if personal data is transferred to a third country or an international organization, you have the right to be informed of the appropriate safeguards regarding the transfer.

Moneco will provide you with a copy of the data undergoing processing upon request. We may require the payment of reasonable fees based on the administrative costs for any additional copies you request.

If you request a copy of the data electronically, Moneco will provide it in a commonly used electronic format unless you request otherwise. The right to obtain a copy of personal data must not adversely affect the rights and freedoms of others.

9.2 Right of rectification

You have the right to request Moneco to rectify any inaccurate data concerning you without undue delay. You also have the right to have incomplete personal data completed, including by providing a supplementary statement.

9.3 Right to erasure

You have the right to obtain the erasure of your personal data without undue delay when one of the following grounds applies:

1. The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
2. You withdraw your consent on which the processing is based, and there is no other legal basis for the processing. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
3. You exercise your right to object, and there are no overriding legitimate grounds for the processing;
4. The personal data has been unlawfully processed;
5. The personal data must be erased to comply with a legal obligation;
6. The personal data was provided on a voluntary basis.

You are informed that the right to erasure may not apply if the processing is necessary:

• To comply with a legal obligation,
• For the establishment, exercise, or defense of legal claims.

9.4 Right to restriction of processing

You have the right to request the restriction of the processing of your personal data when one of the following applies:

1. You contest the accuracy of your personal data, and Moneco needs to verify the accuracy of the data;
2. The processing is unlawful, and you oppose the erasure of your personal data and request the restriction of its use instead;
3. Moneco no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise, or defense of legal claims;
4. You have objected to the processing, and Moneco is verifying whether the legitimate grounds of Moneco override your grounds.

9.5 Right to data portability

You have the right to receive the personal data you have provided to Moneco in a structured, commonly used, and machine-readable format when the following conditions are met:

1. The processing is based on consent or on a contract;
2. The processing is carried out by automated means.

In exercising this right, you have the right to have your personal data transmitted directly from Moneco to another controller, where technically feasible.

The right to data portability must not adversely affect the rights and freedoms of others.

9.6 Right to object

Under the right to object, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data based on Moneco's legitimate interests.

Moneco will no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

You have the right to object at any time to the processing of your personal data for direct marketing purposes. To do so, you can either:

• Click on the link provided in the email you received from Moneco,

• Send an email to Moneco at the following address: privacy@moneco.app

9.7 Fate of personal data after death

In accordance with the law, you have the right to define your instructions regarding the retention, erasure, and communication of your personal data after your death.

You can communicate your instructions to us or register them with a certified digital trust service provider. You can designate a person of your choice who will be responsible for executing your instructions. Otherwise, it will be your heirs.

9.8 Consent

Several processing operations of your personal data are subject to your consent. This is the case, for example, when you subscribe to our newsletter or Destination France, when you submit a spontaneous application, when you comment on our Blog, or when you register on our Application.

You can withdraw your consent at any time. To do so, simply send an email to the following address: privacy@moneco.app

This withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Please note that personal data for which the processing is mandatory to respond to your requests or provide the requested services are marked with an asterisk on the collection form. Without this information, Moneco will not be able to respond to your requests or provide the requested products or services.

10. How to exercise your rights?

10.1 Exercise of rights procedure

You can send your requests to the following addresses:

MONECO FRANCE, 99 Avenue Achille Peretti 92200 Neuilly-sur-Seine, Attention: Moneco DPO privacy@moneco.app.

To exercise your rights regarding your data, please attach a copy of a valid identification document (identity card or passport), unless the information provided in your request allows us to identify you with certainty.

To assist you in your request, you can use the following link to access a template letter provided by the National Commission on Informatics and Liberty (CNIL): https://www.cnil.fr/fr/modele/courrier/exercer-son-droit-dacces.

10.2 Response timeframe

Moneco has a period of one (1) month to respond to your request from the date of receipt. This period may be extended by two months due to the complexity of your request or the number of requests received. We will inform you within one month of your request.

Regarding our newsletter and commercial communications sent electronically, you have the option to unsubscribe at any time by clicking on the hyperlink provided in each email sent by Moneco.

You also have the right to lodge a complaint with the CNIL, the supervisory authority in France:

CNIL - 3 place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
[www.cnil.fr](http://www.cnil.fr/)

11. Modification of this Policy

We reserve the right, at our sole discretion, to modify this Policy in whole or in part at any time. You will be informed of these modifications by any useful written means if they are substantial. They will come into effect upon the publication of the new Policy. Your use of the Site, Destination France, our Welcome Pack offers, or the Application following the entry into force of these modifications will constitute acknowledgment and acceptance of the new Policy. If you do not agree with this new Policy, we will not be able to continue providing our services to you. However, feel free to write to us to explain your reasons and request clarification if needed!