Article 1. Parties to this agreement Between the undersigned: 1° GINGER, a simplified joint-stock company with a capital of €2,020,800, whose registered office is located at 52 rue du Faubourg Poissonnière, 75010 Paris, registered with the Paris Trade and Companies Register under number 309 706 992, and with VAT number FR86309706992. Hereinafter referred to as the " Data Controller ", On the one hand, And 2° Any natural person browsing the Data Controller's website; Hereinafter referred to as the " Data Subject ", On the other hand, The following has been stated and agreed upon: Article 2. Purpose This Privacy Policy applies, without restriction or reservation, between the Data Subject and the Data Controller. This policy aims to provide information regarding how the Data Controller collects and processes certain personal data relating to the Data Subject, in accordance with applicable law, and in particular European Regulation No. 2016/679 and Law No. 78-17 (hereinafter referred to as the “ Legislation ”), in connection with the Data Subject's use of the website www.lestricotsdelea.com (hereinafter referred to as the “ Website ”). Access to and use of the Website are subject to compliance with the General Terms and Conditions of Sale, the Legal Notices, and this Privacy Policy.

Article 3. Definitions

• The supervisory authority refers to the National Commission for Information Technology and Freedoms (CNIL), the independent French public authority for regulating data protection;
• Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her by the controller.
• A cookie is a file that allows tracking the user's journey on the website.
• Recipient means any natural or legal person, public authority, agency or other body that receives the Data, whether or not it is a Third Party. However, public authorities that may receive the Data, particularly in the context of an investigation, are not considered Recipients within the meaning of this definition.
• Data means any information relating to the Person concerned.
• DPO designates the data protection officer of the Data Controller, namely Cabinet Bouchara – Avocats (17 rue du colisée – 75008 Paris, info@cabinetbouchara.com ), responsible for assisting the Data Subject in exercising their rights over their Data.
• File refers to any structured set of data accessible according to specific criteria, whether this set is centralized, decentralized or distributed functionally or geographically.
• Legislation means any law and regulation relating to data protection, and in particular European Regulation No. 2016/679 and Law No. 78-17.
• Navigation refers to the consultation, review, ordering and/or purchase of Products on the Site by the Person concerned.
• Data subject means any natural person who browses the Site, insofar as he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
• Products refers to the products offered for sale and/or reservation on the Site by the Data Controller to the Data Subject.
• Pseudonymization refers to the processing of Data in such a way that it can no longer be attributed to the Data Subject without the use of additional information.
• Data Controller refers to the simplified joint-stock company GINGER with a capital of 2,020,800 euros, whose registered office is located at 52 rue du Faubourg Poissonnière, 75010 Paris, registered with the RCS of Paris under number 309 706 992, which alone determines the purposes and means of the Processing.
• Site refers to the infrastructure developed by the Data Controller in computer formats usable on the Internet including data of different kinds, and in particular texts, sounds, still or animated images, videos, databases, intended to be consulted by the Data Subject to know, reserve, order and/or buy Products (www.lestricotsdelea.com).
• Subcontractor means any natural or legal person, public authority, agency or other body other than the Data Controller which processes Data on behalf of the Data Controller.
• Third party means any natural or legal person, public authority, agency or other body other than the Controller, the Processor and persons who, under the direct authority of the Controller or the Processor, are authorized to process the Data, including tour operators, travel agencies and booking systems.
• Processing means any operation or set of operations which is performed on Data or on sets of Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

AGREEMENT Article 4. Principles relating to Processing In accordance with the Legislation, the Data Controller undertakes to respect the following principles for each Processing operation:

• Legality;
• Loyalty ;
• Transparency;
• Limitation of purposes;
• Data Minimization;
• Exactness ;
• Limitation of preservation;
• Integrity ;
• Confidentiality ;
• Responsibility.

Article 5. Data processed In the context of Navigation, the Data Controller collects and processes a certain amount of Data, including:

• Personal information (surname, first name, sizes, gender, postal address, email address, telephone number, date of birth, age, date of registration and unsubscription to the customer account and the newsletter of the Data Controller, messages exchanged with the Data Controller);
• Banking information (method of payment, credit card number);
• Information about your order (product ordered, delivery address, delivery tracking number, order price, purchase and delivery history);
• Technical information (browsing behavior on the Site, IP address, products added to the basket, collection of consent).

Article 6. Context of Processing Data may be collected and processed by the Data Controller on various occasions, including:

• Purchasing Products on the Site;
• Product Reservation on the Site;
• Contact with the Data Controller;
• Newsletter subscription;
• Creating a customer account;
• Publication of product-related notices;

Site Navigation.

Article 7. Details of the Processing

Purpose of Processing Data Concerned Legal Basis for Processing Data Retention Period Management of Product purchases, deliveries, invoicing, and accounting standards First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, sizes, Products purchased, registration and unregistration dates, payment method, order and delivery history, credit card number, IP address Contract, legal obligation, and legitimate interest of the Data Controller to establish, exercise, and defend its legal rights 10 years from the date of purchase of the Product EXCEPT 15 months from the date of purchase for bank details (immediately for the security code) Management of Product reservations First name, last name, email address, telephone number, sizes, collection of consent, IP address, Products purchased, reservation history Data Subject's consent 3 years from the date of the Product reservation request Creation and management of customer accounts First name, last name, email address, postal address, telephone number, sizes, account creation date Customer, account deletion date, consent collection, IP address. Data subject consent: 3 years from the data subject's last login to their customer account OR immediately upon deletion of their customer account. Business relationship management and marketing: First name, last name, email address, postal address, telephone number, purchase and delivery history, consent collection, IP address. Data subject consent and the legitimate interest of the data controller in promoting its products: 3 years from the last contact by the data subject or from the end of the business relationship.

Newsletter management: Email address, first name, last name, phone number, consent collection. Data subject consent. Upon unsubscribing. Website security and improvement: IP address, browsing data. Legitimate interest of the data controller in improving and managing the website, securing and administering the website, and preventing fraud and malicious acts. 13 months. Complaints and customer service management: First name, last name, email address, postal address, phone number, purchase history, exchanges, IP address, consent collection. Data subject consent and legitimate interest of the data controller in improving its products and customer service. 3 years from the last contact by the data subject. Website statistics and personalized advertising: IP address, browsing data, consent collection. Data subject consent. 13 months.

The Data Controller reserves the right to anonymize the Data being processed before deleting it. The anonymized data may then be processed for statistical purposes. Article 8. Data Recipients. In principle, the Data Controller is the sole Recipient of the Data. However, the Data Controller may transfer the Data to Recipients, particularly in the context of managing Product purchases by the Data Subject, and/or to any public authority that requests it, particularly in the context of an investigation. The Data Controller undertakes to require its Subcontractors to provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures to ensure that the Processing complies with legal and regulatory requirements and guarantees the protection of the Data Subject's rights, particularly in the event of Data transfers outside the European Union.

Furthermore, the Data Controller may disclose the Data being processed to any Recipient or Third Party when there is a legal obligation to do so or when the Data Controller considers in good faith that it is necessary to:

• Respond to any complaints against him;
• Comply with the requirements of the judicial order and/or the administrative order and/or the Supervisory Authority;
• To enforce any contract to which the Person concerned is a party;
• Safeguarding the vital interests of every natural person;
• The execution of a mission of public interest.

In the event of a purchase of the Data Controller by a Third Party, the Data Controller reserves the right to share the Data with the purchasing Third Party, subject to the Third Party's compliance with this Privacy Policy. Article 9. Data Subject Rights Regarding Data The Data Subject has a number of rights regarding their Data, which they may exercise, except where otherwise provided by applicable law or regulation, by submitting a request to the Data Protection Officer (DPO) at the following address: CABINET BOUCHARA – AVOCATS DPO Department 17 rue du Colisée – 75008 PARIS info@cabinetbouchara.com The DPO will assist the Data Subject in exercising their rights regarding their Data with the Data Controller. In case of reasonable doubt concerning the identity of the Data Subject submitting a request to exercise their rights regarding their Data, the DPO may request that they attach a copy of an official identity document to support the request. Requests will be processed as soon as possible and at the latest in accordance with the deadlines set by law. Article 9.1. Right of access The Data Subject has the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data and the following information:

• The purposes of the processing;
• Data categories;
• The Recipients or categories of Recipients to whom the Data has been or will be communicated, in particular Recipients who are established in third countries or international organizations;
• Where possible, the retention period for the Data or, where this is not possible, the criteria used to determine this period;
• The existence of the right to request from the Data Controller the rectification or erasure of Data, or a restriction of the processing of Data, or the right to object to such processing;
• The right to lodge a complaint with a supervisory authority;
• When the Data is not collected from the Data Subject, any available information as to its source;
• The existence of automated decision-making, including profiling, and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The Data Controller shall provide a copy of the Data undergoing Processing and reserves the right, in consideration for the provision of this copy, to charge reasonable fees based on administrative costs for any additional copies requested by the Data Subject.

Article 9.2. Right to erasure and rectification The Data Subject has the right to obtain from the Controller the rectification and/or erasure of inaccurate or outdated Data without undue delay, unless circumstances prevent the exercise of this right, and in particular:

• The exercise of the right to freedom of expression and information;
• Compliance with a legal obligation;
• The public interest in the field of public health, archives, scientific or historical or statistical research;
• The establishment, exercise or defense of rights in court.

Article 9.3. Right to object. The data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data based on the performance of a task carried out in the public interest or the legitimate interests pursued by the controller. The controller shall then cease processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. Furthermore, the data subject has the right to object at any time to the processing of personal data for direct marketing purposes by the controller to the extent that the data subject is involved in such marketing. Finally, when Data is processed for scientific or historical research purposes or for statistical purposes, the Data Subject has the right to object, on grounds relating to his or her particular situation, to the processing of the Data, unless the Processing is necessary for the performance of a task carried out in the public interest. Article 9.4. Right to restriction of processing The Data Subject has the right to obtain from the Controller restriction of processing of Data where:

• The accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the Data;
• The processing is unlawful and the data subject objects to their erasure and demands instead the restriction of their use;
• The Data Controller no longer needs the Data for the purposes of the Processing but the Data Subject still needs it for the establishment, exercise or defence of legal claims;
• The Data Subject objected to the Processing pursuant to Article 9.3, pending verification of whether the legitimate grounds pursued by the Controller override those of the Data Subject.

The Data Subject who has obtained restriction of Data Processing is informed by the Data Controller before the restriction of processing is lifted.

Article 9.5. Right to Data Portability The Data Subject has the right to receive the Data he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another data controller without hindrance from the Data Controller, where:

• The processing is based on the consent of the data subject or on the performance of a contract to which the data subject is a party;
• The processing is carried out using automated processes.

The Data Subject, when exercising their right to data portability, has the right to have their data transmitted directly from one data controller to another, where technically feasible. Article 9.6. Right to lodge a complaint with the supervisory authority. The Data Subject has the right to lodge a complaint with the supervisory authority if they consider that their data is being processed unlawfully by the data controller. Article 9.7. Right to define instructions regarding the fate of their data . The Data Subject has the right to define instructions regarding the fate of their data after their death with the data controller, who will use all available technical means to ensure compliance with these wishes.

Article 9.8. Withdrawal of consent : " Where processing is based on consent, the data subject has the right to withdraw their consent to the processing of their data at any time, in accordance with Article 7 of the GDPR. "

Article 9.9. Right not to be subject to a decision based solely on automated processing : "The data subject has the right not to be subject to a decision based solely on automated processing, in accordance with Article 22 of the GDPR; no such decision is applied by LES TRICOTS DE LEA ."

Article 10. Data Security. The Data Controller shall take appropriate technical and organizational measures to protect the Data against destruction, loss, alteration, misuse, and unauthorized access, modification, or disclosure, whether such actions are intentional or accidental. These technical and organizational measures are designed to ensure the confidentiality, integrity, availability, and resilience of the Site and the information systems where the Files are stored. To secure the User's browsing experience, the Site is encrypted using SSL (Secure Socket Layer).

Article 11. Amendments to the Privacy Policy The Data Controller reserves the right to amend this Privacy Policy from time to time, in particular the list of Recipients in Article 8. In the event of a substantial amendment to this Privacy Policy, the Data Subject will be personally informed of the new Privacy Policy. The Data Subject is encouraged to consult this Privacy Policy regularly to stay informed of any changes. The Data Subject may send any questions regarding this Privacy Policy to the Data Protection Officer at the following address: info@cabinetbouchara.com . Article 12. Invalidity of the Privacy Policy If any provision of this Privacy Policy is found to be invalid under any applicable law or final court decision, it shall be deemed unwritten, without invalidating the entire Privacy Policy or affecting the validity of its other provisions.