Data protection policy

La Poste S.A. (hereinafter "La Poste") places the protection of personal data at the heart of its missions and the services it offers you.

This Policy illustrates La Poste's commitment to respecting fundamental rights and freedoms, privacy and the protection of Personal Data. La Poste ensures that your Personal Data is processed fairly, lawfully and transparently.

This Policy sets out the principles and guidelines for the protection of your Personal Data and aims to inform you about:

- What Personal Data is collected and why,

- How your Personal Data is used,

- and your rights with regard to your Personal Data.

The Policy published on the https://nftimbre.com/ website specifies the processing of personal data carried out in connection with the provision of Philaposte services and products.

Details of the processing of personal data relating to other La Poste products and services, including the La Poste Account, can be found on the La Poste Group Privacy Policy - La Poste website

All operations relating to your Personal Data are carried out in compliance with the regulations in force and in particular with the European Regulation on the Protection of Personal Data (hereinafter "RGPD"), Law no. 78-17 "Informatique, Fichiers et Libertés" of 6 January 1978, as amended, and its implementing decrees (hereinafter "the Regulations" or "the Applicable Regulations").

This Policy may change over time, in particular to take account of changes in the Regulations or to indicate the adaptation of La Poste's practices to technological developments. We recommend that you consult it regularly on the website.

1. WHO IS AFFECTED BY THIS DATA PROTECTION POLICY?

This Policy applies to any natural person using the site, "private" customer, prospect, recipient of a parcel or letter via our paper or online services.

2. WHAT PERSONAL DATA DO WE COLLECT AND HOW DO WE OBTAIN IT?

La Poste respects the principle of data minimisation, in that it undertakes to collect only the data strictly necessary for the direct or indirect provision of the services subscribed to when they require the processing of customers' personal data.

In the event that you are asked to provide optional data, La Poste will clearly inform you of the Personal Data that is essential to the provision of the service.

Personal Data is mainly collected directly from you by De Post-La Poste and is only used for the purposes for which you have been informed.

Certain data processed by La Poste may, where necessary, be collected indirectly from the following sources:

- Either from customers, specifying information on subscribers, contacts and recipients;

- Third parties, such as commercial partners, other La Poste entities, fraud prevention bodies, data suppliers, organisations (World Customs Organisation, etc.) and members of the Universal Postal Union;

- Or sources accessible to the public (data from publications/databases made accessible by the official authorities, data from websites/social networks containing information made public by the individual him/herself, etc.);

- Or from administrations and public authorities.

In the event of indirect collection, La Poste undertakes to inform the persons concerned in accordance with the conditions laid down in Article 14 of the RGPD.

The main categories of Personal Data likely to be collected are :

- Identification and contact data: surname, first name(s), date and place of birth, postal address, e-mail address, telephone numbers, voice, information contained on your identity documents;

- Connection data relating to use of the site: IP address, identification and authentication data for your connected areas, logs, cookies, browsing data. You can consult our cookies policy for more information on how we use cookies https://nftimbre.com/politique-cookies

- Data relating to the habits and preferences of the persons concerned: as a result of the use of products or interactions with Philaposte;

-Data collected in the course of your interactions with Philaposte: your comments, suggestions, needs collected during our exchanges with you in person and online during telephone communications (conversation), your voice and image during videoconferences, e-mail discussions, chat, exchanges on our pages on social networks and your complaints. In addition, certain services may be used by minors. In this case, in the event of direct collection, La Poste will ensure that it obtains the consent of minors from their legal representatives.

3. WHY AND ON WHAT LEGAL BASIS DO WE COLLECT YOUR PERSONAL DATA?

The purpose of data processing is the objective pursued by the data controller. La Poste undertakes to process the Personal Data it collects or holds about you for specific, explicit and legitimate purposes and not to process it further in a way that is incompatible with these purposes.

The various legal bases on which La Poste processes your data, as well as the main purposes associated with them, are as follows:

- Obtaining the consent ofthe person concerned: for example, for newsletter subscriptions or for commercial canvassing of private individuals by electronic means (e-mail, SMS) relating to products and services that are not similar to those already subscribed to

- The performance of a contract to which the data subject is a party, or the performance of pre-contractual measures taken at the request of the data subject: for example for the creation, management and access to services to which you have subscribed (Mon Compte La Poste) or for the management of your online product purchases, your complaints about order tracking, for the management of the terms of receipt/delivery of your mail and parcels.

- Compliance with legal and regulatory obligations: for example, to process disputes before the judicial authorities, manage customs formalities, monitor and keep accounts, process your requests to exercise your rights.

- The legitimate interests pursued by La Poste - Philaposte: for example to improve the overall quality of services, to carry out commercial prospecting operations that do not require your consent, to combat fraud and cybercrime.

You can consult the complete list of the purposes of the processing operations as well as their legal basis and the retention periods for personal data resulting from the processing operations implemented by La Poste by clicking on the following link: Processing of personal data - La Poste

The processing operations carried out by Philaposte are described below:

Generally speaking, the purposes, the retention period and the legal basis differ depending on the services and products concerned.

4. TO WHICH SERVICES OR COMPANIES IS YOUR PERSONAL DATA COMMUNICATED?

The Personal Data that you communicate to La Poste - Philaposte, when La Poste is responsible for processing, may be transmitted to the following recipients:

- Recipients internal to La Poste Groupe:

- The departments, divisions and business units of La Poste authorised to access this information;

- La Poste subsidiaries;

- External recipients, not part of La Poste:

- La Poste's technical service providers, including their subcontractors, within the strict framework of the tasks entrusted to them;

- La Poste's partners;

- Co-contractors, beneficiaries of services, entitled beneficiaries or any third party designated by customers or users of our services and/or products, by virtue of the contractual relationship;

- public bodies, judicial officers ;

public officials, lawyers, administrative or judicial authorities, in order to comply with any law or regulation in force, or to respond to any judicial or administrative request, in the context of compliance with the legal obligations incumbent on La Poste or to enable La Poste to ensure the defence of its rights and interests;

- mediators, supervisory and control authorities authorised to receive such data;

- supervisory authorities such as statutory auditors and auditors, customs and postal authorities in the countries to which you send your goods.

When La Poste acts as a Subcontractor, it undertakes to comply with the obligations laid down in this respect by the applicable Regulations and its contractual obligations towards the instructing party, in particular by only communicating the data to the :

- recipients indicated by the data controller ;

- subsequent sub-contractors accepted by the data controller;

- public bodies, judicial officers, lawyers, administrative or judicial authorities, in order to comply with any law or regulation in force, or to respond to any judicial or administrative request, in the context of compliance with the legal obligations incumbent on La Poste or to enable La Poste to ensure the defence of its rights and interests;

- mediators, supervisory and control authorities authorised to receive such data;

- supervisory authorities such as statutory auditors and auditors, customs and postal authorities of the countries to which you send your goods.

5. HOW LONG IS YOUR PERSONAL DATA KEPT?

The length of time Personal Data is kept varies according to its nature and the purpose of the processing concerned. When Personal Data is collected for several purposes, it is retained until the longest retention period has expired. La Poste undertakes not to retain your Personal Data beyond the period necessary for the provision of these products or services.

Themain periods for which La Poste retains Personal Data are as follows

For the management of the customer and the products and services offered by La Poste or its subsidiaries

- Subscription and opening of a "My La Poste Account" account, management, compliance with legal and regulatory obligations related to the management of the account: 3 years from the last authentication or the date of deletion of the account, provided that no service associated with "My La Poste Account" is still active;

- Management of online purchases: 3 years from the last transaction;

- Management of delivery preferences: 5 years;

- Duration of the contractual relationship

For commercial prospecting: 3 years from the last contact with the prospect or until withdrawal of consent

For recordings of telephone conversationsfor customer service purposes: 6 months from the date of the recording.

For the detection, prevention and fight against fraud and cybercrime: 12 months from the date of the fraud alert.

For processing requests to exercise rights: 5 years for data relating to the processing of your requests, and 1 year for supporting identity documents.

For accounting purposes: 10 years from the end of the current financial year.

At the end of these periods, La Poste will destroy the data in accordance with its internal policy or make it anonymous for statistical, archival or historical purposes.

6. CAN YOUR PERSONAL DATA BE TRANSFERRED OUTSIDE THE EU?

The Personal Data processed by La Poste is hosted within the European Union (EU) or the European Economic Area (EEA). However, for certain specific services, La Poste may use subcontractors established outside the EU or the EEA, some of which are located in countries that are not subject to an adequacy decision issued by the European Commission (e.g. Morocco, India, Senegal, Tunisia, Mauritius). These subcontractors perform operational tasks on behalf of La Poste or its subsidiaries in connection with the processing purposes described in Personal data processing - La Poste. These subcontractors may have access to the Personal Data strictly necessary for the performance of their tasks. In this case, in accordance with the regulations in force, La Poste requires its subcontractors to provide the appropriate guarantees, in particular the signature of the European Commission's standard contractual clauses and, where applicable, the implementation of additional measures or the adoption by the subcontractors of Binding Corporate Rules.

7. HOW DOES LA POSTE PROTECT YOUR PERSONAL DATA?

La Poste undertakes to take into account the protection of your Personal Data and your private life right from the design stage of the new products or services offered to you, and to take all measures to ensure the security and confidentiality of the Personal Data. In particular, La Poste implements all technical and organisational measures to guarantee the security and confidentiality of the Personal Data collected and processed and in particular to prevent them from being distorted, damaged, destroyed or communicated to unauthorised third parties, by ensuring a level of security appropriate to the risks associated with the processing and the nature of the personal data to be protected. In accordance with European regulations, these measures may include encryption, anonymisation, pseudonymisation, partitioning or restricting access to data.

In addition, La Poste requires each recipient of your Personal Data to comply with appropriate security and confidentiality guarantees.

Furthermore, in the event of a personal data breach within the meaning of Article 4 of the RGPD affecting your Personal Data (destruction, loss, alteration or disclosure), La Poste undertakes to comply with the obligation to notify Personal Data breaches, in particular to the CNIL, as soon as possible and, insofar as possible, seventy-two (72) hours after becoming aware of any breach likely to result in a risk to your rights and freedoms.

8. WHAT RIGHTS DO YOU HAVE TO YOUR PERSONAL DATA AND HOW CAN YOU EXERCISE THEM?

You have the right to access the personal data we hold about you;

this includes the right to ask us for further information about:

- the categories of data we process

- the purposes for which the data is processed

- the recipients and categories of recipient to whom your data has been transmitted

- where possible, the length of time we will keep your data or, where this is not possible, the criteria for determining this length of time.

You have the right to ask us to correct inaccurate or incomplete personal data concerning you;

You may object at any time to our use of your Personal Data;

You have the right to be "forgotten" by us by exercising your right to erasure of your data;

With regard to the NFT stamp, the Philaposte La Poste Department cannot guarantee the right to erase the customer identifier propagated in the blockchain due to its technology;

You have the right to request the suspension of the processing of your Personal Data;

You may request that your Personal Data be recovered in a structured, commonly used and readable format so that it can be made available to and transmitted to another data controller;

You have the right to provide instructions concerning the fate of your Personal Data after your death;

You may also withdraw your consent at any time, in cases where you have been asked to do so. This will allow you in particular to modify and/or withdraw your consents concerning commercial prospecting.

You can exercise your rights by proving your identity and specifying your surname, first name and the product or service concerned.

 For processing carried out by PHILAPOSTE Management, you may send your requests either :

- by e-mail to: sav-phila.philaposte@laposte.fr

- by post to : PHILAPOSTE, Service Clients Commercial Z.I. Benoit Frachon BP 10106 Boulazac 24051 PERIGUEUX cedex 09

- or via the contact section of the site.

 For processing related to "Mon Compte La Poste" you may exercise your rights either :

- by completing the form provided for this purpose, by clicking here.

- by post to La Poste - BP 10245 - 33506 Libourne Cedex - France

- by logging on to "My La Poste Account", accessible on the laposte.fr website, if you wish to modify your data.

9. HOW TO CONTACT THE PERSONAL DATA PROTECTION OFFICER APPOINTED BY LA POSTE GROUP?

You can contact the Data Protection Officer at the following address:

The Data Protection Officer

CP Y412

9 rue du Colonel Pierre Avia

75015 PARIS

If, after contacting us, you feel that your rights with regard to your data have not been respected, you may submit a complaint to the Commission Nationale de l'Informatique et des Libertés (3 place de Fontenoy - TSA 80715 - 75334 Paris cedex 07; tel: 01 53 73 22 22).

10. LA POSTE'S COMMITMENT TO ARTIFICIAL INTELLIGENCE

As a result of the constant diversification of its activities, La Poste is increasingly required to make use of artificial intelligence (AI). As a result, in the context of the implementation of certain tools or services, the processing of your personal data is likely to involve the intervention of an artificial intelligence system (AIS).

However, we believe that it is essential :

- on the one hand, that these practices comply with all the data protection principles detailed in this policy ;

- on the other hand, to always endeavour to measure, limit and above all control the impact that the use of AI may have on the processing of your data.

In this sense, La Poste makes the ethical use of artificial intelligence a priority, so that it always remains consistent with the values of trust that it upholds.

In this context, La Poste has adopted a specific ethical approach for all data processing involving an artificial intelligence system.

GLOSSARY

"Personal Data" means any information relating to an identified or identifiable natural person.

"Recipient": Refers to the department, company or organisation that receives communication and may access your Personal Data.

"La Poste": Refers to La Poste SA

"La Poste Group": Refers to La Poste SA and its subsidiaries

"Privacy and Personal Data Protection Policy" and "Policy": Refers to this Policy describing the measures taken for the processing, use and management of your Personal Data and your rights as a person concerned by the processing.

"Processor": Refers to the entity of La Poste group which carries out the processing of your Personal Data.

"Processing": Refers to any operation or set of operations applied to your Personal Data.

"Personal Data Breach": Refers to a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your Personal Data.

"Sub-processor": Refers to any natural or legal person, public authority, department or other body that processes personal data on behalf of the data controller.