Privacy Policy

HUMMINGBIRD EXECUTIVE APP

PRIVACY POLICY

1/81. PURPOSE

The purpose of this Privacy Policy is to describe, in a transparent manner, the processing of

personal data carried out by HUMMINGBIRD CONSULTING in connection with the operation

of the “HUMMINGBIRD EXECUTIVE APP”, for any individual User, whether acting directly or as

the legal representative of a legal entity.

Terms beginning with a capital letter have the meanings assigned to them in the General Terms

and Conditions of Use (GTCU) and the General Terms and Conditions of Sale (GTCS) available

on the Application. This Privacy Policy forms an integral part of the GTCU.

2. REMINDER OF THE PRINCIPLES OF THE GDPR

In accordance with Article 5 of Regulation (EU) 2016/679 (GDPR), the Personal Data processed

by the Company must be:

(i) (ii) Processed lawfully, fairly and in a transparent manner in relation to the data subject;

Collected for specified, explicit and legitimate purposes, and not further processed in a

manner incompatible with those purposes;

(iii) Adequate, relevant and limited to what is necessary in relation to the purposes for which

they are processed (data minimisation);

(iv) Accurate and, where necessary, kept up to date; inaccurate data must be erased or

rectified without delay;

(v) Stored in a form which permits identification of data subjects for no longer than is

necessary for the purposes for which the data are processed;

(vi) Processed in a manner that ensures their security, including protection against

unauthorised or unlawful processing and against accidental loss, destruction or damage.

3. DATA CONTROLLER

Within the meaning of Article 4(7) of the GDPR, the data controller is the entity that determines

the purposes and means of the processing of personal data.

The data controller is HUMMINGBIRD CONSULTING, a single-member limited liability

company under French law, with a share capital of €1,000.00, whose registered office is

situated at 212, avenue du Château d’Eau, 06220 Vallauris, registered with the Antibes Trade

and Companies Register under SIREN number 902 652 114, represented by Ms Déborah

DUQUESNE, Manager.

Contact:contact@hummingbirdexecutive.com |hb@consultinghummingbird.com

4. DATA COLLECTED

4.1 Data provided when creating a Personal Account

The mandatory nature of the data is indicated by an asterisk at the time of collection. When

creating your Personal Account, you must provide us with:

Mandatory data:

– Title, surname and first name(s);

– Date of birth;

– Email address;

– Postal address;

2/8– Telephone number.

Optional data:

– Nationality;

– Occupational category;

– Bank details (for the purposes of payment or transfer of commissions).

4.2 Data collected when using the Services

Depending on the Services used, we collect the following data:

➢ Enquiries regarding off-market opportunities (Advisory):

When you submit a request for information about a Property via your internal messaging

system, your username, surname, first name, email address and telephone number are

forwarded to the relevant Advertiser so that they can provide you with the necessary

information.

➢ Concierge bookings:

When you book a Concierge Service, your title, surname, first name and telephone number are

sent to the relevant service provider. A confirmation is then sent to you.

➢ Electronic signature (DocuSign):

When using electronic signatures, the Company has access to your DocuSign login credentials

as well as the authentication data associated with the signature provided.

➢ Referral Programme:

As part of the Referral Programme, the App records and stores the following data: the

Referrer’s identity (surname, first name, Personal Account ID), the Referral Code used, the

Referral’s identity, the date and time of the Referral’s subscription, and confirmation of

payment for the Subscription. This data is necessary for the management of the Referral

Programme and to establish proof of the Referral Commission being triggered.

➢ Customer Service:

Any telephone call made to Customer Service may be recorded. Correspondence via the

internal messaging system is retained along with data relating to your Personal Account and

the subject of your enquiry.

4.3 Data collected automatically (Cookies and trackers)

We use cookies and other trackers to record usage data when you access the App’s Services

(searches carried out, listings viewed, requests made, use of the secure payment service). This

data helps us improve the Services and personalise your experience. You have the option to

refuse cookies and/or object to certain processing, under the conditions described in Article 9

of the Terms of Use.

4.4 Data received from Partners

The Company may receive personal data concerning you from its Partners and service

providers in connection with the provision of the Services accessible via the App.

3/84.5 Exclusion of sensitive data

The Company does not collect any sensitive data within the meaning of Article 9 of the GDPR

(racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union

membership, health data or data relating to sexual orientation). In the event that such data is

provided in error, the Company undertakes to delete it immediately.

5. USE OF YOUR DATA

5.1 On the basis of the performance of our contractual relationship

On the basis of the contracts binding us (Terms of Use and, where applicable, Terms and

Conditions), we use your Data in order to:

– Ensure the creation and management of your Personal Account;

– Enable you to view the Concierge Services on offer and the available Listings;

– Ensure the publication and distribution of your Listings;

– Provide you with our internal messaging service;

– Send you notifications regarding the use of our Services;

– Respond to your enquiries;

– To enable you to carry out commercial transactions and to monitor them;

– Manage the Referral Programme and the associated Referral Commissions;

– Establish and retain evidence of events recorded by the Application (application

traceability).

5.2 On the basis of our legitimate interest

On the basis of our legitimate interest, we use your Data to:

– Compile statistics and analyses to better understand how the App is used and improve

our Services;

– Send you opportunities that may be of interest to you, based on your previous browsing

history;

– Combat fraud, detect any anomalies in your Account or in connection with a

transaction, and, where necessary, suspend your Account;

– Enhance your user experience;

– To have evidence available in the event of a dispute.

5.3 Based on your consent

With your consent, we may:

– Allow you to be contacted by an Advertiser, a Service Provider or a Partner;

– Forward your booking requests to Concierge Service providers;

– Forward your details to payment providers depending on your chosen payment

method;

– Place audience measurement cookies on your device.

5.4 To comply with our legal obligations

The Company may use your Personal Data in order to comply with its legal obligations, in

particular in the event of a judicial or administrative order.

4/86. DATA HOSTING

All your Personal Data is hosted within a secure database. The Application is hosted in Germany

by CONTABO GmbH, Fürther Str. 224a, 90429 Nuremberg, Germany.

Any data transfers to countries outside the European Union are governed by the appropriate

safeguards provided for in Articles 44 to 49 of the GDPR (standard contractual clauses,

adequacy decisions or equivalent mechanisms).

7. RECIPIENTS OF THE DATA

7.1 Partners and Service Providers

The data collected may be passed on to our Partners and Service Providers in connection with

bookings and matchmaking carried out via the App, strictly limited to the data necessary for

the performance of the relevant service.

7.2 Advertisers

When you submit a request for information regarding an investment opportunity or an off-

market property, your contact details (username, surname, first name, email address,

telephone number) are passed on to the relevant Advertiser.

7.3 Technical service providers

In connection with the operation of the App, certain technical service providers (hosting

provider, payment provider, DocuSign electronic signature platform) may have access to your

data strictly within the scope of their duties and are subject to confidentiality obligations.

7.4 Administrative and judicial authorities

In order to ensure compliance with its legal obligations, the Company may disclose your

personal data to any authorised administrative or judicial authority, in particular in the event of

a court order.

8. RETENTION PERIOD

The retention period for your Data varies depending on the purpose for which it was collected:

TYPE OF DATA RETENTION PERIOD

Data relating to the management of your

Personal Account (including exchanges via

the internal messaging system)

5 years from the deletion of the Personal

Account

Data relating to published Advertisements 5 years from the date of their deletion

5/8Contractual documents signed via DocuSign 5 years from the deletion of the Personal

Account

Application traceability data (Referral Code,

10 years from the last activation or the end of

activations, Referral Programme

the Subscription

timestamps)

Data that may be subject to a court order

(connection logs, transaction tracking)

12 months from the date of collection

Documents and accounting records 10 years (statutory accounting obligations)

Credit card data 13 months from the completion of the last

transaction

Telephone conversations with Customer

1 month from the date of the call

Services

Data collected via audience measurement

cookies

13 months from the date of collection

The Company will permanently delete your Data once the periods set out above have expired,

unless there is a legal obligation to retain it for a longer period.

9. YOUR RIGHTS

personal data:

In accordance with Articles 15 to 22 of the GDPR, you have the following rights regarding your

9.1 Right of access (Art. 15 GDPR)

This allows you to obtain confirmation as to whether or not your data is being processed, and

if so, to access that data and information regarding its processing.

9.2 Right to rectification (Art. 16 GDPR)

This allows you to have your inaccurate or incomplete data rectified as soon as possible. You

may amend the personal data in your Personal Account at any time directly via the App.

6/89.3 Right to erasure (Art. 17 GDPR)

This allows you to have your data erased as soon as possible, subject to the grounds and

exceptions that may justify its retention (legal obligations, ongoing disputes, etc.).

9.4 Right to restriction of processing (Art. 18 GDPR)

This allows you to have the processing of your data restricted where you contest its accuracy,

consider its processing to be unlawful, or require it for the establishment, exercise or defence

of your legal claims.

9.5 Right to object (Art. 21 GDPR)

This allows you to object at any time to the processing of your data where it is based on a

legitimate interest, by providing reasons relating to your particular situation, subject to the

Company having a legitimate and compelling reason to continue the processing.

9.6 Right to data portability (Article 20 of the GDPR)

This allows you to obtain a copy of your data in a structured, machine-readable and

interoperable format, and to transmit it to another data controller, without the Company

objecting.

9.7 Right not to be subject to automated decision-making (Art. 22 GDPR)

This allows you not to be subject to a decision based solely on automated processing which

produces legal effects concerning you or significantly affects you, except where such a

decision is necessary for the performance of a contract or is authorised by law.

9.8 Instructions in the event of death

You may provide us with instructions regarding the handling of your personal data in the event

of your death, in accordance with Article 85 of the amended French Data Protection Act.

9.9 Exercising your rights – Complaints

To exercise any of the above rights or to make a complaint, you may contact us:

(i) By email:contact@hummingbirdexecutive.com orhb@consultinghummingbird.com ;

(ii) By post: HUMMINGBIRD CONSULTING, 212, avenue du Château d’Eau, 06220 Vallauris,

France.

If you are not satisfied with the outcome of your complaint, you may lodge an appeal with the

Commission Nationale de l’Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA

80715, 75334 Paris Cedex 07 (www.cnil.fr), or through the courts.

10. DATA SECURITY

The Company implements appropriate physical, electronic and organisational security

measures to protect your Data against unauthorised access, loss, destruction, alteration or

disclosure. These measures include, in particular, firewalls, database access controls,

encryption protocols and authorisation control procedures.

In the event of a personal data breach likely to pose a risk to your rights and freedoms, the

Company undertakes to notify the competent supervisory authority (CNIL) within the time

7/8limits set out in Article 33 of the GDPR and, where applicable, the data subjects in accordance

with Article 34 of the GDPR.

11. CHANGES TO THE PRIVACY POLICY

The Company reserves the right to amend this Privacy Policy at any time, in particular to

comply with any legal, regulatory or case-law developments, or to take account of changes to

the Application.

Any substantial amendment will be notified to active Users via a message within the

Application and by email, at least thirty (30) calendar days before it comes into effect.

Continued use of the Application after this period constitutes acceptance of the amended

Privacy Policy.

* * * *

This Privacy Policy comes into effect from the date it is published on the App.