PRIVACY NOTICE

INTRODUCTION

1. IMPORTANT INFORMATION AND WHO WE ARE

   PURPOSE OF THIS PRIVACY NOTICE

   This Privacy Notice aims to give you information on how we collect and process your personaldatathrough your use of the Service, including any data you may provide through Reading Device or byusing other services of our partners.

   The Services are not intended for children under 16 and we do not knowingly collect datarelating tochildren. Users must be at least 16 years old to register for a Services Account to use theServices. If a parent or guardian believes that we have in our database the personal informationofa child under the age of 16, please contact us using the contact details as provided in Section 10, and we will use our best efforts to remove theinformation from our records.

   It is important that you read this Privacy Notice together with any other privacy notice or fairprocessing notice we may provide on specific occasions when we are collecting or processingpersonaldata about you so that you are fully aware of how and why we are using your data. This PrivacyNotice supplements the other notices and is not intended to override them.

   If you do not agree with this policy, do not access or use our Services or interact with anyotheraspect of our business.

   CONTROLLER

   Vivlio, société par actions simplifiée, registered at the Lyon company registry under number 532570 397, whose registered office is located at 26 rue Berjon 69009 Lyon - France, is thecontrollerand responsible for your personal data (referred to as “we”, “us” or “our” in this PrivacyNotice).

   If you have any questions about this Privacy Notice, including any requests to exercise yourlegalrights under the GDPR, please contact us using the contact details as provided in Section 10.

   CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

   By this Privacy Notice we want to ensure you that we are working on our Services to make themcompliant with the requirements of the GDPR.

   We may revise the provisions of this Privacy Notice as necessary. The latest version of thePrivacyNotice will govern the terms of use of your personal data by us and it will remain published athttps://my.vivlio.com/privacy-policy.

   THIRD-PARTY LINKS AND PLUG-INS

   Services may have links and plug-ins to third-party websites, social networks services, plug-insandapplications. Clicking on those links or plug-ins or enabling those connections may allow thirdparties to collect or share data about you. We do not control these third-party websites, socialnetworks services plug-ins and applications and are not responsible for their privacystatements.

2. THE DATA WE COLLECT ABOUT YOU

   Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where an individual can no longer be identified directly or indirectly (anonymous data).

   When you connect to Wi-Fi from your Reading Device or from any Supported Device we can collect such non-identifying information concerning the Services:

   • Your e-mail address for authentication purposes. Subject to your prior expressconsent, we may also use your e-mail address to provide you with our newsletter. You have theoptionat any time to refuse the sending of newsletters by means of the corresponding link in thenewsletter or by contacting use at the contact details provided at Section 10. The email address will then be deleted from ourdistribution list.
   • Technical Data your login data, time zone setting and location, browser plug-intypes and versions, operating system and platform and other technology on the devices you use toaccess this website.
   • Usage Data includes information about how you use our Services. By Usage Datawemean information about what feature you use and how. Example includes, but not limited to, whichbutton you press, what language settings you use, your library settings. We also collectinformationabout content usage. Example includes, but not limited to, last read position in a book,completedbooks. We collect this information to provide better Services for you. We also use it tounderstandof your usage preference which gives us the opportunity to develop and produce better Services,withhigher reliability, usability, compressed functionality and easy startup.
   • Location Data subject to your prior informed and unambiguous consent. We maycollect the location data of your Services for the purpose of personalization of the DigitalContents and Services.

3. SPECIFIC DATA IN RELATION WITH THE SERVICES

   1. Cookies
      1. For our online services we use the cookie technology. Cookies are small text files which are stored on your device using your browser and which allow certain information to come (here by us). Cookies cannot run any program or bring viruses on your computer. We use cookies to make our websites user-friendly and efficient.
      2. We use temporary and persistent cookies. Temporary cookies are deleted automatically when you close your browser. They include in particular the session cookies. The latter are so called the session ID which attributes different requests of your browser to the common session. They help to remember your device for your repeat visits to our website. The session cookies are deleted when you log out or close your browser. Persistent cookies are stored on your device between the browser sessions so we remember your preferences and activities within our websites. Persistent cookies are deleted after a specified period (here one day). You can delete cookies in the security options of your browser at any time.
      3. We also use technical cookies to help us identifying your Reading Device or Supported Device to recognize you as a previous user and to save preferences you have determined in the course of your previous access to the Services. For instance, we can save your connection information so you do not need to log in every time you access the Services.
      4. Furthermore, we use cookies to measure the reach and monitor statistics of our Services’ traffic, notably as explained in Clause below about usage of Google Analytics.
      5. The following table lists the various cookies we use on our Services:

         Cookie issuer	Cookie name	Cookie purpose
         Google	_ga	Google Analytics
         Vivlio	PHPSESSID	Authentication

      6. You can set your browser settings according to your preferences and to decline for example the cookies of the third providers or all cookies. However, please note that if you do this, you may not be able to use the full functionality of our online services.
      7. You may refuse the use of cookies for measuring the coverage and displaying the advertising by selecting the deactivation on the Network Advertising Initiative ( http://optout.networkadvertising.org/) and additionally on the US website (http://www.aboutads.info/choices) or European website ( http://www.youronlinechoices.com/uk/your-ad-choices/).
   2. Google Analytics
      1. Based on our legitimate interests (that is the interests to the analytics, optimization, and commercial operation of our online services in compliance with Art. 6 (1) lit. f) GDPR) we use Google Analytics, a web analytics service from Google LLC (“Google”). Google uses cookies. The information generated by the cookies about your use of the online services will be transmitted to and stored by Google on servers in the United States. Google is certified under the Privacy Shield Framework and can ensure they respect the European Data Protection Legislation. ( https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
      2. Google uses this information on our behalf to analyze your use of our online services in order to compile reports on website activities and provide to us additional services as to our online services and internet usage.
      3. We use Google Analytics only with activated IP anonymization. It means that Google will shorten IP addresses of the users within the Member States of the European Union or in other Member States of the Agreement on the European Economic Area. Only in exceptional cases the full IP address is transmitted to a Google server in the USA and shortened there.
      4. The IP address transmitted by your browser is not merged with other Google data. The users can prevent the storage of cookies by making the proper setting using their browser software. In addition, the users can prevent Google from recording the data related to usage of the data related to our online services generated by the cookies and from processing this data by downloading and installing the browser plugin available at:  https://tools.google.com/dlpage/gaoptout?hl=de.
      5. Third party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms of Service:  http://www.google.com/analytics/terms/de.html, General overview on privacy principles:  http://www.google.com/intl/de/analytics/learn/privacy.html, as well as Google’s Privacy Policy:  http://www.google.de/intl/de/policies/privacy.
   3. Facebook Marketing Services
      1. Based on our legitimate interests to analytics, optimization and commercial operation of our online services and for these purposes we use “Facebook Pixel” tool of social network Facebook which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 (“Facebook”). Facebook is certified according to Privacy Shield Framework and ensures herewith to respect the European Data Protection Law ( https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=A...).
      2. By using Facebook Pixel Facebook allows defining the users of our online services as a target group for displaying the advertising (so called “Facebook Ads”). Accordingly, we use Facebook Pixel to display the Facebook Ads switched on by us only to those Facebook users who are interested in our online services or show some features (e.g. interests in certain topics or products determined based on the visited websites) which we transmit to Facebook (so called “Custom Audiences”). By using Facebook Pixel we want to be sure that our Facebook Ads meet the potential user’s interest and are not annoying. Moreover, with Facebook Pixel we can track the efficiency of Facebook advertising messages for the purposes of statistics and market research by viewing the users go on to click the Facebook advertising (so called “Conversion”).
      3. Facebook processes the data within the framework of Facebook’s Data Policy. You can find general information about displaying the Facebook’s Ads in Facebook’s Data Policy:  https://www.facebook.com/policy.php. Specific information and details about Facebook Pixel and functions in Help Center on Facebook: https://www.facebook.com/business/help/651294705016616.
      4. You may refuse from collection of your data with Facebook Pixel and usage thereof to display Facebook Ads. To set up the type of advertising to be displayed by Facebook you can open the page established by Facebook and follow the instructions how to set up the customized advertising:  https://www.facebook.com/settings?tab=ads. The settings are platform independent, they are picked up by all devices such as desktop computers or mobile devices.

4. HOW IS YOUR DATA COLLECTED?

   We use Automated technologies or interactions as the method to collect data from and about you. As you interact with our Services, we may automatically collect Technical and Usage Data about your use of the Services. This is information, which can be collected from your Reading Device or Supported Devices only if you connect to Wi-Fi.

5. HOW WE USE YOUR PERSONAL DATA

   Reading Device itself does not collect any personal data. Only in case you login through it to our other Services listed in Section 2 The data we collect about you Services will collect your personal data.

   PURPOSES FOR WHICH WE WILL USE YOUR DATA
   We have set out below, in a table format, a description of all the ways we plan to use data we collect from your Reading Device, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

   NOTE that we do not collect any personal data if you use only Reading Device without use of any from our Services.

   Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
   To use data analytics and statistics to improve our Services and make your reading experiences better	(a) Technical (b) Usage	Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Services updated and relevant, to develop our business)
   To make you book recommendations	Usage	Necessary for us to make you your personalized recommendation for your book preferences.
   To personalize the Digital Contents and the Services (eg. language)	Location	Necessary for us to make you your personalized recommendation for your book preferences or Services preferences.
   To enable authentication to our Services. Newsletter	E-mail address	Necessary for the performance of the Services (authentication to the Services) Your consent for the sending of newsletter

6. DISCLOSURE OF YOUR PERSONAL DATA

   We do not collect person-identifying data via Reading Device that’s why we do not disclose it to anyone.

   We may share your personal data with third-party business partners, providers, vendors or contractors acting on our behalf and under our instructions, whether located inside and outside of the European Union (“EU”) or the Economic Area (“EEA”), for the purposes of operating the Services, sending marketing and other communications related to our business, and for other legitimate purposes permitted by applicable law or otherwise, and when needed, with your consent.

   Therefore, we may share your personal data in the following ways:

   • With our business partners, vendors in order to provide or improve our Services. Examplesinclude,but are not limited to: Publishers, eBook content providers and our resellers.
   • With our service providers, authorized third-party agents or contractors to provide ourServices.Examples include PocketBook, the developer of the Reading Device.

   Where mandated or permitted by applicable law, regulation or legal process, we will disclose your personal data to law enforcement officials, government authorities or other third parties, located inside and outside of the EU/EEA, where such disclosure is in accordance with due process of law and binding upon us, to the extent necessary to comply with legal process or meet our national security requirements, protect our rights, property or safety, our business partners, you, or others.

7. INTERNATIONAL TRANSFERS

   By using Services, you authorize us to transfer and store your information outside the European Union, for the purposes described in this policy.

   We take additional measures when personal data is transferred outside of the European Economic Area (EEA). This includes having standard clauses approved by the European Commission in our contracts with parties that receive information outside the EEA. We also rely on European Commission adequacy decisions about certain countries, as applicable, for data transfers to countries outside the EEA.

8. DATA SECURITY

   We have put in place appropriate security measures to prevent your data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your data to the employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

   We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. DATA RETENTION

   HOW LONG WILL YOU USE MY PERSONAL DATA FOR?
   We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

   To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your data, the purposes for which we process your data and whether we can achieve those purposes through other means, and the French legal requirements and statute of limitation.

   In some circumstances you can ask us to delete your data: see Request erasure below for further information.

   In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

10. YOUR LEGAL RIGHTS

    Under certain circumstances, you have rights under data protection laws in relation to your personal data. As a user of our Services you have such rights:

    Access, free of charge, obtain a paper or electronic copy, review, correct and update all your personal data stored by us, notably to confirm its accuracy.

    Subject to any relevant legal requirements and exemptions, limit the processing of your personal data or request that certain of your personal data be deleted from our files.

    If you reside within the EU, you may also exercise you right to portability of your personal data where the lawful basis for the processing is (i) (a) a contract or (b) your consent and (ii) by automated means. Please note that such a request could be limited to the sole personal data you provided us with or that we hold at that given time and subject to any relevant legal requirements and exemptions, including identity verification procedures.

    Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

    Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

    Subject to your choices, we may also send you marketing communications via email. In addition to the “unsubscribe” link contained in each of our e-mail marketing communications, you may opt-out freely and at any time of receiving our newsletters or other e-mail marketing communications from us by contacting us using the contact details provided in Section 10.

    We may send you service communications relating to the products or services we provide you via email (e.g. to inform you about changes to the product or service you requested from us, revisions of our terms and conditions or this Policy). As such service communications are necessary for the purposes of providing you with our products or services or complying with our legal obligations, you will not be able to opt-out from receiving them.

    If you wish to exercise any of the rights set out above, please contact us by using the contact details as provided in Section 10.

    NO FEE USUALLY REQUIRED
    You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

    WHAT WE MAY NEED FROM YOU
    We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

    TIME LIMIT TO RESPOND
    We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

11. CONTACT INFORMATION

    For any request or in the event of a dispute between you and us, related to the processing of your personal data, you may address your request or complaint to Vivlio by following our process available at https://my.vivlio.com/contact or by contacting us at the e-mail address privacy@vivlio.com or at the postal address 26 rue Berjon 69009 Lyon – France.

    We will endeavor to find a satisfactory solution to ensure compliance with the applicable privacy regulation.

    If we do not respond or if the dispute persists despite our proposal, you may file a complaint with the Commission nationale de l’informatique et des libertés (“CNIL”) or the supervisory authority of the European Union Member State in which you are located.