Legal

Privacy Policy

Last updated: May 2025

01 — General provisions

This Privacy Policy defines the procedure for processing and protecting personal data of individuals using the services of Tapilla SAS (hereinafter referred to as 'the Operator'). This Policy is developed in accordance with Federal Law No. 152-FZ 'On Personal Data' dated 27.07.2006 (as amended), as well as the General Data Protection Regulation (GDPR) for users from the European Union. Tapilla SAS is a web and e-commerce agency with registered offices in Paris and Lyon, France.

02 — Purpose of personal data processing

The Operator processes personal data for the following specific purposes: • Processing inquiries and applications submitted through the contact form • Communication regarding projects and services • Concluding and executing contracts • Sending newsletters (with separate consent) • Complying with legal obligations • Improving website functionality and user experience Processing is carried out only for the purposes specified at the time of data collection.

03 — Categories of personal data processed

We process the following categories of personal data: • Identification data: full name, job title • Contact data: email address, phone number • Communication data: messages, project details, inquiries • Technical data: IP address, browser information, cookies, visit history We do not process special categories of personal data (biometric, health, etc.) unless explicitly required by law.

04 — Legal basis for processing

Processing of personal data is carried out on the following legal bases: • Consent of the data subject — for newsletter subscriptions, marketing communications, and non-essential cookies • Contractual necessity — for fulfilling contracts and pre-contractual obligations • Legitimate interest — for fraud prevention, security, and improving services • Legal obligation — when required by applicable laws Consent is obtained as a separate document and can be withdrawn at any time by contacting hello@tapilla.com.

05 — Processing methods and storage periods

Personal data is processed using automation tools and/or without using such tools. Storage periods: • Contact form data: 3 years from last interaction • Contract data: duration of contract + 5 years (legal requirement) • Cookie data: up to 13 months from last visit • Analytics data: 26 months Data is destroyed or anonymized upon expiration of storage periods or upon withdrawal of consent, unless otherwise required by law.

06 — Rights of data subjects

You have the following rights regarding your personal data: • Right to access — obtain confirmation of processing and a copy of your data • Right to rectification — correct inaccurate or incomplete data • Right to erasure ('right to be forgotten') — delete data when no longer necessary • Right to restriction — limit processing in specific circumstances • Right to data portability — receive data in a structured format • Right to object — object to processing based on legitimate interest • Right to withdraw consent — at any time without affecting prior lawful processing To exercise these rights, contact us at hello@tapilla.com.

07 — Transfer of personal data to third parties

We may transfer personal data to third parties in the following cases: • Service providers: EmailJS (email delivery), Vercel (hosting) • Legal authorities: when required by applicable laws or court orders • Successor entities: in case of merger, acquisition, or asset sale All third parties are bound by confidentiality obligations and data protection requirements. We do not sell or rent personal data to third parties for marketing purposes.

08 — Cross-border data transfer

Personal data may be transferred to and processed in countries outside your country of residence, including the United States (hosting services). We ensure appropriate safeguards for such transfers: • Standard Contractual Clauses (SCCs) approved by the European Commission • Adequacy decisions for countries recognized as providing adequate protection • Technical security measures (encryption during transmission) For Russian data subjects: we minimize cross-border transfers and process data primarily within the EEA when possible.

09 — Data protection measures

We implement comprehensive technical and organizational measures to protect personal data: • Technical measures: TLS/SSL encryption, secure hosting, access controls, regular security audits • Organizational measures: staff training, confidentiality agreements, limited access on need-to-know basis • Incident response: procedures for detecting, reporting, and investigating data breaches In case of a data breach, we will notify affected users and competent authorities as required by law within 72 hours.

10 — Cookies and tracking technologies

Our website uses cookies and similar technologies: • Essential cookies: necessary for website functionality (session management, security) • Analytics cookies: Google Analytics 4 with IP anonymization to understand website usage • Preference cookies: remember your settings and choices You can manage cookie preferences through the banner displayed on your first visit or via browser settings. Non-essential cookies require your consent before activation.

11 — How to exercise your rights

To exercise your rights regarding personal data: 1. Send a request to hello@tapilla.com with subject line 'Data Subject Request' 2. Include your full name and contact information for verification 3. Specify which right you are exercising and provide details 4. We will respond within 30 days (may be extended to 60 days for complex requests) There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

12 — Withdrawal of consent

You may withdraw your consent to personal data processing at any time: • For newsletter subscriptions: click 'Unsubscribe' in any email or email hello@tapilla.com • For cookie consent: clear browser cookies or adjust browser settings • For general consent: email hello@tapilla.com with subject 'Withdraw Consent' Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. We will stop processing your data for the purposes covered by the withdrawn consent, unless another legal basis applies.

13 — Updates to this policy

We may update this Privacy Policy periodically to reflect changes in: • Legal requirements and regulations • Our data processing practices • Services and features offered The current version is always available at tapilla.com/privacy-policy. We will notify users of significant changes via email or website notice. The date of the last update is indicated at the top of this policy.

14 — Contact information

For any questions regarding this Privacy Policy or personal data processing: Tapilla SAS Email: hello@tapilla.com Address: 1 Rue de Rivoli, 75001 Paris, France For Russian data subjects: You may also contact the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) regarding compliance with Russian personal data legislation.

15 — Liability and applicable law

The Operator is responsible for compliance with personal data protection legislation. Applicable law: • For EU residents: General Data Protection Regulation (GDPR) • For Russian residents: Federal Law No. 152-FZ 'On Personal Data' • For other jurisdictions: applicable local data protection laws The Operator's liability is limited to cases of willful misconduct or gross negligence. Users are responsible for providing accurate and up-to-date information.

16 — Policy effective date

This Privacy Policy comes into force on May 17, 2025 and applies to all personal data processing activities carried out by Tapilla SAS from that date forward. This Policy replaces all previous versions of the Privacy Policy. By using our website and services after this date, you acknowledge and agree to this Privacy Policy.