Privacy and personal data protection policy applicable to the UMAY Application

1. Identification
 
This UMAY application (the “Application”) is the property of OCEAN PINK, a simplified joint-stock company with capital of €5,000 registered in the Chateauroux Trade and Companies Register under number 844 724 336, whose registered office is located 1 ROAD OF THE LORDS 36220 LURAIS (contact@umay.app)
OCEAN PINK is subject for France to VAT under the number FR05844724336.
The publication director is Pauline VANDERQUAND.
The Application is hosted by OVH, SA par simplified share with a single shareholder with a capital of €10,174,560, whose head office is located at 2, rue Kellermann, 59100 Roubaix. Contact: www.ovh.com

2. Protection of personal data
 
OCEAN PINK attaches great importance to the protection of privacy and personal data. In accordance with European Regulation 2016/679 of April 26, 2016, the “Informatique et Libertés” law of January 6, 1978 amended by order no. 2018-1125 of December 12, 2018 and the decree of August 1, 2018, OCEAN PINK takes strong commitments to the people concerned.
It is recalled that all information collected on the Application is recorded by OCEAN PINK, responsible for processing.

Data collected
OCEAN PINK collects personal data transparently and explicitly. As such, OCEAN PINK collects:

• Data relating to the identification of the persons concerned
• Browsing data (IMEI, connection logs, etc.)
• Location data (movements, GPS data, etc.)

Information relating to the identification of the persons concerned:
A minimum of information allowing the identification of people is collected. It is mainly about the email in order to be able to find his account and some individual characteristics (gender, age, sexual orientation, habits of outings and travels). All this information is optional and not mandatory to use the application. A simple peudo is enough to use the application anonymously.
Location information:
In order to be able to provide the Essential Services of UMAY, we need to track the location of your device when you use UMAY.
We collect and process geolocation information when you register and use the UMAY Application: when you launch a journey or an SOS from the application, it being specified that we do not store your location data in real time, only your last position.
Your location data is also shared with the trusted people you have selected and only with them.
We do not track your device location when you are not using UMAY
If you wish to stop location tracking of your device, you can do so at any time by changing your device settings.
Browsing information:
The IMEI number of the phone, the date of creation of the account, the date of the last connection, the Firebase Token used for Push notifications, the USER’s OS (Android or IOS), the current version of the UMAY Application installed
Sensitive information such as medical information:
UMAY does not collect Medical Information

Purposes of processing
Each processing is carried out specifically for explicit purposes and clearly referred to on the page of the Application where the data is collected. These purposes are as follows:
For the provision of services: We use the information in the context of the provision of our services, in particular to allow you to carry out the following actions:

• Start a journey to an address, to a safe place or to location sharing without a destination
• Find safe places around you within a determined radius
• Trigger an SOS to allow your trusted people to find you

To personalize your experience:
We keep the data allowing us to calculate your level. The data concerned are the number of journeys launched, the number of sharing of the application, the number of recommendations of safe places.
You can also save addresses to start a trip faster
To communicate with you:
If you wish, you can provide us with your email address (not mandatory) to find your account in the event of a change of telephone or reinstallation of the application.
To contract, monitor and perform the service, (ii) the improvement of products or services and (iii) where applicable, pre-litigation and contractual litigation management. The legal basis for this processing is the performance of a contract (Article 6.1.b of the European Regulation);
To produce statistics. The legal basis for this processing is the pursuit of legitimate interests of the data controller (article 6.1.f of Regulation 2016/679 of April 26, 2016).
OCEAN PINK reserves the right to create additional and/or complementary means of collection. As such, OCEAN PINK will specify, in accordance with the regulations, the purposes specific to the processing concerned on the data collection page.

Data recipient
The recipients of the data are of several orders:

• Company staff
• The data host
• Subcontractors and institutional partners

These categories of recipients are supplemented by the competent administrative and judicial authorities as well as, where applicable, categories of recipients specific to each processing operation and expressly referred to in the notices displayed on the data collection page.
The transmission of personal data to recipients (regardless of their legal nature, subcontractor, data controller or simple recipient) is carried out in a secure manner and pursuant to an agreement between OCEAN PINK and each recipient. OCEAN PINK undertakes that each recipient is aware of the guiding principles for the protection of personal data and is subject to them in application of the law and/or a specific contract.

Data transfer
The data collected on the Application may be processed outside the European Union. If this is the case, OCEAN PINK will take all necessary measures with its subcontractors and partners to guarantee a level of protection of the data collected in accordance with the applicable regulations.
If the subcontractors and partners concerned are not located in a country with legislation considered to offer adequate protection, they will then have previously signed the “standard contractual clauses” of the European Commission or will be subject to binding internal rules. approved by the competent authorities.

Data retention
OCEAN PINK takes care to store your personal data either within the European Union, or in a country that guarantees a level of protection adequate to the level of legal protection provided by European Union law, or by signing with the subcontractor hosting your personal data the standard clauses of the European Commission.
As such, OCEAN PINK has taken all the guarantees in terms of compliance with the regulations. Your personal data is thus kept by OCEAN PINK in a secure manner, in accordance with the applicable regulations, for a period not exceeding that necessary with regard to the purposes for which they are processed and in no case exceeding the limitation periods provided for by applicable law.

Your rights
You have the following rights:

• right of access to your personal data;
• right to rectification of your personal data if they are inaccurate or incomplete;
• right of limitation under the conditions referred to in Article 18 of Regulation 2016/679 of April 26, 2016;
• right to erasure of your personal data if:
• they are no longer necessary for the purposes for which they were collected or otherwise processed;
• you withdraw your consent with regard to processing subject to consent (e.g. commercial prospecting);
• you validly object to the processing;
• they have been unlawfully processed; or a law requires it.
• right of opposition for legitimate reasons,
• right to the portability of your data,
• right to define directives relating to the fate of your personal data after your death and,
• for processing based on consent, to withdraw your consent at any time.

To exercise one or more of these rights, you must provide proof of identity and contact the person in charge of data protection at OCEAN PINK, whose contact details are as follows: contact@umay.app

Contact information
In the event of a complaint, you can contact the CNIL (www.cnil.fr).
You can register on the cold calling opposition list at www.blocktel.gouv.fr/.

3. Force majeure
 
OCEAN PINK cannot be held liable in the event of non-performance of one of its commitments to Users, if this failure is due to a case of force majeure such as (and without limitation) natural disasters, riots, wars, epidemics , prince’s act, earthquakes, telecommunications malfunction.

4. End of contract
 
Each User may delete his User Account at any time without any prior justification, thus terminating his User contract. All you have to do is make a request by email to contact@umay.app.
The deletion of the User Account may lead to the deletion of all the content to which You had access.
OCEAN PINK reserves the right to delete the User Account of any User who seriously and repeatedly violates these General Conditions.

5. Applicable law and jurisdiction
 
The General Conditions are subject to French law. The competent jurisdictions are determined by article L141-5 of the Consumer Code.
The Application complies with French legislation, and under no circumstances does OCEAN PINK give any guarantee of compliance with the local legislation that would be applicable to you, when you access the Application from other countries.
These General Conditions are written in French. In the event that they are translated into a foreign language, only the French text is authentic in the event of a dispute.

APPENDIX I
DATA PROCESSING AGREEMENT / GDPR
Given the operation of OCEAN PINK’s tools and services and in accordance with the EDPB Guidelines of September 2, 2020, the Parties have determined the positions of the Parties as follows.

Definitions
Unless otherwise expressly specified in this DPA, the terms “Regulatory Authority”, “Personal Data”, “Data Subjects”, “Binding Corporate Rules”, “Controller”, “Processor”, “Processing” and “Personal Data Breach” will have, in this DPA, the definitions provided by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”).
In addition, the term Laws and regulations applicable to the protection of personal data will have, in this DPA, the following definition: “laws, regulations and other national and European standards, applicable to the processing of personal data implemented works under the Contract(s), including in particular the GDPR and French law adopted in addition to or in application of the provisions of the GDPR, as well as, where applicable, the European regulations applicable to the processing of electronic communications data , the use of tracking technologies such as cookies and direct marketing (“e-Privacy” rules). The laws and regulations applicable to the protection of personal data are interpreted by the CNIL and the EDPB. »

Location data: we collect and process geolocation information when you register and use the UMAY Application (when you launch a journey or an SOS from the application, it being specified that we do not store your location data in real time only your last location. We do not track your device’s location when you are not using UMAY, however, in order to provide UMAY’s Essential Services, we need to track your device’s location when you are using UMAY. If you wish to stop tracking the location of your device, you can do so at any time by changing your device settings.

BROWSING DATA: the IMEI number of the phone, the date the account was created, the date of the last connection, the Firebase Token used for Push notifications, the USER’s OS (Android or IOS), the current version of the UMAY app installed

Sensitive information such as medical data: UMAY does not collect medical data.