Growing together

Luma supports you in your well-being and femininity at every stage of your journey.

Privacy policy

Compliant with Regulation (EU) 2016/679 (GDPR) and the Data Protection Act

Version of April 13, 2026 — Effective upon account creation

PREAMBLE

APPFACTORY, a simplified joint-stock company with a capital of 1,000 euros, registered with the Paris Trade and Companies Register under number 942 134 289, with its registered office located at 66 Avenue des Champs-Élysées, 75008 Paris (hereinafter referred to as “Luma” or the “Data Controller”), places fundamental importance on the protection of its users' personal data.

This Privacy Policy aims to inform Clients and users of the Luma platform (hereinafter the 'Site', accessible at https://luma.coach) about the nature of personal data collected, the purposes and legal bases of their processing, the recipients, retention periods, and the rights they have.

It is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data (hereinafter 'GDPR'), and Law No. 78-17 of January 6, 1978, as amended, relating to data processing, files, and freedoms (hereinafter 'Data Protection Law').

This policy is an integral part of the General Terms and Conditions of Sale and the Subscription Terms available on the Site.

ARTICLE 1 — DATA CONTROLLER

The data controller for personal data collected via the Luma platform is:

  • APPFACTORY — Simplified Joint Stock Company (SAS)
  • Share capital: 1,000 euros
  • Head office: 66 Avenue des Champs-Élysées, 75008 Paris, France
  • RCS Paris — SIREN: 942 134 289
  • VAT number: FR01942134289
  • Email: contact@luma.coach

For any questions regarding the protection of your personal data, you can contact the data controller at the email address: contact@luma.coach

ARTICLE 2 — COLLECTED DATA

2.1 — Data Collected During Account Creation

When creating their account, the Client provides the following data:

  • First Name
  • Last Name
  • Email address

A temporary password is automatically generated and sent to the Client at the email address provided during registration.

The Client is invited to modify it upon their first login using the reset feature available on the Site.

Passwords are stored in encrypted form and are never accessible in plain text by the Luma team.

2.2 — Data Collected During the Personalization Questionnaire

The personalization questionnaire is designed to tailor the Luma program to the Client's profile.

It may collect information related to:

  • The Client's emotional and relational situation.
  • Personal goals related to well-being, self-confidence, and personal development.
  • The difficulties or personal concerns freely expressed by the Client.

These data may constitute sensitive data under Article 9 of the GDPR as they can reveal information about the Client's private life.

Their processing is based on the explicit consent of the Client, obtained at the time of subscription.

2.3 — Data Collected During Payment

Banking data (card number, expiration date, security code) is collected and processed exclusively by our authorized payment provider, in accordance with PCI DSS standards.

Luma does not store any banking data on its own servers.

Billing data collected by Luma is limited to: transaction amount, date, duration of the subscribed service, and associated email address.

2.4 — Data Collected During Use of the Platform

During the use of the platform, Luma also collects:

  • Connection and browsing data: IP address, type and version of the browser, operating system, pages visited, dates and times of connection.
  • Progress data: modules viewed, essentials completed, progress report, advancement score.
  • The content published in the Community: messages, questions, comments posted by the Client in the exchange areas.
  • Exchanges with Elia: conversations with the virtual coach, retained to ensure continuity and personalization of coaching.
  • The data from the Glow-Up Routine: habits and preferences provided by the Client.

2.5 — Data Collected via Cookies

Cookies and trackers are placed on the Client's device while browsing the Site, under the conditions described in the Cookie policy.

ARTICLE 3 — PURPOSES AND LEGAL BASES OF PROCESSING

Luma processes the Client's personal data for the following purposes:

  • Management of the contractual relationship (creation and management of the account, access to Services, billing, renewal, termination) — Legal basis: performance of the contract (Article 6.1.b of the GDPR).
  • Personalization of the program and recommendations according to the Client's profile and goals — Legal basis: explicit consent (Article 6.1.a and Article 9.2.a of the GDPR for sensitive data).
  • Operation of the virtual coach Elia and continuity of exchanges — Legal basis: performance of the contract (Article 6.1.b of the GDPR).
  • Sending transactional emails (order confirmation, invoices, renewal notices, cancellation confirmations) — Legal basis: performance of the contract (Article 6.1.b of the GDPR).
  • Sending marketing communications and promotional offers — Legal basis: consent (Article 6.1.a of the GDPR) or legitimate interest for existing customers (Article 6.1.f of the GDPR), with the possibility to unsubscribe at any time.
  • Platform improvement, usage analysis, and audience measurement — Legal basis: legitimate interest (Article 6.1.f of the GDPR).
  • Community moderation and prevention of abusive behavior — Legal basis: legitimate interest (Article 6.1.f of the GDPR).
  • Compliance with legal obligations (retention of accounting data, response to judicial requisitions) — Legal basis: legal obligation (Article 6.1.c of the GDPR).

ARTICLE 4 — DATA RETENTION PERIODS

The Client's personal data is retained for the following durations:

  • Account data (first name, email): retained for the duration of the active subscription, then deleted within 30 days following termination or expiration of the last subscription.
  • Personalization and progress questionnaire data: retained for the duration of the active subscription, then deleted within 30 days following termination.
  • Exchanges with Elia: during the entire duration of the active subscription, then deleted within 30 days following cancellation.
  • Content published in the Community: deleted upon account termination, unless there is a legal obligation to retain it.
  • Billing and accounting data: retained for 10 years in accordance with Article L. 123-22 of the Commercial Code.
  • Login data and technical logs: retained for 12 months in accordance with Article L. 34-1 of the Postal and Electronic Communications Code.
  • Consent data: retained for 3 years from the date of collection, as proof.

At the end of these periods, the data will be securely and permanently deleted or anonymized for statistical purposes.

ARTICLE 5 — DATA RECIPIENTS

5.1 — Internal Access

The Client's personal data is accessible only to authorized members of the Luma team, strictly within the limits of their responsibilities and the purposes described in Article 3.

5.2 — Subcontractors

Luma engages technical service providers acting as processors in the sense of the GDPR, bound by contracts ensuring an adequate level of data protection.

These service providers intervene in particular for:

  • Hosting of the platform: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg.
  • Payment processing: authorized payment service provider (PCI DSS), whose contact details are available upon request.
  • Sending of transactional and marketing emails: email sending service provider, whose contact details are available upon request.
  • Audience analysis and service improvement: web analytics tools, used under the conditions described in the Cookie policy.

5.3 — Transfers Outside the European Union

Some of our subcontractors, including Amazon Web Services, may process data in countries located outside the European Union.

In this case, Luma ensures that these transfers are governed by appropriate safeguards in accordance with Chapter V of the GDPR, including the use of standard contractual clauses adopted by the European Commission or through the EU-U.S. Data Privacy Framework.

5.4 — No Assignment to Commercial Third Parties

Luma never sells, rents, or transfers its Clients' personal data to third parties for commercial or advertising purposes.

Data is only shared with third parties in case of legal obligation or judicial requisition.

ARTICLE 6 — RIGHTS OF DATA SUBJECTS

In accordance with Articles 15 to 22 of the GDPR and the Data Protection Act, the Client has the following rights regarding their personal data:

  • Right of access (Article 15 GDPR): to obtain confirmation that data concerning them is being processed and to receive a copy.
  • Right to rectification (Article 16 GDPR): to have any inaccurate or incomplete data corrected.
  • Right to erasure (Article 17 GDPR): to request the deletion of their data, subject to legal retention obligations.
  • Right to restriction of processing (Article 18 GDPR): to request the temporary suspension of the processing of their data.
  • Right to data portability (Article 20 GDPR): to receive their data in a structured, commonly used, and machine-readable format.
  • Right to object (Article 21 GDPR): to object at any time to the processing of their data based on legitimate interest, particularly for commercial prospecting purposes.
  • Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before this withdrawal.
  • Right to define directives regarding the fate of their data after their death (Article 85 of the Data Protection Act).

6.1 — Procedures for Exercising Rights

The Client can exercise their rights at any time by sending a request:

The Provider commits to respond to any request within one (1) month from its receipt.

This period may be extended by an additional two months in the case of a complex or multiple request, after informing the Client.

A form of identification may be requested to verify the identity of the requester and prevent any fraudulent requests.

6.2 — Right to File a Complaint with the CNIL

If the Client believes that the processing of their personal data is not in compliance with applicable regulations, they have the right to file a complaint with the National Commission for Informatics and Liberties (CNIL):

  • Website: https://www.cnil.fr
  • Postal address: CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07

ARTICLE 7 — DATA SECURITY

Luma implements all appropriate technical and organizational measures to ensure the security and confidentiality of the Client's personal data, in accordance with Article 32 of the GDPR.

These measures include, in particular:

  • The encryption of sensitive data (passwords, banking data) in transit and at rest.
  • Hosting of data on secure Amazon Web Services servers, certified to ISO 27001 and SOC 2.
  • Restriction of access to data to authorized personnel only, based on the principle of least privilege.
  • Implementation of regular backup procedures and business continuity plans.
  • Continuous monitoring of systems to detect any intrusion or security incident.

In the event of a personal data breach that may pose a risk to the rights and freedoms of the Client, Luma commits to inform the CNIL within 72 hours of its discovery, in accordance with Article 33 of the GDPR, and to notify the affected individuals as soon as possible if the risk is high.

ARTICLE 8 — MINORS' DATA

The Luma platform is exclusively intended for adults (aged 18 years or older).

Luma does not knowingly collect any personal data from minors.

If a minor were to register by circumventing this restriction, their data would be deleted as soon as Luma becomes aware of it.

Any parent or legal guardian aware of such a situation is invited to contact Luma at contact@luma.coach.

ARTICLE 9 — COOKIES AND TRACKERS

This Privacy Policy should be read in conjunction with Luma's Cookie Policy, available on the Site at the Cookies Policy page, which details the types of cookies used, their purposes, their lifespan, and the methods for accepting or rejecting them.

ARTICLE 10 — DATA PROCESSING BY ELIA

The virtual coach Elia is powered by artificial intelligence technology.

The Client's exchanges with Elia are processed and retained to ensure continuity, coherence, and personalization of coaching.

These data are only used to improve the Client's experience on the platform and are never used to train third-party AI models without the Client's prior explicit consent.

The Client is informed that Elia's responses are generated automatically and do not constitute medical, psychological, or therapeutic advice.

In case of serious emotional distress, the Client is encouraged to consult a qualified health professional.

ARTICLE 11 — CHANGES TO THE POLICY

Luma reserves the right to modify this Privacy Policy at any time, particularly to comply with any regulatory, jurisprudential, or technical developments.

Changes take effect as soon as they are published on the Site.

In case of a substantial modification affecting the Client's rights, the Client will be informed by email with reasonable notice.

Continued use of the platform after the changes take effect constitutes acceptance of the new policy.

The version in effect is the one dated at the top of this document.

Previous versions are archived and available upon request from customer service.

— End of the Privacy Policy —

LUMA — Version of April 13, 2026
