# PRIVACY POLICY
## Peekigo Application

**Last updated**: February 20, 2026
**Version**: 1.0

---

## PREAMBLE

**PEEKIGO** (hereinafter "Peekigo", "we", "our" or "the Publisher") is committed to protecting the privacy of users of its Peekigo mobile application (hereinafter "the Application").

This Privacy Policy aims to inform you clearly and transparently about:
- The personal data we collect;
- The purposes for which we use it;
- Your rights regarding your personal data;
- The measures implemented to ensure its protection.

This policy is established in accordance with the **General Data Protection Regulation (GDPR)** - Regulation (EU) 2016/679 of April 27, 2016, and the **French Data Protection Act** (Loi Informatique et Libertés) of January 6, 1978, as amended.

---

## 1. DATA CONTROLLER

The data controller for personal data is:

**PEEKIGO**
Registered office: 86 rue Michel Giraux, Villennes-sur-Seine (Yvelines), France
Email: contact@peekigo.com
SIREN: 100820463
SIRET: 10082046300014
Trade Register (RCS): Versailles
EU VAT Number: FR75100820463

**Data Protection Officer (DPO)**:
No DPO appointed at this stage.
Contact email for personal data inquiries: contact@peekigo.com

---

## 2. PERSONAL DATA COLLECTED

### 2.1 Data You Provide Directly

When using the Application, we may collect the following data:

| Category | Data Collected | Required |
|----------|----------------|----------|
| **Identification data** | Name, surname, username/nickname | Optional |
| **Contact data** | Email address | Required to create an account |
| **Login data** | Password (stored in encrypted form) | Required to create an account |
| **Profile data** | Profile picture, cultural preferences | Optional |
| **User-generated content** | Reviews, comments, favorites, museum lists | Optional |

### 2.2 Data Collected Automatically

When using the Application, we automatically collect:

| Category | Data Collected | Purpose |
|----------|----------------|---------|
| **Technical data** | Device type, operating system, app version, internal technical identifier (not linked to advertising identifier IDFA/GAID) | Ensure proper Application functioning |
| **Connection data** | IP address, connection date and time | Security and statistics |
| **Usage data** | Pages/screens viewed, features used, usage duration, tour routes chosen | Service improvement |
| **Geolocation data** | GPS position (if authorized) | Provide content adapted to the museum visited |

### 2.3 Data Collected Through Third Parties

If you sign in through a social network (Google, Apple, Facebook), we may receive:
- Your first and last name;
- Your email address;
- Your profile picture (if public).

We only collect information that is strictly necessary and that you have authorized on these platforms.

---

## 3. PURPOSES AND LEGAL BASES FOR PROCESSING

We process your personal data for the following purposes:

| Purpose | Legal Basis | Retention Period |
|---------|-------------|------------------|
| **Creation and management of your account** | Contract performance (ToS) | Account duration, then 30 days after closure (1-year restricted archive for potential disputes) |
| **Provision of Services** (tour routes, content, etc.) | Contract performance | Account duration |
| **Experience personalization** (recommendations, favorites) | Contract performance / Consent | Account duration |
| **Geolocation** to adapt content to the museum visited | Consent | Data not retained (real-time only) |
| **Sending commercial communications** (newsletter, offers) | Consent | Until consent withdrawal |
| **Application improvement** (analytics, statistics) | Consent | 13 months (raw data) / Indefinitely (anonymized/aggregated data) |
| **Support request management** | Contract performance | 3 years after resolution |
| **Compliance with legal obligations** | Legal obligation | According to applicable legal periods |
| **Fraud prevention and security** | Legitimate interest | 1 year |

---

## 4. DATA RECIPIENTS

### 4.1 Internal Access

Only authorized persons within Peekigo have access to your data, within the limits of their respective duties (technical team, customer support, marketing with your consent).

### 4.2 Subcontractors

We use technical service providers to operate the Application:

| Provider | Function | Location | Safeguards |
|----------|----------|----------|------------|
| **Scaleway SAS** | Data hosting | France (EU) | EU-based hosting and security measures |
| **No third-party analytics provider** | Usage analysis | N/A | N/A |
| **No third-party email provider** | Email delivery | N/A | N/A |
| **Stripe Payments Europe, Limited** | Payment processing | EU | PCI-DSS compliance |

These providers act only on our instructions and are contractually bound to respect the confidentiality and security of your data.

For payments, Peekigo does not store full card numbers. Sensitive card data is processed directly by the payment provider.

### 4.3 Museum Partners (if applicable)

Only with your explicit consent, we may share certain anonymized or aggregated data with our museum partners for statistical purposes (tour attendance, satisfaction, etc.).

**No personally identifiable data is shared with museum partners without your consent.**

### 4.4 Legal Obligations

We may be required to disclose your data to competent authorities upon request and in accordance with legal procedures (judicial, administrative authorities, etc.).

---

## 5. DATA TRANSFERS OUTSIDE THE EU

Some of our providers may be located outside the European Union.

In such cases, we ensure that these transfers are governed by appropriate safeguards:
- **Adequacy decision** by the European Commission;
- **Standard Contractual Clauses** (SCCs) approved by the European Commission;
- **Binding Corporate Rules** (BCRs);
- Or any other transfer mechanism compliant with the GDPR.

You can obtain a copy of these safeguards by contacting us at contact@peekigo.com.

---

## 6. DATA RETENTION PERIOD

We retain your personal data for the period strictly necessary for the purposes for which it was collected:

| Data Type | Retention Period |
|-----------|------------------|
| **Account data** | Account duration, deletion within 30 days after closure (1-year intermediate archive with restricted access) |
| **Browsing/usage data** | 13 months (CNIL compliant) |
| **Geolocation data** | Not retained (real-time only) |
| **Cookies and trackers** | Maximum 13 months |
| **Billing data** (if applicable) | 10 years (accounting obligations) |
| **Prospecting data** | 3 years after last contact |
| **Rights exercise requests** | 5 years from request date |

Upon expiration of these periods, your data is deleted or irreversibly anonymized.

---

## 7. DATA SECURITY

We implement appropriate technical and organizational measures to protect your data against unauthorized access, modification, disclosure, or destruction:

### Technical Measures:
- Encryption of sensitive data (password, payment data);
- Encryption of communications (HTTPS/TLS protocol);
- Firewalls and intrusion detection systems;
- Pseudonymization and anonymization where possible;
- Regular and secure backups;
- Security testing and regular updates.

### Organizational Measures:
- Limiting data access to strict necessity;
- Staff awareness and training;
- Strong password policy;
- Security incident management procedures.

In case of a personal data breach presenting a risk to your rights and freedoms, we will inform you as soon as possible, in accordance with the GDPR.

---

## 8. YOUR RIGHTS

In accordance with the GDPR and the French Data Protection Act, you have the following rights:

### 8.1 Right of Access (Article 15 GDPR)
You can obtain confirmation that your data is being processed and access all your personal data.

### 8.2 Right to Rectification (Article 16 GDPR)
You can request the correction of inaccurate or incomplete data.

### 8.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)
You can request the deletion of your data in certain cases:
- Data is no longer necessary for the purposes;
- You withdraw your consent;
- You object to the processing;
- Data has been unlawfully processed.

### 8.4 Right to Restriction of Processing (Article 18 GDPR)
You can request the restriction of processing of your data in certain cases (contesting accuracy, unlawful processing, etc.).

### 8.5 Right to Data Portability (Article 20 GDPR)
You can receive your data in a structured, commonly used, and machine-readable format, and transmit it to another data controller.

### 8.6 Right to Object (Article 21 GDPR)
You can object at any time to the processing of your data for legitimate reasons, unless the processing is based on compelling legitimate grounds or is necessary for the establishment, exercise, or defense of legal claims.

You can object to commercial prospecting at any time.

### 8.7 Right to Withdraw Consent
When processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing carried out before such withdrawal.

### 8.8 Right to Define Post-Mortem Directives
You can define directives regarding the fate of your data after your death.

### 8.9 How to Exercise Your Rights?

You can exercise your rights:

- **By email**: contact@peekigo.com
- **By mail**: PEEKIGO, 86 rue Michel Giraux, Villennes-sur-Seine (Yvelines), France
- **In the Application**: Settings > Privacy > Exercise my rights

To process your request, we may ask you to prove your identity.

We commit to responding within a maximum period of **one month** from receipt of your request. In accordance with Article 12.3 of the GDPR, this period may be extended by two months, taking into account the complexity and number of requests. In that case, we will inform you of the extension and the reasons for the delay within the initial one-month period.

### 8.10 Complaint to the Supervisory Authority

If you believe that the processing of your data does not comply with regulations, you can lodge a complaint with the French Data Protection Authority (CNIL):

**CNIL**
3 Place de Fontenoy - TSA 80715
75334 Paris Cedex 07
Website: www.cnil.fr

For users outside France, you may contact your local data protection authority.

---

## 9. COOKIES AND SIMILAR TECHNOLOGIES

### 9.1 What is a Cookie?

A cookie is a small text file placed on your device (smartphone, tablet) when you use the Application.

### 9.2 Types of Cookies Used

| Cookie Type | Purpose | Consent Required |
|-------------|---------|------------------|
| **Strictly necessary cookies** | Application operation (authentication, security) | No |
| **Performance/analytics cookies** | Audience measurement, service improvement | Yes |
| **Personalization cookies** | Remembering your preferences | Yes |
| **Advertising cookies** (if applicable) | Displaying personalized ads | Yes |

### 9.3 Managing Your Preferences

When you first use the Application, a banner allows you to configure your cookie choices.

You can change your preferences at any time in:
- **Application Settings** > Privacy > Cookies
- **Your device settings** for advertising identifiers

### 9.4 Third-Party SDKs and Tools

The Application uses only third-party tools that are strictly necessary for operation and payment.

At this stage, no third-party analytics/marketing SDK is declared.

These tools collect technical and usage data in accordance with their own privacy policies.

---

## 10. CHILDREN'S PRIVACY

The Application is not intended for children under 16 years of age.

We do not knowingly collect personal data from minors under 16 without verifiable parental or legal guardian consent.

If you are a parent or guardian and discover that a minor under 16 has provided us with personal data without your consent, please contact us at contact@peekigo.com so that we can delete it.

---

## 11. POLICY CHANGES

We may modify this Privacy Policy at any time to reflect changes in our practices or regulations.

In case of substantial modification, we will inform you by:
- A notification in the Application;
- An email (if you have an account).

The date of the last update is indicated at the top of this document. We invite you to regularly consult this policy.

---

## 12. CONTACT

For any questions regarding this Privacy Policy or the exercise of your rights, you can contact us:

**By email**: contact@peekigo.com

**By mail**:
PEEKIGO
86 rue Michel Giraux
Villennes-sur-Seine (Yvelines), France

**Via the Application**: Settings > Help > Contact us

---

## APPENDIX - LIST OF SUBCONTRACTORS

| Subcontractor | Service | Data Processed | Location |
|---------------|---------|----------------|----------|
| Scaleway SAS | Cloud hosting | Application and infrastructure data | France (EU) |
| No third-party analytics provider | Analytics | N/A | N/A |
| No third-party emailing provider | Emailing | N/A | N/A |
| No third-party customer support provider | Customer support | N/A | N/A |
| Stripe Payments Europe, Limited | Payment | Transaction and billing data | EU |

This list may be updated. The current version is available upon request at contact@peekigo.com.

---

**Done at Villennes-sur-Seine, on February 20, 2026**

Peekigo © 2026 - All rights reserved
