Disclaimer
This is an English translation of the Personal Data Processing Policy on the Website. The original French version is legally binding and prevails over this translation. You can access the French version here.

Personal Data Processing Policy on the Website

Version as of March 15, 2024

In accordance with French Law No. 78-17 of January 6, 1978, as amended, relating to information technology, files, and civil liberties, and the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the Company informs any person accessing the services offered on the Website (the "User") of its commitment to respect the confidentiality, integrity, and security of the data that the User may communicate, notably via the website https://chimere.eu (the "Website").

Any personal data directly (such as name, first name, postal, electronic, or telephone contact details) or indirectly identifying the User are considered confidential and are treated as such, subject to changes in the legal framework regarding the qualification of personal data ("Personal Data").

1. Identification of the Data Controller

The data controller who collects and manages Users' data on the Website is Chimere, a simplified joint-stock company with a share capital of €4,000.00, whose registered office is located at 75 Rue Marcellin Berthelot
Antelios Building E
13290 Aix-en-Provence
France, registered with the Trade and Companies Register of Aix-en-Provence under unique identification number 921 272 217.

2. Personal Data That May Be Collected

When browsing the Website and using the various services offered by the Company, the User consents to the Company collecting the following categories of data:

• Identification and contact data: name, first name, company, email address and/or phone number;
• Identification and authentication data, notably when using the Company's services (technical logs, IT traces, security information, IP address);

The User undertakes to provide up-to-date and valid identification Personal Data as required on the Website and guarantees not to make any false statements or provide any incorrect information.

3. Methods of Collecting Personal Data

The User consents to the Company collecting their Personal Data during the following activities and interactions:

• Browsing the Website;
• Entering Personal Data in the forms provided;
• Subscribing to alerts or newsletters.

4. Legal Basis for the Collection and Processing of Personal Data

Users' Personal Data are collected on the basis of the following legal grounds:

• The User's specific, free, and informed consent;
• Compliance with a legal obligation incumbent on the Company;
• Performance of a contract concluded between the Company and the User (notably for the execution of the Company's general terms of service);
• The legitimate interest of the Company.

5. Purpose of Processing Personal Data

Mandatory Personal Data are strictly necessary for processing or responding to the User's requests. If such data are not provided, the User is informed that certain services offered by the Company may not be provided. The mandatory nature of the requested information is indicated to the User at the time of collection.

Optional Personal Data are collected by the Company to better understand the User and improve their browsing experience on the Website.

Personal Data are collected and processed for the following purposes:

• Contact and assistance;
• Commercial prospecting;
• Service improvement;
• Management of operations related to service management (contracts, invoices, orders, etc.).

Users are informed that, subject to their prior, specific, and positive consent, the Personal Data provided may be transferred to the Company's business partners and/or companies belonging to the same group as the Company, so that they may inform Users about their offers and services.

6. Retention Period of Personal Data

Personal Data are retained by the Company for as long as necessary to fulfill the above purposes, and in particular:

• Data relating to the management of files (membership follow-up, invoicing) are deleted or archived after a period of five (5) years following the end of the relationship with the Company;
• Data relating to customer and prospect relationship management (loyalty and prospecting operations, relationship follow-up) are deleted or archived after a period of three (3) years following the end of the relationship with the Company.

These data may also be retained for a period of ten (10) years thereafter in the archive database, under restricted access, in order to: (i) comply with the Company's legal and regulatory obligations; and/or (ii) enable the Company to assert a right in court, before being permanently deleted.

7. Recipients of Personal Data

The User's Personal Data are intended for persons duly authorized to process them within the Company, notably, depending on the nature of the processing and the type of data, persons in the sales, customer service, marketing, administrative, logistics, and IT departments.

In the course of its activities and the provision of its services, the Company may use subcontractors who process the User's Personal Data on its behalf and according to its instructions.

The Company ensures that:

• Subcontractors, employees, or collaborators guarantee the same level of protection as the Company itself;
• They process Personal Data only for the purposes authorized by the intended purposes, with the required discretion and security; and
• For this purpose, they provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures to ensure the security and confidentiality of the User's data.

If the Company uses subcontractors located in countries offering levels of protection not equivalent to the level of protection of Personal Data in the European Union, the Company undertakes to ensure that such transfer is governed by data protection agreements established between the European Union and the destination countries, or by the signing of standard contractual clauses established by the European Commission, or by the implementation of binding corporate rules ("BCR").

Finally, the Company may transfer or allow access to the User's Personal Data to administrative or judicial authorities in order to comply with any law, regulation, legal process, or enforceable governmental request.

8. Measures Implemented by the Company to Ensure the Security and Confidentiality of Personal Data

The Company undertakes to process Personal Data in a:

• Lawful;
• Fair;
• Transparent;
• Proportionate;
• Relevant;
• Strictly within the scope of the intended and announced purposes;
• For the duration necessary for the implemented processing;
• Secure manner.

The Company implements and updates appropriate technical and organizational measures to ensure the security and confidentiality of Personal Data by preventing them from being distorted, damaged, or disclosed to unauthorized third parties.

9. Users' Rights Regarding Personal Data

The User may, upon simple written request, access their Personal Data, request their modification or rectification, or request to no longer appear in the Company's database.

Under the right of access, the User is authorized, in accordance with Article 15 of the GDPR, to request from the Company:

1. Communication of their Personal Data in an accessible form;
2. Confirmation as to whether or not their Personal Data are being processed;
3. Information on the purposes of the processing, the categories of Personal Data processed, and the recipients to whom their Personal Data are disclosed;
4. The retention period of their Personal Data or the criteria used to determine this period.

In accordance with Article 16 of the GDPR, the right of rectification allows the User to require the Company to rectify, complete, or update their Personal Data when they are inaccurate, incomplete, ambiguous, or outdated.

Under the conditions provided for in Article 17 of the GDPR, the User has the right to erasure of their Personal Data, allowing them to request that the Company erase their Personal Data as soon as possible, notably when they are no longer necessary for the purposes for which they were collected.

The User also has the right to restrict the processing of their Personal Data in the cases listed in Article 18 of the GDPR. They may thus request that their Personal Data be retained only for the following purposes:

• To verify the accuracy of the Personal Data they contest;
• To serve them in the context of the establishment, exercise, or defense of their legal rights, even though the Company no longer needs them;
• To verify whether the legitimate grounds pursued by the Company override theirs in the event that they object to processing based on the Company's legitimate interest;
• To satisfy their request to restrict the use of their data, rather than erasure, if the processing of their data is unlawful.

The User has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

In the circumstances provided for in Article 20 of the GDPR, the User has the right to data portability, allowing them to obtain from the Company the Personal Data they have provided, in a structured, commonly used, and machine-readable format, for transmission to another data controller.

In accordance with Article 21 of the GDPR, the User has the right to object, at any time, to the processing of their Personal Data for commercial prospecting purposes.

In accordance with Article 85 of Law 78-17 of January 6, 1978, relating to information technology, files, and civil liberties, the User may define specific instructions regarding the retention, erasure, and communication of their Personal Data after their death. These specific instructions will only concern processing carried out by the Company and will be limited to this scope.

To exercise their rights of access, rectification, erasure, restriction, portability, and objection as mentioned above, the User simply needs to send their request in writing to the attention of the Data Protection Officer (DPO):

• By email to: dpo@chimere.eu; and/or
• By mail to the following address: Chimere -- 75 Rue Marcellin Berthelot
  Antelios Building E
  13290 Aix-en-Provence
  France.

The Company will provide the person exercising one of these rights with information on the measures taken, as soon as possible and in any event within one (1) month of receipt of the request. This period may be extended by two (2) months, taking into account the complexity and number of requests. The Company may verify the identity of the person before responding to their request.

If the Company does not act on the request, it will inform the person, as soon as possible and at the latest within one (1) month of receipt of their request, of the reasons for its inaction and the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The exercise of these rights is free of charge. However, in the case of manifestly unfounded or excessive requests, the Company reserves the right to:

1. Require payment of fees taking into account administrative costs; or
2. Refuse to act on such requests.

10. Remedies in Case of Personal Data Breach

In the event of a breach of their Personal Data likely to result in a risk to their rights and freedoms, the Company will notify the CNIL of the breach as soon as possible, and, if possible, no later than seventy-two (72) hours after becoming aware of it. The Company will also inform the User, as soon as possible, in accordance with the provisions of Article 34 of the GDPR.

Without prejudice to any other administrative or judicial remedy, the User who considers that the processing of their Personal Data constitutes a violation of the applicable legislation may lodge a complaint with a competent supervisory authority such as the Commission Nationale de l’Informatique et des Libertés (CNIL).

11. Request for Information

For any questions regarding the processing of their Personal Data and the exercise of their rights, Users may contact the dedicated service by writing to the attention of the Data Protection Officer (DPO):

• By email to: dpo@chimere.eu; and/or
• By mail to the following address: Chimere -- 75 Rue Marcellin Berthelot
  Antelios Building E
  13290 Aix-en-Provence
  France.

12. Modification of the Personal Data Processing Policy

The Company reserves the right to modify this personal data processing policy in order to comply with obligations provided for by privacy protection legislation or to adapt it to its practices. Consequently, the User is invited to consult it regularly to be aware of any changes and adaptations.