Personal Data Privacy Policy

Preamble

The purpose of this privacy policy is to present to the users of the Site the measures relating to the processing of their personal data and, in particular, to inform them how their personal data may be collected and processed on the Site.

The Site is a platform connecting boat owners with nautical-sector professionals (in particular concierge, skipper, mechanic). Two types of users are distinguished:

• visitors, who browse the Site without creating an account;
• clients, who create an account and use the platform's services. Clients fall into two categories: boat owners (the "Owners") and nautical-sector professionals (the "Professionals"). A Professional may attach their employees to their account, each having their own profile.

This policy applies to all of these users; where necessary, the processing operations specific to visitors, Owners and Professionals are distinguished.

1. Identity of the data controller

The data controller is CHECK BOAT, a simplified joint-stock company (société par actions simplifiée, SAS) with a share capital of 1,000 euros, registered with the Trade and Companies Register of La Rochelle under number 935 085 282 and whose registered office is located at 4 route du Moulin Neuf, 17220 Saint-Médard-d'Aunis, France.

CHECK BOAT acts as data controller for the processing operations related to the operation of the platform, account management, matchmaking, booking and payment.

When a Professional receives an Owner's data (or vice versa) in order to carry out a mission, the Professional acts as an independent data controller for the processing it carries out on its own behalf and undertakes to comply with the applicable regulations. CHECK BOAT and the Professionals are not joint controllers: each is responsible for the processing whose purposes and means it determines.

2. Processing of users' data

First of all, this data privacy policy is intended for all users of this Site, whether a mere visitor, a prospect or a client (Owner or Professional) of the data controller.

The data controller ensures that only the data strictly necessary for the purposes for which they are processed are collected and processed.

2.1. When data is collected

The data controller may collect users' personal data:

• when they visit the Site;
• when they use the features and services offered on the Site;
• during exchanges with the data controller via the Site, in particular through the contact form;
• upon registration, creation and update of the user account, a matchmaking request, a booking or a payment.

2.2. The nature of the data collected

Data relating to a company (corporate name, legal form, registration number, share capital) do not in themselves constitute personal data; they fall under this policy only where they relate to an identifiable natural person, in particular a sole trader, a director or a contact person.

The personal data that the data controller may collect refer to information personally identifying users, such as, for example:

• identification data: title, surname, first name, email address, postal address, telephone number; for Owners, the address of the location where the boat is moored; for Professionals, the details of the contact person or director and, where applicable, the data relating to the sole trader;
• data relating to the management and security of the user account: login credentials, password;
• data relating to the management of the commercial relationship: mission or booking number, invoices, amount and commission, transaction data (payment identifier, status). Bank card data are processed directly by Stripe, a PCI-DSS certified provider; CHECK BOAT has no access to them and does not store them;
• data relating to the entity, for professional users: corporate name, legal form, share capital, country and city of registration, RCS number, SIRET, intra-community VAT, address, telephone, website;
• data relating to the verification of the professional profile: Kbis extract, insurance certificate, diplomas or qualifications, verified manually by CHECK BOAT;
• data relating to exchanges between users: content of messages exchanged via the messaging service and reviews posted;
• connection data: IP address, connection logs, browser, etc.

Cookies

Cookies are text files, often encrypted, stored in your browser. They are created when a user's browser loads a given website: the site sends information to the browser, which then creates a text file. Each time the user returns to the same site, the browser retrieves this file and sends it to the website's server.

The cookies placed on the site essentially make it possible to:

• display, on the user's first visit, the banner indicating the presence of cookies and the option to accept or refuse them;
• compile statistics and figures on traffic and use of the various elements making up the site (sections and content visited, navigation paths), enabling the data controller to improve the relevance and ergonomics of its services through the Matomo audience-measurement tool.

The user can configure their browser so that it notifies them of the presence of cookies and offers them the option to accept them or not. The user can accept or refuse cookies on a case-by-case basis or refuse them once and for all. Please note that this configuration may alter the conditions of access to the site's services that require the use of cookies.

Cookies are kept only for a maximum period of thirteen (13) months. The user's choice regarding the refusal or consent to the placing of cookies is kept for a period not exceeding six (6) months.

For the management of cookies and choices, the configuration of each browser is different. It is described in the help menu of the user's browser, which will tell them how to change their cookie preferences.

• For Safari™: support.apple.com/kb/ht1677
• For Chrome™: support.google.com/chrome
• For Firefox™: support.mozilla.org
• For Opera™: help.opera.com

2.3. Purposes of the collection

The personal data that users choose to provide to the data controller are intended to ensure:

• the proper functioning and continuous improvement of the Site, its services and its features;
• the handling of contact requests;
• the management of the user account;
• the matchmaking between Owners and Professionals;
• the management of bookings and missions;
• the processing of payments via the provider Stripe, the management of the escrow of funds until the mission is validated, the deduction of CHECK BOAT's commission and the transfer of the sums to the Professional;
• the provision of a messaging service allowing exchanges between the parties;
• the management of reviews;
• the verification and validation of the Professionals' supporting documents (Kbis extract, insurance certificate, diplomas or qualifications);
• the handling of contact and information requests;
• the handling of users' requests regarding their data rights (access, rectification, update, erasure, etc.);
• the compilation of statistics intended to improve the functioning of the Site;
• commercial management (orders, monitoring of the customer relationship, invoices, unpaid amounts, disputes, etc.);
• the sending of newsletters.

2.4. Legal bases

In accordance with Article 6 of the GDPR, the processing operations carried out by CHECK BOAT are based on the following legal bases:

• The performance of a contract or pre-contractual measures (Article 6.1.b): the creation and management of the account, the matchmaking between Owners and Professionals, the management of bookings and missions, the processing of payments (escrow of funds, commission, transfer) and the provision of the messaging service;
• CHECK BOAT's legitimate interest (Article 6.1.f): the verification and validation of the Professionals' supporting documents, the security and proper functioning of the Site, the prevention of and fight against fraud, the management of reviews and the compilation of traffic statistics. The user may object to this processing on grounds relating to their particular situation;
• Compliance with legal obligations (Article 6.1.c): invoicing, bookkeeping and the retention of supporting documents for the statutory periods;
• The user's consent (Article 6.1.a): the placing of non-essential cookies and, where applicable, the sending of marketing communications. This consent may be withdrawn at any time, without such withdrawal affecting the lawfulness of prior processing.

3. Information at the time of collection and consent

The data that must be provided on a mandatory basis will be indicated on the Site at the time personal data is collected. In principle, such data will be marked with an asterisk (*).

The Site is reserved for persons aged at least eighteen (18). CHECK BOAT does not knowingly collect data relating to minors.

4. Recipients of the data

The personal data that may be provided by users may be accessed by:

• the staff of the data controller's various departments: sales department, marketing department, customer-service department;
• the other party to the matchmaking: the Professional receives the Owner's data necessary to carry out the mission, and vice versa, each then acting as an independent data controller;
• CHECK BOAT's processors acting on its behalf, in particular the host (Amazon Web Services, Ionos), the payment provider Stripe and the chartered accountant.

5. Retention periods

Users' personal data are kept for the time necessary for the operations for which they were collected, in compliance with the regulations in force and in accordance with the purposes described in this privacy policy.

Different retention periods may apply depending on the purpose and the obligations in force, for example:

• clients' data (Owner and Professional) are kept for the duration of the contractual relationship plus five (5) years after the end of the relationship;
• prospects' data are kept for a period of three (3) years from the user's last incoming contact if they are not considered a client;
• accounting data are archived for a period of ten (10) years from the close of the financial year;
• cookies are kept only for a maximum period of thirteen (13) months, and cookie consent for a period of six (6) months.

6. Security and confidentiality

The data controller has taken all useful and necessary precautions, in particular physical, logical and organisational security measures, to preserve the security and confidentiality of personal data against any accidental loss, distortion, alteration, or any unauthorised access, use, modification or disclosure.

The data controller requires the same level of security from its providers and processors and, more generally, from any third-party recipient of the data.

7. Procedures for and exercise of users' rights

Under the conditions defined by French Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties and Regulation No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), natural persons have a right:

• to information or inquiry: the data subject has the right to know the purposes and methods of the processing of their data;
• of access: the data subject has the right to access the data concerning them collected by the data controller;
• to rectification and updating: the data subject may request that their data be amended if it is incorrect, completed or updated;
• to restriction: the data subject may request that their data be restricted in the cases provided for and limited by law (Article 18 GDPR);
• to portability: the data subject has the right to obtain, in a readable medium and a structured format, all the data concerning them;
• to erasure: the data subject may ask the data controller to erase the personal data concerning them, but only in six (6) cases:
  • the data are no longer necessary in relation to the purposes for which they were collected;
  • the data subject withdraws their consent;
  • the data subject objects to the processing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased to comply with a legal obligation;
  • the personal data were collected in the context of the offer of information-society services to minors.

Data subjects also have the possibility, on legitimate grounds, of objecting to the processing of the data concerning them by writing directly to the data controller, either to the following postal address: 4 route du Moulin Neuf, 17220 Saint-Médard-d'Aunis, France, or via the Site's contact form, accompanied where applicable by a valid proof of identity.

In addition, data subjects have the possibility of giving general or specific instructions on the methods of processing and use of their information after their death.

Furthermore, the law allows data subjects to lodge a complaint with the CNIL according to the procedures indicated on its website (www.cnil.fr).

Each user is required to comply with the regulations in force on personal data, the violation of which is punishable by criminal penalties.

8. Amendment of this privacy policy

This privacy policy may be amended to take account of legislative and regulatory developments and changes in the data controller's practices.

Users are therefore invited to regularly review this data privacy policy available on this Site.