GURU - Privacy policy

Last modified on August 20, 2023

DEFINITIONS

Words marked with a capital letter - whether singular or plural - must be understood in accordance with the following definitions:

"Application": Refers to the "GURU" application published by the Data Controller.

"User Account": Refers to the account that Users may create within the Application in order to benefit from additional functionalities.

"Personal Data" or "Data": Any information that directly or indirectly identifies a natural person, such as: your surname, first name, e-mail address or postal address, your telephone number.

"GURU" and/or the "Data Controller": Refers to the simplified joint stock company (SAS) GURU WORLD, with a share capital of €1,000, whose registered office is located at 6, allée du Philosophe - 75011 Paris, registered with the Paris Trade and Companies Registry under number 951 037 951.

"Game": Refers to the treasure hunt set up by GURU, via the Application, and offering Users the opportunity to solve various enigmas, where applicable using augmented reality (AR) and virtual reality (VR) technologies.

"Newsletter": Refers to the newsletter sent from time to time by GURU to its Users to inform them of news about the Application, events organized by GURU and any other information relating to GURU's news and actions.

"Data Subject": Any person from whom one or more Personal Data have been, are being or will be collected.

69, avenue Ledru Rollin, 75012 Paris

"GDPR": Refers to Regulation EU 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data or General Data Protection Regulation.

"Sub-Contractor": Refers to any natural or legal person who processes Personal Data on behalf of the Data Controller, on its instructions and under its authority.

"Terminal": Refers to any equipment used by the User to access the Application.

"Processing": Refers to all operations relating to Personal Data, and in particular recording, collecting, organizing, storing, adapting or modifying, extracting, consulting, using, communicating by transmission, dissemination or any other form of making it available to third parties.

This list is not exhaustive, and may include, but is not limited to, access, reconciliation or interconnection, as well as blocking, erasure or destruction.

"User": Refers to any person having downloaded and/or browsing the Application published by GURU.

In the course of its business, GURU may collect and process Data concerning you, for example when you choose to create a User Account within the Application or when you use the "Contact Us" button to contact GURU.

In its capacity as Data Controller, GURU has established the present Personal Data Protection Policy (hereinafter "the Policy" or "the Privacy Policy") and undertakes to process such Data in accordance with the applicable rules; in particular in compliance with the principles of transparency, determination and legitimacy of purposes, accuracy, proportionality and minimization, security and confidentiality, responsibility and protection by design and by default.

This Policy tells you how we collect and process your Data. Please read it carefully.

Important - We only use your Data in the cases provided for by the regulations in force, i.e.:

set of commercial or business reasons that justifies the use of your Data by GURU, such as fighting against the fraudulent creation of false User Accounts.


We undertake to limit the collection of such Data to what is strictly necessary. It should be noted that this Data is collected at GURU's initiative. Personal Data may also be collected at the initiative of the Persons Concerned.

This Privacy Policy explains the following issues:

THE DATA CONTROLLER

The data controller is GURU, i.e. the simplified joint stock company (SAS) GURU WORLD, with share capital of €1,000, whose registered office is located at 6, allée du Philosophe - 75011 Paris, registered with the Paris Trade and Companies Registry under number 951 037 951.

In its capacity as data controller, GURU determines the means and purposes, i.e. the reasons, methods and conditions for Processing your Personal Data.

THE INFORMATION WE COLLECT

In the course of its business, GURU may collect, directly from you and/or via the Application, in particular but not exclusively, the following information, some of which constitutes Personal Data:

click on the links it contains);


HOW WE COLLECT THE INFORMATION

Below are the main methods we use to collect information

WHY DO WE COLLECT YOUR DATA?

GURU collects and uses your Personal Data for the following purposes:

"User rights" below;


WITH WHOM DO WE SHARE INFORMATION?

Persons working within the Company may have access to some of your Data if their duties make it necessary to Process all or part of your Data, and provided that they have been authorized by GURU to carry out Data Processing.

Access to your Data is based on individual and limited access authorizations. Personnel with access to Personal Data are subject to an obligation of confidentiality (by means of a nominal and personal confidentiality undertaking).

In the course of our activities, we call on subcontractors, i.e. people who process all or part of your Data on behalf of GURU. This may involve, for example, the tool we use to send out our Newsletter.

We take particular care in selecting Subcontractors who process Personal Data on our behalf. We undertake to ensure that Subcontractors present identical guarantees of confidentiality and security and that the Processing operated by them is carried out in compliance with the regulations in force, and in particular the GDPR.

Our Subcontractors provide services on our behalf, including:


Our Subcontractors' access to your Data is based on signed contracts specifying their obligations in terms of Data protection, security and confidentiality. We ensure that our Subcontractors operate one or more Data Processing operations that comply with this Policy.

The use of social networks to interact with the Application (in particular the access buttons to our FACEBOOK, TWITTER, INSTAGRAM pages, etc.), is likely to lead to exchanges of Data between GURU and these social networks.

For example, if you visit a page of the Application while connected to your FACEBOOK account, META may collect this information. Or, if you click on the "TWITTER" button on your cell phone, opening the TWITTER application to which your account is also connected, TWITTER may collect this information.

We therefore invite you to consult the personal data management policies of the various social networks to find out how they collect and process your Data.

Where we are legally required to do so or in order to safeguard GURU's rights, property and safety we may also disclose your information in the following circumstances: (i) to investigate, detect, prevent or take action regarding illegal activities or other wrongdoing, suspected fraud or security matters; (ii) to establish or exercise our rights to defend against legal claims; (iii) to protect our rights, property or personal safety and those of our Users or the general public; (iv) if we or any of our affiliates undergo a change of control, including through a merger, acquisition or purchase of all or substantially all of our assets.

Sharing your information in this context is not a regular event, but may occur at any time. We will endeavor to limit the types and volumes of information we may have to share for legal purposes to what is reasonably necessary and will ensure that any transfer outside the European Union is made on an appropriate legal basis.

WHERE IS THE INFORMATION STORED?


Please note that our servers, as well as the partners and service providers we trust, are located around the world. Any non-personal data we collect is stored and processed mainly in France, but also in various jurisdictions around the world, for the purposes detailed in this Privacy Policy.

Personal data may be kept, processed and stored in France and in other jurisdictions if this is necessary for the proper provision of our services and/or if required by law.

GURU intends to give preference to the storage of Data within the European Union or, at the very least, to storage solutions in countries outside the European Union offering sufficient guarantees, in compliance with current legislation.

HOW LONG YOUR DATA IS KEPT

In its capacity as Data Processor, GURU undertakes to comply with the retention periods imposed by law and/or to define strictly necessary retention periods, in accordance with Article 5 of the GDPR.

We apply the principle of limiting data retention periods in order to retain Data only for as long as is strictly necessary to achieve the purposes of the Processing, it being specified that what is necessary depends on specific circumstances, such as regulations requiring information to be retained for a specific period of time or prescription periods for legal disputes. Where a limitation period is imposed by law, the retention period may not be less than this.

Your Data is kept for a period that complies with legal provisions or is proportionate to the purposes for which it was collected. Certain retention periods are in the legitimate interest of the Data Controller.


The table below lists the main retention periods for your Data.

| Data categories | Purposes | Retention periods |
| --- | --- | --- |
| Application technical data: All Data | Operation of the Application, browsing functions and preservation of User configuration choices | 1 year from collection |
| User account data: All Data | Access to functions associated with the User Account, management and proper operation of the User Account, provision of benefits associated with the User Account | 3 years from last connection to User Account |
| Data of people who contacted GURU: All Data related to contact requests, except contact related to the exercise of rights on Data | Processing of the request and the response provided by GURU, and any subsequent exchanges | 1 year from collection, unless you object |
| Request linked to the exercise of one of the rights that Data Subjects have over their Data | Processing of request to exercise rights | Calendar year in progress at time of request, plus 5 years (legal statute of limitations) |
| Recruitment data | Management of recruitment carried out by GURU | If your application is rejected: 1 year from the date of rejection, unless you object. If your application is successful: for the duration of the employment contract, plus the legal retention period |


HOW DO WE PROTECT INFORMATION?

As Data Controller, we implement appropriate technical and organizational measures in accordance with applicable legal provisions, to protect your Personal Data against any breach.

A Data breach within the meaning of the GDPR constitutes a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed.

In accordance with current regulations, GURU undertakes to respect the principles of security, confidentiality and integrity of Personal Data collected from Users.

GURU undertakes to maintain the confidentiality of Personal Data with respect to its personnel, employees, collaborators and any other person likely to have access thereto.

GURU personnel authorized to have access to Personal Data undertake to respect confidentiality and may be subject to a legal or contractual obligation of confidentiality. Similarly, authorized personnel have received the necessary training in the protection of Personal Data.

GURU may propose limiting the amount of Personal Data collected, anonymizing such data or resorting to pseudonymization.

GURU implements appropriate technical and organizational measures to guarantee a level of security appropriate to the risk.

GURU relies on the combination of several security levels. Measures can be human, physical or logical in order to contribute to the security of its information systems.

In terms of human security, the measures put in place by GURU include:

- Training sessions to raise awareness among GURU staff of fundamental knowledge regarding confidentiality, IT security and the protection of Personal Data in general and the GDPR in particular;

Appointment of a Data Protection Manager;

In terms of physical security, the measures put in place by GURU include:

In terms of logical security, the measures put in place by GURU include:

The GURU Data Protection Manager is systematically involved in new IT projects likely to modify the Processing of Personal Data: creation of new functionalities, change of software solution, change of Personal Data hosting support, etc.

This organization promotes the deployment of the principle of “Privacy by design”.

DATA BREACH

In the event of a Personal Data breach, GURU undertakes to promptly inform the CNIL within the time frame and under the conditions set out by the GDPR.

If said violation poses a high risk for the Data Subjects and the Personal Data has not been sufficiently protected, GURU will notify the Data Subjects and communicate the necessary information and recommendations.

MINORS

The minor User must obtain the consent of his legal guardian prior to the communication of Personal Data concerning him.

If you have reason to believe that a minor has shared information with us, please contact us as provided below.


USER RIGHTS

In accordance with the GDPR, adapted into French law by law no. 2018-493 of June 20, 2018, and law no. 78-17 of January 6, 1978 known as the Data Protection Act, you have the following rights over your Data:

GURU undertakes to inform Users of the Application of the collection and use of Personal Data and thus to produce clear, transparent and accessible information on the conditions and modalities of the collection and Processing of Personal Data.

This Policy directly contributes to this right to information.

You have a right of access to obtain information on the existence of Processing and its terms.

You can ask the Data Controller to rectify your Data, particularly when it is incomplete and/or no longer up to date.

GURU may, where applicable, oppose a legitimate interest or compelling reasons to the request when the applicable legislation so provides. GURU may also, if necessary, ask the person making the request to provide proof of their identity prior to implementing this request.


Subject to the regulations in force, and in particular exceptions (for example, in terms of retention necessary to comply with a legal obligation), you can request the erasure of Personal Data relating to you:

The Data Controller will be the sole decision-maker on the merits of the requests and may, where applicable, oppose a legitimate interest or compelling reasons to the request when the applicable legislation so provides.

For example, GURU may validly object to the destruction of Data contained in accounting documents, their retention period being fixed by law.

You have the right to object at any time, for reasons relating to your particular situation, to the Processing of Personal Data concerning you.

The right to object is limited, in particular by GURU's legitimate interest in processing Personal Data and other legal requirements – such as compelling reasons.

You have the right not to be subject to a decision based exclusively on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.


A decision is deemed to be based on an exclusively automated decision when a decision producing legal effects concerning you or significantly affecting you is taken solely by technological means, without human intervention.

If necessary, you can ask GURU for someone to intervene in the decision-making process.

Under certain conditions, you can obtain from GURU the limitation of the Processing of your Data:

You can obtain from GURU the Personal Data previously provided to the Data Controller in a structured, commonly used and machine-readable format.

Under the right to portability, you can also transmit this Data to another Data Controller or request that the Personal Data concerning you be directly transmitted by GURU to another Data Controller, if this is technically possible.

You can, using the means implemented by GURU for this purpose, withdraw your consent at any time when your Personal Data is processed on the basis of it.

The withdrawal of consent only applies for the future, and cannot therefore call into question the lawfulness of the Processing carried out before this withdrawal.


You have the right to formulate instructions regarding the storage, erasure and communication of your post-mortem Data.

You can exercise the aforementioned rights with GURU, by sending a request by e-mail to the GURU Data Protection Officer at the following e-mail address contact@guruworld.group or by post to the following address: Guru World SAS 36 Bvd de la Bastille 75012 Paris.

GURU may request the communication of a copy of a proof of identity in all cases where it considers that your identity has not been sufficiently established, or that there exists or may exist a reasonable doubt as to the identity of the applicant. The level of checks carried out by GURU when processing requests to exercise rights will vary depending on the nature of the requests, the sensitivity of the information communicated and the context in which the request is made.

GURU undertakes to respond to any request as quickly as possible, and in any event within one (1) month of receipt of the complete request. This deadline may nevertheless be extended by two (2) months taking into account the complexity and number of requests.

The GURU Data Protection Manager is available to Users for any questions on the technologies and procedures deployed to protect all Personal Data transmitted and recorded via the internet, all in accordance with the requirements of the CNIL and the European Union.

Where applicable, Users of the Application and Data Subjects have the possibility of submitting a complaint to the Commission Nationale Informatique et Libertés (CNIL), either electronically on the site www.cnil.fr or by post, to the following address:

CNIL – Complaints service

3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 Tel: 01 53 73 22 22

DATA TRANSFERS ABROAD

In connection with providing the Application, we do not intend to transfer information to affiliated entities or other third parties across the borders of your country or jurisdiction, to other countries or jurisdictions within the world. However, in the event that we resort to this type of transfer, by using the Application, you consent to the transfer of your information outside the European Union.

If you are located in the European Union, your Personal Data may only be transferred to locations outside the European Union if we are satisfied that a comparable or better level of protection is in place to protect Personal Data in the relevant location.

A transfer of personal data to a third country outside the European Union or to an international organization may take place when the CNIL has noted, by decision, that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection of personal data.

Such a transfer does not require specific authorization.

In the absence of a decision from the CNIL concerning the adequate level of protection of the third country outside the European Union, GURU cannot transfer this data to such a country unless appropriate guarantees have been put in place contractually and on the condition that Persons Concerned nevertheless have enforceable rights and effective legal remedies within the country(ies) concerned.

THIRD PARTY WEBSITES

The Application may contain links, in particular hypertext, and/or content referring to a third-party website.

We will have no control over the content of third-party websites or the practices of these third parties with regard to the protection of Personal Data that they may collect, and we decline all responsibility relating to this content. It is your responsibility to find out about the Personal Data protection policies of these third parties.

PROCESSING REGISTRY

We undertake to maintain a processing register listing all Processing carried out.

This register is a document or application allowing us to list all the Processing that we implement as Data Controller. It is not intended to be communicated to the Persons Concerned.


We undertake to provide the supervisory authority, upon first request, with information enabling said authority to verify compliance of the Processing with the IT and freedom regulations in force.

CHANGES AND/OR UPDATES TO THE PRIVACY POLICY

We may revise this Privacy Policy from time to time, in our sole discretion, and the most recent version will always be available within the Application (as indicated at the top hereof). We encourage you to review this Privacy Policy periodically for any changes.

In the event of significant changes, we will publish a notice which will be displayed distinctly within the Application, through a “pop-up” window or a banner, to announce these changes. Your continued use of the Application following notice of changes will constitute your acknowledgment of, and consent to, any such changes to the Privacy Policy and your agreement to be bound by the terms of any such changes.

CONTACT US

If you have any general questions about the Application or the information we collect about you, or how we use it, you can contact us by email at: contact@guruworld.group
