SHAREID PRIVACY AND DATA PROTECTION POLICY

The protection of personal data is of high importance to ShareID. In accordance with EU Regulation No. 2016/679 of April 27th, 2016 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”), and following all provisions of French laws and regulations applicable to the processing of personal data as described in the present Privacy and Data Protection Policy, ShareID collects, processes and/or stores personal data of users browsing the shareid.ai website (hereinafter referred to as the “Site”), personal data of ShareID customers and end-users of ShareID’s services and related solutions delivered in SaaS mode (hereinafter referred to as the “Services”). 

Personal data refers to any information (including biometric data) related to natural persons, directly or indirectly identified or identifiable (hereinafter referred to as the "Data").

The present Privacy and Data Protection Policy shall apply to the Data and/or Services of the Site’s users (hereinafter referred to as the "Users") as follows:

  • "Prospect" refers to natural persons browsing the Site under the conditions defined in ShareID’s General Terms and Conditions of Use (GTCU), who voluntarily provide information in contact forms and/or subscribe to ShareID’s newsletter, or
  • "Customer" refers to legal entities subscribing to the Services, or 
  • "End User" refers to natural persons using the Services as a customer or employee of the Customer 

ShareID shall protect Users’ privacy by ensuring the protection, confidentiality, integrity, availability, and security of Users’ Data in connection with the use of the Site and/or Services.

ShareID shall implement all necessary measures in order to:  

  • Provide clear and transparent information regarding the processing of Data; 
  • Implement all appropriate technical and organisational measures to protect Data against wrongful disclosure, loss, alteration, or unauthorized access by third parties; 
  • Ensure the storage of Data for the duration strictly necessary for processing purposes;
  • Provide an answer to any User request for accessing and/or modifying their Data expressed by email, sent to dpo@shareid.ai, or by post sent to: SHAREID - 20 Bis rue Louis Philippe, 92200 Neuilly-sur-Seine (France)

ShareID reserves the right to modify or adjust this Privacy and Data Protection Policy at any time. Users are advised to regularly review this policy. Any changes made to this Privacy and Data Protection Policy shall become effective on the date of its publication on the Site.

ARTICLE 1 – DATA CONTROLLERS

1.1 ShareID shall be considered the Data controller as defined by the GDPR:

  • Regarding Prospects in the context of Prospects’ use of the Site; and
  • Regarding Customers in connection with the management of orders for Services

1.2 The Customer shall be considered the Data controller, as defined by the GDPR, regarding the End User, wherein ShareID acts as a Data processor, as defined by the GDPR, for the provision of Services. In this respect, the Customer shall fulfill its obligations concerning the End User, in particular obtaining the End User’s prior consent to the collection and/or processing of the End User’s Data. The Customer shall indemnify and exempt ShareID for any damages that may arise in connection therewith. The processing methods of the End User’s Data by the Customer, in particular, the Data retention period implemented by the Customer with regards to the Data processed by ShareID on their behalf as part of the Services, are specified in the Privacy and Data Protection Policy of the Customer’s website and/or platform used by the End User.

ARTICLE 2 – PERSONAL DATA CATEGORIES

ShareID, ShareID’s partners, and/or ShareID’s subcontractors may collect, process, and/or store the following User Data:  

  • Identification Data
  • Business Data
  • Banking and billing Data
  • Log Data

ARTICLE 3 – LAWFULNESS AND PURPOSES OF PERSONAL DATA PROCESSING

3.1 ShareID shall retain Data for a limited period, in accordance with applicable laws or the purposes for which the Data has been collected. Data retention periods may vary based on the nature of the Data collected and processed. 

ShareID collects and/or processes the Data referred to in Article 2 (Personal Data Categories) for the following purposes and durations:

  • Prospect’s Identification Data 

ShareID processes identification Data that is necessary for the processing of requests arising from the completion by the Prospect of the contact form on the Site, and/or the subscription to ShareID’s newsletter, and/or the creation and management of Prospect files, and/or sending of commercial communications related to the Services: 

  • Surname 
  • First name  
  • Business email address  
  • Job position (newsletter)  
  • Company name (newsletter) 

ShareID shall store Prospects’ identification Data in an anonymized form upon Prospect’s request for the erasure of their Data or three (3) years from the Prospect's last contact.

  • Customer’s Data

ShareID shall process Customers’ Data for the provision of Services.

Customers’ business Data is necessary for the creation and management of Customer files, and/or for the management of Services subscribed by the Customer, and/or to provide commercial communications related to the Services, and/or to provide information related to the modification or evolution of the Services subscriptions’ terms: 

  • Surname (legal representative)  
  • First name (legal representative)  
  • Business email address  
  • Telephone number  
  • SIREN or SIRET number  
  • VAT number

Customers’ business Data shall be kept in an anonymous form by ShareID upon (i) Customers’ request for the erasure of their Data or (ii) at the end of the subscription to the Services.

Customers’ banking and billing Data is necessary for drafting invoices related to Customers’ subscription fees for the Services, and for the following sub-purposes:

  • Collecting and securing payments  
  • Billing and collection management   
  • Fraud detection and prevention 

Customers’ banking and billing Data shall be kept by ShareID and/or ShareID's payment service provider for a maximum period of thirteen (13) months from the date of full payment of the sums due by the Customers for orders of Services. 

  • End User’s Data

Customers, being the Data controllers for the processing of End Users’ Data, shall determine the lawfulness, purposes, and means of such processing.

End Users’ log Data is necessary for End Users’ access and/or use of the Customer's website and/or platform: 

  • IP address
  • Hardware
  • Email address
  • Operating system
  • Date and time of visit or use  
  • Session ID (if applicable) 
  • Unique identifier of the notification service (for the purpose of identifying the electronic communications terminal equipment)
  • Identification number of the electronic communications terminal equipment
  • Technical identifier associated with the End User’s account 
  • End User’s consent status regarding the processing of Data and/or the access to and activation of the camera on the End User’s terminal

The End User's log Data shall be deleted by ShareID upon the transmission of the necessary information for the proper provision of Services to the Customer, in particular with regard to the electronic identification and verification of the End User's identity.

The User’s identification Data is necessary for the proper provision of remote identity verification services (Full IDV), and/or authentication of official identity documents (Doc IDV), and/or strong authentication with the official identity (MFA 3.0): 

  • Email address  
  • Video, and/or photo, and/or copy of the identity document from which the following identity Data is extracted:
    • Surname(s)  
    • Usual name(s) (if applicable)
    • Date of birth 
    • Place, department, and country of birth 
    • Nationality 
    • Gender
    • Height  
    • Eye colour
    • Postal address 
    • Photo on the identity document
    • Identity document Number 
    • The public key used to certify the authenticity of the document
  • The increased ID electronic component qualification status for high-assurance electronic identifications.
  • ID copy (if applicable)
  • End User’s facial video, and/or photo for static and/or dynamic facial recognition
  • Consent for the collection, processing, and/or storage of his/her Data, and/or authorisation to access and activate the camera on the terminal used by the End User

With respect to “Full IDV” and “Doc IDV” Services: 

  • Videos of the End User and their identity document shall be deleted as soon as the Customer has acknowledged the successful receipt of the Customer's request, and no later than ninety-six (96) hours following the end of the Customer's request processed by ShareID.
  • Biometric data shall be processed in-memory at the time of facial recognition calculations. No biometric data shall be stored by ShareID. 
  • The validity status of the End User's secure identity document and the enhanced qualification status of the secure identity document’s electronic component (for high guarantee level electronic identifications) shall be deleted upon receipt of the results by the Customer and no later than ninety-six (96) hours following the end of the Customer's request processing by ShareID.

With respect to "MFA 3.0" Services, the End User’s identification Data shall be deleted by ShareID at the end of the provision of Services, specifically upon transmission of the processing results to the Customer.

3.2 The Data that shall be deleted by ShareID within the timeframes as specified in the present Article may be subject to archival in a confidential file with limited access, for the purpose of asserting a right or a contractual relationship, in particular in the event of a claim filed by the User or by a third party. The evidence file, serving as an audit trail allowing competent authorities to verify the Data in the event of a legal dispute, is considered confidential and it shall be destroyed by ShareID five (5) years after its creation date (with the exception of invoicing Data, which shall be kept for ten (10) years in accordance with the provisions of Article L. 123-22 of the French Commercial Code and Article 289-VII of the French General Tax Code). The archival process is not automatic; it is understood that the Customer shall request the implementation of the evidence file.

ARTICLE 4 – PERSONAL DATA RECIPIENT 

4.1 As part of the Customer's subscription to the Services and the End User's use of the Services

The Data may be disclosed by ShareID to any third party in charge of the performance, processing, and/or management of the Customer's subscription to the Services and/or the use of the Services by the End User.

However, in various cases, in particular for the following, ShareID may disclose or share the Customer’s and/or End User’s Data with other third parties:  

  • With the consent of the Customer or End User concerned; or
  • To comply with applicable laws, regulations, legal processes, court orders, or other mandatory disclosures; or
  • To protect the rights, property, and safety of the Services, Customers, and/or End Users.

4.2 In connection with the management of requests made by the Prospect using the Site's contact form or subscribing to the ShareID newsletter

ShareID shall not disclose the Prospect's Data to third parties in connection with the performance, processing, and/or management of requests made by the Prospect through the Site's contact form, or in connection with the subscription and transmission of ShareID’s newsletter to the Prospect, except in specific circumstances where the Data is shared with the following contributors and/or subcontractors:

  • To contributors of ShareID's internal departments in connection with such processing: In accordance with applicable regulations, access to the Prospect’s Data shall be made on the basis of individual, limited, and supervised access authorisations.  
  • To subcontractors providing, in particular, the following services on behalf of ShareID:
    • The management of automated and non-automated mailings or emails: HUBSPOT, GOOGLE CONSOLE, WALAXY  
    • Prospect’s relationship management: HUBSPOT
    • Provision of analytical solutions or statistics to measure the Site's audience: GOOGLE ANALYTICS 
    • Hosting of the Site: WEBFLOW INC
    • Hosting of the Services: OVH CLOUD, Google CLOUD

4.3 With regard to subcontractors, ShareID shall ensure that its subcontractors, as Data processors, regardless of their nature, provide the same sufficient warranties in terms of technical and organisational measures to meet the requirements of GDPR. 

If subcontractors fail to fulfill their obligations with regard to Data protection, ShareID shall remain fully liable to the Data controller for the subcontractors’ performance of their obligations.

ARTICLE 5 – DATA TRANSFER OUTSIDE EU TERRITORY 

ShareID stores Users’ Data within the European Economic Area (hereinafter “EEA”). However, in the event ShareID needs to transfer the Data to subcontractors or business partners outside the EU, ShareID ensures that the Data processing is governed by European Commission standard contractual clauses, which ensure an adequate level of protection for privacy and fundamental rights of individuals.

ARTICLE 6 – PERSONAL DATA SECURITY 

ShareID shall take all necessary measures to ensure the security and confidentiality of the Data, in particular to prevent the Data from being damaged or accessed by unauthorised third parties. 

In addition, ShareID shall refrain from making any commercial use of the User's Data without obtaining prior consent from the User.

ARTICLE 7 – ACCESS, RECTIFICATION, OBJECTION AND REMOVAL 

7.1 In accordance with the provisions of Article 1.2 of the present Privacy and Data Protection Policy, the procedure for handling Data requests originating from the End User concerning the access, the rectification, the limitation of use, and/or the portability of their Data is specified in the privacy policy of the website and/or platform of the Customer used by the End User.

ShareID shall not be held liable for the handling of such requests with regard to the End User.

7.2 In accordance with the legal and regulatory provisions of the GDPR, the Prospect and the Customer shall have:

  • The right to be informed;  
  • The right to access and rectify their Data; 
  • The right to erase. In the event of a request to erase the Data, ShareID may nevertheless retain the Data in the form of intermediate storage, for the period necessary to comply with its legal, accounting, and tax obligations; 
  • The right to restrict the processing of their Data. It is important to note that this right can only be exercised if:
    • The User disputes the accuracy of their Data, in such case the duration of the restriction is limited to the period necessary to verify its accuracy,
    • The User considers that ShareID is unlawfully processing their Data and requests a restriction of the use of their Data rather than their erasure,
    • ShareID no longer needs the User’s Data with regard to the purposes referred to in Article 3, except if they are still necessary for the establishment, exercise, or defense of the User’s rights in court.
  • The right to portability of their Data to a certain extent, especially the right to receive the Data provided to ShareID in a structured, commonly used format and the right to transmit this Data to another controller. This right to Data portability shall not apply to the processing of Data necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in ShareID as a Data controller; 
  • The right to object to the processing of their Data, and in particular:
    • A right to object to the use of their Data for prospecting purposes, in particular market research. In this respect, the Prospect shall make a written request to ShareID to be removed from ShareID's mailing lists 
    • A right to object to market profiling, specifically the Prospect will continue to receive commercial solicitations but these shall be less relevant and no longer targeted according to the Prospect’s interest
  • And the right to define general and/or specific instructions relating to the fate of their Data and, in particular, how the User wants their rights to be exercised after their death. In this respect, in the event that ShareID is notified of the User’s death, the User’s Data shall be erased, unless it is necessary to keep them for a specific period of time for reasons related to ShareID's legal and regulatory obligations and/or legal prescription periods, and after, if applicable, having been communicated to a third party possibly designated by the User.

7.3 The User may, at any time, file a complaint with the data protection authority of their country (in France, the CNIL: www.cnil.fr).

For any inquiries regarding this Privacy and Data Protection Policy or for any claims related to the protection of their Data, Users may contact ShareID’s Data Protection Officer (hereinafter referred to as the "ShareID’s DPO") by sending a request by registered letter with acknowledgement of receipt to the following postal address: SHAREID - 20 Bis rue Louis Philippe, 92200 Neuilly-sur-Seine (France), or by email to the following address: dpo@shareid.ai.

With regards to requests that reach ShareID’s DPO by post, Users are required to provide the email address used as a Prospect, Customer, and/or End User as well as their full name. If Users are unable to find the email address or in cases of serious doubts by ShareID about the User’s identity, additional information related to their identity may be requested.

ShareID shall provide a response within a maximum period of thirty (30) days following the date of receipt of the User's request.
