Privacy Policy
Last updated:
Hepicure, a simplified joint-stock company (SAS) with share capital of [CAPITAL] €, registered with the Paris Trade and Companies Register under number [RCS NUMBER], with its registered office at [ADDRESS] (hereinafter "Hepicure", "We", "Our", "Us") takes the protection of the personal data of its clients and prospects, and of owners wishing to list or listing their properties ("Properties") for short-term rental through Hepicure, very seriously (collectively, "Users", "You", "Your").
Personal data refers to any information about an individual from which that individual can be directly or indirectly identified ("Personal Data").
Hepicure carefully ensures compliance with the provisions relating to the protection of Personal Data, in particular the provisions of the French Data Protection Act of 6 January 1978 as amended ("Loi Informatique et Libertés"), EU General Data Protection Regulation 2016/679 ("GDPR") and the recommendations of the CNIL (collectively, the "Applicable Legislation").
As data controller, Hepicure wishes, through this Privacy Policy (the "Privacy Policy"), to inform Users of the way in which we collect, use and process their Personal Data submitted when using the website [URL] (the "Website") or more generally in connection with our services (the "Services").
1. WHAT PERSONAL DATA DO WE COLLECT?
The Personal Data we collect from Users includes:
your surname(s) and first name(s);
your date of birth;
your gender;
your family composition;
your postal address;
your email address;
your telephone number(s);
a copy of your identity document;
your booking history;
your bank details;
where applicable, special category data such as health data (disability, allergy, dietary restriction, medical condition related to the use of wellness or biohacking equipment...) or data that may indirectly allow us to obtain information regarding religion, beliefs or personal convictions;
online behavioural and consumption data;
any other information you provide when using the Website or our Services.
We may also collect Personal Data relating to third parties. When you use our Services, you may provide contact details for one or more other persons (e.g. other stay participants). In doing so, you warrant to Hepicure that the other persons whose data you provide have been informed of and have consented to such disclosure.
2. WHAT ABOUT COOKIES?
2.1. What are cookies?
Cookies are trackers consisting of small sets of data stored in the User's browser. Cookies are very useful and allow a website to recognise you, register your visit to a particular page, provide a secure connection to a website, and improve your user experience by enhancing your browsing comfort and/or adapting the content of a page to your interests.
2.2. How are cookies used?
We use cookies for operational purposes, statistical analysis, and to provide you with a personalised experience.
Where prior consent is required for their use, the validity period of consent to the placing of cookies is 6 months. At the end of this period, we will ask for your consent again.
The retention period for an audience measurement cookie not requiring consent is 13 months. However, the information collected through such cookies is retained by us for a maximum of 25 months, in accordance with applicable regulations.
2.3. How to manage cookie settings?
Upon your first visit to our Website, your consent to the use of your data via cookies will be requested through a banner displayed prominently at the bottom of the page.
Using the "Accept all", "Customise" and "No thanks" buttons, you will be able to accept, customise or refuse the use of cookies through our consent management partner.
You may change your choice at any time by clicking on "Cookie settings" at the bottom of our Website.
3. HOW IS YOUR PERSONAL DATA COLLECTED?
3.1. Collection by Hepicure
We may collect your Personal Data directly from you:
when you create a Client Space on the Website or when you submit a Property booking request to Hepicure;
when you create an Owner Space on the Website or when you contact us in connection with the rental of your Property;
when you communicate with our teams by email, telephone or instant messaging in connection with a future or ongoing booking.
3.2. Collection by Third Parties
We may also obtain information about you from other sources, detailed below by type of service:
3.2.1. Display of Content from External Platforms
This type of service enables you to view and interact with content hosted on external platforms directly from the Website's pages. If such a service is installed, it may still collect web traffic data relating to those pages, even if Users do not use it.
Google Fonts (Google Ireland Limited)
Google Fonts is a font display service provided by Google Ireland Limited, which allows the Website to embed content of this type on its pages.
Personal Data processed: cookies; usage data. Place of processing: Ireland.
3.2.2. Analytics
The services in this section enable Hepicure to monitor and analyse web traffic and track changes in User behaviour.
Google Analytics 4 (Google Ireland Limited)
Google Analytics 4 is a web analytics service provided by Google Ireland Limited. Google uses the data collected to track and analyse the use of the Website, prepare reports on its activities and share them with other Google services. In Google Analytics 4, IP addresses are used at the time of collection and then deleted before data is recorded.
Personal Data processed: usage data; device information; browser information; approximate location; session statistics; cookies. Place of processing: Ireland.
Meta Events Manager (Meta Platforms Ireland Limited)
Meta Events Manager is an analytics service provided by Meta Platforms Ireland Limited. By integrating the Meta pixel, Meta Events Manager can provide Hepicure with audience measurement and traffic data on the Website.
Personal Data processed: cookies; usage data. Place of processing: Ireland.
3.2.3. User Database Management
This type of service enables Hepicure to build User profiles based on an email address, a name or other information provided by the User via the Website, and to track User activity through analytical features. Some of these services may also enable the sending of timed messages to the User.
Airtable (Airtable, Inc.)
Airtable is a database management and client relationship tracking service provided by Airtable, Inc.
Personal Data processed: postal address; email address; usage data; booking history; surname; company name; telephone number; first name; cookies. Place of processing: United States.
3.2.4. Online Data Collection and Survey Management
This type of service enables the Website to manage the creation, deployment, administration, distribution and analysis of online forms and surveys in order to collect, record and reuse data from any responding User.
Typeform (TYPEFORM SL)
Typeform is a survey creation and data collection platform provided by TYPEFORM SL, a Spanish company with its registered office at C/ Can Rabia 3-5, 4th floor, 08017 — Barcelona, Spain.
Personal Data processed: email address; usage data; surname; first name; cookies. Place of processing: Spain.
3.2.5. Tag Management
This type of service enables Hepicure to manage the tags or scripts required on the Website in a centralised manner. As a result, Users' Personal Data transits through these services, which may lead to the retention of such data.
Google Tag Manager (Google Ireland Limited)
Google Tag Manager is a tag management service provided by Google Ireland Limited.
Personal Data processed: usage data; cookies. Place of processing: Ireland.
3.2.6. Contact Management and Messaging
This type of service enables the management of a database of email addresses, telephone numbers or any other contact details for communicating with the User.
Lusha (Lusha Systems Inc.)
Lusha is a data enrichment and contact management service provided by Lusha Systems Inc., enabling Hepicure to access professional contact information to facilitate prospecting and commercial relationships.
Personal Data processed: email address; surname; first name; telephone number; company name; professional data. Place of processing: United States.
Twilio (Twilio, Inc.)
Twilio is a telephone number management and communications service provided by Twilio, Inc.
Personal Data processed: telephone number. Place of processing: United States.
3.2.7. Heatmaps and Session Recording
Heatmap services are used to display the areas of the Website with which Users interact most frequently. These services enable monitoring and analysis of web traffic and tracking of changes in User behaviour. Some of these services may record sessions and make them available for later visual playback.
Hotjar Heat Maps & Recordings (Hotjar Ltd.)
Hotjar is a session recording and heatmapping service provided by Hotjar Ltd. Hotjar respects Do Not Track headers.
Personal Data processed: usage data; cookies. Place of processing: Malta.
3.2.8. Web Hosting and Backend Infrastructure
These services are designed to host data and files that allow the Website to operate, be distributed and provide ready-to-use infrastructure so that specific features or parts of the Website can function.
Squarespace (Squarespace, Inc.)
Squarespace is a web hosting and website building platform provided by Squarespace, Inc.
Personal Data processed: various types of data as indicated in the service's privacy policy. Place of processing: United States.
3.2.9. Traffic Optimisation and Distribution
These services enable the Website to distribute its content using servers located in different countries and to optimise its performance.
Cloudflare (Cloudflare Inc.)
Cloudflare is a traffic optimisation and distribution service provided by Cloudflare Inc. The way in which Cloudflare is integrated means that it filters all traffic passing through the Website while also allowing the Website's analytical data to be collected.
Personal Data processed: various types of data as indicated in the service's privacy policy. Place of processing: United States.
3.2.10. Advertising
This type of service enables the use of Users' Personal Data for advertising communication purposes. These communications may be displayed as banners and other advertisements on the Website, potentially based on the User's interests.
Google Ads Conversion Tracking (Google Inc.)
Google Ads Conversion Tracking is an analytics service provided by Google LLC or Google Ireland Limited, which links data from the Google Ads advertising network to actions taken on the Website.
Personal Data processed: usage data; cookies. Place of processing: United States.
Meta Ads Conversion Tracking — Meta Pixel (Meta Platforms Ireland Limited)
Meta Ads Conversion Tracking (Meta Pixel) is an analytics service provided by Meta Platforms Ireland Limited, which links data from the Meta advertising network to actions taken on the Website. The Meta Pixel tracks conversions attributable to advertisements on Facebook, Instagram and the Audience Network.
Personal Data processed: usage data; cookies. Place of processing: Ireland.
3.2.11. Remarketing and Behavioural Targeting
This type of service enables the Website and its partners to distribute, optimise and display advertising based on the User's past use of the Website.
Meta Custom Audience (Meta Platforms)
Meta Custom Audience is a remarketing and behavioural targeting service provided by Meta Platforms, Inc. or Meta Platforms Ireland Limited, which links the activity of the Website to the Meta advertising network.
Personal Data processed: email address; cookies. Place of processing: United States.
LinkedIn Website Retargeting (LinkedIn Corporation)
LinkedIn Website Retargeting is a remarketing and behavioural targeting service provided by LinkedIn Corporation, which links the activity of the Website to the LinkedIn advertising network.
Personal Data processed: usage data; cookies. Place of processing: United States.
4. ON WHAT LEGAL BASES IS YOUR PERSONAL DATA PROCESSED?
The processing activities carried out by Hepicure have the following legal bases in accordance with the Applicable Legislation:
Processing | Legal Basis
Building a booking history to improve our understanding of the User within the retention periods set out in Article 9 | Legitimate interest: managing our User database to offer the most suitable Services
Providing access to the Website and your personal space to consult information relating to your stays and our Services | Legitimate interest: service management
Collecting a copy of your identity document | Legal obligation (AML/CTF)
Performing the Services (stay organisation, Property booking, payment processing as agent, contract formation, service monitoring including post-stay, within applicable limitation periods...) | Contract performance (GTC)
Collecting special category data solely for the purposes of organising your stay (health data, allergies, dietary requirements...) | Consent (Art. 9 GDPR) and Contract performance (Art. 6 GDPR)
Carrying out audience and traffic statistics on the Website | Consent (cookies)
Conducting studies and research to improve your experience with Hepicure | Consent (cookies)
Retaining Personal Data to comply with our legal obligations and handle requests from authorised authorities | Legal or regulatory obligations
Sending marketing communications about our Services (newsletters, news, products and services, commercial prospecting and personalised offers) and any other requested documentation | Consent
Managing disputes and complaints relating to the Services | Contract performance (GTC)
Transmitting your contact details to selected wellness, longevity or biohacking partners so they can offer you tailored services and experiences | Consent
Where the transfer of your data is based on your consent, you may withdraw such consent at any time without affecting the lawfulness of processing carried out prior to such withdrawal.
5. WHO RECEIVES YOUR PERSONAL DATA?
Your Personal Data is processed by the relevant Hepicure departments in connection with your requests. We ensure that only duly authorised persons may access your Personal Data where necessary for the above-mentioned purposes.
Hepicure undertakes not to transfer or sell Personal Data relating to you to non-partner third parties.
We may share your Personal Data with the following third parties in compliance with Applicable Legislation:
with our affiliated entities to provide the Services requested;
with our commercial partners, including Property Owners, Partner Service Providers (private drivers, private aviation operators, coaches, chefs, therapists...), providers of booked services or technical service providers (IT, hosting, email distribution, payment service provider — including Stripe Connect or any licensed PSP, etc.). We take particular care to ensure that such third parties provide sufficient guarantees to ensure the protection and security of your Personal Data;
with carefully selected partners in the wellness, longevity and biohacking sector, so that they may, subject to your prior consent, contact you to present services and experiences suited to your interests. These partners act as independent data controllers and undertake to comply with applicable data protection regulations;
with duly authorised French or foreign authorities (e.g. tax authorities or the CNIL), in particular in connection with legal proceedings or requests for the disclosure of information.
6. THIRD-PARTY SITES AND DATA TRANSFERS
6.1. External Links
The Website may contain links to other websites operated by third parties. Please note that this Privacy Policy applies only to Personal Data collected by Hepicure. We are not responsible for the Personal Data that third parties may collect, store and use on their own websites or applications. We recommend that you read the privacy policy of each website and/or application you visit carefully.
6.2. Transfer to Partners
For the management of its clients' personal data as data controller, Hepicure uses the following sub-processors:
Stripe, United States — Online payment software. Standard contractual clauses: https://stripe.com/privacy-center/legal#data-transfers
Gmail, United States — Email service. Standard contractual clauses: https://policies.google.com/privacy/frameworks
Google Calendar, United States — Electronic diary management service. Standard contractual clauses: https://policies.google.com/privacy/frameworks
Google Drive, United States — Cloud file storage and sharing service. Standard contractual clauses: https://policies.google.com/privacy/frameworks
Google Chat, United States — Internal communication service. Standard contractual clauses: https://policies.google.com/privacy/frameworks
Squarespace, United States — Web hosting platform. Privacy policy: https://www.squarespace.com/privacy
WhatsApp, United States — Electronic messaging: https://www.whatsapp.com/legal/privacy-policy-eea
Airtable, United States — Database and client relationship management. Privacy policy: https://www.airtable.com/privacy
Lusha, United States — Data enrichment and contact management service. Privacy policy: https://www.lusha.com/privacy-policy/
Dotfile, France & United States — Continuous AML/CTF screening service: https://dotfile.notion.site/Privacy-Policy-ff98c837722b46eb966e40e5095cd505
Mindee, France & United States — Artificial intelligence service for extracting data from scanned identity documents: https://www.mindee.com/privacy-policy
6.3. Transfer Pursuant to Legal Requisition or Court Order
Users are informed that Hepicure may be required to disclose the data collected to any person pursuant to a government requisition or court order.
6.4. Transfer in Connection with a Merger or Acquisition
If Hepicure is involved in a merger, asset sale, financing transaction, liquidation or bankruptcy, or in the acquisition of all or part of its business by another company, the User consents to the collected data being transferred by Hepicure to that company, which will carry out the personal data processing activities described in this Privacy Policy.
7. HOW IS YOUR PERSONAL DATA PROCESSED OUTSIDE THE EUROPEAN UNION?
We may transfer your Personal Data to countries located outside the European Economic Area ("EEA") solely for the purposes described in this Privacy Policy.
In the event of a transfer of Personal Data outside the EEA, we will take appropriate steps to ensure that the recipient protects your Personal Data adequately, in accordance with this Privacy Policy. Such measures may include:
(a) obtaining your specific consent;
(b) the existence of an adequacy decision by the European Commission, meaning that the recipient country is deemed to provide an adequate level of protection;
(c) entering into a data transfer agreement based on the European Union standard contractual clauses; or
(d) entering into the standard contractual clauses published by the European Commission.
8. HOW IS THE SECURITY OF YOUR PERSONAL DATA ENSURED?
As data controller, Hepicure implements all necessary technical and organisational measures to ensure the protection of your Personal Data and endeavours to limit the quantity of data processed in relation to the purposes pursued. We have put in place procedures to deal with any suspected data security breach and will notify you and any relevant supervisory authority of a suspected breach where we are legally required to do so.
However, the security of data transmitted over the internet or stored in data storage systems cannot be guaranteed 100%. If you have reason to believe that your interaction with us is no longer secure (for example, if you believe that the security of an account you have with us has been compromised), please inform us immediately using the contact details provided below.
9. HOW LONG WILL YOUR PERSONAL DATA BE RETAINED BY HEPICURE?
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal or accounting requirements.
To determine the appropriate retention period for Personal Data, we consider the quantity, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process it and whether we can achieve those purposes through other means, as well as applicable legal requirements.
We retain Personal Data for the following maximum periods:
For Users who have only subscribed to the newsletter: 3 years from the date of last contact between the User and Hepicure, unless previously unsubscribed via the relevant link;
For Users who have consented to the transfer of their data to wellness, longevity or biohacking partners: 3 years from the date of consent or until withdrawal of such consent by the data subject;
For Users who submitted a booking request that did not proceed: 10 years from the date of last contact between the User and Hepicure;
For Users who completed at least one booking with Hepicure:
— 10 years from the date of last contact between the User and Hepicure;
— 2 months after the end of the stay for copies of identity documents, unless otherwise requested by the User;
— 10 years for rental contracts and invoices (legal obligation);
— 10 years after the end of the stay in the event of bodily injury occurring during the stay (legal obligation);
— In the event of legal proceedings: until such proceedings are fully resolved.
After the expiry of the periods set out above, and unless a deletion request is submitted by the data subject, Personal Data is either deleted or retained after having been anonymised, in particular for statistical purposes. It may be retained in the event of pre-litigation or litigation. It is noted that deletion and anonymisation are irreversible operations and that Hepicure will no longer be able to restore such data thereafter.
10. WHAT RIGHTS DO YOU HAVE OVER YOUR PERSONAL DATA?
As a data subject, the Applicable Legislation grants you various rights. These rights are not absolute and each of them is subject to certain conditions in accordance with the GDPR and applicable national law.
10.1. Right of Access
You have the right to obtain confirmation from us as to whether your Personal Data is being processed by us, as well as certain other information about how it is used. You also have the right to access your Personal Data by requesting a copy. We may refuse to provide information where doing so might reveal Personal Data about another person or negatively affect another person's rights.
10.2. Right to Rectification
You may ask us to take steps to correct your Personal Data if it is inaccurate or incomplete (for example, if we hold an incorrect name or address).
10.3. Right to Erasure
Also known as the "right to be forgotten", this right allows you to request the erasure or deletion of your Personal Data where, for example, there is no compelling reason for us to continue using it or its use is unlawful. This is not a general right to erasure and there are some exceptions, for example where we need to use the information to defend a legal claim or comply with a legal obligation.
10.4. Right to Restriction of Processing
You have the right to "block" or prevent the further use of your Personal Data while we are evaluating a rectification request, or as an alternative to erasure. Where processing is restricted, we may still retain your Personal Data but may not further use it.
10.5. Right to Data Portability
You have the right to obtain and reuse certain Personal Data for your own purposes across different organisations. This applies only to Personal Data that you have provided to us, that we process with your consent and for the purposes of performing a contract, by automated means.
10.6. Right to Object
You have the right to object to certain types of processing, for reasons relating to your particular situation, at any time, to the extent that such processing is carried out for the purposes of the legitimate interests pursued by Hepicure. If you object to the processing of your Personal Data for direct marketing purposes, we will no longer process your Personal Data for such purposes.
10.7. Right to Withdraw Consent
Where we process your Personal Data solely on the basis of your consent, you have the right to withdraw your consent at any time. However, such withdrawal does not affect the lawfulness of processing carried out prior to such withdrawal.
10.8. Right to Give Instructions Regarding the Use of Your Personal Data After Your Death
In France, you have the right to give us instructions on the management (retention, erasure, disclosure) of your data after your death. You may modify or revoke your instructions at any time.
11. HOW TO EXERCISE YOUR RIGHTS?
If you have any questions about this Privacy Policy, about how we process your Personal Data, or if you wish to exercise any of your rights, please send an email to: privacy@hepicure.com or a letter to: Hepicure — Data Protection Officer — [REGISTERED OFFICE ADDRESS].
All requests will be examined within the timeframes set out by applicable law. Please note that certain personal data may be exempt from such requests in certain circumstances, in particular where we need to continue processing your Personal Data for our legitimate interests or to comply with a legal obligation. Exercising your rights will not give rise to any charge.
We may need to ask you for specific information to confirm your identity and ensure your right to access such information. This is an appropriate security measure to ensure that Personal Data is not disclosed to any person who does not have the right to receive it.
If you are not satisfied with our response to your complaint, or if you believe that the processing of your Personal Data does not comply with the Applicable Legislation, you may lodge a complaint with the relevant supervisory authority. The Commission Nationale Informatique et Libertés ("CNIL") is the competent data protection authority for Hepicure.
12. AMENDMENTS TO THE PRIVACY POLICY
Hepicure may amend this Privacy Policy from time to time to reflect changes in our practices and/or any changes in Applicable Legislation. When we amend this Privacy Policy, we also update the "Last updated" date shown at the top of the page.
We invite you to consult this Privacy Policy regularly to stay informed of how Hepicure protects your Personal Data.