Customer personal data protection charter

1. Our commitments to protecting your personal data

Since Courir was founded in 1980, we have always had a close relationship with our customers and with local social and economic fabric. In response to the increasing digitisation of personalised contact with customers, Courir has created a Personal Data Protection Charter shared with our partners.

This charter will help us maintain a close relationship with every customer and develop an accessible and relevant product offering. With your consent, Courir will inform you what we are doing to protect your personal data.

To enable you to buy with peace of mind, this charter contains clear, simple and genuine information about how data is processed by Courir with your consent. This charter will give you a better understanding of which information and personal data we collect (hereinafter referred to as "personal data") and how we use it to bring you new services while respecting all your personal data rights.

Whichever sales or contact channel you use, Courir undertakes to protect your privacy in accordance with current legislation by safeguarding the personal data you share with us, and keeping it confidential and safe.

The Main Principles

With your consent, Courir undertakes to adhere to the key principles for respecting fundamental rights and all current laws and regulations:

• Transparency: we supply you with all the useful information about the purposes and recipients of the data we collect about you;
• Legitimacy and relevance: we only collect and process the data needed for the purposes declared;
• Confidentiality and integrity: we implement all reasonable technical and organisational measures to stop your personal data being disclosed, lost, modified or accessed by unauthorised third parties;
• Retention: we only store your personal data for the time needed for the processing purpose or specific service;
• Right to access: we allow you to access, amend and correct your personal data direct in your personal area on our sites. We will delete your data if you request this.

2. How we use your personal data

2.1. When do we collect your personal data?

Your personal data may be collected:

• when you join our loyalty programmes;
• when you visit our online services;
• as part of our commercial relationship;
• when you buy our products and use our services or our partners' services;
• when you contact out Customer Services team.

2.2. Which data is collected?

Declarative personal data is the data you provide within our commercial relationship, or with our partners, for example:

• when you create a customer account or join the membership programme;
• to manage your orders;
• to track commercial or promotional information for our brands or online services;
• when you contact Courir e.g. Customer Services;
• when you enter competitions.

This data is collected via forms (digitally on our websites or mobile apps), on paper, or in response to questions asked by, for example, our Customer Services team.

Compulsory declarative data is marked with an asterisk.

To use our services, you need to provide (except in specific cases):

• your first name, surname, address, date of birth, email address, landline or mobile;
• your loyalty card number.

Personal data linked to Courir products and services. This is generated by how you use or purchase our products and services within our commercial relationship.

On this website, we also collect

• information about your purchase amounts and types, plus personal data about how you use our online services;
• orders, invoices and tracking for these;
• till receipts;
• the customer journey through our online services.

Exclusion of special personal data categories

In accordance with the law, we never collect special categories of personal data, meaning data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or union membership, genetic personal data, biometric personal data used to uniquely identify a natural person, personal data concerning health, or personal data about the sex life or sexual orientation of a natural person.

These special categories of personal data are never collected or processed by Courir.

2.3. How do we use your data?

We use your data in accordance with the terms of this charter and the general terms and conditions of sale or use for our products and services. We are always mindful of the need for transparency and security when it comes to your data. Uses:

• where you consent, having been given clear, evident and precise information about the processing undertaken for one or more specific purposes, either through a written declaration (which may be digital), or through the absence of objection, or through an oral declaration (example: your chosen favourite store);
• where data is required to fulfil a sales contract, general terms and conditions of sale or use, or to undertake pre-contractual measures at your request;
• to fulfil Courir's legal or regulatory obligations (such as a guarantee, invoicing or fraud prevention);
• where the legitimate interests of Courir or recipients may justify Courir processing your personal data (e.g. insurance, etc.);
• where you order via our Adidas marketplace from courir.com (delivery data transferred to Adidas).

This processing takes account of your interests and fundamental rights as customers. As such, it includes measures and guarantees to ensure your interests and rights are protected, establishing an appropriate balance with our legitimate interests.

2.4. Why do we collect your data?

• to manage our commercial relationship;
• to manage our loyalty programme;
• to offer our services and process your purchases and orders, and those of our partners;
• to deliver products and services;
• to communicate with you about your orders, invoices and products, and about our services and promotions;
• to store and update our customer records;
• to inform and provide explanations about our relationship, particularly through our consumer service;
• to offer tailored personalised services as we develop our product and service offering;
• to improve your customer experience with our improved customer awareness;
• to enable us to personalise our products and services to suit our customers' needs using data analysis;
• to market innovative services and products, or complementary or promotional offers, or to display relevant adverts targeted to suit previous behaviour or any other useful information, having been given your consent;
• to prospect and develop our activities;
• to undertake analysis and statistics work, and develop tools to manage, measure and report on our sales and marketing activities for developmental purposes;
• for technical purposes (e.g. to access your customer account, store your personal data to stop you having to enter it again during your visit, or the next time you visit).

2.7. Where is your personal data stored?

Data is stored by Courir, who collects it in accordance with French legislation and European regulations.

We may share personal data with other companies if it is needed for services you have entered into or subscribed to (e.g. home delivery, click and collect, product availability alerts, etc.). Operations where a third party receives your data are subject to a contract to ensure that your data is protected and your rights are respected.

Where data is transferred to a country outside the European Union, there are rules in place to ensure it is kept protected and secure.

2.8. For how long do we store your personal data?

Data retention periods are in line with CNIL recommendations and/or legal obligations:

3. How to exercise your right of access ?

Exercise your rights by accessing the online service in the FAQ or via [My Account - Personal Data]. You can also exercise your right of access by writing with a copy of an identity document to the DPO (Data Protection Officer) at Groupe Courir – 91 avenue Ledru-Rollin 75011 Paris.

4. Our data security measures

4.1. Our commitments to security and privacy

Our priority is respecting your right to have your data protected, secure and confidential. Courir undertakes to use security measures appropriate to personal data sensitivity levels to protect it from malicious intrusion, loss, modification and disclosure to unauthorised third parties.

When designing, developing, selecting and using our services requiring personal data processing, Courir is mindful of the right to personal data protection from the start.

As such, we may for example use pseudonymisation or anonymisation where this is possible or necessary.

All personal data is confidential, so can only be accessed with your consent by Courir staff or providers acting on behalf of Courir who need it to do their work. All those with access to your data are bound by a duty of confidentiality and subject to disciplinary action and/or other sanctions if they do not fulfil their obligations.

Operations involving third-party recipients are subject to a contract to ensure that your personal data is protected and your rights are respected.

At Courir, we are fully committed to protecting the personal data you give us. Due to our ongoing concerns about security and protection, we encourage you to take care to prevent unauthorised access of your personal data and protect your devices (computer, smartphone, tablet) from unwanted or malicious access by using a strong password, which it is recommended you change regularly. If you share a device, we recommend you log out after each session.

4.2. Our Data Protection Officer

We have appointed a Data Protection Officer (DPO), whose contact details are: Claire Pellarin, Data Protection Officer, 6 place Robert Schuman, Bât B1- 38000 Grenoble France; dpo@courir.com.

5. Glossary

" Anonymisation " is defined as resulting "from processing personal data in order to irreversibly prevent identification";

" Pseudonymisation " is a technique where identifying information (or personal data in general) is replaced with a pseudonym. This technique allows for re-identification and correlations to be examined if the need arises;

" Collect " means gathering personal data. This can be done using questionnaires or forms online;

" Consent " means any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to you;

" Personal data " means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Right of access" means all fundamental rights as described in European regulations concerning:

• the right to information;
• the right of access;
• the right to rectification;
• the right to erasure or to be forgotten;
• the right to data portability;
• the right to object;
• the right to restriction of processing;
• the right to issue instructions on the retention, erasure and communication of your personal data after your death.

" Restriction of processing " means the marking of stored personal data with the aim of limiting its processing in the future;

" Minimisation " in the data context means limiting the collection or use of information;

" Data pooling " means the result of multiple partners sharing their databases containing the details of customers or prospects;

" Profiling " means "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements";

" Products or services " means all products and services, including technology (websites, apps and associated services) that are offered or will be offered by Courir; "Commercial prospecting" means looking for customers. The fact that it is commercial means it relates to commerce;

" Commercial relationship " covers all dealings between Courir and its customers, such as when you buy products or services, use the after-sales service, participate in online games, return products, make a complaint, complete satisfaction surveys or take part in the loyalty programme;

" Data Processing Officer " is the person at an organisation who individually or jointly determines the goals and methods used in processing your personal data;

" Behavioural segmentation " uses behavioural information to establish a person's socio-economic or psychological profile in order to include them in a segment;

" Online services " means digital services offered by Courir such as a website, apps, associated services and mobile services;

" Processor " is the contractor who processes personal data on behalf of the data-controller person, structure or organisation;

" Individual behaviour tracking", sometimes called "profile deduction", means techniques to evaluate aspects of how a natural person uses the internet;

" Third party " means anyone other than Courir and yourself;

" Personal data processing " means any operation or set of operations which is performed on your data, no matter the online service medium or process used.