PERSONAL DATA PROTECTION CHARTER

THG is a simplified joint stock company with a share capital of €15,000, whose registered office is located at 26, rue Burdeau, 69 001 LYON, and registered in the Trade and Companies Register under number 852 231 752 RCS LYON (hereinafter "THG"), benefiting from the status of intermediary in participatory financing (IFP), registered as such in the ORIAS register under number 19006325. THG is a company involved in the organization of public or private operations of collective digital revelations of works of art, for the purpose of participating in the financing of solidarity actions.

Within the framework of its activities, THG has designed and developed a SaaS solution accessible at the address https://www.thehopegallery.com/fr and/or any suffixes and/or access fields that would refer to this address, as well as via any application on cell phones, tablets or computers, allowing in particular the digitization of the collection of donations and funding assistance (the "Platform").

THG also offers Users an online store, accessible at the address https://thehopegallery.bigcartel.com/ and/or any suffixes and/or access fields that would refer to this address, as well as via any application on cell phones, tablets or computers, on which said Users can purchase works and creations, in original format or in reprographic form, as well as various derivative products (the "Store").

The preservation of Users' personal data is important to THG.

THG undertakes to implement adequate measures for the protection, confidentiality and security of Users' personal data, in accordance with current European regulations, as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and with French regulations, in particular the rules of national law implementing said Regulation.

The purpose of the present charter (the "Charter") is to inform and enlighten Users on the purposes of the collection and processing of their personal data by THG, as data controller.

Users are therefore invited to read the Charter very carefully, to print it and to keep a copy.

By using the Platform, the User accepts all the provisions included in the Charter relating to the collection and processing of his data, for the purposes hereinafter explained.

Users are required to provide their personal data in digital format when using the Platform.

**1. Categories of personal data collected**

No sensitive data is collected or processed by THG.

The User data that THG may collect and process may consist of (without limitation) the following data:

**a) identity:** civility, surname, first names, company name, address, telephone number (landline and/or mobile), e-mail addresses;

**b) data relating to the means of payment:** billing address, credit card number, expiry date of the credit card, visual cryptogram (the latter not being kept, in accordance with the regulations in force);

**c) data related to the donation,** such as the donation number, the details of the donation;

**d) data related to the follow-up of the relationship:** history of donations, purchases and transactions, correspondence with the User, comments and opinions of Users;

**e) donation payment and billing data:** payment or remittance methods, invoices, receipts;

**g) data necessary for the realization of loyalty, canvassing, study, survey, product test and promotion actions,** the selection of persons can only result from the analysis of the data listed above;

**h) data relating to the organization and processing of contests, lotteries and any promotional operation,** such as the date of participation, the answers to the contests and the nature of the prizes offered;

**i) data relating to the contributions of persons who submit opinions on products, services or content,** including their pseudonym.

**2. Principles applicable to the collection and processing of personal data**

Legal basis for the collection and processing of personal data.

Users' personal data are processed by THG in the cases authorized by the regulations in force and under the following conditions:

  • Obtaining free, specific, informed and unambiguous consent from the User (or his/her legal representative in case of minority or incapacity) to the processing of their personal data;

  • Collection of personal data necessary for the execution of the User's request;

  • Compliance with legal and/or regulatory obligations imposed on THG (such as the fight against fraud and corruption);

  • Protection of THG's legitimate interests (such as protecting the security of its computer network).

Users' navigation information applicable to the collection and processing of personal data

When using the Platform or certain related services, certain data is collected automatically such as IP address, reference of the browsing software used, browsing data (date, time, content viewed, search terms used, etc.), operating system references.

Among the technologies used to collect Users' personal data, in order to improve the quality of its service and better meet their expectations, THG may use cookies and tracers, as well as "php" sessions or equivalent, which store data, using a unique session identifier. These sessions store said data for the duration of the User's browsing.

The data collected during the browsing is deleted at the end of the browsing session on the Platform, by the User or, if applicable, within a maximum period of 13 months from their collection.

Purposes of the collection and processing of personal data

Users can use the Platform without having to provide personal data to THG.

THG collects and processes Users' data for the following purposes:

(i) for the purposes of making donations on the Platform,

(ii) for the purpose of purchasing on the Store,

(iii) for the purposes of using and improving the Platform and/or THG's commercial offers, in particular in the context of polls, surveys and other solicitations,

(iv) for financial, billing and communication purposes to Payment Intermediaries (as defined and identified in the Platform and Store terms and conditions of use), in connection with the payment of donations via the Platform or the payment of purchases on the Store,

(v) for the purposes of communication to the beneficiaries of donations, in order to issue tax receipts associated with the payment of donations, if eligible,

(vi) for the purposes of organizing its contests and lotteries,

(vii) for the purposes of sending and communicating newsletters, informative or commercial e-mail alerts and/or news from THG to Users who wish to receive them,

(viii) to respond to inquiries (online contact forms),

(ix) to respond to job applications (personal data collected: last name(s), first name(s), e-mail, telephone number, CV, cover letters if attached),

(x) to disseminate via the Platform and/or all social and communication networks and/or all other THG media and materials, in whatever form or nature, existing or future, the comments and/or opinions of the Users on said Platform and/or on THG,

(xi) for any measure or project that is more broadly in the interest of the Users or to improve the customer relationship and experience,

(xii) to meet regulatory requirements in effect or being adopted.

Retention Period of Personal Data

The length of time that Users' personal data is retained depends on the purpose for which it is retained.

In this context, Users' personal data are kept for the time necessary to fulfill their request.

Failing this, the personal data is deleted within the time limits recommended by the Commission Nationale Informatique et Libertés (CNIL), at the end of a period of three years from their collection on the Platform, subject to:

  • the possibilities and legal obligations regarding archiving,

  • the obligation to keep certain data for evidentiary purposes and/or to anonymize them.

The personal data of the User, THG's customer, collected and processed for the purpose of executing the offers, are kept for the time necessary to manage the contractual relationship.

By way of derogation, the personal data required to establish proof of a right or a contract are archived in accordance with the legal provisions (5 or 10 years after the end of the commercial relationship, depending on the case).

**3. Recipients of the personal data collected**

The personal information collected is exclusively intended for THG and will not be transferred or exchanged to third parties, other than for the purposes mentioned in article 2 above, for the User who is a THG client.

In this respect, the Donor User's data will be transmitted to the Payment Intermediaries, for the purposes of paying his donation(s) via the Platform and/or purchasing on the Store.

In addition, the Donor User's data may be transmitted to the Beneficiaries of the Donations, for the purpose of issuing tax receipts associated with the payment of the Donations, subject to eligibility.

Only authorized personnel of the THG group and its service providers may have access to the personal data collected and process them, without prejudice to their possible transmission to the bodies in charge of a control or inspection mission in accordance with the legislation and/or regulations in force or for the purpose of responding to a judicial or administrative decision.

The said providers are the following:

  • **Rezo Zero**, for all needs related to the management of the Platform. This intermediary is located in France.

  • **Google and its various modules**, for the management of THG's emails on Gmail, calendar sharing within the team on Google Calendar, use of features available on G Suite (Google Sheets, Google Docs, etc.), management of digital communication campaigns on Google Ads, use of Google Maps on the Platform, storage space on Google Drive, analysis of activity on the Platform on Google Analytics, distribution of surveys on Google Forms, use of the social network YouTube, etc. This intermediary is located in Ireland.

  • **Hotjar**, for the management of the analytics and tracking of the activity on the Platform. This intermediary is located in Malta.

  • **Mailchimp** and **Mailjet**, for sending transactional emails and newsletters. These intermediaries are located in the United States (Mailchimp) and in France (Mailjet).

  • **Slack**, to allow the use of an internal company chat (notably message and document exchanges). This intermediary is located in the United States.

  • **Stripe**, an online payment module used on the Platform. This intermediary is located in the United States.

Subject to their complete anonymization, THG is entitled, in compliance with the textual provisions in force, to use Users' personal data, in particular for statistical purposes, measurement, transfer and/or exchange with third parties.

**4. Transfer of personal data**

The personal data of Users collected is hosted in France.

When using affiliates or service providers located outside the European Union, THG is committed to verifying that appropriate measures have been put in place to ensure that Users' personal data benefit from an adequate level of protection.

Data controllers and processors may transfer data outside the European Union (EU) and the European Economic Area (EEA), provided that they frame these transfers using the various legal tools defined in Chapter V of the GDPR.

In this context, in order for transfers of personal data outside the European Union to be deemed justified, the data controller must ensure that appropriate measures have been put in place to ensure that such personal data benefit from a sufficient and adequate level of protection.

In order to ensure a high level of protection for data transferred from European territory to third countries, organizations wishing to transfer data can thus resort to various tools, including the European Commission's adequacy decision regarding certain countries ensuring an adequate level of protection (art. 45 of the GDPR: https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre5#Article45).

The adequacy decision is the first legal framework tool, insofar as it is taken on the basis of an overall examination of the legislation in force in a State, on a territory or applicable to one or more specific sectors within that State.

With respect to transfers of personal data from European companies to American companies, the United States of America has been recognized as adequate by the European Commission only for certain specific processing operations. In this context, the adequacy concerns transfers to American companies that have adhered to the Data Protection Shield, better known as the "Privacy Shield". These transfers do not require any specific supervision.

The Data Protection Shield is a self-certification mechanism for U.S.-based companies that has been recognized by the European Commission as providing an adequate level of protection for personal data transferred by a European entity to U.S.-based companies. 

This mechanism is therefore considered to provide legal safeguards for such data transfers.

**5. Protective measures implemented by THG**

THG collects and processes Users' personal data in compliance with applicable regulations.

When the disclosure of a User's personal data to third parties is necessary and authorized, THG ensures that these third parties guarantee the same level of protection for said personal data as that provided by THG. In this context, THG requests confirmation from each of its contractual partners that they comply with the applicable regulations.

THG implements technical and organizational measures to ensure that the storage of Users' personal data is secure and limited to the period of time necessary to fulfill the purposes.

THG draws the Users' attention to the fact that no transmission or storage technology is totally infallible.

Therefore, in the event of a proven breach of Users' personal data, which could result in a high risk for Users' rights and freedoms, THG will inform the competent supervisory authority of this breach in accordance with the terms and conditions provided for by the regulations in force.

Users must exercise caution to prevent any unauthorized access to their personal data and in particular to their computer and digital terminals (computer, smartphone, tablet in particular).

**6. Users' rights**

In accordance with current regulations, Users have the following rights, subject to legal and regulatory limitations:

Right to information on the collection and processing of personal data

THG undertakes to make its best efforts to ensure that the information communicated to Users is accessible, accurate and transparent on the conditions of the collection and processing of their personal data. 

Right of access / right to erasure ("right to be forgotten") / right to rectification / right to opposition / right to limitation of processing

Any User may, at any time, access the personal information held by THG. He has the right to receive a copy in electronic form (for any additional copy, THG will be entitled to demand payment of a fee based on the administrative costs incurred).

Each User has the right to request the deletion and/or rectification of his personal data if they are erroneous or obsolete. THG may retain certain personal data when required by law or for legitimate reasons.

Users may object at any time for legitimate reasons:

  • to the use of their personal data for direct marketing purposes, or

  • to the re-use of their personal data for processing other than those listed in article 2 above, except in case of fulfillment, by THG, of one of its legal and/or regulatory obligations.

Users have the right to request that the processing of their personal data be limited to what is strictly necessary. This right is applicable only:

  • if the User concerned disputes the accuracy of his/her personal data;

  • if the User concerned justifies that the processing of his/her personal data is unlawful and requests a limitation of their use rather than their deletion;

  • if THG no longer needs the personal data of the User concerned and they are still necessary for the User concerned to establish, exercise or defend legal claims;

  • if the User concerned objects to the processing of his or her personal data based on the legitimate interest of the data controller, by justifying a higher legitimate interest.

Right of complaint to a supervisory authority

Any User, who believes that the efforts implemented by THG to preserve the protection of their personal data do not guarantee the respect of their rights, has the possibility to lodge a complaint with the competent supervisory authority (CNIL or any other authority mentioned on the list available from the European Commission).

Right to the portability of their personal data

Users have a right to the portability of their personal data, allowing them to obtain from THG said personal data concerning them, in a structured, commonly used and readable format.

Users may request that their personal data be transferred to another data controller.

Right to decide on the fate of personal data following death.

Users also have the right to organize the fate of their personal data after their death by adopting general or specific directives that THG undertakes to respect.

In the absence of such directives, THG recognizes the possibility for heirs to exercise certain rights, in particular the right of access if it is necessary for the settlement of the deceased's estate and the right of opposition.

Exercise by Users of their rights

In order to exercise his rights, any User may contact THG, using the following contact details:

THG

26 rue Burdeau

69 001 LYON (FRANCE)

[email protected]

To assist them in exercising their rights, THG informs Users that the CNIL has established and made available to them, on its website accessible at www.cnil.fr, model letters.

Before processing the User's request(s), THG will be entitled to verify the User's identity by requesting any useful proof of identity.

THG will respond to each User's request(s) as soon as possible and in any event within one (1) month of the requesting User's proof of identity.

In case of complexity and/or number of requests, this period may be extended by two (2) additional months, THG undertaking in any event to inform the User concerned of the extension and the reasons for the postponement.

**7. Modification of the Charter**

THG reserves the right to make changes to the Charter at any time, in order to comply with legislative and regulatory changes and/or to improve its personal data processing and protection policy.

In case of modification, a new version will be updated and put online with the date of "Last update".  

Any new version of the Charter will be subject to prior acceptance by the Users.