Privacy Policy

Last updated: August 2025

This Privacy Policy details the policy of HOLICARE SAS ("HOLICARE"), the data controller for personal data on the website www.holicare.com (the "Website") and on the HOLICARE Platform (the "Platform").

This Policy applies to all information you provide to us or that we collect during your browsing on the Website and your use of the Platform, in accordance with the personal data regulations in force in France, notably Law No. 78-17 of January 6, 1978, on Information Technology, Data Files, and Civil Liberties, known as the "Informatique et Libertés" law, and EU Regulation 2016/679 of April 27, 2016, on data protection, known as the "GDPR".

The purpose of this Privacy Policy is to inform people using the Website and the Platform (hereinafter the "Users"):

• how we collect, use, and share the personal data we collect or may collect (I);

• about the information, which may include personal data, that we collect using "cookies" (II).

We reserve the right to modify this Privacy Policy. By browsing the Website and the Platform, you are deemed to have read and accepted this Privacy Policy in its current version. If changes to the Privacy Policy involve significant modifications to data processing based on your consent, HOLICARE will inform you by email and request your consent again via a dedicated checkbox. HOLICARE will specify in this email the consequences of your potential refusal of these processing changes.

1. Who is responsible for your personal data?

The data controller, who collects and manages your data, is the company HOLICARE, a simplified joint-stock company with a share capital of €248,084.20, registered with the Nanterre Trade and Companies Register under no. 893 088 377, whose registered office is located at 9 rue d’Alsace Lorraine, 92160 Antony, France.

2. What personal data is collected?

Personal data constitutes any information relating to an identified physical person or one who can be identified directly or indirectly (hereinafter "Personal Data").

HOLICARE commits to collecting only data that is relevant, adequate, and limited to what is necessary in relation to the purposes for which they are processed.

During your browsing on the Website, HOLICARE will collect the following categories of data:

• Identification data: last name, first name, age, gender, personal email address.

• Personal life: lifestyle habits.

• Professional life: type of position held, professional situation.

• Connection data: IP addresses, connection logs, device identifiers, login identifiers, timestamp information.

• Health data: physical and mental health status, past and present. The specific consent of the data subjects is collected by HOLICARE during registration on the platform via a separate checkbox.

• Information stored on your device: Cookies. For more details, please consult our Cookie Policy.

When you register on the Platform, HOLICARE collects the following data:

• Identity data: last name, first name, email, gender, birth year, department.

• Professional life: Teams, Manager status, Seniority, Work arrangement.

As well as any Personal Data you may provide to us during our exchanges if you contact us directly by email, mail, or telephone.

You agree to provide updated and valid personal identification data as part of the information required on the Website, and guarantee not to make any false declarations or provide any erroneous information.

3. How is your Personal Data collected?

Data concerning you is collected from you during your logins, account creation, and exchanges with HOLICARE (inquiries, emails, etc.).

Your Personal Data may be collected in the following cases:

• Registration form,

• Contact form,

• Various questionnaires present on the HOLICARE platform.

Your professional email address may be collected by HOLICARE from your employer.

Your answers to certain questionnaires, notably the HOLITEST questionnaire, are mandatory. Otherwise, you will not be able to access the HOLICARE platform.

4. For what purposes is your Personal Data collected?

4.1. Generalities The mandatory Personal Data collected on the Website is the data strictly necessary for processing your requests.

4.2. Purposes and legal bases of processing HOLICARE is responsible for the processing of Personal Data carried out via its services. Your various data is collected by HOLICARE to ensure:

• The management of your user account, based on the execution of the GCU linking you to HOLICARE;

• The management of the HOLICARE assessment questionnaires, based on your express and specific consent collected via a checkbox at the time of your registration on our platform;

• The management of relations with HOLICARE's partner health professionals and access to preventive and curative pathways, based on the execution of the GCU linking you to HOLICARE;

• The sending of commercial information regarding its services, based on HOLICARE's legitimate interest, unless you object.

HOLICARE commits to using all means at its disposal to ensure the security and confidentiality of your Personal Data for each purpose, in compliance with applicable regulations.

5. Who has access to your Personal Data?

5.1. Only authorized persons, bound by professional secrecy, as listed below have access to your Personal Data:

• HOLICARE personnel: Your Personal Data is intended for persons duly authorized to process it within HOLICARE based on their duties.

• HOLICARE's partner health professionals processing Personal Data on its behalf. These recipients are bound by medical confidentiality.

• HOLICARE's subcontractors: As part of its activities and the provision of its services, HOLICARE uses the following subcontractors acting in the name and on behalf of HOLICARE: hosting providers, IT service providers, Cloud solution providers. These present sufficient guarantees regarding the implementation of appropriate technical and organizational measures to ensure the security and confidentiality of your Personal Data.

In accordance with the GDPR, HOLICARE requires its subcontractors to present sufficient guarantees regarding the implementation of technical and organizational measures to ensure the security and confidentiality of your Personal Data. HOLICARE uses subcontractors located in countries offering an adequate level of protection because they benefit from an adequacy decision by the European Commission (meaning they have been recognized as presenting sufficient guarantees by the European Union).

HOLICARE commits not to transfer your Personal Data outside the European Union and countries benefiting from adequate protection, whether directly or indirectly through its subcontractors.

5.2. HOLICARE may also be required to communicate your Personal Data to judicial or administrative authorities to comply with a legal or regulatory requirement, a subpoena, warrant, judgment, or order, or if such disclosure is necessary for an authority asserting its legitimate authority to obtain the information as part of an investigative mission or procedure, either nationally or abroad.

6. How long is your Personal Data kept?

HOLICARE keeps your Personal Data for the time strictly necessary to fulfill the purposes for which it is collected and processed.

• The Personal Data you communicate to HOLICARE during your registration to access the service, and the HOLITEST questionnaire Data, are kept for a maximum period of 2 years following our last contact.

• Personal Data communicated to HOLICARE as part of answers to other questionnaires – including the communicated health data – are kept for a maximum period of 2 years following our last contact.

• Personal Data communicated that is necessary for the care pathway is kept for the duration of this pathway, then, at the end of the pathway, each patient file is transferred to an "end of pathway" folder of each coordinating nurse ("IDEC") (accessible only by the IDEC and the HOLICARE Medical Director).

Beyond these periods, your Personal Data is archived with supervised, limited, and justified access for the time necessary (i) to comply with HOLICARE's legal and regulatory obligations, and/or (ii) to allow it to assert a legal right, before being permanently deleted. It is specified that the HOLICARE Medical Director purges all "end of pathway" files once a year and transfers them to an archive database, accessible only by the HOLICARE Medical Director.

By analogy with the CNIL's recommendations regarding the medical and administrative management of patients in private medical practices, Personal Data, including health data and "end of pathway" files, are kept in the archive database for a maximum period of 15 years under security conditions equivalent to those of the Platform.

7. How does HOLICARE ensure the security and confidentiality of your Personal Data?

HOLICARE commits to processing your Personal Data in a manner that is: a) lawful, b) fair, c) transparent, d) proportionate, e) relevant, f) strictly within the framework of the pursued and announced purposes, g) for the duration necessary for the implemented processing, h) secure.

HOLICARE and its subcontractors implement and update appropriate technical and organizational measures to ensure the security and confidentiality of your Personal Data by preventing it from being distorted, damaged, or communicated to unauthorized third parties.

HOLICARE has implemented the necessary measures regarding the sensitivity of the data processed to guarantee its security and prevent, in particular, its disclosure to unauthorized third parties.

Regarding the "Holicare self-assessment questionnaire", HOLICARE uses Google Cloud, which holds the certification for personal health data hosts (HDS) for hosting health data.

8. Future of data in the event of a merger/acquisition or merger/absorption of HOLICARE

In the event of a merger/acquisition or merger/absorption, HOLICARE will inform you prior to the operation and the transmission of your personal data to the new entity.

9. What are your rights regarding your Personal Data?

You may, upon simple written request, access the Personal Data concerning you, request its modification or rectification, or demand to no longer be included in HOLICARE's database.

In accordance with Article 15 of the GDPR, the right of access allows you to query HOLICARE to obtain (i) the communication of your Personal Data in an accessible form, (ii) confirmation as to whether or not your Personal Data is being processed, (iii) communication of the purposes of the processing, the categories of Personal Data processed, and the recipients to whom your Personal Data is disclosed, and (iv) the retention period for your Personal Data or the criteria used to determine that period.

In accordance with Article 16 of the GDPR, the right to rectification grants you the right to demand that HOLICARE rectify, complete, or update your Personal Data when it is inaccurate, incomplete, ambiguous, or outdated.

Under the conditions set out in Article 17 of the GDPR, you have the right to erasure of your Personal Data, allowing you to ask HOLICARE to erase your Personal Data without undue delay, particularly when it is no longer necessary in relation to the purposes for which it was collected. Certain previously collected data may, however, not be erased if such deletion is likely to render impossible or seriously impair the achievement of the objectives of the aforementioned Study.

You also have the right to restriction of processing of your Personal Data in the cases listed in Article 18 of the GDPR. You may thus request that your Personal Data be kept solely for the purpose of:

• verifying the accuracy of the Personal Data you contest,

• serving you in the establishment, exercise, or defense of legal claims, even though HOLICARE no longer needs it,

• verifying whether the legitimate grounds pursued by the data controller override yours in the event you object to processing based on HOLICARE's legitimate interest,

• satisfying your request to restrict the use of your data - rather than erasure - in the event the processing of your data is unlawful.

In the circumstances set out in Article 20 of the GDPR, you have the right to data portability, allowing you, where applicable, to retrieve from HOLICARE the Personal Data you have provided to it, in a structured, commonly used, and machine-readable format, to transmit it to another data controller.

In accordance with Article 21 of the GDPR, you have the right to object to the processing of your Personal Data at any time and without having to justify your decision, by any means addressed to HOLICARE.

Finally, you have the right, at any time, to withdraw your consent to the processing for which it was collected.

HOLICARE will provide information on actions taken to the person exercising one of these rights without undue delay and in any event within one (1) month of receipt of the request. That period may be extended by two (2) further months where necessary, taking into account the complexity and number of the requests.

If HOLICARE does not take action on the request, it will inform the person without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The exercise of these rights is free of charge. However, in the event of a manifestly unfounded or excessive request, HOLICARE reserves the right to (i) charge a reasonable fee taking into account the administrative costs, or (ii) refuse to act on the request.

10. How to exercise your rights

If you wish to exercise any of these rights, you can contact HOLICARE's Data Protection Officer by email at dpo@holicare.fr or by registered letter with acknowledgment of receipt addressed to HOLICARE: 9 rue d’Alsace Lorraine, 92160 Antony, France. Your request must:

• Not concern a person other than yourself (spouse, colleague, etc.),

• Specify the data to which the request relates.

In the event of a persistent disagreement concerning your Personal Data, you have the right to refer the matter to the CNIL at the following address: Commission Nationale de l'Informatique et des Libertés: 3 Place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07.

11. What are your recourses in the event of a data breach?

In the event of a personal data breach likely to result in a risk to your rights and freedoms, HOLICARE will notify the breach to the CNIL without undue delay, and, where feasible, not later than 72 hours after having become aware of it. When a personal data breach is likely to result in a high risk to the rights and freedoms of a User, HOLICARE shall communicate the breach to the User without undue delay, subject to the exceptions provided for in Article 34 of the GDPR.

Without prejudice to any other administrative or judicial remedy, a User who considers that the processing of their Personal Data infringes the provisions of current legislation may lodge a complaint with a competent supervisory authority such as the Commission Nationale de l’Informatique et des Libertés (CNIL).

12. Cookie Management

When browsing the Website www.holicare.com, cookies are deposited on your device. To learn about HOLICARE's cookie management policy, you can consult the HOLICARE Cookie Policy.