Privacy policy • MYM

PRIVACY POLICY AND DATA PROTECTION

Version dated 19.10.2023 This Privacy policy is for you, users of the MYM platform (hereinafter “the Platform”) and aims to inform you about how we can collect andto use your data personal. Respect for your privacy and protection ofins personal data is a priority for us, which is why we undertake to process them in strict compliance with the Data Protection Act of January 6, 1978 (hereinafter “IEL law”) as amended and the Regulation (EU) General Data Protection Act of April 27, 2016 (hereinafter “GDPR”).

Who are we and how do we use your data?

The MYM Platform is managed by AIR MEDIAS, simplified joint stock company with share capital of 502,000 euros, registered in the Lyon Trade and Companies Register under number 809 565 906, whose head office is located 16 rue Cuvier 69006 Lyon. AIR MEDIAS (below “MYM”) will have the status ofRliable du Ttreatment forthe use of your personal data in order to: allow you to access all the services offered by the Platform and in particular:

Make the Platform available to you;
Recommend Creators/Users to you based on your preferences and forward messages sent by Creators to you via the Platform;
Moderate the content and messages you encounter on the Platform;
Ensure the cybersecurity of the computer systems on which your data is hosted;
Delete and archive your data when necessary;
Continuously improve the Platform;
Manage the cookies we use to ensure the proper functioning of the Platform;
Assist you in the validation process of your account and support you in your use of the Platform.

allow you to use our payment services and in particular;

Provide our Users with means of payment for the purchase of Content;
Provide our Creators and Ambassadors with the means to deposit their income into their bank accounts;
Establish our internal accounting and comply with tax requirements;

allow us to promote our Platform and in particular;

Offer you promotional codes, support or useful resources;
Communicate on our social networks;
Respond to reviews you leave about us on various sites;

allow us to resolve any disputes and respond to requests from authorities;

Manage possible legal disputes;
Manage your requests to exercise rights (GDPR);
Respond to requests from judicial and administrative authorities;
Fight against leaks of Content from the Platform on the web;

For your understanding: A data controlleris, within the meaning of the Data Protection Act and the GDPR, the person who determines the means and purposes of the processing, that is to say who determines why and how your personal data is used. When two or more data controllers jointly determine the purposes and means of the processing, they are thejoint controllers(or co-responsible). The subcontractor is a person processing personal data on behalf of the controller, he acts under the authority of the controller and on the instructions of the latter.

Definitions

" Content " :designates any element published by a User on the Platform, whether it is Media published by a Creator, a message (in particular via messaging) or content of any nature whatsoever (text, image, video, sound, multimedia) published by a User.

" Data " :designates theDgiven toCcharacterPpersonnel subject to'a use under this Privacy Policy.

“Personal Data”:means personal data as defined in Article 4 (1) of the GDPR, that is to say any information allowing a person to be identified.

“General Data Protection Regulation” or“GDPR” : means Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data, and repealing the directive 95/46/EC.

“Data Controller” : the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing, in accordance with Article 4 (7) of the GDPR.

" Subcontractor " :means the natural or legal person, public authority, service or other body which processes Personal Data on our behalf and in accordance with our instructions, in accordance with Article 4 (8) of the GDPR.

" User ": designates any person navigating the Platform https://mym.fans/ , whether User, Creator, Ambassador or simple Internet user.

« Usage/Use »: designates any operation usuallydesignated as “processing” of data, within the meaning ofArticle 4 (2) of the GDPR.

Capitalized terms in this privacy policy, which are not defined above, will have the meaning given to them in ourTerms of Service. 2. Why and for what purpose do we use your data? We collectwe only the Data necessary for the purposesdescribedbelow :

For your understanding: Purposeof the processing of your personal data corresponds to the reason for which we process your data, to the objective that we pursue in using them. It is our responsibility to explain it to you and to present to you why the objective we are pursuing islegitimate. The legitimacyof the use of your personal data corresponds to the legal basis, that is to say what authorizes us to collect and use the data. These legal bases are exhaustively listed by the GDPR.

Main purpose	Detail	Legal basis
Make the Platform available to Users	Register Users Host Content on the Platform Transmit messages sent by Creators via the Platform Verify the age of Subscribers and certify Creators Connect Subscribers with Creators and Creators with Ambassadors Respond to Users’ questions and requests Send you the documents and information necessary for the use of our services (for example as part of the Certification of Creators) by e-mail, SMS	The execution of our contracts (CGU/CGS/CGP depending on whether you are a Subscriber, Creator or Ambassador)
Moderate Content on the Platform	Respond to User reports Ensure the removal of illicit Content from the Platform Prevent the sharing of contact details on the Platform	Our legal obligation to respond to notifications of illicit content made on the Platform (Article 6 LCEN, DSA). Our legitimate interest. The execution of our contracts (CGU/CGS)
Ensuring the cybersecurity of our IT services	Implement security measures to ensure the proper functioning of the information system (application and network) Test the termination of the information system in the face of cyber threats	Our legal obligation to implement the technical and organizational security means necessary to ensure the security of your data (Article 32 GDPR)
Delete and archive data	Comply with our obligations regarding archiving and purging of data.	Our legal obligation to delete your data when it is no longer relevant to keep it (Article 5 GDPR)
Continuously improve the Platform	Ensure the proper functioning of the Platform Improve the Platform through user interview campaigns	Our legitimate interest in guaranteeing the best level of operation and quality of the Platform, in particular through visit statistics. Your consent, where required.
Manage cookies	Allow Users to share content on social networks Measures technical performance or ergonomics Measure attendance Offer personalized advertisements	Our legitimate interest in guaranteeing the best level of operation and quality of the Platform, in particular through visit statistics. Your consent
Manage payment services for Subscribers	Allow payment of subscriptions and Content on the Platform Fight against fraud	The execution ofCGV
Return winnings to Creators and Ambassadors	Transfer income to personal accounts Track the financial performance of an account Ring off funds while the corresponding transactions are validated	The execution ofCGS
Establish our internal accounting	Maintain the company's general accounts Prepare our tax returns.	Our legal obligation to keep accounting and tax documents (ArticleL123-22 of the commercial code and article1649 ter A du CGI)
Highlight our platform	Send you by e-mail, SMS or any other means of communication, in accordance with applicable legal provisions, marketing, advertising and promotional messages, or suggest and advise you on goods or services that may be of interest to you. Promote the brand image of the Platform on social networks (advertising campaigns, etc.) Contact you on our networks	Our legitimate interest in highlighting the Creators present on the Platform and recruiting new Users
Respond to reviews you leave for us on various sites	Provide a personalized response to online reviews	Our legitimate interest in providing solutions to Users
Manage possible legal disputes	Prepare, exercise and pursue legal recourse	Our legitimate interest in defending our interests in court
Manage your requests to exercise rights	Qualify legal requests Investigate following the rights request Carry out relevant technical operations	Our legal obligation arising from articles 15 et seq. of the GDPR and articles 48 et seq. of the Data Protection Act
Manage requests and controls from authorities	Monitor and respond to requests from the competent authorities (police, independent administrative authority, etc.)	Our obligations arising from the various applicable regulations (GDPR, consumer code, general tax code)
Fight against leaks of Platform Content on the web	Process your requests when a Content leak is detected Fight against websites hosting this content Sanction Users responsible for acts of Content counterfeiting.	Our legitimate interest in ensuring that exclusive Content hosted on the Platform is protected. The execution ofCGV
Send you emails	Sending emails and other alerts to Users who have requested them	Our legitimate interest is that our Users are supported in their experience on the Platform.

3. What information do we collect and for how long? To provide you with the Platform services, we collect some of your personal data. At MYM, we take the principle of limiting the use of your data to heart and therefore believe that respecting your privacy requires collecting only the necessary data. Furthermore, we undertake to ensure that the data collected is kept in a form allowing your identification for a period which does not exceed the duration necessary for the purposes for which this data is collected and processed. Here are the details of the categories of personal data that we may use:

Purpose	Data processed	The duration of the conversation
Make the Platform available to Users	For our Creators and Ambassadors : Identification data : surname, first name(s), address, telephone number, email addresses, pseudonym, date of birth, data indicated in the biography, connection token.	Your last name, first names, date of birth, email address and telephone number are kept fora period of 5 years from the deletion of your account. Your nickname, biography and connection token are keptfor a period of 1 year from the deletion of your account.
	Creator Media	The Media in your Feed aredeleted immediately after deleting your account. Push and Private Media (on order from a Subscriber) remain available on their account untilthe deletion of it. .
	Identity document and facial photograph	This data is kept in active databasefor 1 year from the deletion of your accounton active basis. They are kept5 additional years in intermediate archiving.
	Connection data : connection logs	This data is deleted12 months after collection.
	For our Subscribers : Identification data : name, first name(s), address, telephone number, email addresses, pseudonym, date of birth	Your last name, first names, date of birth, email address and telephone number are kept fora period of 5 years from the deletion of your account. Your nickname and connection token are keptfor a period of 1 year from the deletion of your account.
	Your account	The account is deleted after three years of inactivity
	ID and facial photograph (optional)	This data is kept in active databasefor 1 year from the deletion of your accounton active basis. They are kept5 additional years in intermediate archiving. The facial photograph and data created to estimate the User's age are deleted immediately after receiving the estimation result.
	Connection data : connection logs	This data is deleted12 months after collection.
Moderate Content on the Platform	Media whose legality is contested	Illicit media are preserved6 months from the date they were made inaccessible.
Moderate Content on the Platform	Name, first name and pseudonym of the person who made the report Message containing prohibited elements (contact details, meeting proposals).	For our Users: for a period includingbetween 6 years from the reporting or if applicable,account deletion (3 years from the last activity on the account) it being understood that the report is kept for 6 years. For third parties reporting Content:6 years from the report.
Ensuring the cybersecurity of our IT services	All your data hosted on the Platform, to ensure that access to said data is secure.	Until your account is deleted (3 years from the last activity on the account)
Delete and archive data	Data for which archiving or deletion is required.	The data is immediately deleted.
Continuously improve the Platform	Identification data: Last name, first name, pseudonym.	2 years from collection
Continuously improve the Platform	Recording and reporting of the video interviews we conduct with you.	1 an from the collection for the videos and2 years for textual records.
Manage cookies	User logs and connection data and identification data of computer equipment; Data collected via cookies and other trackers present on our Platform; for more details, seeour cookie management charter.	Cookies and other trackers are deleted from your terminals13 months after their submission. Data collected using cookies and trackers is retained25 months.
Management of payment services for Subscribers	Bank data Credit card number PayPal email address Data necessary for preparing invoices	The data is retained for aperiod of 13 months from paymentfor evidentiary purposes by our payment service providers. Your PAN and visual cryptograms are not stored.
Payment of winnings to Creators and Ambassadors	Bank data WERE GOING	18 months from the deletion of your account.
Payment of winnings to Creators and Ambassadors	PayPal email address Data necessary for preparing invoices	10 years from the end of the accounting year.
Establish our internal accounting	Order descriptions (amount, nature of purchase, etc.) Your tax identification data.	10 years from the end of the financial year.
Highlight our Platform	Identification data: Email address, telephone number. Media.	In the case of emailing-SMS campaigns: During the existence of your account. In the case of advertising campaigns: For the duration necessary for their completion (usually 1 month to 6 months from publication).
Respond to reviews you leave for us on various sites	Identification data: Name, first name, pseudonym, content of our exchanges.	Your data is not kept by the Platform.
Manage possible legal disputes	Identification data: Name, first name, pseudonym, content of our exchanges. Any information relevant to the dispute.	This data is kept untilthe exhaustion of all avenues of appeal.
Manage your requests to exercise rights	Identification data: Email address, last name, first name, content of the request.	This data is kept6 years from the resolution of the request.
Manage requests and control from authorities	Any information that the authority requires from us. These may be: Last names, first names, pseudonym Suspected illicit media Billing Summary Connection logs (device used etc.) Any other information useful to the authority.	This data is kept6 years from their transfer to the competent authority.
Fight against leaks of Platform Content on the web	Identification data: Email address, last name, first name, content of the request from the Creator whose Media was distributed.	This data is kept for 6 years from the processing of the content removal request.
Send you emails	Identification data: Email address, last name, first name, account pseudonym. Contextual data: Data relating to your journey on the Platform (e.g. assistance to certify you).	This data is kept for3 years from last contact.

4. How do we secure your use of MYM? Beyond content moderation, securing MYM mainly involves two processes: verifying the age of Fans on the one hand, and certifying Creators on the other hand, within the framework of which we are required to process your data.

Age verification and certification of Fans

To have access to adult content, a Fan must undergo a procedure to certify that they are of legal age and can, therefore, access any type of content. To do this, MYM uses different solutions, which are offered to Fans:

The Fan can use an “age estimation” solution by analyzing his facial features. To do this, he takes a selfie, which is processed by our partner (Yoti or any other solution compliant with French legislative standards) and which provides us with an estimate of the Fan's age to ensure that he is an adult. The selfie and the analysis data are immediately deleted after we receive the analysis result.
The Fan can also use an age “verification” solution, which will validate the fact that the Fan is of legal age, by questioning a third party certifier such as a telephone operator or a French administration (while respecting the anonymity of the Fan) .

If there is any doubt about the Fan's age, it is automatically blocked. They can then go through a “manual” verification process by providing a selfie and an identity document, which are then verified by one of our operators. This process allows the certification of the Fan's account. And in this case the identification data are kept for 6 years from the end of the contractual relationship (for example when blocking or deleting the account).

Certification of Creators

When registering, the Creator is asked to certify his account. This involves verifying his identity, first implying that the Creator uploads a certain number of Media to his Account on the Platform, which will be used to establish the identity and capacity of the Creator. Next, the Creator must undergo identity verification by providing an ID to Yoti, which is then analyzed via built-in software. Finally, the Creator is invited to present his face for a real-time analysis, which, without facial identification, allows facial features to be compared with those appearing on the identity document. This data is processed and stored by Yoti, MYM can only access it via a link provided to it. The data is kept for eight (8) years. If the Creator sees his pieces refused by Yoti, he can submit to a manual verification directly managed by our customer relations department. The data provided in this process is then very exceptionally processed and hosted by MYM, without the intermediary of Yoti. 5. How can you manage how often you receive emails? When a Subscriber interacts with a Creator, the latter can send them Private Media proposals. The Creator sends the proposals on his own initiative to a pool of Users which corresponds to his Subscribers, his former Subscribers, and interested Users (those who have liked or saved a media, made an attempt to subscribe or put the Creator in favorite). When a Creator sends a request to their Subscribers, they receive a notification in the Platform's messaging system as well as an email in the mailbox they entered when registering. To no longer receive or refine the emails you receive, you have two options:

On the one hand, you can access thepreference centeravailable at the following address:https://mym.fans/app/settings/notifications-preferences. This interface allows you to specify in detail the notifications you wish to receive (for example, the lives of your Creators or the publication of their latest posts).
You can also click on the unsubscribe link located at the bottom of any email sent via the MYM Platform.

For your understanding: MYM does not exercise any control over the content or frequency of the proposals sent by the Creators,these latter are responsible for processing with regard to the use of dataof their Subscribers obtained during their exchanges. These data, without being exhaustive, correspond to the content of messaging exchanges, the User's nickname or their purchase history. In accordance with the GDPR, the Creator must respect theconfidentialityof this information, ensure that you have implemented measures tosecurityadapted and refrain, except in exceptional circumstances, fromto transferthis data to third parties. The MYM platform strongly recommends that Creators who have questions about their obligations under the GDPR seek specialist advice.

6. What data do we automatically collect? When you browse the Platformhttps://mym.fans/, we record automatically information relating to your browsing. DConnection data can Thusbe automatically recorded in our server logs such as your IP address, your unique identifier, your operating system and its location, the type of browser you use, the pages you have visited. We also invite you to consult ourcookie charter, which will provide you with details of the cookies and other trackers used by MYM. 7. Who are the recipients of your data? Only the authorized persons mentioned below will have access to your data when necessary:

Other Users of the Platform;

Authorized personnel of AIR MEDIAS (MYM);
The service providers responsible for the management, hosting of the Platform and the IT system of AIR MEDIAS (MYM);
Service providers responsible for customer relationship management and content moderation;
Service providers responsible for payment management;
Email marketing providers;
Where applicable, authorized personnel of our subcontractors;
Where applicable, the courts concerned, mediators, accountants, auditors, lawyers, bailiffs, debt recovery companies, etc.police or gendarmerie authorities in the event of judicial requisition;
Third parties likely to place cookies on your terminals when you consent

Your data is not communicated to any person other than those mentioned above. Your data will not be exchanged, sold or rented. 8. Who can you contact to exercise your rights? In accordance with the Data Protection Act and the GDPR, you have the following rights:

Right of access (article 15 GDPR), rectification (article 16 GDPR) and update;
Right to erasure of your personal data (article 17 GDPR), when they are inaccurate, incomplete, ambiguous, out of date, or whose collection, use, communication or retention is prohibited;
Right to withdraw your consent at any time (article 13-2c GDPR);
Right to limit the processing of your data (article 18 GDPR);
Right to object to the processing of your data (article 21 GDPR);
Right to portability of the data that you have provided to us, when your data is subject to automated processing based on your consent or on a contract (article 20 GDPR);
Right to lodge a complaint with the CNIL (article 77 GDPR);
Right to define the fate of your data after your death and to choose whether we communicate (or not) your data to a third party that you have previously designated. In the event of death and in the absence of instructions from you, we undertake to destroy your data, unless their retention proves necessary for evidentiary purposes or to meet a legal obligation.

Failing this, you can exercise your rights upon simple request, by email to the addressdpo@mym.fans or by mail to AIR MEDIAS (MYM) – 16 rue Cuvier 69006 LYON. In the event of communication of a copy of an identity document to prove your identity, we will keep it for one (1) year or three (3) years when this communication is made as part of the exercise of a right of opposition . You have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL) at the following address:https://www.cnil.fr/fr/plaintes. 9. How do we secure your data? We are committed, including through our possible subcontractors, to implement all technical and organizational measures to ensure the security of the processing of personal data and the confidentiality of your data,thanks to current technical means and in application of the amended Data Protection Act, the European Data Protection Regulation (GDPR) and Law No. 2018-133 of February 26, 2018 “containing various provisions for adaptation to European Union law in the field of security ». We take useful precautions, taking into account the nature of your data and the risks presented bythe use we can make of it,to preserve the security of the data and, in particular, prevent it from being distorted, damaged, or from unauthorized third parties having access to it (physical protection of premises, authentication process for our customers with personal and secure access via identifiers and confidential passwords, password encryption, connection logging, etc.). With this in mind, we carry out audits of our information system as well as the service providers with access to your personal data. 10. How do we transfer your data outside the European Union? We treat mainly your data within mwe willof the European Union. Considering the nature ofOUR activity,we canto be lead tos to carry out transfers of your data outside the European Union. In this case, these transfers are accompanied by appropriate guarantees in accordance with the regulations. These guarantees are available on request at dpo@mym.fans or by mail to AIR MEDIAS (MYM)- 16 rue Cuvier 69006 LYON. 11. How will you be informed of a change to the Privacy Policy? Our Privacy Policy may be modified in particular following various legislative and regulatory developments. You will be able to consult the update directly on the Platform.