Privacy policy

Article 1. PREAMBLE

This Privacy Policy is an integral part of the Vaultinum Platform Terms of Service, so the definitions used in the latter are incorporated herein. The Vaultinum Platform Terms of Service can be found at the following URL: https://vaultinum.com/platform-user-agreement. The purpose of this Privacy Policy is to inform Data Subjects about how their Personal Data is collected, how it is processed when using the Platform and/or the Services and finally the Specific Rights that Data Subjects have regarding such processing.

Article 2. DEFINITIONS

The following terms, whether used in the singular or plural in this Privacy Policy, shall have the following meanings:

Intermediate Archiving

means the archiving of Personal Data that is still of administrative interest to Vaultinum (for example, in case of litigation and / or legal obligation) in a distinct database, which is separated rationally or physically and to which, in any case, access is restricted. This archiving is an intermediate step before the deletion or anonymization of the Personal Data concerned;

Beneficiary

has the meaning given by the TOS;

TOS

means the Vaultinum Platform Terms of Service accessible on the Vaultinum website;

Deposit

has the meaning given by the TOS;

Personal Data

means the personal data of a Data Subject, as defined in the General Data Protection Regulation, collected and/or processed by Vaultinum in the context of the use of the Platform and/or the Services;

Specific Rights

means the rights granted by the General Data Protection Regulation regarding the processing of Personal Data;

Data Subject

means, without distinction, any person whose Personal Data is likely to be processed by Vaultinum including Users;

Platform

means the online platform accessible on the website of Vaultinum, by means of access codes and allowing the User to access the Services;

Privacy Policy

means this privacy and data protection policy for Data Subjects implemented by Vaultinum;

General Data Protection Regulation

means the law n°78-17 of January 6, 1978 relating to data processing, files and freedoms, in application of the EU regulation of April 27, 2016 published in the Official Journal of the European Union on May 4, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known as "GDPR" for General Data Protection Regulation);

Services

has the meaning given by the TOS;

User

has the meaning given by the TOS;

Vaultinum

means VAULTINUM, a Swiss limited liability company, identified by the BID number CHE-225.897.477, whose registered office is located at route de Pré-Bois 29 - 1215 MEYRIN - SWITZERLAND.

Article 3. LEGAL QUALIFICATIONS

3.1. Vaultinum Qualifications

Vaultinum determines the purposes and means implemented to provide the Platform and Services to Users and must be, as such, qualified as responsible for the processing of Personal Data. Vaultinum acts on the instructions of the Users concerning the hosting of the Deposits and the Personal Data of the Beneficiaries and must be, as such, qualified as a processor of the Personal Data.

3.2. Warranties of the parties

➢ Collection of Personal Data from Data Subjects

The User is solely responsible for the collection of Personal Data of the Data Subject that the User transmits directly (by communicating them) or indirectly (within the Deposits for example) to Vaultinum during the use of the Platform and/or the Services. When Vaultinum acts as a processor, it is the User's responsibility to ensure that the Personal Data of the Data Subjects are:

- collected in a lawful, fair and transparent manner with regard to the Data Subject;

- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

- adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization);

- accurate and, where necessary, kept up to date;

- kept in a form that allows the identification of the Data Subjects for no longer than is necessary for the purposes for which they are processed;

- treated in such a way as to ensure their appropriate security.

➢ Processing of Personal Data of Data Subjects

The use of the Platform and/or Services by the User necessarily calls for one or more processing of Personal Data of the User and/or, where appropriate, of Data Subjects with whom Vaultinum has no direct contractual relationship. As such, the User guarantees to Vaultinum that the processing of Personal Data of Data Subjects benefits from an adequate legal basis in accordance with the General Data Protection Regulation such as, in particular, the Data Subjects having consented to the processing of their Personal Data by Vaultinum in the context of the use of the Platform and/or the Services. The User guarantees to Vaultinum that it will ensure that the information of the Data Subjects whose Personal Data are processed shall be in a timely manner and in the forms required by the General Data Protection Regulation, and where applicable for what concerns the processing carried out by Vaultinum, by making available to the Data Subjects the present Privacy Policy.

Article 4. VAULTINUM ACTS AS THE DATA CONTROLLER

Vaultinum undertakes to implement adequate measures to ensure the protection of Personal Data of Users and to process them in compliance with the General Data Protection Regulation.

4.1. Identity and contact details of the data controller

The controller is Vaultinum and the representative of the controller is Mr. Philippe THOMAS, in his capacity as legal representative of Vaultinum, who may be reached at the email address contact@vaultinum.com or by phone at +41 41 511 82 08.

4.2. Collection of Personal Data

Vaultinum is required to collect and process Personal Data provided by the User via the registration form which is essential to the processing of their request for the creation of an account. By using this form, the User is required to submit the following:

- Surname;

- First name;

- E-mail address;

- Telephone number (optional);

- Date of birth (optional);

- Nationality (optional).

Non-optional information is mandatory and necessary only for the processing of the User's request. The absence of a response to a mandatory field is likely to compromise the processing of the User's request. Depending on the Service chosen by the User, the information indicated as optional when creating an account may become mandatory when subscribing to a Service.

4.3. Purposes of processing

The information collected in the registration form and transmitted directly by the User is recorded in a digital file by the controller and is used for the following purposes:

- Access to the Platform and provision of the Services;

- Customer relationship management and billing;

- Processing requests for access to deposited material;

- Technical support and maintenance of the Platform and/or Services;

- Management of requests to exercise Specific Rights;

- Traceability of operations carried out via the Platform.

The Personal Data is also used to send e-mails for informational purposes, and/or commercial prospecting concerning products or services similar to those already provided to the User. The User acknowledges that they can, at any time, object to the use of their Personal Data (see article 4.8"Exercise of Specific Rights") provided that such use is not necessary for the execution of a contract with Vaultinum and/or for a legitimate interest.

4.4. Legal basis for processing

In accordance with Article 6(1)b of the General Data Protection Regulation, the processing of Personal Data collected via the registration form and/or when subscribing to a Service is necessary for the execution of the TOS to which the User is party. The processing of traces (connection logs) related to operations carried out by the User via the Platform is necessary for the purposes of the legitimate interests pursued by Vaultinum, namely the security of information systems (see Article 6(1)f of the General Data Protection Regulation).

4.5. Retention period

The data collected is kept for the duration of the contractual relationship and, at the end of this period, for the legal period of preservation of data as evidence. Log data (connection logs) is kept for a maximum of one (1) year from the date of their collection. During these periods, Vaultinum undertakes to implement all necessary measures to ensure the confidentiality, integrity and security of Personal Data, so as to prevent, in particular, their access by unauthorized third parties.

4.6. Recipients and transfer of Personal Data

The Personal Data is transmitted to the relevant departments of Vaultinum in order to ensure the processing for the sole purpose provided and agreed upon by the User. Vaultinum uses the technology of the company INGENICO to provide banking transactions. Thus, when paying by credit card, the bank details are encrypted and transmitted to the company INGENICO, without Vaultinum ever having knowledge of such details. As such, Vaultinum does not collect the full number of the credit card, nor its cryptogram. To exercise its rights as set out in Article 4.8- "Exercise of Specific Rights", relating to credit card details, the User is invited to contact the company INGENICO directly. Vaultinum undertakes not to commercialize the personal data collected and not to make any transfer of Personal Data outside the European Union and/or Switzerland. In the event that Vaultinum uses a subcontractor who transfers data outside the European Union and/or Switzerland, it undertakes to ensure that this subcontractor provides sufficient guarantees regarding the implementation of appropriate technical and organizational measures.

4.7. Users' rights

In accordance with the General Data Protection Regulation, the User may, at any time, benefit from the following Specific Rights:

- Right of access;

- Right of rectification;

- Right to erasure;

- Right to restrict processing;

- Right to data portability;

- Right to object;

- Post-mortem instructions.

➢ Right of access

The User has the possibility to obtain from Vaultinum the confirmation that the Personal Data concerning them is or is not processed and, when it is, the access to the said Personal Data as well as the following information:

- the purposes of the processing;

- categories of Personal Data;

- the recipients or categories of recipients to whom the Personal Data have been or will be communicated;

- the length of time the Personal Data will be kept or, where this is not possible, the criteria used to determine this length of time;

- the existence of the right to ask Vaultinum the correction or deletion of Personal Data, or a limitation of the processing of its Personal Data, or the right to object to such processing;

- the right to lodge a complaint with the competent control authority (CNIL in France);

- where Personal Data is not collected from the User, any available information as to its source;

- the existence of automated decision-making, including profiling, and, at least in such cases, relevant information concerning the underlying logic and the significance and intended consequences of such processing for the User.

When Personal Data is transferred to a third country or to an international organization, the User has the right to be informed of the appropriate safeguards with respect to such transfer. Vaultinum provides a copy of the Personal Data being processed and may require payment of a reasonable fee based on administrative costs for any additional copies requested by the User or in the event of a request for transmission of the Personal Data in paper and/or physical form. Where the User submits an application electronically, the information shall be provided in a commonly used electronic form, unless the User requests otherwise. The User's right to obtain a copy of their Personal Data shall not infringe the rights and freedoms of others.

➢ Right of rectification

The User has the possibility to obtain from Vaultinum, as soon as possible, the correction of Personal Data that is inaccurate. The User also has the possibility to obtain from Vaultinum an assurance that any incomplete Personal Data has been completed, including by providing a complementary declaration.

➢ Right of erasure

The User has the possibility to obtain from Vaultinum the deletion, as soon as possible, of Personal Data concerning them where one of the following reasons applies:

- Personal Data is no longer necessary for the purposes for which they were collected or otherwise processed by Vaultinum;

- The User has withdrawn their consent for the processing of their Personal Data and there is no other legal basis for the processing;

- The User exercises their right to object under the conditions recalled below and there is no compelling legitimate reason for the processing;

- The Personal Data has been processed unlawfully;

- Personal Data must be deleted to comply with a legal obligation;

- The Personal Data was collected from a child.

➢ Right to restrict processing

The User has the possibility to restrict Vaultinum from the processing of their Personal Data when one of the following reasons applies:

- Vaultinum verifies the accuracy of Personal Data following the User's challenge of the accuracy of the Personal Data;

- The processing is unlawful and the User objects to the deletion of the Personal Data and demands instead the limitation of their use;

- Vaultinum no longer needs the Personal Data for the purposes of processing but they are still necessary to the User for the establishment, exercise or defense of legal rights;

- The User has objected to the treatment in the conditions outlined hereafter and Vaultinum verifies whether the legitimate reasons pursued prevail over the alleged reasons.

➢ Right to the portability of Personal Data

The User has the possibility to receive from Vaultinum Personal Data concerning the User, in a structured, commonly used and machine-readable format where: - The processing of Personal Data is based on consent or contract; and - The treatment is carried out using automated processes. When the User exercises their right to portability, they have the right to have the Personal Data transmitted directly by Vaultinum to another controller that they will designate when technically possible. The right to portability of the User's Personal Data must not infringe on the rights and freedoms of others. ➢ Right to object The User may object at any time, for reasons relating to their particular situation, to the processing of Personal Data concerning them based on the legitimate interest of Vaultinum. The latter will then no longer process the Personal Data, unless it demonstrates that there are compelling and legitimate reasons for the processing that prevail over the interests, rights and freedoms of the User, or may retain them for the establishment, exercise or defense of legal rights.

➢ Post-Mortem Instructions

The User has the possibility to communicate instructions to Vaultinum on the preservation, deletion and sharing of their Personal Data after their death, such instructions can also be registered with a "certified digital trustworthy third party". These instructions, or a kind of "digital will", can designate a person in charge of their execution; failing that, the User's heirs will be designated. In the absence of any instruction, the heirs of the User may contact Vaultinum:

- to access the processing of Personal Data for the "organization and settlement of the estate of the deceased";

- to receive disclosure of "digital assets" or "data resembling family heirlooms that may be transmitted to heirs";

- to proceed to the closure of the User's account and to oppose the continuation of the processing of their Personal Data.

In any case, the User has the possibility to indicate to Vaultinum, at any time, that the do not want, in case of death, that their Personal Data is communicated to a third party.

4.8. Exercise of Specific Rights

The above Specific Rights may be exercised at any time by sending an e-mail to the following address: dpo@vaultinum.com or by completing the contact form available at the following address: https://vaultinum.com/fr/contact. In order to exercise his or her Specific Rights under the conditions described above, the User must prove his or her identity by any means. Where Vaultinum has reasonable doubts about the identity of the person making the request to exercise a Specific Right, Vaultinum may request such additional information as is necessary, including, where required, a photocopy of a signed identity document. A response will be sent to the User within a maximum of one (1) month from the date of receipt of the request. If necessary, this period may be extended by two (2) months by Vaultinum, which will alert the User, taking into account the complexity and/or number of requests. In case of request from the User for deletion of their Personal Data and/or in case of exercise of their right to ask for the deletion of their Personal Data, Vaultinum will be able however to keep them in the form of Intermediate Archiving, and this for the duration necessary to satisfy its legal obligations, or for evidentiary purposes during the applicable prescription period. The User is informed that they may lodge a complaint with the competent control authority (in France, this is the CNIL). The User is also informed that they have the possibility to withdraw their consent to receive information and commercial offers by clicking on the unsubscribe link accessible at the bottom of an e-mail received.

Article 5. VAULTINUM ACTS AS A PROCESSOR

5.1. Description of the processing operation, purpose of the processing

Vaultinum is authorized to process, on behalf of the User, certain Personal Data necessary for the use of the Platform and/or the Services. The nature of the processing operations carried out is the collection, processing and storage of data.

The purposes of the processing are:

- the hosting of the Deposits;

- the hosting of the Personal Data of the Beneficiaries.

The categories of Data Subjects are:

- the Beneficiaries;

- any person whose data is included in a Repository.

The Personal Data is:

- the identity of the Beneficiaries: surname, first name, e-mail address, telephone number, company name;

- any other data contained within a Repository.

The data collected is kept for the duration of the contractual relationship and, at the end of this period, for the legal period of preservation of data as evidence.

5.2. Vaultinum's obligations to the User

Vaultinum is committed to:

- process the data only for the purposes for which they are intended to be processed;

- process data in accordance with this Privacy Policy;

- guarantee the confidentiality of the Personal Data processed;

- ensure that persons authorized to process Personal Data are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality and receive the necessary training in the protection of personal data;

- take into account the principles of data protection by design and data protection by default for its tools, products, applications or services.

5.3. Third-party processor

Vaultinum may use another processor (hereinafter referred to as the "Third-Party Processor") to conduct specific processing activities. In this case, it informs the User in advance and in writing of any changes envisaged concerning the addition or replacement of other processors. This information must clearly indicate the subcontracted processing activities, the identity and contact details of the Third-Party Processor and the dates of the processing. The User has a period of eight (8) working days from the date of receipt of this information to terminate his or her account in the event of an objection in accordance with the conditions set out in the TOS. The Third-Party Processor is required to comply with the obligations hereunder on behalf of and according to the instructions of the User. It is the responsibility of Vaultinum to ensure that the Third-Party Processor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the General Data Protection Regulation. If the Third-Party Processor does not fulfill its data protection obligations, Vaultinum remains fully responsible to the User for the Third Party Processor's performance of its obligations.. Right to information of the Data Subject It is the responsibility of the User, as the data controller, to provide information to the Data Subjects at the time of collection of the Personal Data.

5.5. Exercise of Specific Rights

To the extent possible, Vaultinum shall assist the User in fulfilling its obligation to respond to requests for the exercise of the Specific Rights of Data Subjects. Unless otherwise specified by the User, Vaultinum must respond, in the name and on behalf of the User and within the time limits provided by the General Data Protection Regulation to requests from the Data Subjects in case of the exercise of their Specific Rights, regarding the data subject to the processing provided by this Privacy Policy.

5.6. Notification of Breaches of Personal Data

Unless otherwise specified by the User, Vaultinum shall notify the competent control authority (CNIL in France), in the name and on behalf of the User, of violations of Personal Data as soon as possible and, if possible, no later than seventy-two (72) hours after becoming aware of them, unless the violation in question is not likely to create a risk for the rights and freedoms of a natural person. Unless otherwise specified by the User, Vaultinum communicates, in the name and on behalf of the User, the violation of Personal Data to the Data Subjects as soon as possible, when this violation is likely to generate a high risk for the rights and freedoms of a natural person.

5.7. Security measures

Vaultinum is committed to implementing the following security measures:

- Pseudonymization and encryption of Personal Data;

- the means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;

- the means to restore the availability of, and access to, Personal Data within a reasonable timeframe in the event of a physical or technical incident;

- a procedure to regularly test, analyze and evaluate the effectiveness of the technical and organizational measures to ensure the security of the processing.

5.8. Disposal of Personal Data

At the end of their contractual relationship, Vaultinum undertakes to destroy all Personal Data, including copies existing in Vaultinum's information systems, with some exceptions. Upon request of the User, Vaultinum can certify their destruction in writing.

5.9. Data Protection Officer

The Vaultinum Data Protection Officer can be reached at dpo@vaultinum.com.