Mentions Juridiques

Kompass Personal Data Protection Policy

Version: 02072025

The purpose of this "Personal Data Protection Policy" (the "Policy") is to inform all concerned individuals ("You" or "Your") about how Kompass ("we") collects and uses such Personal Data and about the means available to you to control this use.

Article I - Who Are We?

KOMPASS INTERNATIONAL SASU, a French company registered in the Nanterre Trade and Companies Register under number 823 374 137, headquartered at 6/10 rue Troyon, 92310 SEVRES (hereinafter referred to as "KOMPASS"), collects personal data from individuals engaged in professional activities as part of its operations. Kompass has specialized in B2B data for over 80 years and has successively operated paper directories on companies worldwide using a unique proprietary classification, followed by an internet portal in 26 languages serving around sixty countries and commercial intelligence solutions now powered by AI algorithms and data collection technologies necessary for our clients across thousands of websites, blogs, media, social networks, etc.

In some cases, our various portals or websites allow B2B visitors to register to benefit from certain Kompass services, but we can also collect information available through their browser: IP address, name of the address owner, address provider, referrer, pages visited, etc.

We also process personal data that has not been directly collected from the individuals themselves. For example, if your name, position, and contact details appear on a public site, your company's website, or a social network in compliance with your visibility choices, our algorithms index the relevant page to always allow finding the source of personal data made available to our clients to meet our contractual obligations.

This document aims to inform you about our methods of processing your personal data in accordance with GDPR.

Article II - Scope of Application

This policy applies to personal data processed in a B2B context.

Its objective is to present how we process and protect your personal data, as well as the choices available to you regarding the collection, processing, access, and the process of updating, correcting, and deleting your personal data.

It applies to you if you belong to one of the following categories:

• Employees of the Kompass group and network of partners, customers using our solutions, suppliers, and all individuals present in our B2B database.

They apply only to operations (hereinafter "processing") carried out on information concerning you insofar as you are likely to be identified directly or indirectly (hereinafter "personal data").

• Note for visitors and users of the sites: each specific country's Kompass.com site is subject to specific terms of use available on each of the sites and which are part of this policy. Your use of the sites as well as the personal data you agree to communicate on the sites are subject to the provisions of this policy and the applicable terms of use.

Article III - Purpose of Collecting and Processing Your Personal Data

Kompass has been providing B2B networking services for decades, and our main mission is based on two pillars:

• Best describing what companies do (Producers, Distributors, or Service Providers) and around which activities and products.
• Indicating which professionals to contact to consider a business relationship as a buyer or seller.

We process personal data in the following cases:

1 - Based on your consent:

• To respond to your requests via our online forms.
• Sending advertising brochures, newsletters, etc.

You always have the option to exercise your right to object to the use of your personal data.

2 - Based on a contractual obligation (Article 6.1.b GDPR), in particular:

• We provide services for updating our clients' prospecting databases.
• We allow our clients to directly exploit the data through our commercial intelligence solutions as part of their marketing and commercial prospecting.
• We handle email campaigns end-to-end for our clients.

3 - Based on our legitimate interests (Article 6.1.f GDPR), we will use your personal data to:

• Conduct our marketing or commercial actions or those of our clients and B2B users from the moment you have not requested to be excluded from our database.
• Deliver the services expected by users of our solutions.
• Optimize our online offers and all R&D work.
• More generally, provide B2B services to our clients.
• Establish, exercise, or defend our legal rights.

4 - Based on a legal obligation (Article 6.1.c GDPR):

Kompass may also use your email address for administrative purposes or other non-marketing objectives (e.g., to notify you of important changes to the sites).

Article IV - Our Sources of Personal Data

Sources of personal data include:

Connected data on Kompass sites: We collect data from individuals who register to benefit from certain Kompass B2B services, but we can also collect information available through their browser: IP address, name of the address owner, address provider, referrer, pages visited.

Browsing company websites: A dedicated team manually browses freely accessible and public websites to collect only professional data. The data is all observed on sites at the time of browsing.

The world of Open Data: We use available Open Data directories (e.g., INSEE, INPI BODAAC, data.gouv.fr for France and equivalent sites for other countries).

Telephone directories present on the internet, blogs, social networks, or sites related to job search and offers.

1. We may also collect personal data from trusted third parties, subject to appropriate contractual guarantees, such as our subsidiaries, distributors, resellers, and engage third parties such as marketing service providers to collect personal data that may be useful for fulfilling our contractual commitments.
2. Where applicable, we use our own automatic search algorithms that allow us to deduce email addresses, which are then systematically subjected to validation tests before being stored in the database.

We do not process categories of sensitive personal data or deduce such information from the data we collect.

• Note for visitors and users of Kompass sites: Certain features and characteristics of the sites can only be used if you communicate certain personal data to Kompass when you visit or use the sites; these personal data fields are indicated by an asterisk.

You are free to provide or not provide all or part of your personal data.

However, if you choose not to provide it, such a decision could prevent the achievement or satisfactory achievement of the objectives described in "III - Our processing of your personal data" above; certain services and features of the site(s) may not function properly and/or you may be denied access to certain pages of the site(s). In particular, you will not be allowed to purchase software licenses or other products or services via the site(s).

Article V - Types of Data

The categories of personal data mentioned in this agreement may take the form of:

• Title
• Name
• First name
• Company
• Position or title
• Education
• Contact details: Phone number, Email
• Contact history and means of contact (timeline): date, phone calls, or emails
• Contract history: solutions, subscriptions, dates, etc.
• History of website visits and their details

Article VI - Legal Basis and Balance of Interests

Given the above, we always strive to find a fair balance between your interests and ours in the context of processing your personal data.

The various cases of use are described in the attached document relating to the balance of interests.

Article VII - Kompass Commitments

Security of Processing

We ensure the protection and security of the personal data you have chosen to communicate to us to ensure their confidentiality and prevent them from being distorted, damaged, destroyed, or disclosed to unauthorized third parties, including when certain operations are carried out by subcontractors.

Considering the state of the art, we have taken physical, electronic, organizational, and technical protection measures to prevent any loss, misuse, unauthorized access or disclosure, alteration, or potential destruction of this personal data. Among these protective measures, we integrate technologies specifically designed to protect personal data during their transfer.

In the event of an incident or data breach, we have implemented appropriate alert procedures.

We grant our employees access to the personal data subject to processing strictly necessary for the execution, management, and monitoring of the contract. We ensure that people are authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.

Staff Training

We ensure that our employees receive regular adequate training in the protection of personal data and that they apply best practices in the context of data processing.

Privacy by Design

We have taken physical, organizational, and technical protection measures to prevent any loss, misuse, unauthorized access or disclosure, alteration, or potential destruction of this personal data.

To this end, we have implemented:

• Means to ensure constant confidentiality, integrity, availability, and resilience of processing systems and services;
• It means to restore the availability of personal data and access to it within appropriate timeframes in the event of a physical or technical incident;
• A procedure for regularly testing, analyzing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

In our activity, we consider the protection of data by adopting a "privacy by design" approach - consisting of placing the protection of personal data and privacy as an absolute priority from the design of a project - and we work mainly with service providers offering technical and organizational security guarantees for the protection of personal data.

Article VIII - Profiling and Automated Decision

We do not perform any profiling from the personal data you communicate to us and do not make any decisions that significantly affect you solely based on algorithms, including profiling.

Article IX - Transfer and Recipients of Personal Data

Hosting and Transfer of Personal Data

Hosting:

The Kompass Production infrastructure is hosted within the data centers of our partner Microsoft Azure Western Europe located in the Netherlands.

Our proprietary infrastructure dedicated to the internal information system and development is hosted by a provider in the Île-de-France region.

Both providers offer the highest level of security to ensure the availability, integrity, and confidentiality of hosted data.

Finally, the backup infrastructure intended for the business continuity plan is located at another site in Île-de-France with the same provider.

Transfer:

Kompass makes personal data available to its clients and partners through its tools/solutions fed and maintained in compliance with GDPR for the processing purposes set out in Article III of this policy.

These may be legitimately transferred to entities, European or outside Europe, duly authorized and contractually linked to Kompass: the recipients.

The recipients are of three types:

• Service providers
• Kompass distributor partners
• End customers using Kompass solutions and applications

Recipients of Personal Data

There are therefore three types of recipients with different levels of responsibility arising from the use by destination:

• Service Providers: Regarding IT Services (database management, hosting, storage, maintenance, etc.) and Accounting (Customer Directories) or Marketing and Support (Directories of registered users). They act on the instruction and mandate of Kompass as subcontractors based in the EU and therefore meet GDPR requirements.
• Kompass Distributor Partners: Distributed worldwide, they are obliged to act in compliance with local regulations (GDPR for Europeans) and to do everything to comply with them (processing conditions, retention, etc.). As soon as they carry out extractions and deliveries of personal data to serve their local customers, they become de facto data controllers.
• End Customers of Kompass solutions and applications: These, when their action is limited to consultation within our tools, are free from constraints. However, any other actions (file extractions, feeding their internal tools (API/CRM), or communications directly generated from our applications and using personal data qualify them as data controllers for which they must comply with GDPR and local regulations.

We ensure through contracts or validation of the Terms of Service that all recipients are informed and implement appropriate technical and organizational measures so that the processing of personal data they carry out meets GDPR requirements, guarantees the protection of your rights, and that they will not use your data for purposes other than those stated in Article III.

Article X - Service Providers

We may use subcontractors and service providers to process personal data and always consider data protection by adopting a "privacy by design" approach (see Article VII.c of this document) and work only with providers that offer sufficient technical and organizational security guarantees to ensure data protection and in accordance with Article 28 of the GDPR.

Sometimes, these service providers, particularly our distributors, resellers, and partners, will be independent data controllers, and their terms and conditions, license agreements, and privacy statements will apply.

Article XI - What Are Your Rights and How to Exercise Them?

Your Rights

You have the right to access your personal data, allowing you to rectify, modify, delete, or limit their use, with the understanding that:

• The right to object cannot be exercised for processing based on a contract, legal obligation, or vital interests.
• The right to erasure cannot be exercised for processing based on a legal obligation or public interest.
• The right to portability cannot be exercised for processing based on legitimate interest, legal obligation, public interest, or vital interests.

You also have the right to set guidelines regarding the retention, erasure, and communication of personal data after your death.

If we fail to adequately respond to requests, you have the right to lodge a complaint with a supervisory authority (in France, the CNIL).

How to Exercise Your Rights?

You can exercise your rights by mail addressed to the following address: Kompass, DPO Service, 6-10 rue Troyon, 92310 Sèvres, or by email: dpo@kompass.com.

To ensure the rapid and correct processing of your requests to exercise rights, the following information is necessary: name, first name, email address, postal address, phone number. In some cases (right of access, right to portability, and rights for heirs), to protect you against identity theft and verify the validity of your request, you must attach a copy of an identity document and provide any useful information or document in support of your request.

Article XII - Retention Period of Your Personal Data

The retention period of personal data varies according to their destination.

Commercial Relationship:

If they are used generally for commerce-related purposes (e.g., billing), Kompass is obliged to maintain them as long as we have a legal obligation or for our legitimate interests in establishing legal rights. We retain this data for a period of 10 years or more if there is an administrative obligation.

Database:

For data from our database from our partners, personal data is maintained according to the update frequencies provided by these suppliers, who themselves manage retention periods according to local regulations (GDPR or others).

Regarding our own data production, personal data is validated and updated regularly through emailing sent to the concerned individuals. This process also reminds them of their right to be forgotten. We retain their data as long as individuals do not object to their processing by Kompass and/or its partners.

Article XIII - Contact Us

To exercise one of your rights or if you have other questions or complaints regarding our use of your personal data and their confidentiality, write to our Data Protection Officer: dpo@kompass.com.

Article XIV - Modifications

We reserve the right to revise or modify this privacy policy.

Last update: 02/07/2025

Annex 1: Legitimate Interest

Why We Use Your Data	Legitimate Interest We Rely On	What Data We Use
CONNECTION AND NAVIGATION
To allow you to register and log in and view Premium information about companies that interest you	Commercial interest for Kompass but potentially also for companies connected through our solutions.	Your account information such as your name, position, email address. More generally, all B2B professional contact data.
To allow you to navigate our site while benefiting from the best possible services	Commercial interest for Kompass	Data concerning your use of our Services such as IP address, device ID, user agent, location
SECURITY
To better protect your data from threats, we record user activity on Kompass and identify suspicious behavior, scraping, hackers. To verify certain information, you have provided. To share it with our affiliates for the same purpose of securing against malicious acts or hacking.	Strengthen the security and performance of our systems. Better protect our Clients' and visitors' data. Detect and analyze any suspicious behavior. Allow our affiliates or clients to detect, investigate, and remedy any potential threat or fraud.	Data concerning the use of our systems: IP address, device ID, location data, browser type, as well as other online identifiers collected through Cookies. Your email address, your identifiers, and if applicable, payment data. Data that you or third parties provide on our site such as your name, position, location, contact information: email address, your phone number, your payment information
BUSINESS DEVELOPMENT
To monitor and analyze the use of our online services by our clients or unidentified visitors. To fulfill our B2B networking mission	To evolve and manage our offers and solutions efficiently. To create economic opportunities for our clients or partners.	Data concerning your use such as IP address and other types of information to characterize or locate the user. Your professional identity (name, position, email address, phone)
MARKETING CAMPAIGNS
To promote our own offers and solutions to professionals when authorized.	To create opportunities and increase the population of our Clients and Users. To provide solutions aimed at saving time for your company's employees.	The professional identity (name, position, email address, phone) of certain employees or managers by function.