Access to and use of the website www.tapilou.com (hereinafter referred to as the " Site ") may involve you providing certain personal data (hereinafter referred to as " Personal Data ") about yourself.

In order to preserve your trust, we, the company TAPILOU, invite you to read our policy on this matter, which describes the data collected, the use made of it, and the rights you have with regard to it.

1. DEFINITIONS

"Client" refers to the user who is a client of the Site.

“Customer Account” refers to the account you created as a Customer and user and which is accessible through your Login Credentials.

“Geolocation data” means data that identifies your location in a reasonably specific way, for example using latitude and longitude coordinates obtained by GPS, Wi-Fi or mobile triangulation.

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Identifiers" refers to your email address and password.

“Data Protection Act” refers to Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms (amended by Law No. 2018-493 of 20 June 2018).

“ Product(s) ” refers to the baby and toddler play mat(s) sold by the Company on the Site.

“Regulation (EU) 2016/679” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Services" refers to all the features made available to you through the use of the Site.

“Site” refers to the TAPILOU website which is exclusively intended for you as a non-professional user and customer (individual) and accessible at the URL www.tapilou.com .

“Terminal” means the smartphone, tablet or any other device with an operating system compatible with the Site and from which you access the Content and Services.

2. WHO COLLECTS YOUR DATA?

The website www.tapilou.com is published by the company TAPILOU, a simplified joint-stock company with a capital of 1,000 euros registered in the trade and companies register of Marseille under number 882 014 095 whose registered office is located at 58 montée de saint menet, 13011 Marseille – FRANCE, represented by Mrs. Déborah Goldberg, in her capacity as president.

In connection with the use of the Site, we collect and process certain Personal Data concerning you.

We are therefore data controllers within the meaning of the French Data Protection Act and EU Regulation 2016/679.

3. WHAT PERSONAL DATA DO WE COLLECT?

We only collect, via the Site, your Personal Data that is strictly necessary for the proper execution of the services offered, namely:

• Creating a Customer Account;
• Payment for your orders;
• Delivery of your orders;
• Archiving your orders and issuing invoices;
• Sending a newsletter;
• Contact via the contact form.

You agree to provide complete and accurate information to enable the proper functioning of the Site's Services.

3.1 Data collected during the creation and management of your Customer Account

The Personal Data we collect for the creation of your account are: your name, your first name, your email address and your password.

This data is collected to allow you to create a Customer Account and access the Services.

3.2 Data collected in connection with payment for Products

We collect only the data strictly necessary to process your order payment, namely, depending on the payment method chosen:

• the card number, expiry date and visual cryptogram in case of payment by bank card via the STRIPE payment solution;
• email address and password of the PAYPAL account in case of payment via your PAYPAL payment solution;
• the name of the banking institution, the IBAN and the BIC of the banking institution in case of payment in three installments via the ALMA split payment solution.

IT IS STRONGLY RECOMMENDED TO READ THE PRIVACY POLICIES OF OUR PAYMENT SOLUTION PROVIDERS BEFORE ANY ORDER VALIDATION [1] .

We guarantee to take all appropriate organizational and technical measures to preserve the security, integrity, and confidentiality of your banking data against any unauthorized access, use, misappropriation, disclosure, or modification by using secure payment systems that comply with the state of the art and applicable regulations. This data is encrypted using a robust algorithm.

3.3 Data collected for the purpose of managing your orders

The Personal Data we collect for the management of your orders are: your name, your first name, your email address, your delivery address, your telephone number, your billing address, and possibly the name and first name of the person to whom you wish to offer a Product or a gift card.

This data is collected to allow us to manage your order and deliver the Products to the person concerned.

3.4 Data collected via the contact form

Through the contact form, we collect data relating to your name, surname, email address as well as the subject and content of the message you wish to send us.

The contact form allows you to get in touch with us to learn more about our products, provide feedback, or ask a general question. The data collected is then used so that we can contact you to respond to your message.

3.5 Data collected within the framework of the Newsletter

The Personal Data we collect to register you for our Newsletter is limited to your email address.

This allows us to send you our newsletter.

3.6 Geolocation Data

We also collect your geolocation data if you allow us to receive it by enabling access to geolocation data through the settings of your smartphone, tablet or any other device with an operating system compatible with the Site.

4. WHY DO WE COLLECT YOUR DATA?

We collect your data:

• To operate the Site and provide the Services, in particular to authenticate your access to your Customer Account, process your order payment, and deliver the Product(s);
• To manage our business needs, such as monitoring, analyzing and improving the performance and functionality of the Site. For example, we analyze your behavior and conduct studies on how you use the Site;
• To protect the Site and yourself against fraud by verifying your identity, and by helping to detect and prevent fraud and misuse of the Site;
• To fulfill our obligations and enforce our general terms of use of the Site, as well as to comply with all applicable laws and regulations.
• For statistical processing and to improve our services. This processing is completely anonymized, and therefore not covered by the aforementioned Regulation 2016/679.

5. WHAT JUSTIFIES THIS COLLECTION?

The data will be collected and processed fairly and lawfully, and will be used to provide the services offered on the Site.

In the context of the orders you place on the Site, the legal basis for the collection and processing is the performance of the sales contract concluded between TAPILOU and the Customer.

Regarding other processing, we only collect your Personal Data to the extent that you have expressly given your consent.

You may withdraw your consent at any time by sending a request to that effect to the following contact details:

• By email: contact@tapilou.com .
• Or by mail: TAPILOU 58 montée de saint menet, 13011 Marseille – FRANCE

The withdrawal of your consent only applies to the future and does not call into question the lawfulness of processing carried out prior to the withdrawal of your consent.

6. WOULD YOU LIKE TO RECEIVE OUR NEWSLETTER AND/OR OUR COMMERCIAL OFFERS?

You can consent to or object to the use of your email address when you provide your data, so that we can send you our newsletter or commercial offers electronically.

You can object to this marketing at any time via the link provided for this purpose in all the emails you receive.

7. WHO DO WE SHARE YOUR DATA WITH?

TAPILOU is the sole recipient of all collected and processed data. Only duly authorized TAPILOU personnel may access it.

Our service providers responsible for delivering your Products also have access only to the data necessary for the proper execution of their delivery service, namely: your name, surname, email address, telephone number and your delivery address.

Our payment solution providers also have access only to the data necessary for the proper performance of their service as specified in article 3.2 herein.

Finally, our IT subcontractors may have access to the data during their maintenance operations, but may under no circumstances carry out any other data processing operation, such as modifying or using the data.

Your personal information will never be sold, exchanged, transferred or given to any other company for any reason whatsoever, without your consent, except as necessary to respond to a request from you.

No data is transferred outside the European Union or to a country that does not ensure a sufficient and appropriate level of data protection in accordance with European Union regulations on Personal Data.

Anonymized data, however, may be provided to other parties for marketing, advertising, or other uses.

8. WHO ARE OUR SUBCONTRACTORS?

For the purposes of data processing, we use the services of SHOPIFY, a company incorporated under Canadian law, located at 151 O'Connor Street - Ottawa, Ontario K2P 2L8 – Canada, which provides:

• hosting of all Personal Data processed on the Site and
• Site maintenance.

We guarantee that our subcontractors host the data within the European Union or in a country ensuring a sufficient and appropriate level of data protection and provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of EU Regulation 2016/679 and the French Data Protection Act.

In any event, all subcontracting is carried out in strict compliance with this document. Therefore, we guarantee that our subcontractors will in no way exceed the processing procedures defined in this document.

The subcontractor may itself be authorized to subcontract all or part of its operations subject to strict compliance with the provisions of Article 28 of EU Regulation 2016/679 and this document.

However, as data controllers, we remain your sole point of contact.

9. WHAT ARE YOUR RIGHTS?

In accordance with current regulations, you have rights over your Personal Data.

To exercise these rights, you must write to us specifying the subject of your request and keep proof of receipt of your request.

Any request for information about your rights or any request to exercise one of your rights should be sent to the following contact details:

• by email: contact@tapilou.com .
• or by mail: TAPILOU, 58 montée de saint menet, 13011 Marseille – FRANCE

Any request to exercise your rights will be accompanied by a copy of your identity document in order to prevent any fraud and/or unlawful access to your data.

However, certain personal information may be exempt from such requests in certain circumstances, for example, if it infringes on the rights and freedoms of others. If an exception applies, we will inform you when responding to your request.

9.1 Rights of access, objection, limitation, erasure and rectification of data

In accordance with current regulations, you have the right to:

• to access any of your Personal Data that we hold about you;
• to update any of your Personal Data that is not up to date or incorrect;
• to restrict how we process your Personal Data;
• to ask us to provide you with a copy of any of the Personal Data we hold about you;
• to object to the use of your Personal Data;
• to object to the use of your Personal Data for marketing purposes.

9.2 Right to data portability

You have the right to data portability, which means that we must return your data to you in a structured, commonly used and machine-readable format, if you so wish.

You can only exercise this right to data portability with regard to data that you have actively and knowingly declared or that you have generated through your activity, in particular in the context of using the contact form, excluding any other data that is calculated, derived or inferred from the data you have provided.

Furthermore, only data processed automatically and collected on the basis of your consent or the performance of a contract are covered by this right.

We reserve the right to refuse your request if the data concerned by your request does not meet the aforementioned conditions.

For any data that does not meet the aforementioned criteria, you can only exercise the rights mentioned in the previous clause.

We will not obstruct the transfer of data covered by the right to data portability to another data controller, either through you or directly where technically feasible. If direct transfer of data to another data controller is not technically possible, we will inform you and offer an alternative solution.

We are not responsible for how you process the data obtained through your right to data portability once you have retrieved it. Nor are we responsible for the processing carried out by the company that retrieved your data following a request you made.

9.3 Right to make advance directives

In accordance with current regulations, you can formulate advance directives on the use of your data after your death (for example: retention, deletion, disclosure).

You can modify or withdraw your instructions at any time.

9.4 Right to lodge a complaint with the CNIL

You are hereby informed of your right to contact the CNIL if we fail to comply with legal and regulatory provisions in the management of your Personal Data.

To do so, you can contact the CNIL via the following link: https://www.cnil.fr/fr/plaintes

Notwithstanding the above, as the data controller, we remain your sole point of contact.

10. HOW LONG DO WE KEEP YOUR DATA?

10.1 We retain your Personal Data in an identifiable format only for the period strictly necessary for the management of our business relationship and for compliance with our legal and/or regulatory obligations.

Insofar as you are a Customer and hold a Customer Account, some of the data collected about you is kept for a period of five (5) years following the current year at the time of the termination of the contract between us (deletion of the Customer Account) in intermediate archives [2] and this, in order to be able to respond to you in the event of a dispute.

10.2 The data collected from the contact form is kept for the time necessary for us to respond to you and, potentially, for the duration of any subsequent exchanges between you and us. We then archive this data for a period not exceeding one (1) year from the date of collection or the last message you sent us.

10.3 Bank details collected on the Site for the purpose of paying for Products are kept until the final payment due date. The bank details are then kept in intermediate archives [3] for thirteen (13) months following the debit date or fifteen (15) months in the case of deferred debit payment cards, and may only be used in the event of a dispute of the transaction by the Customer, for evidentiary purposes, in accordance with Article L.133-24 of the French Monetary and Financial Code.

10.4 If you have not objected to receiving marketing communications, your Personal Data will be kept for three (3) years from the date of collection or your last interaction with us (for example, a request for information or clicking on a hyperlink in an email constitutes interaction with us. However, simply opening an email does not constitute interaction with us). At the end of this three (3) year period, we may contact you to ask if you wish to continue receiving marketing communications. If you do not provide a positive and explicit response, your data will be deleted.

10.5 In the event of exercising the right of access or rectification, the data relating to identity documents shall be kept for the period provided for in Article 9 of the Code of Criminal Procedure, i.e. one (1) year.

In the event of exercising the right to object, the data relating to identity documents may be archived for the limitation period provided for in Article 8 of the Code of Criminal Procedure, i.e. three (3) years.

If you exercise your right to object to receiving marketing communications, the data necessary to process your request, such as your email address, will be kept for three (3) years from the date you exercised your right and cannot be used for any other purpose.

10.6 Furthermore, we may retain anonymous or anonymized data through an irreversible process for an unlimited period for statistical processing purposes. Given the anonymized nature of this data, it is not considered personal data within the meaning of EU Regulation 2016/679.

11. HOW DO WE USE COOKIES AND TRACKING TECHNOLOGIES?

Browsing the Site may result in the installation of cookies on your device.

11.1 Why use cookies?

A cookie is a small file that does not allow your personal identification, but which nevertheless records information relating to the navigation of a Terminal on a website.

These cookies improve access to our website and identify repeat visitors. Furthermore, our cookies enhance your experience by tracking and targeting your interests.

The cookies used on the Site are placed by us or by third parties.

We place on the Site cookies that are strictly necessary for browsing the Site, cookies whose sole purpose is to enable or facilitate communication by electronic means, and audience measurement cookies whose purpose is limited to measuring the audience of the content viewed in order to allow an evaluation of the content published and the ergonomics of the Site.

Google Analytics and Hotiar cookies, which are used for audience measurement purposes, are placed by third parties.

We automatically receive and record information from your terminal and browser, including your IP address, software and hardware, and the page you request.

Collecting your IP address is essential to enable you to communicate on the Internet, but it does not provide more precise information than the city, and the IP address is anonymized once geolocation is complete.

Cookies used in addition to those strictly necessary for browsing the Site are used for the following purposes:

• Audience measurement: these cookies allow us to compile visitor statistics;
• Social buttons: these cookies allow you to share the Site's content on social networks;
• Tracking and advertising spaces: these cookies allow us to place promotional content in advertising spaces and to offer targeted advertising based on your interests.

Cookies that are not strictly necessary can be disabled by following the instructions given in the section " How to configure cookies? " below.

11.2 What are your rights?

Cookies that are strictly necessary for the provision of a service on the Site expressly requested by you do not require your consent.

However, cookies that are not strictly necessary for browsing the Site require your consent. Until you have given your consent, these cookies cannot be placed or read on your device. You will be informed of this by the appearance of a banner.

You can withdraw your consent to the placement or reading of certain cookies on your device at any time.

This consent is valid for thirteen (13) months. After this period, your consent will be requested again.

Cookies are stored on your device for a maximum of thirteen (13) months. After this period, the cookies are permanently deleted from your device. This period is not extended in any way by a subsequent visit to the Site.

The data collected via cookies is not combined with any other data processing.

You have the option to object to cookies through an objection mechanism by sending a request to this effect to the following address: contact@tapilou.com .

If you exercise this right, no data concerning you will be collected.

You are informed that refusing to install a cookie may prevent you from accessing certain services on the Site.

11.3 How to configure cookies?

To refuse the installation of cookies that are not essential for browsing the Site, you can configure your internet browser settings as follows:

• In Firefox: go to the " Firefox/Preferences " tab. Click on " Privacy " and choose " Never " under " Accept third-party cookies ". You can also choose to only keep cookies until Firefox is closed;
• In Google Chrome: click the " More " tab. Click on " Settings " then " Advanced settings ". In the " Privacy and security " section, click on " Content settings ", then click on " Cookies " and disable " Allow sites to save/read cookie data ". You can also choose to enable it;
• In Safari: go to the " Safari/Preferences " tab. Click on " Privacy " and choose " Always block " under " Cookies and website data ". At the end of your browsing session, you can also click on " Remove all website data ". You can also choose to enable the " Do Not Track " feature.
• In Edge: go to the " Internet Options " tab, then " Privacy ", where you can configure the internet zone and limit cookie access by choosing the " High " privacy option, which blocks cookies with insufficient privacy policies as well as cookies that record information without user consent;
• In Opera: go to the " Preferences " tab. Click on " Advanced " and then click on " Cookies ". You can choose to accept all cookies, only those from the visited site, or never accept cookies.

Please note, however, that your consent is stored using a cookie. Therefore, if you delete all cookies stored on your device via your internet browser, we will be unable to know that you have chosen this option.

Warning : if you systematically refuse the installation of all cookies on your Terminal, including those strictly necessary for browsing, via the " block all cookies " options, your browsing on the Site may be limited, and access to certain services may prove impossible.

For more information, you can consult the CNIL website via the following link:

https://www.cnil.fr/fr/cookies-les-outils-pour-les-maitriser .

12. HOW TO CONTACT US?

You can contact us if you have any general questions or concerns about this privacy policy or how we process your Personal Data at the following address: contact@tapilou.com or via the contact form.

13. CHANGES TO THIS PRIVACY POLICY

We may update this privacy policy at any time in the event of changes to our practices and in particular to the functionalities of the Site.

In the event of any changes to our privacy policy, we will necessarily update the " last updated" date herein. We will be sure to inform you of any substantial changes relating to the processing of your data by posting a prominent notice on the Site.

[1] Hyperlinks:

https://stripe.com/fr/privacy

https://getalma.eu/legal/data

https://www.paypal.com/fr/webapps/mpp/ua/privacy-full

[2] Intermediate archiving refers to data which still has administrative value for the services concerned (in case of litigation for example), and whose retention periods are set by the legal rules of prescription.