Bleu Blanc Pay complies with all applicable provisions relating to the protection of privacy and personal data, in particular Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
Where UK legislation applies to users located in the United Kingdom, Bleu Blanc Pay also complies with the UK General Data Protection Regulation ('UK GDPR') and the Data Protection Act 2018.
Section 1 PURPOSE OF THE PRIVACY POLICY
This privacy policy (hereinafter the 'Policy') is intended to define our commitments regarding the protection of personal data, towards any person who may visit the website https://join.winble.com/ (hereinafter the 'website') as well as any other version of the Winble Service made available by Bleu Blanc Pay.
It sets out, in particular, the conditions for the collection, use and retention of personal data processed by our services.
This Policy applies to all interactions with our Winble services (web/app/support/prize competitions, etc.).
Section 2 DEFINITIONS
The terms and expressions used in this Policy have the same meaning as that attributed to them under Article 4 of the GDPR and, where applicable to users located in the United Kingdom, the equivalent provisions of the UK GDPR.
The definitions specific to the Winble Service set out in the General Terms and Conditions of Use and Sale supplement these legal definitions.
- "Consent of the data subject": any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
- "Personal data": any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Data controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- "Data processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- "Recipient": a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- "Filing system": any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Section 3 DATA CONTROLLER CONTACT DETAILS
BLEU BLANC PAY
Section 4 SIRET: 989 865 878 00015
Registered office address: 59 avenue Marceau, 75116 Paris
President: Serge Bueno
Contact: contact@winble.com
Section 5 DATA PROTECTION OFFICER CONTACT DETAILS OF BLEU BLANC PAY
Our Data Protection Officer (hereinafter 'DPO') is responsible for ensuring compliance with the applicable regulations on personal data protection and for responding to any requests relating to the processing of your data, including the exercise of your rights.
You can contact them by email at the following address: dpo-bleublancpay@woogassocies.com
Any request relating to the exercise of your rights will be answered within one (1) month of receipt, in accordance with Article 12 of the GDPR and, where applicable, the equivalent provisions of the UK GDPR.
This period may be extended by a further two (2) months in the event of a complex or multiple request. You will be informed within the initial one-month period.
In order to protect the confidentiality of data and prevent identity theft, BLEU BLANC PAY may, in the event of reasonable doubt as to the identity of the applicant, request additional information or identity documentation strictly necessary to verify their identity.
No identity document will be requested systematically. The document provided will be used solely for verification purposes and deleted within a maximum period of one (1) month after processing the request, unless a longer temporary retention period is required in the event of a dispute, fraud, identity theft or legal obligation.
Section 6 CATEGORIES OF PERSONAL DATA COLLECTED
The mandatory or optional nature of the personal data collected and any consequences of a failure to respond are indicated at the time of collection on the relevant forms, subscription interfaces, member areas, activation pathways or application screens.
The details of the information set out below are not intended to be exhaustive and are primarily intended to inform visitors and Users about the main categories of personal data that BLEU BLANC PAY and its partners may process.
BLEU BLANC PAY therefore undertakes to process all personal data collected in a manner compliant with the GDPR and, where applicable to users located in the United Kingdom, with the UK GDPR.
Categories of personal data collected
| Categories of data | Data |
|---|---|
Identification data | First name, surname(s), customer or user number, telephone number, email address, country of residence, date of birth or confirmation of majority where required. A copy of an identity document or equivalent may in particular be collected for identity verification purposes for protection against fraud or for the exercise of rights under the GDPR. |
Account and authentication data | Login credentials, password in secure form, account activation information, email validation, SMS validation, OTP, login history, account status, account settings, user preferences. |
Winble subscription data | Subscription plan taken out, subscription date, subscription status, duration, renewal, cancellation, order history, invoices, information relating to access rights to the components included in the plan. |
Financial, payment and billing data | Amounts paid, payment methods used, payment status, transaction references, invoices, refunds, payment incidents. Banking details and card numbers used for payment of the Winble service subscription are managed directly by our payment provider, which undertakes to ensure a high level of compliance and security of your banking data. Information necessary for transfers made for the benefit of the User. |
Cashback and cashback wallet data | Cashback amounts credited, pending, validated, cancelled or recovered, cashback wallet balance, transaction history, thresholds, transfer requests, validation statuses, reasons for suspension, cancellation or refusal of transfer, banking details or bank account information necessary for the cashback wallet transfer, transfer threshold reached, date of request or initiation of transfer, transfer status, transfer failure or rejection, reason for suspension or refusal of transfer. |
Fan Zone and community activities data | Participation in lotteries or prize competitions, draws, events, experiences, prizes or benefits, content viewed, interactions, points or benefits obtained, preferences related to the Winble universe, participation history. |
Partner services data | Service activated, partner concerned, activation status, activation code or link, activation date, access duration, information strictly necessary for the provision of the partner service. The partner may process additional data within its own scope. |
Winble wristband data | Activation, pairing, accounting data, wristband technical identifier, wristband status, product version, operating data, security data, interaction data, usage data, technical logs, support information, loss, theft, blocking, deactivation or replacement. |
Connected features data of the wristband | Data relating to vibrations, light signals, event-based interactions, gamification, points, user experience, synchronisation with the application and, where applicable, data strictly necessary for the activation or security of an associated compatible contactless payment feature. |
Connection, browsing and security data | IP addresses, connection logs, device identifiers, login identifiers, timestamp information, device type, operating system, browser, diagnostic data, security events, connection attempts, anomaly detection. |
Fraud and abuse prevention data | Transaction history, abnormal purchasing or usage behaviour, suspected multiple accounts, repeated cancellations, abnormal refund requests, circumvention attempts, documents requested in the event of reasonable doubt, results of security or eligibility checks. |
Marketing and communications data | Email address, telephone number, communication preferences, consents or objections, communications history, data relating to offers viewed or used, non-sensitive segmentation data, open or click statistics where applicable. |
Cookies and trackers | Technical or functional cookies, audience measurement cookies, statistical cookies, personalisation cookies, marketing or advertising cookies depending on the choices expressed via the cookie banner or any applicable consent management tool. |
Data relating to the exercise of GDPR / UK GDPR rights | Identity of the applicant, right exercised, exchanges with the DPO or support, elements necessary for identity verification in the event of reasonable doubt, proof of processing of the request, response provided. |
Third-party partners are responsible for the processing they carry out within their own scope, in accordance with the regulations applicable to them.
The Winble wristband is not intended to collect or process data for medical, diagnostic, permanent health monitoring or medical decision-making purposes.
At this stage, features that may rely on the capture or analysis of physiological signals are not necessarily activated. If such features were to be deployed, in particular for the fan experience, gamification, points or benefits, BLEU BLANC PAY would first provide the User with specific information and, where required by regulation, collect explicit separate consent prior to their activation.
Section 7 DATA SOURCES
The personal data processed are collected directly from you, in particular when you register, use the services offered on our website or communicate with our teams (forms, contact requests, subscriptions, etc.).
Where applicable, certain data may also come from updates made by yourself in your personal area or from technical service providers involved in the provision of services, in accordance with our instructions and applicable regulations.
Certain data may also come from third-party partners, only where necessary for the provision of the Winble Service, the management of a complaint, fraud prevention, the security of the Service or compliance with a legal or regulatory obligation.
Section 8 PURPOSES AND LEGAL BASES
In the context of the services offered on the website, BLEU BLANC PAY or its data processors may collect personal data about you for specified, explicit and legitimate purposes.
In all cases, you will be informed of the purposes for which your data are collected via the various collection forms, emails sent to you or information available on the website.
Your personal data are therefore collected and processed to ensure:
Purposes and legal bases of processing
Purposes
Access to the Winble Platform
Categories of data processed
Connection data, browsing data, IP address, logs, session identifiers, technical or functional cookies, device data.
Legal basis
Article 6(1)(f) of the GDPR This processing is based on the legitimate interest of BLEU BLANC PAY to allow you to access the Platform and to ensure the security and continuity of its services. (with regard to cookies, see the cookie policy).
Purposes
Creation, management and security of the User Account
Categories of data processed
Identification data, contact data, login credentials, secure password, email validation, SMS validation, OTP, account status, login logs, technical cookies.
Legal basis
Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you, or for the implementation of pre-contractual measures taken at your request. (with regard to cookies, see the cookie policy). Some information is necessary for the creation of your account and the provision of our services. If you refuse to provide this information, we may not be able to create your account or provide you with all or part of the services.
Purposes
Subscription, management and performance of the Winble Subscription
Categories of data processed
Identification data, contact data, subscription plan taken out, subscription status, subscription date, duration, renewal, cancellation, order history, invoices.
Legal basis
Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you, or for the implementation of pre-contractual measures taken at your request.
Purposes
Payment and billing management
Categories of data processed
Identification data, billing data, amount paid, payment method used, transaction reference, payment status, invoices.
Legal basis
Article 6(1)(c) of the GDPR This processing is based on our legal obligations, in particular accounting and tax. Full banking details are processed by the payment provider within its own scope.
Purposes
Management of Purchase Vouchers: This purpose covers in particular: the issuance and provision of Purchase Vouchers; monitoring their use at partner stores; managing their status; the associated assistance and support service.
Categories of data processed
Identification data, financial data, account data, store or merchant concerned, amount, face value, purchase date, issue date, voucher status, date of use or expiry, applicable conditions, purchase history, cancellations, refunds or disputes.
Legal basis
Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you, or for the implementation of pre-contractual measures taken at your request.
Purposes
Management of refunds and payment incidents
Categories of data processed
Identification data, billing data, amount paid, payment method used, transaction reference, payment status, information relating to refunds, payment incidents and any recovery actions.
Legal basis
Article 6(1)(f) of the GDPR This processing is based on the legitimate interest of BLEU BLANC PAY to monitor payments, manage refunds and recover its receivables (Article 6(1)(f) of the GDPR).
Purposes
Calculation, management and payment of cashback and the Winble cashback wallet This purpose covers in particular: the calculation and crediting of cashback based on eligible transactions; management of the cashback wallet balance (pending, validated, cancelled or recovered amounts); validation, cancellation or recovery of amounts based on applicable conditions; the transfer of the cashback wallet, including the initiation of a bank transfer when the transfer threshold is reached and a transfer request is made; management of transfer rejections or incidents.
Categories of data processed
Identification data, history of eligible transactions, pending, validated, cancelled or recovered cashback amounts, cashback wallet balance, applicable transfer threshold, banking details or bank account information necessary for the transfer, transfer requests, date of initiation of transfer, transfer status, any transfer rejections or incidents, validation statuses, reasons for suspension, cancellation or refusal.
Legal basis
Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you, or for the implementation of pre-contractual measures taken at your request. Legitimate interest may also underpin the controls necessary for the prevention of fraud, credit errors and misuse, transfer rejections or incidents. Article 6(1)(f) of the GDPR.
Purposes
Access to the Fan Zone and management of associated content and activities This purpose covers in particular: access to the Fan Zone and exclusive content; participation in community activities, prize competitions, draws, experiences and events organised in this context; the attribution, management and distribution of prizes, benefits or associated points; monitoring participation history.
Categories of data processed
Identification data, account data, participation in activities, games or draws, interactions, content viewed, points or benefits obtained, participation history, data necessary for the attribution or distribution of a prize.
Legal basis
Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you. Certain additional processing operations (including the analysis of interactions and participation history to engage the community, improve the user experience and prevent misuse) are based on the legitimate interest of BLEU BLANC PAY to develop and engage its community and to improve its services (Article 6(1)(f) of the GDPR).
Purposes
Activation and use of partner services This purpose covers in particular: the activation of services offered by partners when they are included in your Winble plan; the transfer to partners of the information strictly necessary for the provision of their services (for example, identifier, activation code or link); management of the access duration and activation status of partner services.
Categories of data processed
Identification data, account data, service activated, partner concerned, activation code or link, activation date, access duration, activation status, information strictly necessary for the provision of the partner service.
Legal basis
Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you. Where the activation of a partner service or the transfer of your data to that partner is not strictly necessary for the performance of the contract, it is carried out on the basis of your consent, collected in advance, specifically and in an informed manner (Article 6(1)(a) of the GDPR). The partners concerned may act as independent data controllers for the processing they carry out in the context of their own services. In that case, their processing is governed by their own privacy policies, which we invite you to consult.
Purposes
Activation, operation, support and security of the Winble Wristband This purpose covers in particular: the activation and pairing of the Winble Wristband with your account; the normal operation of the wristband and the features provided for in your plan; support and assistance in the event of an anomaly; management of wristband security (loss, theft, blocking, deactivation or replacement).
Categories of data processed
Identification data, account data, wristband technical identifier, activation, pairing, compatibility data, product version, wristband status, technical logs, operating data, security data, support data, information relating to loss, theft, blocking, deactivation or replacement.
Legal basis
Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you. Certain additional processing operations, in particular those aimed at ensuring wristband security, maintenance, technical support and prevention of unauthorised use, are based on the legitimate interest of BLEU BLANC PAY to secure its services and prevent fraud or misuse (Article 6(1)(f) of the GDPR).
Purposes
Connected features of the Winble Wristband and user experience This purpose covers in particular: the collection of data relating to vibrations and light signals in connection with events; gamification and the attribution of points associated with the wristband; the synchronisation of necessary data between the wristband and the Winble application; the processing of data strictly necessary for the operation of the features provided for in your plan and the associated user experience.
Categories of data processed
Data relating to vibrations, light signals, event-based interactions, gamification elements, points, synchronisation data with the application, usage data or signals strictly necessary for the operation and Winble experience.
Legal basis
Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you. Certain optional processing operations, or relating to data or uses not strictly necessary for the performance of the contract (for example, certain advanced personalisation features or processing that may have a sensitive nature), are only carried out with your prior, specific and informed consent, where required by regulation (Article 6(1)(a) of the GDPR).
Purposes
The contactless payment feature associated with the Winble Wristband. This purpose covers in particular: the activation of this feature on your Winble Wristband, where available and at your request; the processing of data strictly necessary for the execution of contactless payments, as well as for the security of this feature.
Categories of data processed
Identification data, eligibility data, activation data, wristband technical data, security data, transaction data or data strictly necessary for the activation, security or execution of the feature.
Legal basis
Article 6(1)(b) of the GDPR When you choose to activate the contactless payment feature, the processing of data strictly necessary for its activation, operation and execution is necessary for the performance of the contract entered into with you. Full banking details and certain payment transactions are processed directly by our payment service provider, which may act as an independent data controller for these transactions, in accordance with its own privacy policy.
Purposes
Prevention of fraud, misuse, diversion and security of the Winble Service
Categories of data processed
Identification data, account data, connection data, transaction history, purchase vouchers, cashback, cashback wallet, refund requests, cancellations, usage anomalies, documents requested in the event of reasonable doubt, results of security or eligibility checks.
Legal basis
Article 6(1)(f) of the GDPR This processing is based on the legitimate interest of BLEU BLANC PAY to prevent fraud and misuse, to secure the Winble Service and to protect Users, partners and its economic interests. Where certain controls or verifications meet a legal or regulatory requirement (for example, in the context of combating fraud, money laundering or for the purpose of complying with prudential obligations), they are also based on compliance with legal obligations applicable to BLEU BLANC PAY (Article 6(1)(c) of the GDPR).
Purposes
Management of requests to exercise rights under the GDPR and, where applicable, the UK GDPR
Categories of data processed
Applicant's identity, right exercised, exchanges with the DPO or support, identity document in the event of reasonable doubt, proof of processing of the request, response provided.
Legal basis
Article 6(1)(c) of the GDPR Processing is necessary for compliance with a legal obligation to which the controller is subject, including: Articles 12 et seq. of EU Regulation 2016/679 (General Data Protection Regulation - GDPR); Law No. 78-17 of 6 January 1978 as amended; UK GDPR.
Purposes
Carrying out analyses, statistics and improvement of the Winble Service
Categories of data processed
Usage data, browsing data, account data, subscription data, data relating to features used, interactions with the Platform, aggregated or pseudonymised data where possible.
Legal basis
Article 6(1)(f) of the GDPR This processing is based on the legitimate interest of BLEU BLANC PAY to analyse the use of the Platform, to improve its services and to optimise the user experience. Where these analyses rely on the use of cookies or other trackers not strictly necessary for the operation of the Platform, the processing is carried out on the basis of your consent, collected in accordance with applicable regulations (Article 6(1)(a) of the GDPR), as described in our cookie policy.
Purposes
Carrying out marketing operations This purpose covers in particular: carrying out BtoC prospecting campaigns (email, telephone, post); managing websites and social media; organising events; running prize competitions; customer satisfaction surveys by telephone, SMS or email; developing statistics on marketing operations; carrying out audience measurement and targeted advertising.
Categories of data processed
Connection and browsing data, identification data, communication preferences, consents or objections, communications history, offers viewed or used, non-sensitive segmentation data, open or click statistics, marketing cookies.
Legal basis
Certain marketing and prospecting operations are based on the legitimate interest of BLEU BLANC PAY to promote its services, to maintain its relationship with its customers and to adapt its offers, in compliance with your rights and with the possibility of objecting (Article 6(1)(f) of the GDPR). Where required by regulation, in particular for BtoC electronic prospecting (email, SMS) and the use of cookies or non-strictly necessary marketing trackers, the processing is based on your consent, collected in advance and which may be withdrawn at any time (Article 6(1)(a) of the GDPR). The conditions of use of cookies and the choices available to you are detailed in our cookie policy.
Purposes
The transfer of data to Meta (Facebook/Instagram) to receive personalised advertising from BLEU BLANC PAY.
Categories of data processed
Identification data (first name, surname, email address)
Legal basis
Article 6(1)(a) of the GDPR This processing is based on your consent.
Purposes
Management of complaints and disputes
Categories of data processed
All data including identification and contact data, account and subscription data, information relating to the transactions or services concerned (for example: purchase vouchers, cashback, payments, use of the Winble Service), content of complaints and exchanges with the customer service or the DPO, documents and supporting evidence provided, information necessary for the handling of the matter, information relating to amicable or contentious procedures (complaints, formal notices, legal actions, decisions).
Legal basis
Article 6(1)(f) of the GDPR This processing is based primarily on the legitimate interest of BLEU BLANC PAY to manage complaints, defend its rights, resolve disputes and protect its interests as well as those of its users and partners.
| Purposes | Categories of data processed | Legal basis |
|---|---|---|
Access to the Winble Platform | Connection data, browsing data, IP address, logs, session identifiers, technical or functional cookies, device data. | Article 6(1)(f) of the GDPR This processing is based on the legitimate interest of BLEU BLANC PAY to allow you to access the Platform and to ensure the security and continuity of its services. (with regard to cookies, see the cookie policy). |
Creation, management and security of the User Account | Identification data, contact data, login credentials, secure password, email validation, SMS validation, OTP, account status, login logs, technical cookies. | Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you, or for the implementation of pre-contractual measures taken at your request. (with regard to cookies, see the cookie policy). Some information is necessary for the creation of your account and the provision of our services. If you refuse to provide this information, we may not be able to create your account or provide you with all or part of the services. |
Subscription, management and performance of the Winble Subscription | Identification data, contact data, subscription plan taken out, subscription status, subscription date, duration, renewal, cancellation, order history, invoices. | Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you, or for the implementation of pre-contractual measures taken at your request. |
Payment and billing management | Identification data, billing data, amount paid, payment method used, transaction reference, payment status, invoices. | Article 6(1)(c) of the GDPR This processing is based on our legal obligations, in particular accounting and tax. Full banking details are processed by the payment provider within its own scope. |
Management of Purchase Vouchers: This purpose covers in particular: the issuance and provision of Purchase Vouchers; monitoring their use at partner stores; managing their status; the associated assistance and support service. | Identification data, financial data, account data, store or merchant concerned, amount, face value, purchase date, issue date, voucher status, date of use or expiry, applicable conditions, purchase history, cancellations, refunds or disputes. | Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you, or for the implementation of pre-contractual measures taken at your request. |
Management of refunds and payment incidents | Identification data, billing data, amount paid, payment method used, transaction reference, payment status, information relating to refunds, payment incidents and any recovery actions. | Article 6(1)(f) of the GDPR This processing is based on the legitimate interest of BLEU BLANC PAY to monitor payments, manage refunds and recover its receivables (Article 6(1)(f) of the GDPR). |
Calculation, management and payment of cashback and the Winble cashback wallet This purpose covers in particular: the calculation and crediting of cashback based on eligible transactions; management of the cashback wallet balance (pending, validated, cancelled or recovered amounts); validation, cancellation or recovery of amounts based on applicable conditions; the transfer of the cashback wallet, including the initiation of a bank transfer when the transfer threshold is reached and a transfer request is made; management of transfer rejections or incidents. | Identification data, history of eligible transactions, pending, validated, cancelled or recovered cashback amounts, cashback wallet balance, applicable transfer threshold, banking details or bank account information necessary for the transfer, transfer requests, date of initiation of transfer, transfer status, any transfer rejections or incidents, validation statuses, reasons for suspension, cancellation or refusal. | Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you, or for the implementation of pre-contractual measures taken at your request. Legitimate interest may also underpin the controls necessary for the prevention of fraud, credit errors and misuse, transfer rejections or incidents. Article 6(1)(f) of the GDPR. |
Access to the Fan Zone and management of associated content and activities This purpose covers in particular: access to the Fan Zone and exclusive content; participation in community activities, prize competitions, draws, experiences and events organised in this context; the attribution, management and distribution of prizes, benefits or associated points; monitoring participation history. | Identification data, account data, participation in activities, games or draws, interactions, content viewed, points or benefits obtained, participation history, data necessary for the attribution or distribution of a prize. | Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you. Certain additional processing operations (including the analysis of interactions and participation history to engage the community, improve the user experience and prevent misuse) are based on the legitimate interest of BLEU BLANC PAY to develop and engage its community and to improve its services (Article 6(1)(f) of the GDPR). |
Activation and use of partner services This purpose covers in particular: the activation of services offered by partners when they are included in your Winble plan; the transfer to partners of the information strictly necessary for the provision of their services (for example, identifier, activation code or link); management of the access duration and activation status of partner services. | Identification data, account data, service activated, partner concerned, activation code or link, activation date, access duration, activation status, information strictly necessary for the provision of the partner service. | Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you. Where the activation of a partner service or the transfer of your data to that partner is not strictly necessary for the performance of the contract, it is carried out on the basis of your consent, collected in advance, specifically and in an informed manner (Article 6(1)(a) of the GDPR). The partners concerned may act as independent data controllers for the processing they carry out in the context of their own services. In that case, their processing is governed by their own privacy policies, which we invite you to consult. |
Activation, operation, support and security of the Winble Wristband This purpose covers in particular: the activation and pairing of the Winble Wristband with your account; the normal operation of the wristband and the features provided for in your plan; support and assistance in the event of an anomaly; management of wristband security (loss, theft, blocking, deactivation or replacement). | Identification data, account data, wristband technical identifier, activation, pairing, compatibility data, product version, wristband status, technical logs, operating data, security data, support data, information relating to loss, theft, blocking, deactivation or replacement. | Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you. Certain additional processing operations, in particular those aimed at ensuring wristband security, maintenance, technical support and prevention of unauthorised use, are based on the legitimate interest of BLEU BLANC PAY to secure its services and prevent fraud or misuse (Article 6(1)(f) of the GDPR). |
Connected features of the Winble Wristband and user experience This purpose covers in particular: the collection of data relating to vibrations and light signals in connection with events; gamification and the attribution of points associated with the wristband; the synchronisation of necessary data between the wristband and the Winble application; the processing of data strictly necessary for the operation of the features provided for in your plan and the associated user experience. | Data relating to vibrations, light signals, event-based interactions, gamification elements, points, synchronisation data with the application, usage data or signals strictly necessary for the operation and Winble experience. | Article 6(1)(b) of the GDPR This processing is necessary for the performance of the contract entered into with you. Certain optional processing operations, or relating to data or uses not strictly necessary for the performance of the contract (for example, certain advanced personalisation features or processing that may have a sensitive nature), are only carried out with your prior, specific and informed consent, where required by regulation (Article 6(1)(a) of the GDPR). |
The contactless payment feature associated with the Winble Wristband. This purpose covers in particular: the activation of this feature on your Winble Wristband, where available and at your request; the processing of data strictly necessary for the execution of contactless payments, as well as for the security of this feature. | Identification data, eligibility data, activation data, wristband technical data, security data, transaction data or data strictly necessary for the activation, security or execution of the feature. | Article 6(1)(b) of the GDPR When you choose to activate the contactless payment feature, the processing of data strictly necessary for its activation, operation and execution is necessary for the performance of the contract entered into with you. Full banking details and certain payment transactions are processed directly by our payment service provider, which may act as an independent data controller for these transactions, in accordance with its own privacy policy. |
Prevention of fraud, misuse, diversion and security of the Winble Service | Identification data, account data, connection data, transaction history, purchase vouchers, cashback, cashback wallet, refund requests, cancellations, usage anomalies, documents requested in the event of reasonable doubt, results of security or eligibility checks. | Article 6(1)(f) of the GDPR This processing is based on the legitimate interest of BLEU BLANC PAY to prevent fraud and misuse, to secure the Winble Service and to protect Users, partners and its economic interests. Where certain controls or verifications meet a legal or regulatory requirement (for example, in the context of combating fraud, money laundering or for the purpose of complying with prudential obligations), they are also based on compliance with legal obligations applicable to BLEU BLANC PAY (Article 6(1)(c) of the GDPR). |
Management of requests to exercise rights under the GDPR and, where applicable, the UK GDPR | Applicant's identity, right exercised, exchanges with the DPO or support, identity document in the event of reasonable doubt, proof of processing of the request, response provided. | Article 6(1)(c) of the GDPR Processing is necessary for compliance with a legal obligation to which the controller is subject, including: Articles 12 et seq. of EU Regulation 2016/679 (General Data Protection Regulation - GDPR); Law No. 78-17 of 6 January 1978 as amended; UK GDPR. |
Carrying out analyses, statistics and improvement of the Winble Service | Usage data, browsing data, account data, subscription data, data relating to features used, interactions with the Platform, aggregated or pseudonymised data where possible. | Article 6(1)(f) of the GDPR This processing is based on the legitimate interest of BLEU BLANC PAY to analyse the use of the Platform, to improve its services and to optimise the user experience. Where these analyses rely on the use of cookies or other trackers not strictly necessary for the operation of the Platform, the processing is carried out on the basis of your consent, collected in accordance with applicable regulations (Article 6(1)(a) of the GDPR), as described in our cookie policy. |
Carrying out marketing operations. This purpose covers in particular: carrying out BtoC prospecting campaigns (email, telephone, post); managing websites and social media; organising events; running prize competitions; customer satisfaction surveys by telephone, SMS or email; developing statistics on marketing operations; carrying out audience measurement and targeted advertising. | Connection and browsing data, identification data, communication preferences, consents or objections, communications history, offers viewed or used, non-sensitive segmentation data, open or click statistics, marketing cookies. | Certain marketing and prospecting operations are based on the legitimate interest of BLEU BLANC PAY to promote its services, to maintain its relationship with its customers and to adapt its offers, in compliance with your rights and with the possibility of objecting (Article 6(1)(f) of the GDPR). Where required by regulation, in particular for BtoC electronic prospecting (email, SMS) and the use of cookies or non-strictly necessary marketing trackers, the processing is based on your consent, collected in advance and which may be withdrawn at any time (Article 6(1)(a) of the GDPR). The conditions of use of cookies and the choices available to you are detailed in our cookie policy. |
The transfer of data to Meta (Facebook/Instagram) to receive personalised advertising from BLEU BLANC PAY. | Identification data (first name, surname, email address) | Article 6(1)(a) of the GDPR This processing is based on your consent. |
Management of complaints and disputes | All data including identification and contact data, account and subscription data, information relating to the transactions or services concerned (for example: purchase vouchers, cashback, payments, use of the Winble Service), content of complaints and exchanges with the customer service or the DPO, documents and supporting evidence provided, information necessary for the handling of the matter, information relating to amicable or contentious procedures (complaints, formal notices, legal actions, decisions). | Article 6(1)(f) of the GDPR This processing is based primarily on the legitimate interest of BLEU BLANC PAY to manage complaints, defend its rights, resolve disputes and protect its interests as well as those of its users and partners. |
Section 9 AUTOMATED DECISION-MAKING
Processing does not involve automated decision-making.
Section 10 RECIPIENTS OR CATEGORIES OF RECIPIENTS
Only the specified persons mentioned below will have access to your personal data.
BLEU BLANC PAY's authorised staff, within the scope of their duties (customer service, support, accounting, marketing, compliance).
Technical service providers acting exclusively on behalf of BLEU BLANC PAY and bound by a contract compliant with Article 28 of the GDPR and, where applicable, the equivalent provisions of the UK GDPR, including in particular:
SaaS solution providers (CRM, customer support)
Email and communications delivery providers
Secure payment providers
Logistics, industrial, technical or support providers linked to the Winble wristband, its delivery, activation, pairing, maintenance, replacement or security;
Hosting, cloud infrastructure and IT services providers
Marketing and communications providers
These service providers act only on the instructions of BLEU BLANC PAY and are subject to strict confidentiality and security obligations.
Partner Brands, in their capacity as separate data controllers, may process certain data necessary for the use of Vouchers or Brand Cards in accordance with their own privacy policies.
Service providers or partners involved in the manufacture, delivery, activation, pairing, support, maintenance, security or, where applicable, the associated contactless payment functionality of the Winble wristband may receive the data strictly necessary for their involvement, depending on their respective role as data processor, independent data controller or, where applicable, joint controller.
Where BLEU BLANC PAY and a partner jointly determine the purposes and means of a specific processing operation, they may act as joint controllers within the meaning of Article 26 of the GDPR and, where applicable, Article 26 of the UK GDPR. In that case, the essential elements of the agreement defining their respective responsibilities may be communicated upon request.
Authorised third parties: The following may also be recipients:
Judicially or administratively authorised authorities
Chartered accountants, statutory auditors
Lawyers, bailiffs, debt collection companies
Any authority in the event of a legal requisition
Your personal data are not communicated, exchanged, sold or rented without your express prior consent in accordance with applicable provisions.
The list of our Recipients may be requested by sending us an email to dpo-bleublancpay@woogassocies.com, or by sending us a letter to BLEU BLANC PAY - data protection department - 59 Avenue Marceau, 75016 Paris.
Section 11 TRANSFER OF DATA OUTSIDE THE EU
BLEU BLANC PAY limits as far as possible the choice of its data processors that process your personal data in a country located outside the European Union, the European Economic Area or, where applicable, the United Kingdom.
However, in cases where BLEU BLANC PAY uses data processors located outside the European Union, the European Economic Area or, where applicable, the United Kingdom, we undertake to ensure that they provide protection measures recognised as sufficient within the meaning of the GDPR and, where applicable, the UK GDPR.
These may in particular be data processors located in any other country recognised by the European Union or the competent authority in the United Kingdom, where applicable, as ensuring an adequate level of protection of personal data ('Adequacy Decision'), subject to a data transfer agreement compliant with the Standard Contractual Clauses adopted by the European Commission, the International Data Transfer Agreement ('IDTA'), the international addendum to the Standard Contractual Clauses applicable to transfers subject to the UK GDPR, or any other protection measure compliant with the GDPR and/or the UK GDPR and recognised as sufficient by the competent authorities.
The list of data transfers outside the EU, outside the European Economic Area or outside the United Kingdom may be requested by sending us an email to dpo-bleublancpay@woogassocies.com, or by sending us a letter to BLEU BLANC PAY - data protection department - 59 Avenue Marceau, 75016 Paris.
Section 12 DATA RETENTION PERIOD
Retention in the active database
BLEU BLANC PAY retains your personal data only for as long as necessary for the purposes for which they are processed, in compliance with the GDPR and, where applicable, the UK GDPR.
Your personal data are therefore retained for the duration of the contractual relationship for the management of your WINBLE services subscription.
This includes in particular data necessary for managing access to the Platform, the Fan Zone, partner services, purchase vouchers, cashback, the cashback wallet, the Winble wristband, customer support and complaints.
Prospect data used for commercial prospecting purposes may be retained by us for a period of three years, unless you decide to exercise your right to object.
Data used in the context of marketing operations
User data used in the context of marketing operations may be retained by us for a period of three years from the end of the commercial relationship, unless you decide to exercise your right to object, either by sending us an email at dpo-bleublancpay@woogassocies.com or via the unsubscribe link included in our emails.
Retention in the archive database
The categories of personal data below may also be retained for longer periods in the following cases:
Financial data (including payment-related data) will be retained in a secure archive database for the period required by applicable tax and accounting laws (such as the obligation to retain invoices for a period of 10 years under Article L.123-22 of the French Commercial Code);
Data enabling proof of a right or a contract to be established, or retained pursuant to a legal obligation, may be subject to an intermediate archiving policy in order to comply with legal, accounting and tax obligations. This includes in particular the general limitation period of 5 years provided for under Article 2224 of the French Civil Code.
Data necessary for the prevention, detection, management or proof of fraud, suspected fraud, misuse, an anomaly, a dispute, an abnormal refund, repeated cancellations, a security incident or misuse of the Winble Service, including with respect to purchase vouchers, cashback, the cashback wallet, benefits or the Winble wristband, may be retained for the period necessary for the analysis and handling of the situation, then archived for the applicable limitation periods.
In the event of legal proceedings, your personal data as well as any information, documents or records containing personal data tending to establish the facts that may be at issue may be retained for the duration of the proceedings, including for a period exceeding those indicated above.
Data relating to the management of requests to exercise rights under the GDPR and, where applicable, the UK GDPR, are retained for the entire period necessary for processing and will thereafter be archived for the applicable criminal limitation period (6 years) in intermediate archiving.
Management of accounts after the end of the contractual relationship
During the Winble subscription period, the absence of login or effective use of the account does not in itself constitute a reason for deleting the user account, subject to compliance with the applicable General Terms and Conditions of Use and Sale. Upon termination of the contractual relationship, in particular in the event of cancellation, expiry, non-renewal or account closure, we may proceed to delete, deactivate or archive your account and associated data in the active database, subject to the longer retention periods provided for above. The deletion of your account due to inactivity does not entail the erasure of all your data where certain data must still be retained to comply with our legal, accounting or tax obligations or for the establishment, exercise or defence of legal claims.
Section 13 DATA SECURITY
In accordance with Article 32 of the GDPR and, where applicable, Article 32 of the UK GDPR, BLEU BLANC PAY implements appropriate technical and organisational measures to ensure the security, confidentiality, integrity and availability of the services and to protect your personal data against destruction, loss, alteration, unauthorised disclosure of personal data transmitted, stored or otherwise processed, or unauthorised access to such data.
Section 14 YOUR RIGHTS
In accordance with the GDPR regulations and, where applicable, the UK GDPR on personal data, you have the right to:
Access (Article 15 of the GDPR),
Rectification (Article 16 of the GDPR),
Erasure (Article 17 of the GDPR),
Restriction of processing (Article 18 of the GDPR),
Data portability (Article 20 of the GDPR),
Object (Articles 21 and 22 of the GDPR),
Posthumous directives (Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, Article 85)
Your right of access
In accordance with Article 15 of the GDPR and, where applicable, the UK GDPR, you have the right to obtain confirmation as to whether or not your personal data are being processed and, where they are, you have the right to request a copy of your data and information concerning:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients as well as, where applicable if such disclosures are to be made, the international organisations to which the personal data have been or will be disclosed, in particular recipients established in third countries;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of your personal data, the right to request restriction of processing of your personal data, and the right to object to such processing;
the right to lodge a complaint with a supervisory authority;
information relating to the source of the data where they are not collected directly from the data subjects;
the existence of automated decision-making, including profiling, and, in the latter case, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Your right to rectification of your data
In accordance with Article 16 of the GDPR, you may ask us to rectify or complete your personal data where it is inaccurate, incomplete, ambiguous or out of date, as appropriate.
Your right to erasure of your data
In accordance with Article 17 of the GDPR, you may request the erasure of your personal data in the cases provided for by legislation and regulations.
Your attention is drawn to the fact that the right to erasure of data is not a general right and can only be exercised if one of the grounds set out in Article 17 of the GDPR is present.
Your right to restriction of processing of your data
In accordance with Article 18 of the GDPR, you may request restriction of the processing of your personal data in the cases provided for by legislation and regulations.
Your right to object to data processing
In accordance with Articles 21 and 22 of the GDPR and, where applicable, the UK GDPR, you have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data for which the legal basis is the legitimate interest pursued by the data controller.
In the event that such a right to object is exercised, we will ensure that we no longer process your personal data in the context of the processing concerned unless we can demonstrate that we have compelling legitimate grounds for maintaining such processing. These grounds must override your interests, rights and freedoms, or the processing must be justified for the establishment, exercise or defence of legal claims.
Where the data processing we carry out is based on your consent, you may withdraw it at any time. We will then cease processing your personal data without affecting the lawfulness of any processing operations for which you had previously given consent.
Your right to data portability
In accordance with Article 20 of the GDPR, you have the right to data portability of your personal data. We draw your attention to the fact that this is not a general right. Indeed, not all data from all processing operations are portable and this right only applies to automated processing, to the exclusion of manual or paper-based processing.
This right is limited to processing operations for which the legal basis is your consent or the performance of pre-contractual measures or a contract.
Your right to define posthumous directives
You have the option of defining specific directives relating to the retention, erasure and communication of your personal data after your death in accordance with the procedures set out in Article 85 of the Data Protection Act (Loi Informatique et Libertés). These directives define how you wish your rights over your data to be exercised after your death. These specific directives will only apply to processing carried out by us and will be limited to that scope alone. You may modify or revoke your directives at any time.
How to exercise your rights
All the rights listed above may be exercised:
By post to: BLEU BLANC PAY - data protection department - 59 Avenue Marceau, 75116 Paris
By email: dpo-bleublancpay@woogassocies.com
Please note that you do not need to pay any fees to access your personal data or exercise your rights. However, we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive.
We may also contact you to request additional information in relation to your request in order to respond to you. A response will be provided within one month. Exceptionally, we may exceed this one-month period if your request is particularly complex.
13.9 Automated processing
As a general rule, the data collected is not subject to entirely automated decision-making procedures within the meaning of Article 22 of the GDPR, and user profiling is excluded.
Analysis or segmentation mechanisms may be used for statistical or marketing purposes, without producing any direct legal effect on users.
Section 15 RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
The supervisory authority competent to deal with any request concerning us is the Commission Nationale de l'Informatique et des Libertés (CNIL). If you wish to submit any request to the CNIL, you will find its contact details below:
Section 16 CNIL (COMMISSION NATIONALE DE L'INFORMATIQUE ET DES LIBERTÉS)
Tel.: 01 53 73 22 22
Where the UK GDPR is applicable, you may also lodge a complaint with the competent supervisory authority in the United Kingdom, the Information Commissioner's Office (ICO).
Section 17 ICO (INFORMATION COMMISSIONER'S OFFICE)
Tel.: 0303 123 1113
Section 18 AMENDMENTS TO THE PRIVACY POLICY
This Privacy Policy may be updated in order in particular to comply with any legislative or regulatory developments, or any change in processing resulting from a change in our services.
In the event of a material change affecting the rights of users or the nature of the processing, they will be informed by any appropriate means (email or notification on the Platform).
The most current version governs our use of your personal data and will always be available on the website, on the platform or on request from BLEU BLANC PAY.