Scaleflex SAS and its related entities and subsidiaries (“Scaleflex”) understands that visitors to our website (“the Website”), potential customers, and Users of Scaleflex products (“Products”) care about how their information is collected, used, processed, transferred, stored, and shared. Also, as a European company, we are legally obligated to comply with EU data privacy regulations. This Global Privacy Policy describes Scaleflex’ commitment to protecting your privacy. It forms a part of our Website Terms of Use, Trial Terms of Use, and Standard Terms of Service, and all other documents incorporated therein (“Terms”). Any capitalized terms not defined in this Global Privacy Policy are defined as set out in the Terms.

Please familiarize yourself with this Global Privacy Policy. This Global Privacy Policy is formally reviewed annually and is updated as often as necessary. Updates will be posted publicly on the Website. If we make substantive changes to the purposes and policies set out here, we will update this page and we will inform Product Users by email or in-application notification.

This Global Privacy Policy provides information on how Scaleflex handles data as a data controller, meaning all data we process for our own purposes. Where Scaleflex is a processor or a sub-processor of data, that activity is generally governed by a Data Processing Agreement.

1. What We Collect and How We Use It

1.1 Website

When you visit the Website, you are not required to actively provide any information, but we may collect some of your Personal Data and Navigation Information, as set out in Section 1.3 below. We collection some Personal Data, and we may collect some Navigation Information, when you contact us via the Website chat function, sign up to download or receive information from us, or sign up to use our Products. Some information is collected via the Website using cookies. See our Cookies Policy.

1.2 Scaleflex Products

We may collect Personal Data and Navigation Information from Users of our Products to help us provide, administer, and improve our Products. In order to use the Products, you will need to provide your full name and email address to us. To make changes to the permissions you give us, please visit your Scaleflex User profile.

1.3 Collected Data

“Personal Data” refers to any information that can be used to identify you personally. For our purposes, this may include your (first and last) name, email address, User ID, company name, address, phone number and information about you that is publicly available online via sites like Facebook, LinkedIn, Twitter, and Google, data you write in a contact form, your project role, your uploads, your preferences and your account settings.

“Navigation Information” refers to information about your computer, device, visits to the Website, and use of the Products. For our purposes, this includes which website you visited prior to visiting us or which link or campaign you clicked on to reach our website, your IP address, geographical location (city and/or country), browser type and version, ISP information, referral source, length of visits, pages viewed, language preferences and heat mapping.

In some cases Navigation Information may also be Personal Data.

Generally, we may use your Personal Data and Navigation Information for the following purposes:

(a) Personalizing the Website for the legitimate purpose of improving your browsing experience. We retain Personal Data processed for this purpose until your browsing session with us has ended or until such time as you no longer have a profile with us;

(b) Managing your Scaleflex account in performance of our agreement. We retain Personal Data processed for this purpose until we receive an actionable request to delete a User’s Personal Data, or in the case of termination or expiration of our agreement with a customer, we delete Personal Data as agreed in the Terms;

(c) Understanding User preferences for the legitimate purpose of improving our Products. We may retain Personal Data processed for this purpose until you withdraw your consent;

(d) Linking your information to learn your preferences and those of people like you for the legitimate purpose of improving our offerings. We may retain Personal Data processed for this purpose until you withdraw your consent; and

(e) Contacting you for direct marketing purposes. We may retain Personal Data processed for this purpose until you withdraw your consent.

1.4 Supporting Suppliers

The Website and Products integrate some services provided by third parties. We may share some of your information with these suppliers so they can provide their services, including payment processing, removing repetitive information from prospect lists, analyzing data, marketing support, customer and/or User profiling, business development, and customer service.

To ensure that your Personal Data is collected, processed, used, stored, and transferred securely and in accordance with applicable law, Scaleflex uses third parties that provide sufficient guarantees to implement appropriate technical and organizational measures to protect your information. For such third parties that may transfer Personal Data outside the European Economic Area, Scaleflex confirms that it implements appropriate safeguards for such transfers (e.g. EU Standard Contractual Clauses, and binding corporate rules).

Please note, the terms and privacy policies of such third parties may apply to you as well, in particular: Google Analytics, Google Optimize, Google Ads, Google Tag Manager, Google Recaptcha, Hotjar, Twillio, Stripe, Salesforce, Hubspot, Clearbit, and Zendesk. Your acceptance of applicable third party terms is required to access the Website and Products.

Disclaimer: This overview of supporting suppliers provides a current view. Scaleflex strives to keep this list as up to date as reasonably possible.

1.5 Third-Party Websites

The Website and Products may contain links to third party websites. Such links do not amount to an endorsement of such other websites. Scaleflex is not responsible for other websites.

1.6 Social Media Buttons

On our Website we may use the social media plug-ins from Facebook, Twitter, LinkedIn, Vimeo, and YouTube, each marked with its logo. Plug-ins are also used for the embedded video players on our Website. We have implemented these plug-ins using a two-click solution. When you surf on our Website, no information is initially collected by social media plug-ins. if you click on one of the plug-ins or videos will your information be transmitted. When you activate a plug-in, data is automatically transmitted to that provider. These social media platforms have their own data privacy policies.

1.7 Customer Testimonials

We publish customer testimonials on the Website or in other marketing materials which may contain some Personal Data. Scaleflex obtains consent from the customer and the featured individuals prior to publication. This consent may be withdrawn by email to privacy@scaleflex.com.

1.8 Information of Children

The Website and Products are for business use and are not intended for or targeted toward children under 16 (“Children”). We do not knowingly collect any information about Children. We encourage parents and legal guardians to monitor the internet usage of their Children and ensure they do not provide personal information to Scaleflex. If you believe that we have collected information about Children, please contact us at privacy@scaleflex.com so that we can delete the information.

1.9 We Do Not Sell Personal Data

We do not sell your Personal Data.

2. Personal Data Retention and Security

2.1 Retention of Personal Data

We retain Personal Data for as long as we reasonably consider it to be necessary for the purposes for which it was collected, after which time we will delete the information. You can request deletion of your Personal Data as described in Section 3 below.

2.2 Security of Personal Data

Data security is a matter of critical importance. Scaleflex uses a wide range of security measures to safeguard your data against unauthorized access and disclosure and we continually evaluate our security program to ensure its effectiveness. Amazon Web Services provides our servers and maintains them in high-security controlled environments pursuant to the AWS Cloud Security policy.

2.3 Transfer of Personal Data

As an international company with customers and Users worldwide, we may transfer and access Personal Data around the world, including to and from the United States. To comply with applicable law, we maintain strong data protection and privacy controls to protect your Personal Data during cross-border and international transfers, as well as during periods of storage in foreign countries (e.g. EU Standard Contractual Clauses, and binding corporate rules).

We believe that your essential privacy rights are not contingent on your nationality or residency. While applicable law always governs data privacy matters, we intend for this Global Privacy Policy to apply generally to Users and their Personal Data around the world. Nevertheless, privacy law is a constantly changing landscape so we reserve the right to deviate from this Global Privacy Policy where applicable law provides for a different approach.

2.3.1 Data Hosting Locality

Customers who purchase a paid subscription can choose where the image processing and caching will take place. We operate data centers in 3 locations: Canada, France and Singapore. Image processing can be limited to one or more of these data centers upon request. Similarly, customers can request only CDN nodes in specific regions to be used for delivering the images to their end users.

2.4 Required Disclosure of Your Personal Data

We may use or disclose your Personal Data if we reasonably determine that such use or disclosure is necessary to (a) protect our rights, operations, or Users; (b) comply with applicable laws, a valid court order, or other legal process; or (c) otherwise perform our contractual obligations with our customers.

We may transfer the data we control, including Personal Data, in the event of a company reorganization, merger, or sale.

3. Your Data and Your Rights

As a general matter, depending on local data protection laws, you have rights that may include:

Clear information on our processing of your Personal Data;

• Access your Personal Data that we hold, together with the right to have inaccuracies corrected;

• To have your Personal Data delivered to you in a standard electronic format;

• To object to our processing of your Personal Data, and to prevent solely automated decision making or profiling; and

• To restrict our processing of your Personal Data, or have your Personal Data deleted.

3.1 Exercising Your Rights

If you wish to exercise your rights with respect to your Personal Data, you can email your request to privacy@scaleflex.com or send postal mail to:

• Scaleflex SAS

• Attn: Copyright Agent / Legal Team – Privacy

• 53 Chemin de Beauregard

• 38330 Saint-Nazaire-Les-Eymes, France

We will generally respond to your request within 30 days.

If you wish to unsubscribe from an email list, please click the “unsubscribe” link found at the bottom of our emails. If you work for one of Scaleflex’ customers, the best course is to ask the customer to delete your Personal Data. If you want to raise a complaint about the way we process your Personal Data or the way we have handled a request, please contact us. You may file a complaint with the data protection authority of any country where you live or work or where Scaleflex operates.

Product Users can withdraw consent by adjusting their User profile settings in the Products. Please note that the collection, processing, use, sharing, storage, and transfer of your Personal Data may be necessary for you to make use of our services and that Scaleflex customers and Users cannot unsubscribe from important User emails.

4. EU General Data Protection Regulation (GDPR)

The GDPR is a new European privacy regulation which replaces the current EU Data Protection Directive (“Directive 95/46/EC”) on May 25th 2018. The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR.

The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.

4.1 Data minimisation

According to article 5, clause 1(c) of the GDPR text, Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”

We only collect and store data required for our service to run. We call these data the Service Data. Service Data is any information, including personal data, which is stored in or transmitted via the Scaleflex services, by, or on behalf of, our customers and their end-users.

5. California Consumer Privacy Act (CCPA) Supplement

The CCPA is effective January 1, 2020. If you are a resident of California, this supplement to the Global Privacy Policy sets out additional rights and information for you.

Many obligations under the CCPA are addressed in other provisions of the Global Privacy Policy. This Supplement is meant to fill in the gaps for California residents and the terms used in this Supplement are either defined in the Global Privacy Policy or in the text of the CCPA.

CCPA Consumer Rights

• The right to access, and to know both the categories of personal information and the specific personal information we collect;

• The right to have your personal information deleted, subject to some legal limitations;

• The right to request disclosure of the personal information collected; and

• The right to disclosure of information disclosed for valuable consideration.

Submitting Requests under CCPA

California residents may submit requests for information under the CCPA to Scaleflex by email to privacy@scaleflex.com.

Please be as specific as possible when you exercise your rights under CCPA and submit a request regarding your personal information. Under the CCPA, we are obligated to verify your identify before we process your request.

No Discrimination

Scaleflex will not discriminate against you in pricing, user experience, or any other way for exercising any of your rights under the CCPA.

7. Service Data definition

In order for the Scaleflex Service to function following data are collected:

• Images and image URLs you provide to Scaleflex for processing and delivery

• Analytics about the delivery of the images processed by Scaleflex. These analytics do not contain and process any personal identifiable data

• Access logs on the Content Delivery Networks (CDNs) used by Scaleflex to deliver images to your end users. These logs contain the IP addresses of the end users requesting an image delivered by Scaleflex, which is considered as personal identifiable data according to GDPR and is subject to additional measures to comply with it, outlined in our DPA. The IP address is the only personal information we and our sub-processors process and store temporary in our logging database. We store a pseudonymised version of the IP address for up to in our logging database.

Because we are not able to guarantee that all of our sub-processors store the users IP address in a pseudonymised matter, we have created our Data Processing Addendum (DPA), which, together with the Scaleflex Terms and Conditions form the Principal Agreement you enter to with Scaleflex SAS, the company offering the Scaleflex service.

In addition to the data we collect in order to provide our Service to you, we use analytical tools to track the way visitors of the Scaleflex website use the website and aggregate this information in order to improve it. Additional information on the trackers we use can be found in our Privacy Policy.

7.1 Categories of data processed

a) End User Personal Data

Scaleflex processes Personal Data included within Customer Content (“End User Personal Data”) when providing the Services to Customer. Upon the Customer’s choice, End User Personal Data may include data such as:

• Login credentials;

• Subscriber name and contact information;

• Financial or other transaction information;

• Other Personal Data relating to the individual data subject as set by Customer.

b) Logged Personal Data

CDN providers process Personal Data that is included in log files when performing the Services for Customer (Logged Personal Data”). Logged Personal Data is Personal Data logged by CDN Providers' servers, relating to the access to Customer Content over the CDN providers' platform by Customer’s end users, as well as logged personal data associated with user activity and interaction with web and internet protocol sessions transiting CDN providers’ servers as part of a data subject’s session with the Customer’s web property. Logged Personal Data include such data as:

• End user IP addresses;

• URLs of sites visited with time stamps (with an associated IP address);

• Geographic location based upon IP address and location of CDN providers' server;

7.2 Service Data ownership

From a privacy perspective, the customer is the controller of Service Data, and Scaleflex is a processor. This means that throughout the time that a customer subscribes to services with Scaleflex, the customer retains ownership of and control over Service Data in its account.

7.3 Removal and pseudonymization of Service Data

As data processor under GDPR, we are required to offer our customers the option to correct, amend or delete personal data. Our Invalidation API allows you to remove all data related to an image from the Scaleflex (Cloudimage) cache, processing servers and CDN. Personal data (visitor's IP address) is pseudonymised as per the contractual commitments outlined in our DPA.

In addition, we remove the personal data we store according to the following rules:

7.4 Who are Scaleflex’ sub-processors?

Scaleflex maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of Service Data, which can be found under sub-processors. Should you have any more questions about one or more sub-processors, you can email privacy@scaleflex.com. By adopting a Scaleflex solution, you will be added to an emailing list to receive updates on our sub-processor list.