The data that BAMYLOC Company collects is necessary to fulfill the following purposes:

• Respond to requests received through the contact form,

• Track your navigation on the website,

• Manage commercial relationships,

• Process payment requests from website and agencies,

• Offer you commercial opportunities,

• Perform operations related to customer management concerning contracts, order processing, deliveries, invoices, accounting, and particularly customer account management;

• Conduct commercial prospecting and marketing (sending advertising messages (SMS or email));

• Conduct customer studies including surveys and commercial statistics;

• Update prospecting files for managing the telephone solicitation opt-out list;

• Process requests for rights of access, rectification, and opposition;

• Manage individuals' reviews of products, services, or content.

Regarding Supplier Partner data:

• Supplier file management: perform administrative operations related to contracts, orders, deliveries, and invoices, accounting as it relates to supplier account management;

• Maintain documentation on suppliers.

Regarding candidate data:

• Management of job applications.

In general, BAMYLOC Company does not process any of your data for purposes incompatible with those for which they were collected, except with your prior consent.

BAMYLOC Company collects different types of personal data about you:

• Personal data that you communicate to us directly:

• When you fill out a contact form,

• When you submit a quote request,

• When you make a reservation on the website,

• When you wish to enter into a contract,

• When you contact customer service to ask a question or file a complaint,

• Generally, when you interact with BAMYLOC Company in any other way.

The communication of your personal data is voluntary. However, certain information, identified by an asterisk, is essential for BAMYLOC Company to process your request. Without this information, BAMYLOC Company will not be able to process your request.

• Personal data that is communicated to us

As part of commercial partnerships, data is transmitted to us by third-party organizations: (to be completed)

• Tour operator (all-inclusive travel organizer)

• Broker (Comparison websites)

• Assistance provider (insurance companies)

• Hotel partners (Hotel, Vacation rental...)

• Franchisor.

• Personal data that we collect automatically

We automatically collect certain information about you when you access the BAMYLOC Company website, including information about your browsing. BAMYLOC Company uses cookies and other tracking technologies to collect information about you when you interact with the BAMYLOC Company website.

To learn more about cookies and how to disable them, please consult the Cookie Policy.

BAMYLOC Company collects your personal data for the purposes described in section 1 of this Policy. In all cases, BAMYLOC Company collects your data only when their collection and processing are based on a legal foundation.

Execution of contractual relationships with BAMYLOC Company

Your data is necessary for the execution of the contract you have subscribed to or wish to subscribe to. On this contractual legal basis, any refusal to communicate your personal data will prevent the conclusion and execution of the contract.

Compliance with a legal obligation to which BAMYLOC Company is subject

Some of your data is processed by BAMYLOC Company to meet its legal obligations:

• Fulfill its legal obligations, particularly applicable accounting rules, regarding the management of customer accounts and supplier accounts,

• Handle requests for rights of access, rectification, and opposition,

• Manage a telephone solicitation opt-out list,

• Verify the driver's age when establishing a vehicle rental contract.

Your consent

Subject to obtaining your prior consent, BAMYLOC Company may process your data to:

• Send you commercial offers on its products and services,

Place cookies as described in the Cookie Policy.

At any time, you can change your mind and withdraw your consent, according to the procedures described in section 5.2 of this Policy, without calling into question the lawfulness of processing based on consent carried out before the withdrawal.

Legitimate interests of BAMYLOC Company

BAMYLOC Company may process your personal data for the purpose of pursuing its legitimate interest, particularly for managing commercial relationships.

Your data is retained by BAMYLOC Company for the time necessary to achieve the purposes outlined in point 1 herein, plus applicable legal limitation periods.

Regarding cookies.

BAMYLOC Company may retain data for 13 months.

Regarding commercial management and commercial prospecting.

BAMYLOC Company may retain data for 3 years from the last contact between BAMYLOC company and you. (Simplified Standard No. 48)

Regarding billing.

BAMYLOC Company may retain data for 10 years (Art L123-22 paragraph 2 of the Commercial Code. Simplified Standard No. 48)

Regarding accounting.

BAMYLOC Company may retain data for 10 years (Art L123-22 paragraph 2 of the Commercial Code. Simplified Standard No. 48)

For more information about the retention periods of your data, you can contact BAMYLOC Company's DPO at: dpo@gbh.fr

1. Your Rights Regarding Your Data

Right to Access Your Data

You can obtain confirmation from BAMYLOC Company whether your data is being processed or not and, when it is, access to all data and information held by BAMYLOC Company.

Right to Rectify Your Data

You can obtain from BAMYLOC Company, as quickly as possible, the rectification of any inaccurate or erroneous data concerning you. You can also request that your data be completed, if necessary.

Right to Erasure of Your Data

Except for legal exceptions, you can request BAMYLOC Company to erase your data as quickly as possible, particularly if you believe that the processing carried out by BAMYLOC Company on your data is no longer necessary for the purposes for which it was collected.

Right to Data Portability

You have the ability to retrieve some of your data in an open, machine-readable format or to request BAMYLOC Company to transfer it to another organization. This right only applies to data that you have actively and consciously provided to BAMYLOC Company (for example, data you entered in an online form) or data generated during the use of a service or device as part of the conclusion or management of your contract, and which is processed automatically, based on consent or contract performance.

Right to Object

In case your data is processed for prospecting purposes, you can object to this at any time (See section 5.2 of this Policy). Similarly, you can object to targeted advertising distribution (Cookies).

Right to Restriction of Processing

You can ask BAMYLOC Company to retain your data without being able to use it, in one of the following cases:

• You contest the accuracy of the data used by BAMYLOC Company,

• You object to your data being processed,

• In case of unlawful use but you object to its erasure,

• You need it for the establishment, exercise, or defense of legal claims.

Right to Withdraw Your Consent

When the processing of your personal data is based on your consent (sending our electronic commercial offers, for example), you have the option to withdraw your consent at any time (See section 5.2 of this Policy).

Similarly, to withdraw your consent to cookies, you can do so according to the procedures mentioned in the Cookie Policy.

Right to Provide Post-Mortem Instructions

You have the option to define directives regarding the retention, deletion, and disclosure of your data after your death. These directives define how you wish your rights regarding your data to be exercised after your death. You can send us these directives by sending a letter, with the subject "Post-mortem directives," to the following address: dpo@gbh.fr. You can modify or revoke your directives at any time.

Right to Lodge a Complaint with the CNIL

If you believe that your rights are not being respected or that the protection of your data is not ensured in accordance with the GDPR, you can, at any time, lodge a complaint with a competent supervisory authority (in France, the CNIL), directly on the CNIL website or by mail to: CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

2. Exercising Your Rights

To exercise any of your rights, send your request to: dpo@gbh.fr or BAMYLOC POLE CARAIBES 97139 LES ABYMES – specifying "Attention: DPO."

Any request must specify, in the subject line, the reason for the request (exercise of right of access, objection, etc.) and the company concerned by the request. The request must also be accompanied by a copy of both sides of a valid ID document bearing the signature of the requester and specify the address to which the response should be sent.

BAMYLOC Company will send you its response within a maximum period of one month from the date of receipt of your request. This period may, however, be extended to two months due to the complexity and number of requests.

If you believe, after contacting BAMYLOC Company, that your Data Protection rights are not being respected, you can lodge a complaint with the CNIL.

Prospecting and Targeted Advertising

Once you have agreed to receive commercial offers from BAMYLOC Company, you can, at any time, change your choice by clicking on the unsubscribe link or replying STOP, as indicated in the SMS messages sent to you.

In general, for any questions regarding this data protection policy or for any request regarding the management of your personal data by BAMYLOC Company, you can send your request by email or mail, as indicated above.

The BAMYLOC Company may also transmit your data to the following entities when necessary to fulfill one of the purposes mentioned in point 1:

Regarding traffic violation management, your data may be transmitted to:

• ANTAÏ (Ministry of Interior traffic violation management service)

Regarding payment information collection, your data may be transmitted to:

• Paybox (Website payment processing)

Regarding service-related data collection (vehicle rental options), your data may be transmitted to:

• BBLOU (Rental of children's accessories)

Your data is hosted on secure servers located in France. If your data were to be transferred outside the EU, particularly through our subcontractors, we would pay special attention to ensure that they process your data in strict compliance with current regulations regarding personal data protection.

The BAMYLOC Company implements all technical, physical, and organizational measures to ensure the security and confidentiality of your data during collection, processing, and transfer of your information.

The security of your device is your responsibility.

In cases where we may need to use service providers to process some of your data, we commit to verifying that they provide sufficient guarantees to ensure the protection of personal data entrusted to them and to have them sign confidentiality clauses in accordance with Article 28 of the GDPR.

In the event of a personal data breach, meaning a security incident, whether malicious or not and occurring intentionally or not, resulting in compromised integrity, confidentiality, or availability of your personal data, we commit to respecting the following obligations:

The "breach register" contains the following elements:

• The nature of the breach;

• The categories and approximate number of individuals concerned;

• The categories and approximate number of files concerned;

• The likely consequences of the breach;

• The measures taken to address the breach and, where appropriate, to limit the negative consequences of the breach;

• Where applicable, the justification for not notifying the CNIL or not informing the individuals concerned.

However, in accordance with current regulations, we are not required to inform you of a breach in the following cases:

• Your personal data is protected by measures making it incomprehensible to anyone not authorized to access it;

• Measures have been taken to ensure that the risk is no longer likely to materialize;

• This communication requires disproportionate effort on our part, particularly when we have no means to contact you to inform you.

Fields marked with an asterisk in our forms are required. The consequence of not providing this information is simply that your request will not be processed. The obligation to provide the requested data is contractual, as it is necessary for the execution of the contract to which you are a party or for pre-contractual measures taken at your request, particularly in cases of information requests or quotes regarding our products and services.

See Cookie Policy

We are committed to integrating personal data protection from the design phase of a project, service, or any other tool related to the handling of personal data, including data minimization, limiting the purposes of data collection, respecting data integrity and confidentiality, and limiting retention periods.

In order to respect the principle of Accountability, our company:

• Adopts internal procedures to ensure compliance with regulations (IT charter, personal data protection charter);

• Maintains documentary evidence of all processing carried out under its responsibility or that of the processor (maintenance of processing records, confidentiality agreements with employees and service providers, company security policy, procedures for managing access requests, rectification, opposition...);

• Conducts impact assessments (PIA) for processing operations that present particular risks to rights and freedoms.

The objective is to provide comprehensive documentation demonstrating compliance with data protection rules at all times.

• Pseudonymization and encryption of personal data;

• Means to ensure the confidentiality, integrity, availability, and ongoing resilience of processing systems and services;

• Means to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

• A procedure for regularly testing, assessing, and evaluating the effectiveness of measures to ensure the security of processing.