Compte CO2 - Headband Illustration

Personal Data Protection Policy

This document describes 450's Personal Data Protection Policy.

The general terms and conditions of all 450 products and services (hereinafter the "General Terms and Conditions") governing the relationship between 450, a simplified joint stock Company with capital of €40,000.00, Brest Trade and Companies Register number 523 074 540, Registered office: 11, rue de Poulizan, 29127 Plougonvelin , France hereinafter referred to as "450"), and any person applying for or holding an account with 450 (hereinafter referred to as the "Customer" or the "Member" or the "Account Holder" or the "User") are described in the document General Terms and Conditions also referred to as « GTC ».

Climate change has become a major concern. However, many people are still wondering how they can take action at their own level. SAS 450 (hereinafter "450") has been forged around the vision: the fight against climate change will either be a citizen's fight or it won't be. If we are to turn the corner on climate change, it is essential to encourage everyone to change their habits, particularly the way they live and travel.

The CO2 Account, operated by 450, makes a vital contribution by creating an €G currency for the climate. To use this currency, 450 has introduced the CO2 Card, associated with the CO2 Account.

450 processes the Personal Data (as defined below) of persons browsing the CO2 Account Website and the smartphone Application, which have been developed by 450.

Article 1 - Définitions

In these Personal Data Protection Policy (hereinafter the "Personal Data Protection Policy"), unless the context indicates otherwise, the expressions and terms below shall be defined as follows:

« 450 » or « 450 SAS »: 450 Company, a simplified joint stock Company (société par actions simplifiée), governed by French law and having its registered office at 11, rue de Poulizan, 29217 Plougonvelin, France, registered with the Brest Trade and Companies Register under number 523 074 540. 450 is an electronic money distributor of the electronic money establishment Treezor, having its registered office at 94 rue de Villiers 92300 Levallois-Perret.

« Application »: The CO2 Account smartphone application developed by 450.

« Treezor »: SAS Treezor, 450's partner and ACPR-approved payment service provider Établissement de Monnaie Électronique under number 16798, a company of which 450 is a distributor.

« CO2 Card »: Prepaid payment card, supplied by Treezor, used to operate the CO2 Account.

« CO2 Account»: Account to which the Card operates and to which any €G Reward obtained under the Program is credited.

« General Terms and Conditions »: The general terms and conditions governing the use of the Site and the Application.

« Non-Personal Data »: Non-Personal Data refers to information that does not allow a person to be identified. Non-Personal Data may, for example, be an analysis resulting from an aggregation of several Personal Data made anonymous (in such and such a department, X% of households heat with a wood-burning stove). 450 may provide Non-Personal Data to its Partners. Non-Personal Data is not covered by this Personal Data Protection policy.

« €G »: The €G, or green-euro, is the unit of account of the CO2 Account. One €G is worth one euro. An €G is issued when there is a reduction in carbon dioxide emissions (CO2).

« Client » or « Member »: A person who uses the Site and/or the Application and who is duly registered by communicating Personal Data intended for this purpose.

« €G Bonus »: Quantity of €G credited to the CO2 Account obtained under theme, and corresponding to the Member's CO2 emission reductions in accordance with the procedures described in the General Terms and Conditions.

« Program »: The incentive program designed to reward Members who reduce their CO2 emissions in accordance with the procedures described in the General Terms and Conditions.

« Web Site »: the Compte CO2/COO2 Account website.

« Self Data »: According to the FING, the expression "Self Data" refers to the production, use and sharing of Personal Data by individuals, under their control and for their own purposes: to get to know themselves better, make better decisions, evaluate their past decisions, make life easier, and so on.

« Company » ou « 450 »: 450 SAS, which owns and manages the Program.

« Owner »: The person who has the CO2 Card and who has met the administrative requirements (in particular the requirement to provide Personal Data) to obtain it. The person holding the CO2 Card must use the Application, and possibly the Website, and have a CO2 Account.

« User »: A person who uses the Site and/or the Application and who is duly registered by communicating Personal Data intended for this purpose.

«Visitor »: Any person using the Site or the Application who is likely to have communicated to 450 one or more personal data concerning him/her (email, telephone number, etc.).

« You » « Your »: Visitors and users of the Website and Program Members.

Article 2 - Scope of this personal data protection policy

This Personal Data Protection Policy sets forth the principles and guidelines for the protection of the Personal Information of visitors and users of the Website and/or the Application, and/or holders of a CO2 Account with 450 ("You" or "Your"), collected on - or via - the Website and/or the Application. Your use of the Website, of the Application as well as the Personal Data that You agree to communicate in the context of their use or of the creation of a CO2 Account with 450 are subject to the provisions of the present Personal Data Protection Policy and to the General Terms and Conditions of the Website, of the Application, of the CO2 Account and of the CO2 Card. The General Terms and Conditions of the Website, the Application, the CO2 Account and the CO2 Card form part of this Personal Data Protection Policy.

Article 3 – Collected Data

3.1 - General Information

In order to access certain functionalities of the Website and the Application, or to subscribe to the creation and operation of a CO2 Account, with or without the CO2 Card, You must provide 450 with certain Personal Data when You visit or use the Website and the Application.

The Personal Data likely to be collected includes:

• Civil status and identification data: surname, first name(s), gender, date and place of birth, nationality, videos of both sides of one or more identity documents, proof of identity, family situation, marital status, and authentication photos/videos (which may be subject to biometric processing);

• Contact and connection data: postal address, e-mail address, telephone number(s), proof of address, username and password, IP address, devices used to connect to the CO2 Account application and data associated with the use of the application (dates and times of access, data associated with the use of the device, unique identifiers), cookies;

• Data linked to Your personal situation: type of heating in Your home, annual energy consumption in Your home, number and type of vehicles, annual mileage travelled in each vehicle;

• Data relating to Your professional situation: professional situation;

• Economic data: income (amount, sources and supporting documents), tax residences;

• Transactional data (nature of operations, date, card payments, transfers, direct debits, amount, wording, reasons for operations, bank details, etc.);

• Connection data linked to the use of our services: identification and authentication data, logs, cookies and other tracers, browsing data on the Site and Applications;

• Data from correspondence and communications between You and us, carried out remotely: telephone conversations and calls, postal and electronic mail, instant messaging, communications on social networks, server logs & API security logs (IPs/Devices), complaints or claims or any other type of communication;

• Data relating to products and services subscribed to (type of product, method of payment, due date, amount);

• Data in the User’s Contact List (only if the User chooses to link his or her contact directories to the Application);

• and any other Personal Data useful for the purposes of registering and possibly obtaining and managing the CO2 Account and the CO2 Card (information or documents needed to trace the origin and destination of funds for transactions carried out with Your account). In any event, the Personal Data collected is limited to the data required for the purposes described in article 4.

You are free to choose whether or not to provide all or part of Your Personal Data. No personal data is collected unless You have voluntarily decided to provide it. However, if You choose not to provide them, such a decision could prevent the achievement or satisfactory achievement of the objectives described in article 4 below, certain services and certain functionalities of the Website and/or the Application could not function and/or You will not be authorised to purchase products or services via the Website and/or the Application. Furthermore, for the creation and management of the CO2 Account, whether or not associated with the CO2 Card, the collection of a certain number of Your Personal Data is mandatory. In this respect, You may also object to the said collection, but 450 would then no longer be able to provideYou with access to its products and services.

You may at any time choose to leave the Program and cancel Your registration. In this case, all Your Personal Data will be deleted, with the exception of the user's e-mail address, in accordance with the conditions described in articles 6 and 7.

With regard to the closure of the CO2 Account or the cancellation of Your subscription to the CO2 Card, this Personal Data Protection Policy refers to the respective General Terms and Conditions of Use of the said services and products.

3.2 - Exclusion of the processing of special categories of personal data relating to the aforementioned services and product.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, known as the "GDPR", the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosop hical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning the sex life or sexual orientation of a person are prohibited, unless expressly exempted.

In the course of its business, 450 does not collect and/or process personal data as mentioned in this 3.2.

3.3 - Protection of children's personal data

450's products and services are also aimed at children under the age of 18, who can influence their parents and grandparents to take action to combat climate change, which is by construction an intergenerational issue. As a result, 450 voluntarily collects, uses and stores Personal Data and Non-Personal Data from children under the age of 18. 450 is committed to protecting such information and treating it as sensitive data.

"GDPR", where the direct provision of information society services to children, the processing of personal data relating to a child is lawful where the child is at least 16 years old. Where the child is under the age of 16, such processing is lawful only if, and to the extent that, consent is given or authorised by the holder of parental responsibility for the child.

450 therefore invites any minor wishing to register and/or benefit from its products and services to contact his or her legal guardian for consent purposes. 450 pays particular attention to the protection of the Personal Data of minors under the age of 16, and reasonably to compliance with the provisions of the said regulation relating to parental consent.

Accordingly, 450 invites each legal guardian to present and explain the purpose and content of such a personal data protection policy to the minor child in his or her charge, in the event that the minor child is concerned by registering for and/or obtaining 450 products and services.

Article 4 - Methods and purposes of collecting personal data

The Personal Data is intended to be returned to You (Self Data) so that You have information and incentives enabling You to reduce Your CO2 emissions, and so that You can share this information with other users of the Website, with the aim of leading society towards a low CO2 economy: it's up to us to invent the low carbon economy!

Personal Data is also generally collected for the needs of 450's business such as improving Your identification relating to the products and services provided by 450, Your authentication on its various dematerialized media, and in particular for better marketing and advertising efforts by 450, better adaptation of 450's products and services to customer needs or compliance with the reporting obligations provided for by law, and other similar activities.

With respect to specific payment services, 450 also collects Personal Data in order to comply with its legal and regulatory obligations relating to the identification, verification of identity and knowledge of its customers.

The Personal Data concerning You collected on - or via - the Website and/or the Application are subject to computer processing and are used by 450 for the following purposes:

• To provide You with data (Self Data) to enable You to estimate Your CO2 emissions, then to calculate them exactly (real emissions), based on Your energy consumption bills, and to enable You to evaluate solutions to reduce Your CO2 emissions; The CO2 content of each energy source should enable You to make better decisions in order to reduce Your emissions;

• To encourage You to reduce Your CO2 emissions and to inform You about the problem of climate change and the need to combat climate change;

• To enable You to communicate and exchange with other users of the Website;

• To enable You to request information;

• To enable You to make interactive and personalised use of the Website and/or the Application;

• To facilitate the circulation of the Program's new €G digital currency;

• To identify Your needs and areas of interest and to provide You with the most suitable products and services;

• To send You by e-mail promotional offers from its Partners for products or services payable in €G;

• Send You newsletters from the Program;

• The management of the business relationship, the CO2 Account and/or the products and services subscribed to, the fight against fraud and money laundering, compliance with the legal and regulatory obligations incumbent on 450 (such as knowledge of its customers, security of computer networks, etc.), in particular for the purposes of proof;

• Generally, accessing all the functions and options offered by the Website;

• The creation and management of Your CO2 Account, as well as the various products and services related thereto;

• And any other purpose related thereto.

By providing Your Personal Data necessary for the performance of 450's business (such as name, surname, date of birth, e- mail address, mobile telephone number, home address, proof of address and identity, accommodation, etc.), You expressly authorise 450 to use it together with other Personal Data useful for sending You commercial or marketing messages. 450 may also use Your e-mail address for administrative or other non-marketing purposes (for example, to notify You of important changes to the Website).

Article 5 - Cookies and other local information storage systems

Cookies are text files stored and used to record personal and non-personal information about Your browsing on the Website and the Application. 450 may use "cookies" or other technologies that may collect or store Personal Data in order to improve the services provided to You, for example, by:

• enabling a service to recognise Your equipment, so that You do not have to provide the same information several times in order to perform the same task;

• recognising the user name and password that You have already provided so that You do not have to provide them again on every web page that requests them;

• measuring the number of users of the services, thus making them easier to use and ensuring their ability to respond quickly to Your requests;

• analysing the data to enable 450 to understand how users interact with the services in order to improve them.

450 uses two types of cookies: permanent cookies and so-called "session" cookies. Session cookies disappear as soon as You disconnect from the Website and/or the Application. Permanent cookies are retained after You disconnect from the Website and/or the Application so that they can be used during Your subsequent connections, for a period of 12 months.

You will be notified the first time You receive a cookie and You can decide whether or not to accept it. By continuing to use the Website and/or the Application with knowledge of the information detailed above, You expressly accept the use by 450 of such cookies and other local information storage systems.

You may also program Your browser in such a way as to systematically refuse cookies. However, if this is the case, certain functions and features of the Website may not function correctly and You may not be able to access certain services.

Article 6 - Conditions for processing and storing personal data

The "processing" of Personal Data includes in particular the use, storage, recording, transfer, adaptation, analysis, modification, declaration, sharing and destruction of Personal Data in accordance with what is necessary with regard to the purpose of data collection, circumstances or legal requirements.

Your Personal Data is also hosted by one of 450's partners (Clever Cloud SAS, registered with the Nantes Trade and Companies Register under number 524 172 699), which may retain it for the purposes of creating and managing user accounts for 450's services and products, until it is deleted. In this respect, 450 informs You that the Personal Data transmitted to Clever Cloud is stored in France. 450 invites You to consult Clever Cloud's privacy policy at the following link: https://www.clever-cloud.com/privacy-policy.

In addition, for the purposes of creating the products and services offered by 450, in particular the CO2 Card, your Personal Data is transmitted to Treezor SAS, an ACPR-approved Electronic Money Establishment (Établissement de Monnaie Électronique) on 21 June 2016, under number 16798 for the purposes of creating the Card and managing the associated account.

All Personal Data collected is kept for as long as Your Member contract is active.

If You decide to terminate Your membership contract, all Your Personal Data will be deleted, with the exception of :

• The user's e-mail address;

• Civil status, contact and transactional data may be kept for a period of five (5) years from the end of the business relationship, in particular for proof purposes;

• Any other Personal Data useful in the context of the purposes and for a limited period depending on the purpose of the processing and the minimum retention period stipulated by the applicable legislation.

When it is no longer retained, Personal Data is destroyed.

Article 7 - Links to websites not controlled by 450 or its subsidiaries

The Web Site and/or the Application may contain links to third party Web Sites that may be of interest to You.

450 does not provide any Personal Information to these third parties without Your express consent. However, 450 may provide them with Non-Personal Information. These third parties use technological processes to send advertisements and links appearing on the Web Site directly to Your browser, via Your IP address. They may also use other technologies (such as cookies, javaScript or Internet banners) to assess the effectiveness of their advertisements and personalise their content.

450 has no control over the content of third party Internet Web Sites or over the practices of such third parties with respect to the protection of Personal Data, which are not covered by 450's commitments under this Personal Data Protection Policy. 450 therefore declines all responsibility for the content of third party Internet Web Sites.

450 invites You to obtain information on the personal data protection policies of these third parties.

Article 8 - Transfer of personal data

If You access the Web Site from a country outside the European Union whose legislation on the collection, use and transfer of data differs from European legislation, You agree to the transfer of Your Personal Data to the European Union as part of Your browsing on the Web Site and/or the Application.

450 authorizes itself to provide its affiliates or subsidiaries located in other countries outside the European Union with Your Personal Data, in strict compliance with the purposes mentioned above. However, prior to the transfer of Your Personal Data, 450 ensures that these recipients comply with the requirements of the European Union Directive on the protection of personal data and/or that contractual measures to secure the transmission of Personal Data have been adopted.

If 450 becomes aware that a third party is using or disclosing Personal Information in a manner inconsistent with this Personal Data Protection Policy or in violation of applicable law, 450 will take all reasonable steps to prevent or stop such use or disclosure.

You have the right to authorize 450 to use Your Personal Information for a purpose other than its original purpose.

450 may also transfer Your Personal Information to third parties if 450 believes that such transfer is necessary for technical reasons (for example, to host the Web Site) or to protect its legal interests (for example, in the event of an acquisition or merger by a third party or the liquidation of all or part of 450). Such transfers may be made over the Internet, by mail, by facsimile or by any other method that 450 deems appropriate and in accordance with applicable law.

Article 9 - Right of access, rectification and opposition

450 has put in place appropriate Personal Data protection measures to ensure that Personal Data is used correctly and to ensure that it is accurate and kept up to date.

In accordance with the French Data Protection Act of 6 January 1978, as amended in 2004, You have the right to access and rectify information concerning You, which You may exercise by logging into Your CO2 Account. Alternatively, You may exercise Your rights of access and rectification by sending an e-mail to the following address : cnil@compteco2.com.

In accordance with Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the "GDPR", You may withdraw Your consent to the processing of Your Personal Data at any time. The withdrawal of Your consent does not compromise the lawfulness of the processing of Your Personal Data based on the consent given prior to the withdrawal.

Nevertheless, any withdrawal of Your consent is likely to compromise Your use of the products and services offered by 450, in particular the CO2 Card and the associated CO2 Account. 450 would then no longer be able to allow You to participate, the identification of any individual by Personal Data being necessary for this activity.

You may, at any time, object to the processing of Your Personal Data by sending an e-mail to the following address: cnil@compteco2.com. 450 will respond to Your request as quickly as possible, unless there are compelling legitimate reasons for not doing so.

Article 10 - Security and data recipients

450 takes care to protect and secure the Personal Data that You have chosen to communicate to it, in order to ensure their confidentiality and prevent them from being distorted, damaged, destroyed or disclosed to unauthorised third parties.

450 or its suppliers have taken physical, electronic and organisational protection measures to prevent any loss, misuse, unauthorised access or distribution, alteration or possible destruction of this Personal Data. Among these protection measures, 450 or its suppliers integrate technologies specially designed to protect Personal Data during their transfer. However, despite the efforts of 450 or its suppliers to protect Your Personal Information, 450 or its suppliers cannot guarantee the infallibility of this protection due to the inevitable risks that may arise during the transmission of Personal Information.

As all Personal Information is confidential, access to it is limited to 450 employees, service providers and agents who need it to perform their duties. All persons having access to Your Personal Data are bound by an obligation of confidentiality and may be subject to disciplinary measures and/or other sanctions if they fail to comply with these obligations.

However, it is important that You exercise caution to prevent unauthorised access to Your Personal Data. You are responsible for the confidentiality of Your password and the information contained in Your account. Consequently, You must ensure that You close Your session if You share the same computer.

450 undertakes to collect and process Your Personal Data in a lawful, fair and transparent manner, for the purposes of the Program and any other product or service that may link you to 450.

450 is responsible for the security of the Personal Data that You communicate to us. Consequently, we undertake to notify You as soon as possible in the event of leakage, theft or misappropriation of Your Personal Data, in accordance with the regulations in force.

Article 11 - Conflict resolution

Although 450 has taken reasonable steps to protect Personal Information, no transmission or storage technology is completely infallible.

However, 450 is committed to ensuring that Personal Information is protected. If You have reason to believe that the security of Your Personal Information has been compromised or that it has been misused, You are invited to contact 450 at the following address: cnil@compteco2.com.

450 will investigate and attempt to resolve complaints regarding the use and disclosure of Personal Information in accordance with the principles set forth in this Personal Data Protection Policy.

Unauthorized access to or misuse of Personal Information may violate local laws and the policies of 450, its affiliates or subsidiaries.

In accordance with Regulation (EU) 2016/670 of the Parliament and of the Council of 27 April 2016, known as the "GDPR", if You submit a request for information relating to Your Personal Data to 450's Personal Data controller, the latter must respond as soon as possible, and in any event within one month of receipt of the request by 450. This period may be extended by two months in view of the number and complexity of the requests to be processed by the latter.

If the controller of Your Personal Data is unable to respond correctly, it has one month from receipt of Your request to explain the reasons for its inaction.

Article 12 - Contact

If You have any questions about this Personal Data Protection Policy, You can send an e-mail to the following address: cnil@compteco2.com.

Effective date and revisions to the Personal Data Protection Policy

This Personal Data Protection Policy may be updated according to 450's needs and circumstances or if required by law.

Compte CO2 - Footer Flower Illustration