PRIVACY POLICY

1. Legal information

The purpose of this Privacy Policy is to inform Data Subjects of the manner in which their Personal Data is collected, how it is processed by the Beaumier Group and Beaumier Group Hotels in which Customers stay and/or are visited by Guests and, finally, the rights that Data Subjects enjoy with respect to such processing as defined below.

2. Definitions

The following terms, used in either the singular or plural in this Privacy Policy, shall have the following definitions:

• Intermediate Archiving: refers to the transfer of Personal Data that is still of administrative interest to the Data Controller (e.g. in the event of litigation and/or legal obligation) to a distinct logically or physically separate database, to which access is restricted in all cases. This archive is an intermediate step prior to deleting or anonymizing the Personal Data in question,

• Customers: refers to the customers of Beaumier Group Hotels and the Beaumier Group who benefit from Services,

• Guests: refers to guests of Beaumier Group Hotels who benefit from Services,

• Data Subjects: refers to both Customers and Guests and, where applicable, to any other natural person whose Personal Data is processed by the Beaumier Group and Beaumier Group Hotels,

• (Personal) Data: refers to personal data provided by a Data Subject within the framework of Services and/or collected by a Beaumier Group Hotel and/or the Beaumier Group in accordance with the Personal Data Protection Regulation and processed by a Data Controller, in particular as part of the provision of Services, in accordance with the terms and conditions as defined in the Privacy Policy,

• Specific Rights: refers to the rights granted by the Personal Data Protection Regulation to Data Subjects regarding processing of their Personal Data (rights of access, restriction, rectification, erasure, objection, post-mortem instruction, etc.),

• Beaumier Group Hotels: refers to hotels in which Customers stay and/or which are visited by Guests, and/or Beaumier Group establishments and more specifically to each legal entity controlling, controlled by or under the common control, directly or indirectly, of the Beaumier Group pursuant to Articles L.233-3 et seq. of French Commercial Code and, in particular, on the date on which this document is signed, the establishments referred to in Appendix 1,

• Beaumier Group: refers to Carte Postale Holdings SAS, a simplified joint stock company with share capital of €36,850,008, with its registered office in Batiment F 37, Avenue des Massettes, 73190 Challes-les-Eaux, France, registered on the Chambery Trade and Companies Register under number 852 828 128, in the name and on behalf of Beaumier Group Hotels,

• Personal Data Protection Regulation: refers to French Law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, Spanish Law no. 3/2018 Organic Law on the Protection of Personal Data and the Guarantee of Digital Rights or LOPD-GDD, Swiss Federal Law on Data Protection of September 25, 2020 (As of September 1, 2023), all in accordance with EU Regulation of April 27, 2016 published in the Official Journal of the European Union on May 4, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known as “GDPR” - General Data Protection Regulation),

• Data Controller: refers to the Beaumier Group and/or the Beaumier Group Hotel in which Data Subjects stay and/or which they visit and/or in which they benefit from a Service resulting in the collection of Personal Data processed by the Beaumier Group Hotel and/or the Beaumier Group,

• Service(s): refers to the services provided by the Beaumier Group and/or Beaumier Group Hotels and, in particular, hospitality services, leisure services, restaurant and bar services, reservation services, after-sales services, marketing services, and more generally services associated with the purposes of processing Personal Data as identified in this Privacy Policy,

• Subcontractors: refers to companies to which the Beaumier Group and/or Beaumier Group Hotels subcontract all or some Services and, for example, work services, maintenance, personal services (e.g. sports or wellness classes) but also, if they act as subcontractors, providers of marketing and management solutions for commercial prospecting and communication, in particular via social media,

• Partner Companies: refers(s) to partner companies with which Beaumier Group Hotels and/or the Beaumier Group have an agreement in order to facilitate the provision of Services and which will process the Data Subjects’ Personal Data on their own behalf as the data controller and, in particular, without this list being limitative, companies conducting intermediation activities for the reservation of Beaumier Group Services, such as tour operators, travel agencies (online or offline), global reservation systems (GDS) and all other intermediaries, which have enabled the Customer to make a reservation request for Beaumier Group Services, companies operating services within Beaumier Group Hotels (restaurants, SPAs, gyms, etc.), but also, if they act as data controllers for processing personal data, providers of marketing and management solutions for commercial prospecting and communication, in particular via social media,

3. The purposes of processing carried out by the Data Controller and its associated legal basis

Data Controllers process Data Subjects’ Personal Data for the following purposes.

The operations described below are not intended to result in the creation of profiles likely to reveal “sensitive” Personal Data such as racial or ethnic origins, philosophical, political, trade union or religious opinions, sex life or health, nor are they intended, in particular the personality test, to produce automated decisions on the part of the Data Controller.

4. Collection of Personal Data

Throughout the Customer's and Guest's experience, the Data Controller collects the following categories of Personal Data, entered by the Customer and Guest or collected during the Customer's and Guest's use of Services, and, where applicable, the Data Subjects’ personal data, in particular:

• Identity: Including, where necessary for companions, surname, first name, age, date of birth, postal address, country, telephone numbers, language, nationality, passport number, visa or other identification data issued by government agencies, birthdays and dates of special occasions, employer's contact details for reservations relating to professional activity, social media account IDs, profile picture and other data already in the public domain, or information made available by linking to your social media and loyalty accounts, size for reserving equipment for Services (e.g. skis or bikes),

• Settlement/Payment: financial information or other payment data, date and time of payment made, payment reference, invoices,

• Reservations: Beaumier Group hotels visited, reservation number, sub-reservation number, arrival and departure dates, reservation dates, reservation status, price categories applied, room categories, total cumulative amount of reservations, reservation methods,

• Activities within a Hotel: details of requests for Services and Services purchased, video surveillance, monitoring of activities and requests, use of access badges, use of Services, preferences, intolerances and interests (e.g. smoking or non-smoking room, preferred floor, type of bedding, type of print media read, sports, cultural interests, food and drink preferences, allergies, etc.), health data where applicable for specific needs,

• For the purpose of feedback: responses to the Data Controller's satisfaction forms, opening or name of commercial prospecting,

• Opinions: data relating to the contributions of Data Subjects who submit opinions/comments/complaints relating to Hotels and/or Services via the satisfaction form or by any other means.

The Customer's debit/credit card number and its security code are collected directly and securely by the Data Controller’s following payment service providers:

• Adyen: https://www.adyen.com/fr_FR/privacy-policy  • Wordline: https://worldline.com/fr-fr/compliancy/vie-privee  • Paytweak: https://www.paytweak.com/privacy.php  • Saferpay: https://worldline.com/fr-ch/compliancy/vie-privee

Only a card pre-authorization is transmitted to the Data Controller.

When you use the WiFi network within Beaumier Group Hotels, personal data is collected directly by 2iSR in its capacity as the data controller. Its privacy policy is accessible from the login portal. You can also contact its DPO at contact@2isr.fr for further information.

Every precaution has been taken to store Customers’ Personal Data in a secure environment and prevent it from being distorted, damaged or accessed by unauthorized third parties.

5. Recipients or categories of recipients of Data Subjects’ Personal Data

Data Subjects’ Personal Data is processed by the Data Controller's authorized personnel and for the aforementioned purposes.

Data Subjects’ Personal Data may be disclosed to the following recipients for the purposes identified above:

- Beaumier Group,  - Beaumier Group Hotels, - Subcontractors, - Partner Companies,  - administrative and/or judicial authorities, - court officers, accountants and chartered accountants, - etc.

Where applicable, any transfer of Data Subjects' Personal Data outside the European Economic Area will be carried out by the Data Controller subject to appropriate safeguards, in particular contractual safeguards by means of standard contractual, technical and organizational clauses, in compliance with the Personal Data Protection Regulation.

6. Commercial prospecting by email by the Beaumier Group

In accordance with Article L.34-5 of French Post and Electronic Communications Code, the Beaumier Group, which manages all reservations for Beaumier Group Hotels and is solely responsible for Beaumier Group Hotels’ communication, reserves the right to send Customers prospecting emails for similar products or services provided exclusively by Beaumier Group Hotels and/or the Beaumier Group, excluding all third parties.

The Data Subject may exercise their right to object under the conditions set out in Article 8 below and directly from each prospecting email received by clicking on “unsubscribe”.

7. The rights of Data Subjects

In accordance with the Personal Data Protection Regulation, the Data Subject may, at any time, benefit from the following Specific Rights of/to:

- access, - rectification, - erasure,  - restriction of processing, - portability,  - objection,  - post-mortem instructions, - withdrawal of consent.

a. Right of access

All Data Subjects have the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning them is being processed and, where this is the case, access to said Personal Data as well as the following information:

a) the purposes of processing,  b) the categories of Personal Data,

c) the recipients or categories of recipients to whom the Personal Data has been or will be disclosed,

d) where possible, the intended Personal Data retention period or, where this is not possible, the criteria used to determine this period,

e) the existence of the right to request from the Data Controller the rectification or erasure of Personal Data, or restriction of processing of Personal Data, or the right to object to such processing,

f) the right to lodge a complaint with the CNIL (French Data Protection Authority),

g) where Personal Data is not collected from the Data Subject, any available information as to its source,

h) the existence of automated decision-making, including profiling, and, at least in such cases, meaningful information on the underlying logic, as well as the significance and envisaged consequences of such processing for the Data Subject,

Where Personal Data is transferred to a third country or to an international organization, the Data Subject has the right to be informed of the appropriate safeguards relating to such a transfer.

The Data Controller must provide a copy of the Personal Data being processed.

The Data Controller may charge a reasonable fee based on administrative costs for any additional copies requested by the Data Subject.

When the Data Subject submits their request electronically, the information is provided in a commonly used electronic form, unless they request otherwise.

The Data Subject's right to obtain a copy of their Personal Data must not adversely affect the rights and freedoms of others.

b. Right to rectification

The Data Subject has the right to obtain from the Data Controller, without undue delay, the rectification of inaccurate Personal Data. They also have the option of having incomplete Personal Data completed, including by providing a supplementary statement.

c. Right to erasure

The Data Subject has the right to obtain from the Data Controller the erasure, without undue delay, of Personal Data relating to them where one of the following grounds applies:

a) the Personal Data is no longer required for the purposes for which it was collected or otherwise processed by the Data Controller,

b) the Data Subject has withdrawn their consent to the processing of such Personal Data and there are no other legal grounds for the processing,

c) the Data Subject exercises their right to object under the conditions set out below and there are no compelling legitimate grounds for the processing,

d) the Personal Data has been processed unlawfully,

e) the Personal Data must be erased to comply with a legal obligation,

f) the Personal Data has been collected from a child.

d. Right to restriction of processing

The Data Subject has the right to obtain from the Data Controller the restriction of processing of their Personal Data where one of the following grounds applies:

a) the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the Personal Data,

b) the processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests restriction of its use instead,

c) the Data Controller no longer needs the Personal Data for the purposes of the processing, but it is still necessary for the Data Subject to establish, exercise or defend legal claims,

d) the Data Subject has objected to processing under the conditions set out below pending verification of whether the legitimate grounds of the Data Controller override the alleged grounds.

e. Right to data portability

The Data Subject has the right to receive from the Data Controller Personal Data concerning them, in a structured, commonly used and machine-readable format where:

a) the processing of Personal Data is based on consent, or on a contract, and

b) processing is carried out by automated means.

In exercising their right to data portability, the Data Subject has the right to have the Personal Data transmitted directly by the Data Controller to another data controller named by them, where technically feasible.

The Data Subject's right to data portability must not adversely affect the rights and freedoms of others.

f. Right to object

The Data Subject may object at any time, on grounds relating to their particular situation, to the processing of Personal Data concerning them based on the legitimate interests of the Data Controller. The latter will no longer process the Personal Data, unless it demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the Data Subject, or may retain it for the establishment, exercise or defense of legal claims.

g. Post-mortem instructions

The Data Subject has the right to issue the Data Controller with instructions relating to the retention, erasure and sharing of their Personal Data after their death, which may also be registered with a "certified digital trusted third party". These instructions, or kind of "digital will", can name a person to be responsible for their execution; failing this, the Data Subject’s heirs will be appointed.

In the absence of any instructions, the Data Subject's heirs may contact the Data Controller in order to:

- access Personal Data processing for the "organization and settlement of the deceased's estate",  - receive disclosure of "digital assets" or "data akin to family memories, which may be passed on to heirs",

- close the Data Subject's account on a website published by the Beaumier Group and/or Beaumier Group Hotels and object to further processing of their Personal Data.

In any event, the Data Subject may inform the Data Controller at any time that they do not wish their Personal Data to be disclosed to a third party in the event of their death.

h. Withdrawal of consent

The Data Subject may withdraw their consent at any time by contacting the Data Controller in accordance with Article 7 below.

8. Exercising the Specific Rights of Data Subjects

These Specific Rights may be exercised at any time by contacting the Data Controller:

- By email at the following address: privacy@beaumier.com

- By post at the following address:

Ally Avocats Mr. Jérôme Sujkowski Beaumier Group External Data Protection Officer 27 Boulevard de Courcelles 75008 Paris, France

For the purposes of asserting its rights under the conditions set out above, and in the event that the Data Controller has doubts about the author of the request, it may ask the latter to provide proof of their identity by stating their surname, first name and email address, and to accompany the request with a copy of a valid form of identification.

A reply will be sent to the Data Subject within a maximum of one (1) month from the date of receipt of the request.

If necessary, this period may be extended by two (2) months by the Data Controller, who will notify the Data Subject of this, taking account of the complexity and/or number of requests.

In the event that the Data Subject requests the deletion of their Personal Data and/or exercises their right to request the erasure of their Personal Data, the Data Controller may nevertheless retain such Personal Data in the form of an Intermediate Archive for the period necessary to meet its legal obligations, or for evidentiary purposes during the applicable statute of limitations.

The Data Subject may also lodge a complaint with the competent supervisory authority (the CNIL).

Appendix 1 - List of Beaumier Group establishments